Carrying Remote Desktop Security Through to the End [it168 special feature, compiled by freexploit]

[It168] Microsoft has integrated a program named "Remote Desktop" into the operating system since Windows server. With Remote Desktop, network administrators can easily control the company's servers from the other end of the network: perform operations on them, remove programs, and run commands just as on the local computer. The Remote Desktop function therefore greatly facilitates the work of network administrators and has been favored by more and more of them since its launch.

However, as networks have become widespread, enterprises pay more and more attention to network security. Many network administrators have found that using Windows Remote Desktop to operate servers poses certain security risks: the security level of the data transmission is not high enough, and although some of the information is encrypted, hackers can easily recover it. Because of this weakness in Remote Desktop security, some network administrators began to look for other remote control tools, such as Remote Admin and pcAnywhere.

Microsoft cares a great deal about the remote control software market. To improve the security level of Remote Desktop and ensure that data is not stolen by hackers, it added a securely authenticated Remote Desktop function to SP1, the latest service pack for Windows 2003. With this function, we can use SSL-encrypted transmission to control the remote server, making up for the original security defects of the Remote Desktop function.

TIPS: If you are using Windows 2003 but have not installed the latest SP1 patch, you still cannot use SSL-encrypted Remote Desktop authentication. It is therefore recommended that companies upgrade their servers to Windows 2003 + SP1 immediately.

I. See the danger first-hand by cracking connection information:

How dangerous is Remote Desktop authentication that does not use SSL to encrypt the transmitted information? Today we follow senior network engineers and see for ourselves.

Lab environment:

The company server runs Windows Server + SP4 on a 10M fiber-optic uplink. The home computer runs Windows XP Pro + SP2 on a Beijing Netcom ADSL 512kb line. The Remote Desktop Connection program that ships with XP, which has no SSL authentication, is used at home to control the server.

Cracking Process:

Step 1: Install the Sniffer packet analysis tool on the home computer and select the local NIC as the capture interface. (1)

Figure 1

TIPS: Installing the sniffer on another computer in the same subnet as the home computer works just as well; it can also capture the data described below.

Step 2: Choose "Capture -> Start" in the Sniffer menu to start capturing. The start arrow on the toolbar does the same thing.

Step 3: Start XP's Remote Desktop Connection program and connect to the company's server.

Step 4: Log on to the server, entering the correct user name and password to reach the desktop, and then log off.

Step 5: Return to the Sniffer program on the local computer and click "Capture -> Stop and Display" in the menu to stop capturing and display the results. (2)

Figure 2

Step 6: In the results window, click the "Objects" tab on the left. If several computers share the Internet connection through a broadband router, the IP address of the server being accessed appears in the "Objects" window. If you have only one computer and go online through an ADSL modem, the modem performs IP address translation and filtering, so only the local NIC appears in the "Objects" window. Select the IP address of the local NIC or of the server and click the "Decode" tab at the bottom to analyze the packets. (3)

Figure 3

Step 7: On the "Decode" tab we can analyze the captured packets. Working down from the top and watching the destination address, the server's IP address appears at the 23rd packet. The packets from here on need to be analyzed carefully. (4)

Figure 4

Step 8: Continue to the 26th packet; in the data pane at the bottom you can clearly see the user name "softer" that was entered when logging on to the server. (5)

Figure 5

Step 9: In the 28th and 29th packets, the encrypted password appears in the data pane. (6) Although we cannot read it directly, hackers can crack the ciphertext. The cracking process is long, similar to an exhaustive search. (7)

Figure 6
Figure 7

Although Remote Desktop Connection, unlike FTP and Telnet, does not transmit everything in plaintext, sending the user name in plaintext and the password with only simple encryption still poses a great security risk: the packets are easily captured and cracked. Therefore, we need to carry Remote Desktop security through to the end.

II. Build an impregnable wall with certificate-based encryption and authentication:

First, upgrade the server to the latest version, Windows 2003, and then install Service Pack 1 through Windows Update or from the website. Only Windows 2003 with SP1 installed has the SSL-encrypted Remote Desktop function. All of the following operations are performed on the server. Clients can connect with the Remote Desktop client only after the server has been set up to support SSL encryption and authentication.

1. Install the Certificate Service:

Step 1: By default, the certificate service is not installed in Windows 2003. Install "Certificate Services" through "Add/Remove Windows Components" in Control Panel. (8)

Figure 8

Step 2: For the CA type, select "Stand-alone root CA" and click "Next" to continue. (9)

Figure 9

Step 3: In the CA identifying information window, set a common name, Softer, for the CA being installed. The distinguished name suffix can be left blank. The validity period defaults to 5 years. (10)

Figure 10

Step 4: Keep the defaults in the certificate database settings window, because the system automatically files and looks up certificates in the default directory (Windows/system32/certlog) according to certificate type. Click "Next" to continue. (11)

Figure 11

Step 5: With the parameters required for installation configured, the system starts installing the component. During installation you will be prompted to insert the Windows 2003 system CD. (12)

Figure 12

Step 6: Insert the CD so that the system files can be found and the installation can continue. Near the end, the system asks whether to enable ASP in IIS so that Certificate Services can work; select "Yes" to enable ASP. (13)

Figure 13

Step 7: The installation of the Certificate Services Windows component completes. (14)

Figure 14

TIPS: If the IIS component is not installed in Windows 2003, install it in the same way as described above.

2. Set Certificate Service parameters:

The default settings of the Certificate Service do not meet the needs of this procedure, so they must be modified.

Step 1: Go to Start > Programs > Administrative Tools > Certification Authority on the taskbar to open the certificate settings window. (15)

Figure 15

Step 2: If no computer is displayed under Certification Authority, use the File menu to load the Certificate Service of the local computer. (16)

Figure 16

Step 3: Right-click the computer softer and select "Properties", then click the "Policy Module" tab; there is a "Properties" button on that tab. (17)

Figure 17

Step 4: Click the Properties button and, in the request handling window, change the default setting to "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate". (18)

Figure 18

3. Apply for a certificate:

Once IIS is running, we can apply for a certificate through a web page.

Step 1: Open IE and enter http://ip/certsrv/ in the address bar. For example, if the server address is 10.91.30.45, enter http://10.91.30.45/certsrv. If IIS works properly and the Certificate Service is correctly installed, the Microsoft Certificate Services page is displayed. (19)

Figure 19

Step 2: Select "Request a certificate" on the page.

Step 3: On the certificate request page, select "advanced certificate request". (20)

Figure 20

Step 4: On the advanced certificate request page, select "Create and submit a request to this CA". (21)

Figure 21

Step 5: Many items need to be changed on the advanced certificate request form. First, enter the IP address of the server in the Name field.

TIPS: If anything else is entered as the certificate name, an error occurs later when configuring SSL encryption and authentication. You must enter the IP address of the server.

Step 6: Enter the e-mail, company, department, and region information as you like.

Step 7: For the type of certificate needed, select "Server Authentication Certificate".

Step 8: Set the key option to "Create new key set".

Step 9: Set the key usage to "Exchange".

Step 10: At the bottom, check "Mark keys as exportable" and "Store certificate in the local computer certificate store". All parameters for the advanced certificate request are now filled in. (22)

Figure 22

Step 11: When you submit the request, a "potential scripting violation" prompt appears. Simply select "Yes". (23)

Figure 23

Step 12: After the request is submitted, a "certificate pending" notice appears, stating that your request is pending and must wait for the administrator to issue it; the request ID is also displayed. (24)

Figure 24

At this point the certificate request is complete. Next we need to issue the requested certificate; it can be used only after it is issued.

4. Issue a certificate:

The following describes how to issue the certificate just requested.

Step 1: Go to Start > Programs > Administrative Tools > Certification Authority on the taskbar to open the certificate settings window.

Step 2: Under "Pending Requests" for the local computer softer, you will see a request with ID 2. This is the request just submitted.

Step 3: Right-click the request and choose "All Tasks" > "Issue". Once it is issued, the certificate we applied for can be used. (25)

Figure 25

5. Install the certificate:

The certificate has now been approved by the server. Next we install the certificate we applied for on the server. Only with a certificate can the data transmitted during remote access be made more secure.

Step 1: Open IE and enter http://ip/certsrv/ in the address bar. For example, if the server address is 10.91.30.45, enter http://10.91.30.45/certsrv. If IIS works properly and the Certificate Service is correctly installed, the Microsoft Certificate Services page is displayed.

Step 2: Select "View the status of a pending certificate request". The "Server Authentication Certificate" requested earlier is listed here. (26)

Figure 26

Step 3: Click the "Server Authentication Certificate"; a message indicates that the certificate has been issued. Click "Install this certificate". (27)

Figure 27

Step 4: The system displays the "potential scripting violation" prompt; ignore it and click "Yes". The system then installs the certificate on the server automatically. (28)

Figure 28

Step 5: After the installation is complete, the system reports "certificate installed" to the user as a web page. (29)

Figure 29

Conclusion: This is the end of the first half of the article. We have explained the security risks of Remote Desktop Connection and covered "service installation", "set Certificate", "apply for Certificate", "issue Certificate", and "Install certificate" as part of carrying Remote Desktop security through to the end. There is a lot more to the subject. In the second part, I will cover "encryption settings for Remote Desktop Connection on servers", "Install the client with the encrypted remote desktop function", and "Install the client certificate".

[It168] In the previous part, we covered "service installation", "set Certificate", "apply for Certificate", "issue Certificate", and "Install certificate". Today I will continue with "encryption settings for Remote Desktop connections on servers", "installation of remote desktop functions with encryption functions on clients", and "installation of client certificates".

I. Server Remote Desktop settings:

By default, the Remote Desktop function does not support SSL-encrypted authentication, even after we have applied for and installed a certificate.

Step 1: Open the TSCC (Terminal Services Configuration) window through "Start -> Programs -> Administrative Tools -> Terminal Services Configuration" on the taskbar. (1)

Figure 1

Step 2: In the TSCC window, click "Terminal Servers -> Connections". The terminal service connection is displayed in the right-hand pane. Right-click it and choose "Properties". (2)

Figure 2

Step 3: On the General tab, click the Edit button next to the certificate settings area to open the certificate settings window. View the certificates and find the one we installed in the previous part (the certificate name is 10.91.30.45). (3)

Figure 3

Step 4: After selecting the certificate, the security level also has to be set on the General tab. Set the security layer to "SSL" and the encryption level to "High". After confirming, all the Remote Desktop settings on the server are complete. (4)

Figure 4
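
One way to confirm that the security layer chosen in Step 4 is actually enforced, as an added example that is not part of the original article: the script offers only legacy RDP security in the connection request and classifies the server's reply. It assumes the server implements the RDP security negotiation described in Microsoft's MS-RDPBCGR specification; the sample replies are constructed, and `probe` is intended for a server you administer.

```python
import socket
import struct

PROTOCOL_RDP = 0x0  # legacy RDP security, the mode captured in the sniffer test
PROTOCOL_SSL = 0x1  # SSL/TLS security layer
PROTOCOL_NAMES = {0: "RDP", 1: "SSL", 2: "HYBRID"}

# failureCode values of RDP_NEG_FAILURE (MS-RDPBCGR)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224: length indicator, CR code 0xE0, dst-ref, src-ref, class 0
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Return (kind, detail) for the server's X.224 Connection Confirm."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT/X.224 packet")
    total = struct.unpack(">H", data[2:4])[0]
    if total < 11 or total > len(data) or (data[5] & 0xF0) != 0xD0:
        raise ValueError("truncated packet or not a Connection Confirm")
    neg = data[11:total]
    if not neg:
        # No negotiation block: the server only speaks legacy RDP security.
        return ("legacy", "no negotiation data")
    if len(neg) < 8:
        raise ValueError("short negotiation block")
    neg_type, _flags, _length, value = struct.unpack("<BBHI", neg[:8])
    if neg_type == 0x02:  # RDP_NEG_RSP: value is the selected protocol
        return ("selected", PROTOCOL_NAMES.get(value, hex(value)))
    if neg_type == 0x03:  # RDP_NEG_FAILURE: value is the failure code
        return ("failure", FAILURE_CODES.get(value, hex(value)))
    raise ValueError("unknown negotiation block type %#x" % neg_type)


def refuses_legacy_rdp(reply):
    """True if the reply to an RDP-only request shows that SSL is enforced."""
    kind, detail = parse_connection_confirm(reply)
    return kind == "failure" and detail.endswith("REQUIRED_BY_SERVER")


def probe(host, port=3389, timeout=5.0):
    """Offer only legacy RDP security and report whether the server refuses it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        return refuses_legacy_rdp(sock.recv(1024))


# Constructed sample replies (not captured traffic).
REPLY_SSL_ENFORCED = bytes.fromhex("030000130ed00000123400" "0300080001000000")
REPLY_LEGACY_OK = bytes.fromhex("030000130ed00000123400" "0200080000000000")
REPLY_PRE_NEGOTIATION = bytes.fromhex("0300000b06d00000123400")
```

A reply classified as `legacy` or `selected RDP` means the listener still accepts the unprotected mode shown in the sniffer test.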

II. Install the certificate on the client:

Since a certificate is used on the server for SSL encryption and authentication, the certificate also has to be installed on the client. Remote Desktop access is not possible without it. There are two ways to obtain the certificate; we will introduce them one by one.

1. Export the certificate from the TS Server:

Step 1: Open "Run" from the taskbar and enter MMC to start the management console. (5)

Figure 5

Step 2: With the MMC console open, load the certificate snap-in through "File -> Add/Remove Snap-in" in the console menu. (6)

Figure 6

Step 3: Find the Certificates snap-in under "Available Standalone Snap-ins" and click "Add" to load it. (7)

Figure 7

Step 4: In the Certificates snap-in dialog, select "Computer account" and click "Next". (8)

Figure 8

Step 5: Choose "Local computer" in the Select Computer window and complete the operation. (9)

Figure 9

Step 6: Return to the console and select "Console Root -> Certificates (Local Computer) -> Personal -> Certificates". The right-hand pane lists all certificates currently installed on the server. Find the certificate used for SSL-encrypted connections. (10)

Figure 10

Step 7: Right-click the certificate and select "Open". On the certificate information page, select "Details" and click "Copy to File" at the bottom to copy the certificate. (11)

Figure 11

Step 8: The Certificate Export Wizard opens; click "Next". (12)

Figure 12

Step 9: On the Export Private Key page, select "No, do not export the private key". (13)

Figure 13

Step 10: For the export file format, select "DER encoded binary X.509 (.CER)". (14)

Figure 14

Step 11: Select the path where the exported file will be saved. Generally, just choose the desktop. (15)

Figure 15

Step 12: Complete the Certificate Export Wizard and save the certificate file. (16)

Figure 16

Step 13: Once the file is saved to the desktop, copy the certificate file to the other computers. Every client that is going to connect to the server through Remote Desktop needs to install the certificate.

Step 14: Double-click the certificate file to install it. The "General" tab contains the "Install Certificate" button. (17)

Figure 17

Step 15: Click "Install Certificate" to enter the Certificate Import Wizard. Select "Automatically select the certificate store based on the type of certificate" and click "Next". (18)

Figure 18

Step 16: Complete the certificate import. (19)

Figure 19

2. Install the certificate from the certificate page:

There is also another way to install the certificate on the client.

Step 1: Open the browser on the client and enter http://ip/certsrv/ in the address bar. For example, if the server address is 10.91.30.45, enter http://10.91.30.45/certsrv. The certificate request page is displayed in the browser. (20)

Figure 20

Step 2: Choose to download the CA certificate and click "Install this CA certificate chain". (21)

Figure 21

Step 3: The system installs the CA certificate automatically and displays a message when the installation is complete. (22)

Figure 22

A client with the certificate installed can access the remote server through the SSL encryption function of Remote Desktop Connection.

III. The client program must also be up to date:

If you are eager to control the remote server in SSL encryption mode, you will run into a problem: the Remote Desktop tools in XP and 2000 have no place to set the security mode. This is because SSL encryption is a new feature added in 2003 SP1. To use it, you need to install a new Remote Desktop Connection tool.

1. Windows 2003 system:

The Remote Desktop Connection program in the 2003 system has a "Security" tab. With this tab, we can directly set the SSL encryption mode for accessing the remote server.

2. Other systems:

For other systems, you need to install the new version of the Remote Desktop Connection program, which is on the Windows system CD under the path I:/support/tools. The program name is msrdpcli.exe. (23) Run the program directly. (24)

Figure 23
Figure 24

3. Use the new version of the program:

After installing the new version of the Remote Desktop program, we need to configure it to use SSL to access the remote server.

Step 1: Start the new version of the Remote Desktop Connection program.
Step 2: You will find an extra "Security" tab. (25)

Figure 25

Step 3: On the "Security" tab, change the authentication method to "Require authentication". (26)

Figure 26

Step 4: Click "Connect" to access the remote server that has been configured for SSL encryption mode.

TIPS: The three options on the Security tab are "no identity authentication" (access the remote server in normal mode), "try to authenticate" (try SSL-encrypted authentication first and, if it fails, fall back to the traditional mode), and "authentication required" (access the server in SSL encryption mode and quit if it fails).
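
To check that saved connection files really enforce the "authentication required" behaviour described in the TIPS above, and that they connect by the name that is on the certificate, the following added example (not from the original article) audits .rdp files. It relies on the `authentication level` and `full address` settings as Microsoft documents them for .rdp files; treating value 1 as the equivalent of "authentication required" is an assumption, and the sample files are constructed.

```python
import codecs

# "authentication level:i:N" as documented by Microsoft for .rdp files.
AUTH_LEVELS = {
    0: "connect without warning if server authentication fails",
    1: "do not connect if server authentication fails",
    2: "warn and let the user decide",
    3: "no requirement specified",
}


def decode_rdp(raw):
    """Saved .rdp files are usually UTF-16 with a BOM; hand-made ones are often ANSI/UTF-8."""
    if raw[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict keyed by lower-cased name."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            continue  # blank or malformed line
        name, kind, value = parts
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue  # integer setting with a non-numeric value
        settings[name.strip().lower()] = value
    return settings


def audit_rdp(raw, cert_name):
    """Return a list of findings; cert_name is the name the server certificate was issued to."""
    settings = parse_rdp(decode_rdp(raw))
    findings = []
    level = settings.get("authentication level")
    if level is None:
        findings.append("authentication level not set: the client default applies")
    elif level != 1:
        findings.append("authentication level %d: %s"
                        % (level, AUTH_LEVELS.get(level, "unknown value")))
    host = settings.get("full address", "")
    if host.count(":") == 1:  # strip an explicit :port
        host = host.rsplit(":", 1)[0]
    if host.lower() != cert_name.lower():
        findings.append("full address %r does not match certificate name %r"
                        % (host, cert_name))
    return findings


# Constructed sample files (hypothetical, not taken from the article).
GOOD_FILE = "full address:s:10.91.30.45\r\nauthentication level:i:1\r\n".encode("utf-16")
BAD_FILE = b"full address:s:fileserver:3389\r\nauthentication level:i:0\r\n"
```

The name check mirrors the "server name error on certificate" fault: a file that connects by a host name fails verification against a certificate issued to the IP address.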

IV. Common Faults:

Because SSL-encrypted Remote Desktop access differs from traditional Remote Desktop access, problems of one kind or another may occur in actual use. The author summarizes the most typical ones here.

1. The client cannot establish a connection with a remote computer:

If you use an earlier version of the Remote Desktop Connection program to access a server configured for SSL encryption mode, the message "cannot establish a connection with a remote computer" appears. The solution is to upgrade the Remote Desktop Connection program to the new version. (27)

Figure 27

2. The remote computer must be authenticated before connecting:

If the new Remote Desktop Connection program is installed but the "Security" tab has not been configured, the message "remote computer requires authentication before connecting" appears. Use the "Security" tab to set the authentication method to "Require Authentication" or "Try authentication". (28)

Figure 28

3. An error occurred while verifying the remote computer certificate:

If SSL encryption mode is configured on the server but the certificate installed on the client is incorrect, or the certificate name was filled in with some other name instead of the IP address, the message "An error occurred while verifying the remote computer's certificate: the server name on the certificate is incorrect" appears. The solution is to apply for the certificate again, entering the IP address of the server in the certificate name field, and to install that certificate on the client. (29)

Figure 29

Summary: Once the client connects to and controls the server in SSL encryption mode, all information transmitted over the network is encrypted. Hackers cannot capture usable data with tools such as Sniffer. In this way, Remote Desktop security is carried through to the end. An SSL encryption icon is also displayed in the remote session window. (30)

Figure 30
