Let’s imagine a scenario. A company needs to set up an IIS web server that is located 300 miles away. The server sits in a hosting center that provides broadband connectivity, air conditioning and power control. This hosting center is stable and reasonably priced, but it requires customers to manage their servers remotely. That control must be available at any time, so that nobody has to travel to the console whenever the server needs attention. Remote control usually brings several problems. The most obvious is that communication between the client machine and the host travels over the Internet, so the exchanged data may be sniffed by hackers; another is that vulnerabilities in the remote control software itself (such as its open ports) can also lead to network attacks. The ultimate goal of choosing a remote control solution is to ensure that you (and only you) can control the server through the gateway without opening the door to other network attacks.
The security principles of the remote control scheme are as follows:
Ensuring the security of remote control rights
Remote control must be able to prevent unauthorized access. This means the remote management software accepts connections only from a small range of IP addresses and requires user name and password control. Adding smart-card client verification strengthens remote control security further. It can also be reinforced with simple, readily available techniques, such as serving on non-standard ports or security configurations that do not display the service banner.
Ensuring the integrity of remote data exchange
To prevent data loss during remote control, we must ensure the integrity and timeliness of the data transmitted between the remote control server and client (that is, the data sent is delivered reliably and cannot be replayed).
Ensuring the confidentiality of sensitive data transmission
For remote control, the most important thing is to ensure the confidentiality of sensitive data transmitted over the Internet, so that data messages in transit cannot be read by hackers who sniff the traffic. This requires robust, practical encryption algorithms for session encryption. The advantage of such encryption is that even if an attacker sniffs the traffic, the captured data is useless to them.
Ensuring that security incidents can be audited
Good security auditing greatly improves the overall security of remote control and nips potential security hazards and technical crimes in the bud. The main function of audit logs is to let administrators know who has accessed the system, which services were used, and so on. This requires the server to keep sufficient and well-protected log records of the traces left by hackers who attempt to intrude through the remote control channel.
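As an added illustration of the first and fourth principles above (accepting connections only from a small range of addresses, and keeping a log that tells the administrator who got in and who kept trying), here is a small Python example. It is not code from the article; the allow-list ranges, user names and log line format are constructed for it, and the decision order (address check before password check) is the example's own choice so that even attempts that never reach authentication leave a trace.

```python
"""Added example (not from the article): allow-list check for a remote
management listener, plus an audit record of every decision.
Assumptions: the allow-list is a list of CIDR strings and the log line
format below is constructed for this example."""
import ipaddress
from datetime import datetime, timezone

# Constructed allow-list: the administrator's office range and one fixed
# home address are the only sources that may open a management session.
ALLOWED_NETWORKS = ["203.0.113.0/28", "198.51.100.7/32"]


def is_allowed(client_ip, allowed=ALLOWED_NETWORKS):
    """True only if client_ip falls inside one of the allowed CIDR ranges.
    Anything unparsable is denied: the check fails closed."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowed)


def audit_line(client_ip, user, outcome, now=None):
    """Render one audit record: when, from where, as whom, and the result."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} src={client_ip} user={user} result={outcome}"


def handle_connection(client_ip, user, password_ok, audit, allowed=ALLOWED_NETWORKS):
    """Decide whether a management session may start and record the decision.
    The address filter runs first, so the log also records sources that are
    refused before any password is ever examined."""
    if not is_allowed(client_ip, allowed):
        audit.append(audit_line(client_ip, user, "denied-ip"))
        return False
    if not password_ok:
        audit.append(audit_line(client_ip, user, "denied-auth"))
        return False
    audit.append(audit_line(client_ip, user, "accepted"))
    return True


def summarize(audit):
    """Count outcomes per source address: the question an administrator asks
    of the log (who got in, and who kept knocking)."""
    counts = {}
    for line in audit:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        key = (fields["src"], fields["result"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    log = []
    handle_connection("203.0.113.5", "admin", True, log)   # inside the office range
    handle_connection("192.0.2.44", "admin", True, log)    # correct password, wrong source
    handle_connection("198.51.100.7", "admin", False, log) # right source, wrong password
    print("\n".join(log))
    print(summarize(log))
```

The second call in the usage block is the case the page's first principle is about: a valid password from an address outside the allowed range is still refused, and the refusal is visible in the log.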
2. Three Security Solutions for Windows 2000 Remote Control
Although there are many ways to control Windows 2000 remotely, not all software conforms to the security principles of the remote control scheme described above. We can build the remote control solution we need by combining different software.
The examples below achieve secure and reliable remote control using Windows 2000’s own services, alone or in combination with third-party software.
Method 1. Use of Windows 2000 Terminal Services and Zebedee Software
Terminal Services is a technology provided in Windows 2000 that allows users to run Windows-based applications on a remote Windows 2000 server. Terminal Services is probably the most widely used method of remotely managing Windows 2000 servers, owing to its convenience and the other benefits of a built-in service, such as using the Windows 2000 server’s own authentication system. However, the Terminal Services program itself has some drawbacks: it has no mechanism to restrict which client IP addresses may connect; it offers no documented way to change the default listening port; and it has no logging tool for auditing. Measured against the security principles set out at the beginning of this paper, using Terminal Services alone is not very safe. But we can meet the remote management security requirements above by combining it with the Zebedee software.
Zebedee works as follows: Zebedee listens on behalf of a designated local application and encrypts and compresses the TCP or UDP data to be transmitted; a communication tunnel is built between the Zebedee client and the Zebedee server; the compressed and encrypted data travels over this tunnel; and multiple TCP or UDP connections can be carried over the same TCP connection.
Zebedee is usually used in two steps:
Step 1: Run Zebedee in server mode on the server, writing its log to server.log. The following command is used:
C:\>zebedee -s -o server.log
Step 2: Configure listening port 3389 on the client and redirect it to the Zebedee listening port on your server. The following command is used:
C:\>zebedee 3389:serverhost:3389
Zebedee is now running, and its combination with Terminal Services is shown in Figure 1. As Figure 1 shows, when the Terminal Services client is opened (target TCP port 3389), the local Zebedee client intercepts the packets; Zebedee encrypts and compresses the data and sends it to the Zebedee server (the default port of the Zebedee service is 11965); the Zebedee server decompresses and decrypts the data and delivers it to the service on the server (service port: TCP 3389). The terminal service on the server appears to be connected to a local Terminal Services client, but in fact all the packets have passed through an encrypted tunnel. In addition, Zebedee can implement identity authentication, encryption, IP address filtering and logging through its configuration files. A well-configured Zebedee combined with Windows 2000 Terminal Services builds a very secure remote management system.
Since Terminal Services generally does not provide file transfer, other approaches must be considered. We can use an FTP server; however, FTP servers are generally considered unsafe. Their security can also be enhanced by sending the data through Zebedee’s encrypted tunnel alongside the Terminal Services session. This is cumbersome, but the Zebedee help file describes it in detail. Two third-party solutions are recommended here: TSDropCopy from AnalogX (http://www.analogx.com/con-te…) and WTS-FTP (http://www.ibexsoftware.com/about.asp).
In general, Windows 2000 Terminal Services is the most convenient and fastest approach, but it is weak in terms of its own security. Combined with Zebedee, Terminal Services becomes a convenient, fast and secure solution.
Method 2. VNC over SSH
VNC is a remote management software similar to terminal service, which differs from terminals in the following aspects:
* A VNC session is shared with the user currently logged in; you can operate at the same time as the user who logged in before you.
* VNC clients are available for many platforms, including Windows CE and Java.
* VNC can restrict access by IP address.
* VNC has no encryption between client and server.
Given these differences, the benefits of VNC are clear, but using it alone still carries security risks. The biggest problem is that VNC’s data transmission is not encrypted. We can compensate for this defect with SSH encryption. OpenSSH (http://www.network simplicity….) is commonly used. OpenSSH is theoretically similar to Zebedee, but it is more widely used for encrypting SMTP, HTTP, FTP, POP3 and Telnet traffic. Like Zebedee, it works through a port-forwarding tunnel, but SSH has become a widely recognized and widely used encryption protocol.
Conceptually, OpenSSH forwards packets much as Zebedee does. We usually configure the server’s listening port (OpenSSH’s default is port 22) and then connect to the port SSH uses. An SSH client is essentially an encrypted Telnet-style remote command prompt, but SSH can also encrypt connections for other protocols, as the following example shows. Two steps implement VNC over SSH.
Step 1: C:\>ssh -L 5901:serverhost:5900 serverhost
This creates an SSH port forward that carries the VNC packets between the local machine and the server.
Step 2: C:\>vncviewer :1
Figure 2 shows a VNC session carried over an SSH-encrypted channel (which, in general, sits between the VNC server and the client).
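The mechanism behind both the Zebedee client in Method 1 (a local listener on 3389 whose traffic is carried to the server's 3389) and the ssh -L 5901:serverhost:5900 step above is a port-forwarding relay: a listener on the client machine accepts the local application, connects onward to the real service and copies bytes in both directions. The following Python block is an added example showing that relay together with the client-address filter the page credits Zebedee and VNC with; it is not Zebedee's, OpenSSH's or VNC's code, it does not encrypt the hop (the real tools do), and every host, port and payload in it is constructed. The echo server stands in for the terminal server or VNC server.

```python
"""Added example, not Zebedee's or OpenSSH's code: a minimal TCP port forwarder
showing the relay behind 'zebedee 3389:serverhost:3389' and
'ssh -L 5901:serverhost:5900 serverhost'. A local listener accepts the client,
connects to the target and copies bytes both ways. The real tools encrypt the
hop between their two ends; this relay does not. Hosts, ports, payloads: constructed."""
import socket
import threading
import time

def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then close dst's write side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

class Forwarder:
    """Listen on 127.0.0.1:listen_port; relay to target. Sources outside `allowed` are refused."""
    def __init__(self, listen_port, target_host, target_port, allowed=("127.0.0.1",)):
        self.target = (target_host, target_port)
        self.allowed = set(allowed)
        self.rejected = []                      # audit trail of refused sources
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", listen_port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]  # real port when 0 was requested
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, addr = self.sock.accept()
            except OSError:
                return                          # listener closed
            if addr[0] not in self.allowed:     # IP filter runs before any relaying
                self.rejected.append(addr[0])
                client.close()
                continue
            upstream = socket.create_connection(self.target)
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self):
        self.sock.close()

def start_echo_server():
    """Constructed stand-in for the protected service (terminal server, VNC server)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv

def send_through_tunnel(port, payload):
    """Act as the client: connect to the local forwarder, send, read the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def demo(allowed=("127.0.0.1",)):
    """Wire client -> forwarder -> service; return (reply, refused_sources).
    With the default allow-list the payload echoes back; with an allow-list
    that excludes loopback the forwarder refuses the client and logs it."""
    echo = start_echo_server()
    fwd = Forwarder(0, "127.0.0.1", echo.getsockname()[1], allowed)
    try:
        try:
            reply = send_through_tunnel(fwd.port, b"hello through the tunnel")
        except OSError:                         # a refused client may see a reset
            reply = b""
        for _ in range(100):                    # let the accept thread record a refusal
            if fwd.rejected or reply:
                break
            time.sleep(0.02)
        return reply, list(fwd.rejected)
    finally:
        fwd.close()
        echo.close()

if __name__ == "__main__":
    print(demo())                               # (b'hello through the tunnel', [])
    print(demo(allowed=("203.0.113.9",)))       # (b'', ['127.0.0.1'])
```

The second call shows why the page's first principle matters even with a tunnel: a source outside the allow-list never reaches the target service, and its address is recorded for the audit log.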
If you use multiple client platforms, SSH-based VNC remote control is a good choice, because VNC and SSH support most commonly used operating systems.
Method 3: Application of VPN technology in Windows 2000 remote control
We can also manage a Windows 2000 Server remotely with its own administration tools; for example, the client can map the server’s drives. Of course, other network services can also be used for remote control. Windows 2000 Server remote management forwards the exchanged data by opening port 445 on the server.