Let’s imagine a remote control scenario: a company installs an IIS web server in a hosting centre 300 miles away. The centre offers a broadband network, air conditioning and power control equipment; it is stable and reasonably priced, but it requires customers to manage their servers entirely by remote control. That control must be available at any time, without anyone having to travel to the console to operate the server. Remote control usually raises several problems. The most obvious is that the traffic between the client machine and the host travels over the Internet, so the exchanged data can be sniffed by attackers; another is that the remote control mechanism itself (for example, the port it opens) can become the target of network attacks. The ultimate goal of remote control is to ensure that you (and only you) can control the server, without opening the door to other network attacks.
The security principles of a remote control scheme are as follows:
Ensure the security of remote control authority
Remote control must prevent unauthorized access. This means that the remote management software should accept connections only from a small range of IP addresses, and must require a user name and password. Introducing smart-card-based client authentication strengthens it further. Some simple, off-the-shelf measures also help, such as serving on a non-standard port or configuring the service not to display its banner; note that these only reduce exposure to casual scanning and never replace authentication.
Ensure the integrity of remote exchange data
To prevent data from being lost or altered in transit, we must ensure the integrity and freshness of the data exchanged between the remote control server and client: what is received must be exactly what was sent, and an old message must not be accepted a second time (a replay).
Ensure confidentiality of sensitive data transmission
For remote control, the most important thing is to keep sensitive data confidential while it crosses the Internet, so that the data cannot be read by an attacker sniffing the link. This requires a robust, practical encryption algorithm for session encryption. The benefit is that even if an attacker sniffs the traffic, the captured data is useless to them.
Ensure that the incident can be audited safely
Good security auditing greatly improves the overall security of remote control and nips potential security risks and intrusions in the bud. The main purpose of the audit log is to let administrators know who accessed the system, which services were used, and so on. This requires the server to keep sufficient, tamper-resistant log records, so that the traces left by black-hat attempts to break in through the remote control channel can be reviewed.
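The second principle above is easy to state and easy to get wrong in practice, so here is an added example (not code from the original article, and not the implementation of Zebedee, SSH or any other tool mentioned later) showing the two checks it requires, using only the Python standard library: an HMAC-SHA256 tag over each frame proves the payload was not altered on the wire, and a strictly increasing sequence number lets the receiver reject a captured frame that is sent again. The shared key, the frame layout and the sample commands are assumptions made for the example; the payload is deliberately not encrypted, since confidentiality is the job of the tunnel discussed in the methods below.

```python
"""Integrity and replay protection for a remote control channel (added example)."""
import hashlib
import hmac
import struct

TAG_LEN = 32                 # HMAC-SHA256 output size in bytes
HEADER = struct.Struct(">Q")  # 8-byte big-endian sequence number


class Sender:
    """Frames payloads as: seq || payload || HMAC(key, seq || payload)."""

    def __init__(self, key: bytes):
        self._key = key
        self._seq = 0

    def frame(self, payload: bytes) -> bytes:
        self._seq += 1
        body = HEADER.pack(self._seq) + payload
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return body + tag


class Receiver:
    """Verifies the tag first, then the sequence number; records every verdict."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = 0
        self.audit = []  # (seq, verdict) records: raw material for an audit log

    def accept(self, frame: bytes):
        """Return the payload, or None if the frame is truncated, tampered or replayed."""
        if len(frame) < HEADER.size + TAG_LEN:
            self.audit.append((None, "truncated"))
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time comparison: a plain == would leak timing information about the tag.
        if not hmac.compare_digest(tag, expected):
            self.audit.append((None, "bad-mac"))
            return None
        # Only now is the sequence number trusted: it is covered by the verified tag.
        (seq,) = HEADER.unpack_from(body)
        if seq <= self._last_seq:
            self.audit.append((seq, "replay"))
            return None
        self._last_seq = seq
        self.audit.append((seq, "ok"))
        return body[HEADER.size:]


def demo():
    """Honest, tampered and replayed frames; returns the receiver's audit trail."""
    key = b"shared-secret-agreed-out-of-band"  # assumption: pre-shared for the example
    tx, rx = Sender(key), Receiver(key)

    f1 = tx.frame(b"net user admin")  # constructed remote control commands
    f2 = tx.frame(b"shutdown /r")
    assert rx.accept(f1) == b"net user admin"

    # An on-path attacker flips one bit in the payload of f2: the tag no longer matches.
    tampered = bytearray(f2)
    tampered[HEADER.size] ^= 0x01
    assert rx.accept(bytes(tampered)) is None

    # The unmodified f2 is still accepted once...
    assert rx.accept(f2) == b"shutdown /r"
    # ...but capturing it and sending it again is refused.
    assert rx.accept(f2) is None
    return rx.audit


if __name__ == "__main__":
    for seq, verdict in demo():
        print(seq, verdict)
```

The order of the checks matters: the sequence number is read only after the tag has been verified, because an attacker can otherwise forge a huge sequence number and lock out all genuine frames that follow.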
2. Three security solutions for Windows 2000 remote control
Although there are many ways to remotely control Windows 2000, not all software satisfies the security principles above. We can build the remote control solution we need by combining different pieces of software.
The following examples achieve safe and reliable remote control by using Windows 2000’s own services, alone or combined with third-party software.
Method 1: Windows 2000 Terminal Services combined with Zebedee software
Terminal Services is a technology provided in Windows 2000 that lets users execute Windows-based applications on a remote Windows 2000 server. It is probably the most widely used method of remotely managing a Windows 2000 server, thanks to its convenience and the other benefits of a built-in service, such as using the Windows 2000 server’s own authentication system. But the Terminal Services program itself has some shortcomings: it cannot restrict which client IP addresses may connect; it offers no documented way to change its default listening port; and it has no real log auditing, that is, no tool that records connections. Measured against the security principles stated at the beginning of this article, using Terminal Services alone is not very safe. By combining it with Zebedee, however, we can meet the remote management security requirements above.
Zebedee works as follows: the Zebedee client listens on a local port on behalf of the specified application and encrypts and compresses the TCP or UDP data to be transmitted; a communication tunnel is established between the Zebedee client and the Zebedee server; the compressed and encrypted data travels over this channel; and multiple TCP or UDP connections can be multiplexed over the same TCP connection. (Zebedee uses Diffie-Hellman key agreement with Blowfish encryption, and zlib or bzip2 compression.)
Generally, Zebedee is used in the following two steps:
Step 1: start Zebedee in server mode on the server, writing its log to a file
Use the following command:
C:\> zebedee -s -o server.log
Step 2: on the client, make Zebedee listen on port 3389 and redirect it through the tunnel to port 3389 on the server
Use the following command:
C:\> zebedee 3389 serverhost:3389
Zebedee is now running, and its combination with Terminal Services is shown in Figure 1. As Figure 1 shows, the Terminal Services client is pointed at the local machine (target TCP port 3389), where the local Zebedee client is listening and intercepts the packets; Zebedee encrypts and compresses the data and sends it to the Zebedee server (by default the Zebedee service listens on TCP port 11965); the Zebedee server decompresses and decrypts what it receives and delivers it to the Terminal Services port on the server (TCP 3389). Terminal Services on the server appears to be talking to a local Terminal Services client, but in fact every packet has passed through an encrypted tunnel. Two caveats: local port 3389 must be free on the client (a client that is itself a Terminal Services server must choose another local port), and the server’s port 3389 must be blocked from the Internet by a firewall or IP filter, otherwise an attacker can simply bypass the tunnel and connect to Terminal Services directly; only the Zebedee port needs to be reachable. In addition, Zebedee can provide identity authentication, encryption, IP address filtering and logging through its configuration file. A well-configured Zebedee combined with Windows 2000 Terminal Services can form a very secure remote management system.
Since Terminal Services itself does not provide file transfer, another method is needed. An FTP server could be used, but FTP is generally considered insecure; its security can be improved by carrying the FTP traffic through the same Zebedee encrypted tunnel as the Terminal Services traffic. This is cumbersome, but the Zebedee help file has detailed instructions. Two third-party solutions are recommended here: tsdropcopy from AnalogX (http://www.analogx.com/con-te…) and wts-ftp (http://www.ibexsoftware.com/about.asp).
In general, Windows 2000 Terminal Services is the most convenient and fastest method, but on its own it is weak in security. By combining Zebedee with Terminal Services we can say that we have a convenient, fast and secure solution.
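The first and fourth principles (a small set of permitted source addresses, and a log that is actually reviewed) come together in the tunnel server’s log. The following is an added example, not code from the original article and not Zebedee’s own log format: the log lines are constructed for the example, with the fields a tunnel server such as Zebedee or sshd records (time, outcome, source address and port, target port), the allow-list is assumed to be the administrator’s office network, and the failure threshold is an arbitrary choice. It reports accepted sessions from addresses outside the allow-list, bursts of authentication failures, a success following failures from the same address, and log lines the parser could not understand, which an auditor should never drop silently.

```python
"""Audit a tunnel server's connection log against an IP allow-list (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed line format: "<date> <time> <outcome> <src-ip>:<src-port> -> <target-port>"
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<outcome>accept|auth-fail|reject) "
    r"(?P<ip>[0-9.]+):(?P<port>\d+) -> (?P<target>\d+)$"
)

# Constructed sample log; the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2003-05-12 09:15:02 accept 203.0.113.7:51022 -> 3389
2003-05-12 09:15:40 auth-fail 198.51.100.23:4040 -> 3389
2003-05-12 09:15:41 auth-fail 198.51.100.23:4041 -> 3389
2003-05-12 09:15:42 auth-fail 198.51.100.23:4042 -> 3389
2003-05-12 09:15:43 accept 198.51.100.23:4043 -> 3389
2003-05-12 11:02:10 reject 192.0.2.9:33001 -> 21
garbage line that should be reported, not silently dropped
2003-05-12 18:30:00 accept 203.0.113.8:51100 -> 21
"""

ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumption: the admin's office
FAIL_THRESHOLD = 3                                        # assumption: arbitrary burst size


def is_allowed(ip, nets=ALLOWED_NETS):
    """True if the source address falls inside one of the permitted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse(log_text):
    """Split the log into parsed events and (line number, text) pairs that did not parse."""
    events, unparsed = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE.match(line)
        if m is None:
            unparsed.append((n, line))
            continue
        e = m.groupdict()
        e["port"], e["target"] = int(e["port"]), int(e["target"])
        events.append(e)
    return events, unparsed


def audit(log_text, nets=ALLOWED_NETS, fail_threshold=FAIL_THRESHOLD):
    """Return who connected to what, plus findings an administrator should look at."""
    events, unparsed = parse(log_text)
    findings, fails = [], Counter()
    for e in events:
        if e["outcome"] == "auth-fail":
            fails[e["ip"]] += 1
        elif e["outcome"] == "accept":
            if not is_allowed(e["ip"], nets):
                findings.append(("accept-from-unlisted-ip", e["ts"], e["ip"], e["target"]))
            if fails[e["ip"]]:
                # Failures followed by a success from one address: a guessed credential?
                findings.append(("accept-after-failures", e["ts"], e["ip"], fails[e["ip"]]))
    for ip, n in fails.items():
        if n >= fail_threshold:
            findings.append(("repeated-auth-failures", ip, n))
    for n, line in unparsed:
        findings.append(("unparsed-line", n, line))
    accepted = sorted({(e["ip"], e["target"]) for e in events if e["outcome"] == "accept"})
    return {"accepted": accepted, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for ip, target in report["accepted"]:
        print("session:", ip, "->", target)
    for f in report["findings"]:
        print("finding:", *f)
```

A "reject" line is not a finding by itself: it shows the IP filter doing its job. The interesting cases are the ones the filter let through, which is why the allow-list check is applied only to accepted sessions.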
Method 2: VNC over SSH
VNC is remote management software similar to Terminal Services, differing from it in the following respects:
*VNC shares the session of the currently logged-in user: you operate the same desktop, at the same time, as that user.
*VNC clients exist for many platforms, including Windows CE and Java.
*VNC can restrict access by IP address;
*There is no encryption of the traffic between VNC client and server.
These differences show the benefits of VNC, but using VNC alone still carries security risks. The biggest problem is that VNC’s data transmission is not encrypted. We can use SSH encryption to make up for this defect, for example OpenSSH (http://www.networkimplication…). OpenSSH is in principle similar to Zebedee, but it is far more widely used for encrypting SMTP, HTTP, FTP, POP3 and telnet traffic. Like Zebedee, it works by tunnelling port communication, but SSH has become a widely recognised and widely deployed encryption protocol.
Conceptually, OpenSSH forwards packets much as Zebedee does. We configure the server’s listening port (OpenSSH’s default is port 22) and then connect to that port with an SSH client. An SSH client is essentially an encrypted telnet-style remote command prompt, but the same SSH connection can also carry other protocols’ connections. Implementing VNC over SSH again takes two steps:
Step 1: C:\> ssh -L 5901:serverhost:5900 serverhost
This creates an SSH port forward: the SSH client listens on local port 5901, and whatever arrives there is carried inside the SSH session to the server, which relays it to port 5900 (VNC display :0) on serverhost. For the unencrypted leg to stay inside the server, configure the VNC server to listen on the loopback address only (and forward to localhost:5900 instead of serverhost:5900), and block port 5900 from the Internet; otherwise an attacker can connect to VNC directly and bypass SSH altogether.
Step 2: C:\> vncviewer localhost:1
VNC display :1 on the local machine means port 5901, that is, the forwarded port.
Figure 2 shows a VNC session actually carried over the SSH encrypted channel (in general, such a tunnel runs between the VNC server and the VNC client).
If you use clients on several platforms, VNC over SSH is a good choice, because both VNC and SSH support most common operating systems.
Method 3: VPN technology applied in Windows 2000 remote control
We can also use Windows 2000 Server’s own built-in management tools to manage a remote server; for example, the client can map the server’s drives. Other network services can of course also be used for remote control. Windows 2000 remote management of this kind opens TCP port 445 (SMB over TCP) on the server being managed, a port that should never be exposed directly to the Internet, and exchanges all of its data through that port.