Experiences in network management: Concepts and Security Management of Terminal Services

Source: Internet
Author: User
Tags: account security

Administrators and hackers are very familiar with Terminal Services, but ordinary readers may find the topic confusing, so here is a brief introduction to what a terminal service is.
Terminal Services is a new service first introduced in Windows NT. Clients connect to it using RDP (Remote Desktop Protocol). A Terminal Services client can access the server remotely through a graphical interface and can call applications, components, and services on the server, just as if operating the local system. This access method is convenient for many kinds of users, greatly improves work efficiency, and saves enterprises money. By default, Terminal Services uses port 3389. However, if it is not configured properly, it opens the door for hackers to intrude into the system, so it must be strictly controlled.

1. Terminal Service User Account Security

The biggest security risk of Terminal Services lies in the security of user accounts. If your server runs Terminal Services, you must manage the security of user passwords on the server. To avoid weak passwords on your terminal server, give the Administrator account a strong password. If a user password is still blank, or is something like 12345, it is only a matter of time before your server is hacked.

2. Modify the default port of the Terminal Service

To keep hackers from illegally intruding into a terminal server, we can improve its security by changing the default port of Terminal Services. The default port is 3389, and it can easily be changed through the registry. The configuration method is as follows:

In the Registry Editor, under [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp], find the PortNumber value and select the Decimal base (figure 1). The default port number is 3389; you can change it as needed, for example to port 1025.


Figure 1

After the modification, many users will ask how to connect to a terminal server whose port has been changed. The method is very simple: open the terminal client, enter the IP address of the terminal server, add a colon after the address, enter the modified port number, and connect (figure 2).


Figure 2

Modifying the default port of the Terminal Service can enhance the security of the terminal server to a certain extent. However, hackers can also use the default port of the terminal service to hide their intrusion traces.

3. View suspicious users on the Terminal Server

Many users of Terminal Services ask the same question: if a hacker connects to our terminal server, how can we see which users are currently logged on? The method is very simple. Select the "Run" command in the "Start" menu and enter "cmd" to open the command-line console, then enter query user (or its short form, quser) to view the list of users on the terminal server (Figure 3). Figure 3 shows which users are logged on. The "console" session is the local user of the terminal server, and the rest are remote connections. If a suspicious connection appears in this list, the administrator can disconnect it by its ID. This is what we often call "kicking": type logoff followed by the ID (for example, to disconnect ID 2, type logoff 2).
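As an added example (not part of the original article), the session check described above can be scripted in Python: the parser reads query user output, copes with the blank SESSIONNAME column of disconnected sessions, and marks remote users who are not on an allow-list. The sample output, the user names and the expected_users allow-list are constructed for illustration.

```python
import re

# Constructed sample of `query user` output (not captured from a real server).
SAMPLE_QUSER = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         console             0  Active          .  3/1/2004 9:12 AM
 backupsvc             rdp-tcp#1           1  Active         12  3/1/2004 10:40 AM
 guest                                     2  Disc         1:05  3/1/2004 11:02 AM
"""

# SESSIONNAME is blank for disconnected sessions, so it is optional here.
ROW = re.compile(
    r"^[ >](?P<user>\S+)\s+(?:(?P<session>\S+)\s+)?(?P<id>\d+)\s+"
    r"(?P<state>[A-Za-z]+)\s+(?P<idle>\S+)\s+(?P<logon>.+?)\s*$"
)

def parse_quser(text):
    """Return one dict per session row; the header line never matches ROW."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["id"] = int(row["id"])
        row["session"] = row["session"] or ""
        row["current"] = line.startswith(">")  # '>' marks the session running the command
        sessions.append(row)
    return sessions

def review_sessions(text, expected_users):
    """Split sessions into (console, remote) and mark unexpected remote users."""
    console, remote = [], []
    for s in parse_quser(text):
        if s["session"].lower() == "console":
            console.append(s)
        else:
            s["unexpected"] = s["user"].lower() not in expected_users
            remote.append(s)
    return console, remote

if __name__ == "__main__":
    _, remote = review_sessions(SAMPLE_QUSER, expected_users={"backupsvc"})
    for s in remote:
        flag = "REVIEW" if s["unexpected"] else "ok"
        print(f'{flag:6} id={s["id"]} user={s["user"]} state={s["state"]}')
```

The IDs flagged for review are the ones an administrator would pass to logoff.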

  

Figure 3

4. Hacker measures to respond to administrators

By using this method to view suspicious connections, most hackers cannot escape the sharp eyes of administrators. Do hackers then have no room left on the terminal server? Hackers soon came up with a clever method: after each connection to the terminal server, they create the following batch file on the terminal server:

The following is a reference clip:
:begin
query user | find "console"
if errorlevel 1 logoff 1 & logoff 2
goto begin


The meaning of this batch file is very simple: if the text "console" appears in the query user (that is, quser) output, the users with IDs 1 and 2 are cut off immediately. This clever idea lets hackers slip away under the administrator's eyes. As a result, some administrators think their servers are very secure when they have in fact already been taken over by hackers.

5. Enable Terminal Services in Command Line Mode

Some hackers, after obtaining a shell on the system by other means, find that the command-line interface is not convenient for managing the system intuitively. They can then enable Terminal Services on the system from the command line. The hacker only needs to upload the following batch file to the remote system and execute it; the remote system will install and enable Terminal Services without showing any window or calling any installer.

The following is a reference clip:
Echo [Components]> c: acke
Echo TSEnable = on> c: acke
Sysocmgr/I: c: winntinf/u: c: acke/q/r


However, after the operation is completed, the hacker can connect to the server only after the server has been restarted. A hacker in a hurry can remove the "r" parameter from the batch file, and the remote system will restart automatically after the batch file runs.

Terminal Services installed in this way is well concealed and hard to discover, but it is not without flaws. In Task Manager, the administrator can find the process Terminal. Since the administrator has not installed Terminal Services, this shows that a hacker has intruded into the system.
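As an added example (not part of the original article), the two batch files described in sections 4 and 5 leave recognizable content on disk, which a defender can look for in .bat and .cmd files. The Python scanner below raises a finding only when every pattern of a rule appears in one script; the rule names, the sample scripts and the placeholder paths are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed samples; every path is a placeholder, not a value from the article.
LOOP_SAMPLE = r"""
:begin
query user | find "console"
if errorlevel 1 logoff 1 & logoff 2
goto begin
"""
INSTALL_SAMPLE = r"""
echo [Components] > C:\placeholder\answers.txt
echo TSEnable = on >> C:\placeholder\answers.txt
sysocmgr /i:C:\placeholder\setup.inf /u:C:\placeholder\answers.txt /q /r
"""

# A finding is raised only when ALL patterns of a rule appear in one script.
RULES = {
    "session-hiding loop": [
        r"\b(query\s+user|quser)\b.*\|\s*find\b.*console",  # polls for a console logon
        r"\blogoff\s+\d+",                                     # drops sessions by ID
        r"^\s*goto\s+\w+",                                     # loops forever
    ],
    "unattended Terminal Services install": [
        r"\bTSEnable\s*=\s*on\b",                              # answer-file switch
        r"\bsysocmgr(\.exe)?\b.*/u:",                          # unattended answer file
        r"\bsysocmgr(\.exe)?\b.*/q\b",                         # quiet mode, no window
    ],
}

def scan_script(text):
    """Return the names of the rules whose patterns all match the script text."""
    flags = re.IGNORECASE | re.MULTILINE
    return sorted(name for name, pats in RULES.items()
                  if all(re.search(p, text, flags) for p in pats))

def scan_tree(root):
    """Scan .bat/.cmd files under root; return {path: findings} for files with hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".bat", ".cmd"}:
            hits = scan_script(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings

if __name__ == "__main__":
    print(scan_script(LOOP_SAMPLE), scan_script(INSTALL_SAMPLE))
```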

6. Terminal Service Features of Windows XP

The Terminal Services in Windows XP are very different from those in Windows 2000.

First, it is very easy to enable Terminal Services in Windows XP. Right-click "My Computer", select the "Remote" tab in the "System Properties" dialog box that opens, and check the Remote Desktop option; Terminal Services in Windows XP is then enabled. However, Windows XP users do not have to worry that their Terminal Services will be exploited by hackers. Windows XP is a client operating system and does not support multiple simultaneous users. If a hacker connects to your Windows XP system, the system notifies the current user that someone is connecting and asks whether the current user agrees to the connection. If you do not agree, the hacker cannot connect to the system's Terminal Services in any way. If you agree, the current Windows XP user is forcibly logged off. However, the current user only needs to move the mouse and the hacker will be "kicked off".

I believe that these ideas and methods will inspire and help readers. Do not hesitate: configure your terminal server to be safer now.

 
