Get a glimpse inside Roberta Bragg's new book "Hardening Windows systems" with this series of book excerpts. This...
excerpt from Chapter 1, "An immediate call to action," explains how to keep your server safe while administering it remotely. Click for the complete book excerpt series or purchase the book.
Lock down remote administration
If you have only a few computers to manage, you can insist on management from the local console. However, most organizations have more than a few computers to manage. You must have the ability to remotely administer systems. On the other hand, just because you need to remotely access a server to administer it, that doesn't mean you should leave that type of access open to anyone. Lock down remote administration.
1. Where possible, use IPSec or other protected communications. You can also use IPSec to block access to ports used by your administrative programs, and then allow appropriate administrator workstation access to the server. For example, block access to port 3389, which is used by terminal services, and then permit access to that port, but only from a limited number of computers. IPSec policies can be implemented for Windows 2000, Windows Server 2003, and Windows XP.
2. In many cases, only a few accounts need any access at all to a specific computer over the network. Lock the rest out. In Windows Server 2003 and Windows 2000 domains, use the user right to Access This Computer from the Network and the Allow and Deny Logon user rights to restrict logon.
3. Control access to the Remote Desktop for Administration (terminal services) using user rights. Control logon through Terminal Services using the Allow Log On Through Terminal Services user right as shown next. (In this illustration, the Server Operators group is selected. An alternative would be to create a custom group.)
4. Control remote access by disabling solicited Remote Assistance on servers and managing it for desktops. Remote Assistance for Windows XP and Windows Server 2003 is a tool that allows users to solicit Remote Assistance via e-mail, IM, and a file. An ordinary user can permit another user to remotely control her machine. This can be a boon to Help Desk assistance programs if properly managed. It can be a disaster if not controlled. Appropriate management includes restricting its use to authorized personnel, limiting the length of time the invitation remains open, and training all employees in the proper use of the service. To manage Remote Assistance, use the Computer Configuration, Administrative Templates, System, Remote Assistance, Solicited Remote Assistance Properties option as shown next. In the example, Remote Assistance has been disabled.
5. Control remote access by disabling the ability to offer Remote Assistance. This option does not require a user to solicit Remote Assistance; an offer to help can be made. (Assistance has to be approved by the user.) This option is located at the same place in Group Policy as solicited Remote Assistance.
6. Manage sensitive servers from the console. Just because the sheer number of computers to manage means you must do remote administration, that doesn't mean all servers must be managed that way. Require that computers with sensitive roles or data be administered from the console only, and enforce that by preventing administrative accounts from accessing the computer across the network.
Click for the next excerpt in this series: Lock down administrative workstations.
Click for book details or purchase the book.