Remote Desktop

Thread starter: Michael A. Covington

Michael A. Covington

How secure is Remote Desktop as a way of accessing a Windows 2000 server
(for administrative purposes) from some nearby Windows XP clients?

What precautions need to be taken?

Thanks!

--

Michael A. Covington - Artificial Intelligence Ctr - University of Georgia

"In the core C# language it is simply not possible to have an uninitialized
variable, a 'dangling' pointer, or an expression that indexes an array
beyond its bounds. Whole categories of bugs that routinely plague C and C++
programs are thus eliminated." - A. Hejlsberg, The C# Programming Language
 
I assume nearby means the LAN, in which case in my opinion it can be very secure. The
RDP traffic itself is encrypted at 128 bit. The biggest risk is that it is a
potential backdoor to your server that might otherwise be locked up in a room, which
brings the need for complex passwords, an account lockout policy, and renaming the
administrator account, which can not be locked out for interactive logon. The other
risk is that you must be careful to only use known, trusted XP machines that you know
do not have a keyboard logger, a camera watching, etc. You might want to also consider
having an IPsec filtering policy on that server to accept port 3389 traffic from only
specific workstations by IP address. --- Steve
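The source-address filter Steve suggests, written as an added example for this thread (not code from any poster): on Windows 8 / Server 2012 and later the same restriction is usually done with the Windows Firewall cmdlets rather than an IPsec policy. The cmdlets do not exist on Windows 2000, and the two workstation addresses and the rule name are placeholders.

```powershell
# Added example, not from the thread: allow inbound RDP (TCP 3389) only from a
# short list of known administrative workstations. Requires the NetSecurity
# module (Windows 8 / Server 2012+) and an elevated prompt. Addresses below are
# constructed placeholders (assumption).
#Requires -RunAsAdministrator

$adminWorkstations = @('192.0.2.10', '192.0.2.11')   # placeholder source addresses
$ruleName = 'RDP - allow only from admin workstations'

# 1. Unsolicited inbound traffic must be dropped by default on every profile,
#    otherwise an allow-list rule adds nothing.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. The built-in "Remote Desktop" rule group accepts 3389 from any address;
#    turn it off so the scoped rule below is the only way in.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Set-NetFirewallRule -Enabled False

# 3. Add (or refresh) one allow rule limited to the listed remote addresses.
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $ruleName
}
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $adminWorkstations `
    -Profile Domain,Private | Out-Null

# 4. Verify: every enabled inbound rule that opens 3389, with the addresses it
#    accepts. Anything here besides $ruleName with 'Any' as RemoteAddress
#    reopens the backdoor Steve warns about.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

The verification step matters more than the rule itself: a later "Enable Remote Desktop" click in the GUI re-enables the built-in group, so re-run step 4 after any configuration change.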
 
Can you explain the account lockout policy. What is this?

Also, how do you rename the administrator account? Do you just create a new
account with administrator access and then lock out the administrator
account so it cannot be logged in via RDP? If so, how do you limit
administrator access via RDP? Just remove its terminal services access?

I'm sorry I have so many questions - I'm still learning!
 
Account lockout policy is configured in Security Policy at domain level only for
domain user accounts and can be configured locally for local machine user accounts.
Look for the settings under security settings/account policies/account lockout
policy. There you configure thresholds that only allow a user a certain number of
bad password attempts before their account is locked out from trying again to log on
until either an administrator resets the account or the lockout duration expires. MS
recommends setting the attempt threshold to no less than ten. The built-in
administrator account can not be locked out unless it is configured to be by using
the passprop utility, and then it can only be locked out for network logons - not
interactive/console.

Not allowing Terminal Services access in the administrator's account properties is
one way to prevent them from logging on via Terminal Services. How you rename the
administrator account depends on whether it is a local account or a domain account.
For a local account, go to the administrator account, right click it, select rename
and enter the new name. To rename a domain account you need to use Active Directory
Users and Computers and then access the account page in the user's account. There may
be two logon names there - the UPN with the @domainname and the pre-Windows 2000
logon name. You would want to change both of those names to change the logon name
for any account. See the link below for more information. --- Steve

http://www.microsoft.com/technet/Security/topics/hardsys/tcg/tcgch02.mspx
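The lockout and rename steps from Steve's two replies, as an added example for this thread in PowerShell on a current Windows version (not code from any poster or from the linked Microsoft page). Section A covers a standalone server's local accounts; section B needs the ActiveDirectory module (RSAT) and domain admin rights. The new account names, the thresholds and the use of the IADsTSUserEx `AllowLogon` property are assumptions.

```powershell
# Added example, not from the thread. Run elevated.
#Requires -RunAsAdministrator

# --- A. Local accounts on a standalone server --------------------------------

# Lockout policy: 10 bad passwords lock the account for 30 minutes, and the
# bad-password counter resets after 30 minutes without a failure. Values are
# placeholders; ten is the floor Steve quotes.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30

# Locate the built-in Administrator by its well-known RID (500), not by name.
# Renaming never changes the SID, so this also finds it after a rename.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin.Name -eq 'Administrator') {
    Rename-LocalUser -Name $builtin.Name -NewName 'srv-owner'   # placeholder name
}

# A separate administrative account for day-to-day RDP use; unlike RID 500 it is
# subject to the lockout policy above. Password is prompted, never hard-coded.
$pw = Read-Host -AsSecureString 'Password for ops-admin'
New-LocalUser -Name 'ops-admin' -Password $pw | Out-Null                    # placeholder
Add-LocalGroupMember -Group 'Administrators' -Member 'ops-admin'

# --- B. The domain Administrator account -------------------------------------
Import-Module ActiveDirectory

# Lockout thresholds for domain accounts live in the Default Domain Policy;
# confirm what is actually in force before relying on it.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Domain Administrator = <domain SID>-500, again found by SID rather than name.
$domainAdmin = Get-ADUser -Identity "$((Get-ADDomain).DomainSID.Value)-500"

# Clear "Allow logon to terminal server" on the account's Terminal Services tab
# (IADsTSUserEx.AllowLogon via ADSI; assumption). Done before the rename while
# the distinguished name is still current.
$adsi = [ADSI]"LDAP://$($domainAdmin.DistinguishedName)"
$adsi.InvokeSet('AllowLogon', 0)
$adsi.SetInfo()

# Rename: the object name, the pre-Windows 2000 logon name (sAMAccountName) and
# the UPN, which are the two logon names Steve says to change together.
$newName   = 'dom-owner'                                                    # placeholder
$upnSuffix = (Get-ADDomain).DNSRoot
Rename-ADObject -Identity $domainAdmin.DistinguishedName -NewName $newName
Set-ADUser -Identity $domainAdmin.SID -SamAccountName $newName `
    -UserPrincipalName "$newName@$upnSuffix"

# Verify by SID, since the name no longer identifies the account.
Get-ADUser -Identity $domainAdmin.SID -Properties UserPrincipalName |
    Select-Object Name, SamAccountName, UserPrincipalName, SID
```

Because the built-in account keeps RID 500 after a rename, anything that enumerates accounts by SID (including an attacker who already has a foothold) can still find it; the rename only removes the well-known username from remote password guessing, which is why the lockout policy and the source-address filter still need to be in place.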
 