Remote Terminal (3389) Management and Security Protection Technology

Source: Internet
Author: User
Tags: log, SQL injection
Remote Terminal Services is a major feature of the Microsoft Windows Server family. Because it is simple to set up, easy to maintain and easy to use, it is popular with a large number of administrators, and equally popular with attackers. Remote Terminal Services often runs on servers that host important applications, so misconfiguration or poor management of the service frequently leads to large economic losses.

I. Introduction to Remote Terminal Services technology

Windows Terminal Services (WTS) in Windows Server 2003 is also called Remote Terminal Services, or simply "3389" after its default port. Terminal Services was first offered with Windows NT; it cannot be installed on Windows 2000 Professional, but can be installed on Windows 2000 Server and later server editions. Its default service port is TCP 3389, and on Windows XP the same function is called "Remote Desktop".

Remote Terminal Services is an important service in Windows Server 2003. It is used mainly to manage the server or to run applications through a Remote Desktop connection, much like remote-control software. Because Remote Terminal Services is simple and easy to use, does not require an interactive logon at the console, and can run in the background, it is widely used across many industries and well liked by users.

Remote Terminal Services is used more and more widely in large systems because it is easy to enable on Windows 2000 Server and Windows Server 2003: it generally does not need to be reinstalled and can be turned on with just a few lines of DOS commands. And because terminal access is not restricted by IP address, anyone who holds a user account and its password can log on. Thus, while remote use of Windows Server Terminal Services opens a door for administrators, it also opens a hidden door in network security. Software that attacks Remote Terminal Services on Windows Server already exists, and a successful attack on a server running critical applications causes incalculable economic damage. Remote Terminal Services and the related security techniques are analysed below.

II. Techniques for enabling the remote terminal

1. Steps for enabling Remote Terminal Services

In Windows Server there are many ways to enable Remote Terminal Services; they can be summarised as the following steps:

(1) Check whether "Terminal Services" is enabled. This can be done through the Services console on the server, or with the "net start" command at a DOS prompt. If the status of "Terminal Services" in the Services console is "Started", the service is enabled; likewise, if "Terminal Services" appears in the output of "net start", Remote Terminal Services is running.

(2) Start the Windows Terminal Services service.

(3) Connect to the remote terminal with Remote Desktop Connection (RDP). If the RDP connection succeeds, Remote Terminal Services has been enabled successfully.

2. Common ways to enable Remote Terminal Services

(1) Using the Rots.vbs script

Rots.vbs is a VBS script written by a user with the online handle "zzzevazzz" of "Grey Trajectory". It is run with the Cscript.exe interpreter that ships with the system, and it can enable Terminal Services and change the Terminal Services port. Its usage format is:

Quote:
cscript.exe rots.vbs IP user userpass port /r
or
cscript.exe rots.vbs IP user userpass port /fr

(2) Using a batch (.bat) file

Create a .bat file in Notepad and enter the following lines:

Quote:
echo [Components] > c:\sql
echo TSEnable = on >> c:\sql
sysocmgr /i:c:\winnt\inf\sysoc.inf /u:c:\sql /q


The batch file is then run; after the computer restarts, Remote Terminal Services is enabled. This method cannot change the Terminal Services port.

(3) Importing a .reg file on the machine where Terminal Services is to be enabled

This method mainly modifies the Remote Terminal Services port and its related settings: a file with the .reg extension is generated and then imported on the computer where Terminal Services is to be enabled. The method is relatively covert; Terminal Services is not seen as started in the Services console or in the output of the "net start" command. The contents of the .reg file are as follows:

Quote:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache]
"Enabled"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ShutdownWithoutLogon"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"EnableAdminTSRemote"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"TSEnabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000002
[HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle]
"Hotkey"="1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
"PortNumber"=dword:00000d3d
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d

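As an added example (not code from the original article or from any of the tools it names), here is a small Python parser for the .reg format shown above. Given the text of a .reg file, it decodes the dword values and reports whether importing the file would enable Terminal Services and which RDP port it sets. This is the check an administrator wants when auditing a registry export found on a server or reviewing a file before it is imported: the dword 0x00000d3d is simply 3389 in hexadecimal, and a Start value of 2 for a service means automatic start. The sample .reg text and the audit function are constructed for the example; the key names match the ones on the page.

```python
import re

# Constructed sample in the shape of the .reg file shown above (not the article's
# own file): it enables Terminal Services, auto-starts TermService and keeps the
# RDP listener on port 0xd3d (3389).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"TSEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
"""

VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*$')


def parse_reg(text):
    """Parse .reg text into {KEY_PATH: {value_name: value}}.

    Key paths and value names are case-insensitive in the registry, so key paths
    are upper-cased and value names lower-cased. dword:XXXXXXXX values become
    ints; quoted strings lose their quotes; anything else is kept verbatim.
    """
    tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line.startswith("REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if value.lower().startswith("dword:"):
            value = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        tree[current][name] = value
    return tree


# Registry locations the article's .reg file touches (upper-cased to match parse_reg).
TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server".upper()
TERMSERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService".upper()
RDP_TCP_KEY = TS_KEY + r"\WINSTATIONS\RDP-TCP"
SERVICE_AUTO_START = 2  # service "Start" value meaning automatic start


def audit_reg(text):
    """Summarise what importing this .reg text would do to Remote Terminal Services."""
    tree = parse_reg(text)
    ts_enabled = tree.get(TS_KEY, {}).get("tsenabled") == 1
    auto_start = tree.get(TERMSERVICE_KEY, {}).get("start") == SERVICE_AUTO_START
    return {
        "ts_enabled": ts_enabled,
        "termservice_autostart": auto_start,
        "enables_remote_terminal": ts_enabled or auto_start,
        "rdp_port": tree.get(RDP_TCP_KEY, {}).get("portnumber"),  # None if the file leaves it alone
    }


if __name__ == "__main__":
    for name, value in audit_reg(SAMPLE_REG).items():
        print(f"{name}: {value}")
```

Running the module on the constructed sample reports an RDP port of 3389 and that the file enables the remote terminal; a file that changes PortNumber to a non-default value is the case the article describes, and the port it reports is the one a firewall rule or a connection log has to be checked against.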

(4) Using SQL injection tools to start the 3389 service

SQL injection tools such as Domain 3.5 and HDSI 2.0 include a function for enabling 3389 Terminal Services. The prerequisite for using such software is that the server running the web service has a SQL injection vulnerability and that the database account has high privileges; on SQL Server 2000 the database user must be sa.

(5) Using other software to enable 3389

Other popular software found on the Internet works on the same principle as the methods above; only the programming language used for the implementation differs.


III. Remote terminal attack techniques

The techniques used to attack the remote terminal are the same as conventional attack techniques. There is dedicated software for attacking Remote Terminal Services (Terminal Services Cracker), whose principle is to try passwords from an attack dictionary automatically; if a password accepted by the remote terminal server is in the dictionary, the attack in theory succeeds.

IV. Establishing Remote Terminal Services security and preventive countermeasures

In network security there is only relative, actively maintained security; there is no absolute security. This article mainly discusses the security of Remote Terminal Services in Windows; general security topics not specific to Remote Terminal Services are not repeated here. For a computer that provides Remote Terminal Services, the following security settings can be used as a reference and adjusted to the actual situation.

1. Apply system security patches promptly.

A computer running Remote Terminal Services is highly exposed to each newly published vulnerability, especially remote privilege-escalation vulnerabilities. In addition to patching all currently known vulnerabilities when the system is installed, it is recommended to enable the system's Automatic Updates feature. As soon as a patch for a new vulnerability is available, it must be applied immediately, followed by a thorough security check of the system to confirm that it is secure.

2. Strict checking of the security log and the Remote Terminal Services logon log

The system should keep a log of 3389 logons, and the system security log and the remote terminal logon log should be checked regularly.
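The dictionary attack described in Section III leaves a characteristic trace in the security log that this item asks administrators to check: a burst of failed logons from one source address, often cycling through account names, sometimes followed by a successful logon from the same address. As an added example (not code from the original article), the following Python detector runs that check over logon records. It assumes the records have already been exported from the Security log into tuples of (timestamp, event ID, logon type, source IP, account); the sample records are constructed for the example. Event IDs 4625/4624 (failed/successful logon) apply to Windows Vista/2008 and later, and 529/528 are the equivalents on the Windows 2000/2003 generation the article discusses; logon type 10 (RemoteInteractive) is the Terminal Services / Remote Desktop logon.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of a Security log export (made up for
# the example): (timestamp, event_id, logon_type, source_ip, account).
SAMPLE_EVENTS = [
    # twelve failures in under a minute from one address, cycling through accounts
    (f"2024-05-01 02:00:{5 * i:02d}", 4625, 10, "203.0.113.7", account)
    for i, account in enumerate(["administrator"] * 8 + ["admin", "root", "backup", "sa"])
] + [
    ("2024-05-01 02:03:10", 4624, 10, "203.0.113.7", "administrator"),  # success after the burst
    ("2024-05-01 09:15:00", 4625, 10, "192.0.2.25", "jsmith"),          # one mistyped password
    ("2024-05-01 09:15:20", 4624, 10, "192.0.2.25", "jsmith"),
    ("2024-05-01 09:16:00", 4625, 3, "192.0.2.40", "svc_backup"),       # network logon, not RDP
]

FAILED_LOGON = {4625, 529}      # Vista+/2008+ and Windows 2000/2003 event IDs
SUCCESSFUL_LOGON = {4624, 528}
REMOTE_INTERACTIVE = 10         # logon type for Terminal Services / Remote Desktop


def detect_rdp_bruteforce(events, threshold=10, window_seconds=300):
    """Flag sources with `threshold` or more failed RemoteInteractive logons
    inside any interval of `window_seconds`.

    Returns {source_ip: {"failures": total, "accounts": [...],
    "success_after_burst": bool}}. The last field marks a dictionary attack that
    was followed by a successful logon from the same address, which should be
    treated as a likely compromise rather than mere noise.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)   # ip -> [(time, account)]
    successes = defaultdict(list)  # ip -> [time]
    for stamp, event_id, logon_type, ip, account in events:
        if logon_type != REMOTE_INTERACTIVE:
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if event_id in FAILED_LOGON:
            failures[ip].append((when, account))
        elif event_id in SUCCESSFUL_LOGON:
            successes[ip].append(when)

    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        burst_end = None
        lo = 0
        for hi, t in enumerate(times):      # sliding window over sorted failure times
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                burst_end = t               # moment the threshold was crossed
                break
        if burst_end is None:
            continue
        alerts[ip] = {
            "failures": len(times),
            "accounts": sorted({a for _, a in attempts}),
            "success_after_burst": any(s >= burst_end for s in successes[ip]),
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

The threshold and window are the tuning knobs: a single mistyped password from a known workstation (192.0.2.25 in the sample) stays below the threshold, while the burst from 203.0.113.7 is reported together with the fact that it ended in a successful logon, which is the record to investigate first.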

3. Security rules for application sharing via Remote Terminal Services

(1) One application corresponds to one remote terminal server.

(2) Do not allow remote control; allow only the application to run, preferably a single application.

(3) When several servers provide application sharing through remote terminal servers, all the remote terminal servers can be placed in one OU so that security policies can be applied to them together.

4. Use the third-party remote terminal security management software 2X SecureRDP

2X SecureRDP is a free security management tool for remote terminal connections developed by the European company 2X. It can effectively protect remote users by filtering RDP connections on criteria such as source IP address, client name, date and time, or other conditions chosen by the enterprise. Only users who pass the filter are allowed to log on, which protects the computer running Terminal Services.

5. Automatic recording of remote terminal logons

Because the computer running Remote Terminal Services cannot restrict logons by IP address, logon records need to be kept from a management perspective. This is done by creating a file named Tslog.bat that records the IP address of the user who logs on [3]. The script reads as follows:

Quote:
time /t >> tslog.log
netstat -n -p TCP | find ":3389" >> tslog.log
start explorer


In the Terminal Services Configuration tool, override the user's logon script setting and specify Tslog.bat as the script to run at logon, so that every user executes the script after logging on.
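The log that Tslog.bat produces is only useful if someone reads it, and by hand that is tedious: every logon appends a time stamp plus every connection to port 3389 that is open at that moment, so the same peer appears in several snapshots. As an added example (not code from the original article), the following Python script parses that file format and reports the peer addresses that connected to 3389 from outside a set of expected networks. It assumes tslog.log was written by the script above on an English-locale system, so the time stamps look like "10:42 AM" (or "22:42") and the netstat lines have the usual "TCP  local:port  remote:port  STATE" layout; the sample log content, the terminal server address 10.0.0.5 and the allowed network list are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of what Tslog.bat appends to tslog.log (made up for the
# example): a "time /t" stamp followed by the netstat lines containing ":3389".
# 10.0.0.5 is the terminal server. Because every logon runs the script, each
# snapshot lists all RDP connections open at that moment, not just the new one.
SAMPLE_TSLOG = """10:42 AM
  TCP    10.0.0.5:3389          203.0.113.9:51234      ESTABLISHED
11:05 AM
  TCP    10.0.0.5:3389          10.0.0.77:49160        ESTABLISHED
  TCP    10.0.0.5:3389          198.51.100.4:40001     ESTABLISHED
  TCP    10.0.0.5:3389          203.0.113.9:51234      TIME_WAIT
"""

# "time /t" prints e.g. "10:42 AM" or "22:42" depending on the locale settings.
TIME_RE = re.compile(r"^\d{1,2}:\d{2}(?:\s*[AP]M)?$")
# netstat -n line: protocol, local address:port, remote address:port, state
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):3389\s+(\S+):(\d+)\s+(\w+)")


def parse_tslog(text):
    """Return [(time_stamp, remote_ip, state)] for every RDP connection line,
    attributed to the most recent time stamp above it."""
    entries = []
    stamp = None
    for line in text.splitlines():
        if TIME_RE.match(line.strip()):
            stamp = line.strip()
            continue
        m = NETSTAT_RE.match(line)
        if m and stamp is not None:
            remote_ip = m.group(2).strip("[]")   # IPv6 peers appear as [addr]:port
            entries.append((stamp, remote_ip, m.group(4)))
    return entries


def unexpected_sources(entries, allowed_networks):
    """Map each ESTABLISHED peer address outside `allowed_networks` (CIDR strings)
    to the time stamps at which it was seen."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    flagged = {}
    for stamp, ip, state in entries:
        if state != "ESTABLISHED":
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            flagged.setdefault(ip, []).append(stamp)
    return flagged


if __name__ == "__main__":
    seen = parse_tslog(SAMPLE_TSLOG)
    for ip, stamps in unexpected_sources(seen, ["10.0.0.0/8"]).items():
        print(f"{ip} connected to 3389 from outside the allowed ranges at {', '.join(stamps)}")
```

Only ESTABLISHED entries count, so a connection lingering in TIME_WAIT after it closed is not reported a second time. The allowed-network list is the management network from which RDP logons are expected; any address outside it is exactly the logon the article's logging requirement is meant to surface.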

6. Recommended remote Terminal Server settings

7. Use the Application Security tool to restrict application access [6]

Install the computer management tools from the Windows Server Resource Kit and then run the Application Security (AppSec) tool to strictly restrict which applications may be run.

V. Concluding remarks

This paper has analysed and discussed the security problems of computers that provide Remote Terminal Services, examined the techniques for enabling Remote Terminal Services and for attacking remote terminal servers, and finally proposed a security solution for Remote Terminal Services together with some recommended reference settings. It should be of reference value to computer users who provide Remote Terminal Services.
