8 stories
today

Secure Remote Administration using SSH and RDP

Security: Secure Remote Administration using SSH and RDP

In a world of would be cyber hackers, thieves and the threat of virus’, it is essential that we put up firewalls, lock down environments, and keep our passwords safe and secure. Any deviation from this act could mean that our very privacy and well being can, and most likely will be compromised.

Unfortunately, windows environments have been criticized for being insecure in the past. Although the analyzing of potential and current “holes”, and speedy patch disseminations have been getting quicker and practices of such have been getting better, the potential threats are still prevalent. It is up to the user/organization/environment to be one up on these miscreants of the net and put in place plans of action which will deter if not fully lock out would be threats.

This article will discuss using an encrypted tunnel mechanism to safely and securely administer your windows environments remotely, and by that same token, locally as well. The concept is much like using a Virtual Private Network, but configuration is very quick and easy to do as compared with setting up a VPN solution.

Environment

A – Windows Server to be Administered
B – Remote location – Client

Tools

OpenSSH for Win32

Remote Desktop Client for Windows 95, 98, ME, NT and Windows 2000 Users (Windows XP and 2003 have the client preinstalled.)

We will be using OpenSSH for Win32 to construct our encrypted tunnel. Install OpenSSH on your remote client first {B}. Only install the Client Portion of the product. On your server to be administered {A}, install the Server and Client portions of the product.

On the server to be administered {A}, open up a command prompt (start->run->cmd (hit enter)), then navigate to the OpenSSH program binary directory like so: cd \Program Files\OpenSSH\bin (hit enter).

Then it is time to add groups:

For Local Groups (no domain; workgroup environments):
mkgroup -l >> ..\etc\group (hit enter)

For Domain Groups (domain environments):
mkgroup -d >> ..\etc\group (hit enter)

After that, it is time to add a user that is allowed to log in. It is recommended that you only add an administrator:

For Local Users:
mkpasswd -l -u USERNAME >> ..\etc\passwd (replace USERNAME with a username and hit enter)

For Domain Users:
mkpasswd -d -u USERNAME >> ..\etc\passwd (replace USERNAME with a username and hit enter)

The documentation states that it is best if the above commands are run twice instead of once. I had no problem running it once. If you run in to problems, you can run it twice.

“NOTE: To add users from a domain that is not the primary domain of the machine, add the domain name after the user name.

NOTE: Ommitting the username switch adds ALL users from the machine or domain, including service accounts and the Guest account”.
{From the OpenSSH Quickstart Documentation}

Note: A user with minimal rights will not have access to be able to write to C:\ or print to shared printers. Read this KB article from MS at resortdata.com

Note: Make sure the username you add in to SSH has authority to control the server via RDP. To add this user: Start->Settings->Control Panel->System->Remote

Now type: net start opensshd (hit enter)

On your Firewall and or Router, open up port 22 (Standard SSH Port), and 115 (Optional (Standard Secure FTP Port)).

Now on your remote host (client) {B}:

At this point we will want to establish a tunnel with the server to be administered. After establishing the tunnel, we will forward an RDP/Terminal Services connection through the tunnel and on to the server to be administered. To do this, we will have our RDP client connect to our local machine, and SSH will take care of forwarding the connection through the tunnel and out on to the other side.

The RDP client will not allow connections made to “localhost”, so this is what we will have to do. Create a folder anywhere you like. We will use C:\RDP. Then, navigate to your System32 folder contained within your Windows folder. Copy mstscax.dll and mstsc.exe to C:\RDP. Then right click mstsc.exe->Properties->Compatibility->tick Run this Program in Compatibility Mode->toggle to Windows 98/Windows ME->Apply->Ok.
{Thanks to The Tao of Mac for this piece of information}.

Launch a command prompt (start->run->cmd (hit enter)).

We will use a local port of 5000, a username of administrator for authentication and a DNS name/ address of mysitetoadmin.com in the following example.

If you are on Windows 95, 98 and or ME and haven’t rebooted after installing OpenSSH, you will have to navigate to the binary directory first.

There was a typographical error in the line below. It should have been “5000:localhost:3389” instead of “5000:mysitetoadmin.com:3389”. The string below has been corrected (1/15/04).

ssh –c blowfish -N -L 5000:localhost:3389 [email][email protected][/email]

The first time you authenticate, you will get prompted with:

“The authenticity of host ‘XXXX…’ can’t be established.
RSA key fingerprint is XX:XX ….
Are you sure you want to continue connecting (yes/no)?”

Enter in yes, hit enter, then enter in the user’s password, then hit enter.

What that above command will do is launch SSH, keep itself alive (and forwarding) until you kill it, use a Cypher encapsulation of Blowfish (it is faster then the default 3DES but some argue that it may not be 100% as secure as DES) forward connections from local port 5000 out through the tunnel and to port 3389 (default Terminal Services port) on the other side, on your machine to be administered via RDP/Terminal Services.

After you type in your password and hit enter, if you authenticated successfully, the window will look like it is hung. Leave this window open and or minimize it.

Launch mstsc.exe from C:\RDP and type in localhost:5000->ok. If everything was successful, you will be brought to a windows login screen on your server.

When you are done with your RDP connection, you can Ctrl-C in the command window to kill SSH.

That’s all there is to it. You are now able to remotely administer your windows environment using an encrypted/secure tunnelling method.

Dyndns.org is not accepting any new free account applications. Please go to no-ip.com to sign up for a free Static Name for your Dynamic IP (1/15/04).

Note: If you do not have static IP, then you can go to DynDNS.org and sign up for a free Static Name for your Dynamic IP.

I would like to point out here that there is a way to make it so you don’t have to type in a password when you authenticate with SSH. This is with the exchanging of keys (public/private). But, due to a bug in the Win32 package, getting it to work is, shall I say, iffy. I will be sure to update this article when a new package is available and that bug has been resolved.

Author: Pershoot