O'Reilly logo

Securing Windows NT/2000 Servers for the Internet by Stefan Norberg

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Chapter 4. Setting Up Secure Remote Administration

If you’ve carefully followed the installation and configuration steps outlined in Chapter 2, and Chapter 3, your bastion host is now quite secure. However, there is no way of administering it remotely!

NT’s standard remote administration tools such as Event Viewer and Server Manager are based on RPC using NetBIOS. The problem with NetBIOS (as I discussed in Chapter 1) is that it’s considered unacceptably unsecure in perimeter networks. Hence, we must find alternative tools for administering and monitoring the Windows NT host.

The basic requirements for any new remote management tools are:

Authentication

Both user and source IP address authentication are required to restrict unauthorized access to the servers. IP address authentication means access to certain services can be allowed or rejected based on the IP address of the client.

Encryption

Since we are performing administrative tasks, such as adding users and changing passwords, all sessions must be encrypted.

Ability to use the Windows NT GUI tools

It’s not possible to perform all administration tasks using the command prompt. Hence, we need some kind of remote graphics console.

Ability to transfer files from and to the remote system

It’s often important to be able to transfer files to your bastion hosts in a simple way.

This chapter presents three different solutions for remote management of Windows NT/Windows 2000 servers:

Symantec pcAnywhere v9.x

A very popular commercial software package that works on both Windows NT 4.0 and Windows 2000 systems.

Windows 2000 Terminal Services

A remote management solution that is available on Windows 2000 Servers only (not Windows 2000 Professional).

A combination of open source software

This is a free alternative based on the following components:

Secure Shell (SSH)

A set of Unix programs that allow you to log on to and execute commands on a remote computer. SSH provides a user authentication mechanism and performs session encryption.

TCP Wrappers

A set of Unix programs that log incoming connection requests and provide IP address-based access control, ensuring that the connecting host has permission to connect to a service before giving access to that service.

Cygwin

A free Win32 porting layer for Unix applications. Cygwin enables us to compile and run the SSH and TCP Wrappers Unix source code on the Win32 platform.

Virtual Network Computing (VNC)

A client and display server combination that provides a graphical user interface over the network.

SSH is an effective authentication service. The drawback is that it’s strictly text-based. However, by using it in conjunction with TCP Wrappers and VNC, a powerful, secure, and platform-independent remote administration solution is achieved. It can be somewhat tricky to get this solution running on Windows NT the first time, but if you carefully follow the instructions provided later in this chapter, you’ll be up and running in no time.

This chapter walks you through the necessary steps to successfully install and configure these three recommended remote management solutions.

Symantec pcAnywhere

Symantec’s pcAnywhere product has become the de facto standard remote console solution on Windows NT. It has many features and good security options (128-bit RC4 encryption using the MS CryptoAPI and host IP address authentication), and it’s relatively easy to configure and use. It also includes an excellent file transfer client. A sample pcAnywhere session is shown in Figure 4.1.

A sample pcAnywhere session

Figure 4-1. A sample pcAnywhere session

pcAnywhere uses one well-known TCP port (tcp/5631) for remote sessions. Another well-known port (udp/5632) is used to query the status of remote hosts. You only need to allow tcp/5631 from your management clients to your bastion hosts through your firewalls.

A pcAnywhere license costs about $170 if you buy it online from Symantec.

Configuring pcAnywhere

This section explains the special configuration steps you must perform when installing pcAnywhere 9.x on a bastion host:

  1. Start the installation.

  2. Use the custom installation method and deselect the two optional components, shown in Figure 4.2.

The pcAnywhere Custom Setup dialog box

Figure 4-2. The pcAnywhere Custom Setup dialog box

  1. Reboot the system when prompted to do so.

  2. When the system has rebooted, log on and click on the “Symantec pcAnywhere” shortcut on the Start menu.

  3. pcAnywhere runs a Setup wizard the first time it starts. Cancel the wizard and delete all items in the “Be a Host PC” view, as shown in Figure 4.3.

The pcAnywhere “Be a Host PC” view

Figure 4-3. The pcAnywhere “Be a Host PC” view

  1. Create a new Host PC item by double-clicking on the “Add Be A Host PC Item” wizard. Use “TCP/IP” as the connection device, enable pcAnywhere Caller Security, and add a pcAnywhere user. Uncheck the “Automatically launch this host upon wizard completion” checkbox.

  2. Bring up the Properties dialog box for the newly created Host PC item and click on the Settings tab, shown in Figure 4.4.

pcAnywhere Host PC settings

Figure 4-4. pcAnywhere Host PC settings

  1. Configure the Host PC item to use the non-default settings shown in Table 4.1.

Table 4-1. Recommended pcAnywhere Host PC Settings

Setting

Description

Recommended Value

Launch with Windows

Configures the pcAnywhere Service to start this Host PC at boot

Yes

Abnormal End of Session Security

Specifies the action to take if an ongoing connection is terminated unexpectedly

Logoff user

End of Session Security

Specifies the action to take when a pcAnywhere session ends

Logoff user

  1. Add any additional user accounts using the Callers tab. Configure fine-grained user privileges in the “Privileges” tab, for each individual user, as shown in Figure 4.5.

The pcAnywhere Privileges tab

Figure 4-5. The pcAnywhere Privileges tab

  1. Configure the non-default settings listed in Table 4.2 in the Security Options tab of the Host PC item, as shown in Figure 4.6.

Table 4-2. Recommended Security Settings for pcAnywhere

Setting

Description

Recommended Value

Encryption Level

Configures the level of encryption used by pcAnywhere sessions

Symmetric/Deny Lower Encryption Level

Make passwords case sensitive

Controls whether the case (upper- or lowercase) of passwords is significant

Yes

Keyboard/mouse active during session

Controls where input is allowed

Remote

Disconnect if inactive

Specifies when an inactive session should be terminated

10 minutes

The pcAnywhere Security Options tab

Figure 4-6. The pcAnywhere Security Options tab

  1. Configure IP address restrictions. Click on Tools Network Options (shown in Figure 4.7), and add the hosts that should be allowed to access this computer over the network.

  2. The last GUI-based configuration step is to enable logging. Logging can be configured by selecting “Logging options” from the Tools menu. I recommend that you enable NT Event logging for all pcAnywhere events.

Configuring pcAnywhere IP address restrictions

Figure 4-7. Configuring pcAnywhere IP address restrictions

Configuring pcAnywhere Registry Settings

There are a number of pcAnywhere settings in the registry that should be changed from their defaults on a bastion host.

The pcAnywhere client can be configured to discover hosts on a subnet automatically. The following setting controls whether or not a server should respond to pcAnywhere discovery broadcasts to make itself known to a client. Usually, broadcasts in the perimeter aren’t allowed, so disable this feature by configuring the following registry value on your servers:

Value Name

Type

Recommended Value

HKLM\SOFTWARE\Symantec\pcANYWHERE\CurrentVersion\System\DisplayHostInList

REG_DWORD

0

Older versions of pcAnywhere used a different set of TCP (tcp/65301) and UDP (udp/22) ports. Later versions of pcAnywhere support these ports, as well as the new ones, for backward compatibility. You can disable the old ports by adding the following registry value:

Value Name

Type

Recommended Value

HKLM\SOFTWARE\Symantec\pcANYWHERE\CurrentVersion\System\TCPIPPortCompatibility

REG_DWORD

0 (this is the default in v9.2)

A pcAnywhere client tries to query the server for its status using UDP before trying to connect to it. If you only allow tcp/5631 from the management clients through your firewall, this causes the client to give up after not being able to query the status. You can configure the client to try to connect anyway by changing the following setting on the pcAnywhere client:

Value Name

Type

Recommended Value

HKLM\SOFTWARE\Symantec\pcANYWHERE\CurrentVersion\System\TCPIPConnectIfUnknown

REG_DWORD

1

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required