October 2006 Archive

RDP over SSL

There is a new feature in Windows 2003 SP1 that has caused some confusion. It is called RDP over SSL. When you hear about a new feature and it is called RDP over SSL you would imagine that regular RDP is going over http and this new feature is going over https. Well that is not the case.

RDP over SSL still uses port 3389 but now the RDP includes TLS authentication and encryption over TCP. This provides stronger encryption and will verify that you are connecting to a server that you trust. This prevents Man in the Middle Attacks and tightens down the security that much more.

How do you enable RDP over SSL?

Steps to take on the server:

  1. Verify service pack 1 is installed on your Windows 2003 server
  2. Purchase a certificate from a trusted source such as Thawte.com or Verisign.com. If you have already purchased one for your website you will be able to use that. If you don’t want to shell out $150+ from a trust provider for your specific domain MaximumASP will provide their dedicated server customers a free wildcard certificate.
  3. Modify your Terminal Service Configuration opening the TSCC at Programs> Administrative Tools>Terminal Services Configuration.
    RDP-TCPproperties.gif" alt="Terminal Services" />
  4. Expand Connections, right click RDP-TCP and select properties.
  5. Click edit next to certificates and browse to the cert you want to use.
  6. Next to Security Layer select SSL.

Steps to take on your local machine:

  1. Make sure you are running at least RDP 5.2. If you are running an earlier version you can find the install files for 5.2 from your server at %systemroot%\system32\clients\tsclient
  2. Modify your RDP connection by putting the FQDN of the certificate in the computer field. In the example below it is www.mydomain.com
    Remote Desktop Connection Screenshot
  3. Next click the security tab, and select Require Authentication under the Authentication field.
    Security Tab Screenshot
October 16th, mid-afternoon
Post in Security

About Mapped Drives

One question that frequently comes up is whether or not you can map a network drive to your dedicated server. Mapping a network drive requires TCP ports 135, 139 and 445 along with UDP port 137 to be open. A quick google search on these ports will show multiple vulnerabilities out there for these ports.  Because of this we've blocked these ports on our enterprise firewalls.

You have two options to get around this. First you could purchase a personal firewall that supports VPN connections. This will allow you to securely connect to your server through a VPN tunnel and allow you to perform actions just like you were on the same physical network.

Your second option is you could use the share the drive feature built into remote desktop. This uses something called File System Redirection. It allows you to use your local files on a remote desktop and you can also copy files from the server to your local hard drive through the RDP window. When you open My Computer on the server under “other disks” you will see your disk drives listed such as "C on localmachine".

To set this up is simple. When launching the RDP client select the Local Resources tab and check the box next to Disk Drives.

rdpLocalResources.gif

While using the File System Redirection built into RDP is not quite as secure as setting up a VPN Firewall, it is free. A VPN actually encrypts the data between each endpoint and verifying the sender and receiver. While RDP does use encryption (128-bit RC4 symmetric encryption) if you do not have XP Service Pack 1 installed it does not verify the identity of the server when setting up the encryption keys for the session. This means it is possible that you could be vulnerable to a Man in the Middle attack. So if you have not installed XP SP2, install it immediately.

What is a Man in the Middle attack?

Man in the Middle attacks, or MITM as they are often referred to, are when an attacker is able to read, insert, modify, information between two systems. This happens without either party knowing.

How does the attack work for RDP? The below steps are taken from a security alert written by Erik Forsberg:

  1. The client connects to the server, however by some method (DNS spoofing, arp poisoning, etc.) we've fooled it to connect to the MITM instead. The MITM sends the request further to the server.
  2. The server sends its public key and a random salt, in clear text, again through the MITM. The MITM sends the packet further to the client, but exchanges the public key to another one for which it knows the private part.
  3. The client sends a random salt, encrypted with the server public key, to the MITM.
  4. The MITM decrypts the clients random salt with its private key, encrypts it with the real servers public key and sends it to the server.
  5. The MITM now know both the server and the client salt, which is enough information to construct the session keys used for further packets sent between the client and the server. All information sent between the parts can now be read in cleartext.

With Windows 2003 SP1 you can now use RDP over SSL which will help you lock down your box even more.

October 16th, early afternoon
Post in Security

Remotely connecting to SQL Express

By default SQL Express does not accept any connections from another computer. This mean you can’t remotely connect to it with SQL Management Studio, an ODBC connection, etc.

If you plan to do all SQL management while connecting to the server with RDP, and are running the website on the same server as SQL then you will not have to do this. It is recommended that if you do not need to remotely connect to the server do not enable TCP/IP. Without it enabled your server has less of an attack surface.

To allow TCP/IP connections follow these steps:

  1. Launch the SQL Server Configuration Manager from the Programs >Microsoft SQL Server 2005>Configuration Tools
  2. Click on the "Protocols for SQLEXPRESS" node under SQL Server 2005 Network Configuration.
  3. Double click "TCP/IP"
  4. Select Yes next to Enabled
  5. Click the IP Address tab
  6. Under IPAll you will see the port that you will need to connect with.

SQL Configuration Manager

To connect to the server follow these steps:

  1. Launch SQL server Management Studio
  2. Select Connect Object Explorer under file
  3. For Server name you will want to use Servername\SQLExpress,Port

ConnectToSqlExpress.png

While it is possible to enable the SQL Browser service so that you do not need to specify the port above it is a security best practice to not run the SQLBrowser service as it reduces the attack surface area by eliminating the need to listen on an udp port.

October 10th, mid-afternoon
Post in SQL Server

Windows Live Custom Domains

I have been using Windows Live Custom Domains for my personal domain for some time and have been really happy with it. What is Windows Live Custom Domains you ask? With Custom Domains anyone can point their MX record to the Microsoft Live Servers. What this means is you are able to host mail for your domain on the same clustered servers that hotmail is hosted on. What are the other pros and cons?

Pros:

  • You are able to create an unlimited number of email accounts.
  • Ease of use of Hotmail.
  • By default you are allowed a 250MB mail box but you are able to upgrade to 2GB of storage.
  • Requires complex passwords which helps minimize cracking accounts
  • You can require users to change their passwords every 72 days, again helps with security
  • You can use the same email to log into Windows Messenger
  • You can easily white / black list emails
  • There is an SDK available from Microsoft for this product. This enables you to modify and customize Live Custom Domains by incorporating it into your web site or windows applications.
  • Single sign on http://www.hotmail.com
  • Able to send 10MB attachments
  • You can use Outlook or Outlook Express
  • Can allow "open membership" where they give you HTML code to put on your site that allows vistors to signup for email on the fly.
  • Finally a personal testament, I used to still get a couple spam emails a day (after going through a spam filter) in my regular email folder. Since switching over to Custom Domains it has caught every spam accurately AND I have not had a problem with good emails ending up in the junk folder.

Cons:

  • No Alias
  • No Forwarding
  • No Domain Rules
  • One other thing that annoyed me was it took a little while to figure out you had to go back to https://domains.live.com and click a little link under Signup to go back in and manage your domains. It would be a nice feature if when you were already logged into Hotmail you could click something like "manage domains"

Now more importantly, HOW do I start using it.

To start using it all you need to do is go to http://domains.live.com/ and input the domain you have already purchased.

Select an administrator for the account (with this you can create a single account to manage multiple domains you may host)

Next it will give you the changes you need to make to your MX record, remove any additional records, and setup a SenderID

At the first crack I had this up and going in less than ten minutes. All in all I would highly recommend this product.

October 6th, lunch time
Post in E-Mail