3 security solutions for remote control of Windows server 2003

I. INTRODUCTION

We envision a remote control solution: a company wants to place such an IIS Web server, which is placed 300 miles away. The server is a server center that combines a broadband network, an air conditioner, and a power control device. This network service center is both stable and reasonably priced, but requires customers to have full remote control of the server. This control is always available, and it is not necessary to go to the console to operate the server. There are usually several problems with remote control, the most obvious being that the communication between the client machine and the host is to be transmitted over the Internet. This exchange of data may be sniffed by hackers; another problem is that remote control itself (such as its open ports) can also cause network attacks. The ultimate goal of choosing a remote control solution is to ensure that you (just you) as a gateway can control the server without causing other network attacks.

The security principles of the remote control scheme are as follows:

Ensuring the security of remote control permissions

Remote control must be able to prevent unauthorized access. This means that the remote management software only accepts connections for a small range of IP addresses and requires control of the username and password. Remote control security is further enhanced through the introduction of smart card phase customer verification. It can also be enhanced with simple, off-the-shelf techniques, such as using non-standard ports to provide services or some security configuration that does not display service flags.

Ensuring the integrity of remotely exchanged data

To prevent data loss in remote control, we must ensure the integrity and immediacy of the remote control server and client data transfer (that is, send The data is reliable and not retransmitted).

Ensuring the confidentiality of sensitive data transmissions

For remote control, the most important thing is to ensure the confidentiality of sensitive data transmission over the Internet. This is to prevent the transmitted data messages from being sniffed by hackers. This requires session encryption using a robust and feasible encryption algorithm. The advantage of this encryption is that even an attacker sniffs the data. It is also useless for people who sniff.

Ensuring that incidents can be safely audited

Good security audits can dramatically improve the overall security of remote controls and smother security threats and technical crimes to the bud. The main purpose of the audit log is to let the administrator know who is accessing the system, which services are used, and so on. This requires the server to have a sufficiently adequate and secure log record of the black mold remote control trace attempting to invade through technical crime.

Second, Windows
2003 3 kinds of security solutions for remote control

Although remote control Windows2003
has many methods. Not all software meets the above remote control solution security principles, we can combine different software to complete the remote control solution we need.

The following examples are used to achieve secure remote control by combining Windows 2003 native services or third-party software.

Method 1. Windows 2003 Terminal Services in conjunction with Zebedee Software

Terminal Services is a technology provided in Windows 2003 that allows users to execute Windows-based applications on a remote Windows 9000 server. Terminal Services should be the most widely used method for remote management of Windows 2003 servers, which is related to its convenience and other benefits brought by Windows built-in services, such as the Windows 2003 server's own authentication system. But the terminal service itself has some drawbacks: it can't restrict the client's connection IP; it doesn't explicitly propose a way to change the default listening port; its log auditing feature, that is, no logging tool. Based on the security principles of the remote control scheme mentioned at the beginning of this article, it is not very secure to use Terminal Services alone. But we can achieve the above remote management security needs by combining with Zebedee software.

Zebedee works as follows: 'Zebedee listens to locally specified applications, encrypts and compresses TCP or UDP data to be transmitted; Zeebedee client and server establish a communication tunnel; compressed and encrypted data Just transfer on this channel; you can make multiple TCP or UDP connections on the same TCP connection.

Usually Zebedee is divided into the following two steps:

Step 1: Configure the Zeebedee listening port

Use the following command:

C:\\ Zebedee -s -o server.log

Step 2: Configure listener port 3389 on the client and

redirect it to the Zeebedee listening port on your server

Use the following command:

C:\\>zededee 3389 serverhost:3389

In this way, Zebedee starts to start, and its combined use with terminal services is shown in Figure 1. As can be seen from Figure 1, when the terminal service client process (target TCP port: 3389) is turned on, the local Zebedee client starts intercepting the data packet at the same time; Zebedee encrypts the data and sends it to the Zebedee server (here) Zebedee service default port 11965); Zeebedee server receives and then decompresses and decrypts the service delivered to the server (service port: TCP: 3389). Here, the terminal service on the server appears to be a connection to the local Terminal Services client, but in reality all the packets passed pass through an encrypted tunnel. In addition, Zebedee can also implement identity authentication, encryption, IP address filtering, and log functions through configuration files. A well-configured Zebedee and Windows 2003 terminal services can be combined to build a very secure remote management system.

In view of the fact that general terminal services do not provide file transfer functions, other methods need to be considered. We can use an FTP server. But the FTP server is generally considered to be insecure, and it can also enhance its security through Zebedee's encrypted tunnel by transmitting data directly on the terminal service. This is a cumbersome practice, but the Zebedee help file has been explained in detail. Two third-party solutions are recommended here, one is Analogx's TSDropCopy (http://www.analogx.com/con-tents/download/system/tsdc.htm) and the other is WTS-FTP (http;//Www.ibexsoftware.com/about.asp)

In general, Windows 2003 Terminal Services is one of the most convenient and quickest methods, but for its own security. Through the combination of Zebedee and terminal services, we can achieve a convenient, fast and secure solution.

Method 2. VNC on SSH

VNC is a remote management software similar to Terminal Services. It has the following differences in different places:

*VNC Is sharing the same session with the user currently logged in, you can operate simultaneously with the currently logged in user;

*VNC client is available for different platforms, including WindowsCE and Java;

* VNC can restrict IP access;

is not encrypted on the client and server.