We envision a remote control scenario: a company installs an IIS web server and hosts it off-site at a hosting center, a facility that combines broadband connectivity, air conditioning and power control. Such a hosting center is stable and reasonably priced, but it requires the customer to manage the server entirely remotely: control must be available at any time, and it must not be necessary to visit the console to operate the server. Remote control usually brings several problems. The most obvious is that the traffic between the client machine and the host crosses the Internet, so the exchanged data can be sniffed by attackers. A second problem is that weaknesses in the remote control software itself (for example, the ports it opens) can themselves become the target of network attacks. The goal in choosing a remote control solution is to ensure that you, and only you, can control the server, without exposing it to further attacks.
1. Security principles of a remote control solution
Ensure the security of remote control authority
Remote control must prevent unauthorized access. At a minimum this means that the remote management software accepts connections only from a small range of IP addresses and requires a user name and password. Security can be strengthened further with smart cards and client certificates, and with simple off-the-shelf measures such as serving on a non-standard port or configuring the service not to display its banner. Note that hiding the port or banner only reduces exposure to casual scanning; it is no substitute for authentication and source-address restriction.
Ensure the integrity of remotely exchanged data
To prevent data from being tampered with or lost, the transmission between the remote control server and client must be integrity-protected and fresh: the data received is exactly what was sent, and a captured exchange cannot be replayed.
Ensure the confidentiality of sensitive data transmission
For remote control the most important point is to keep sensitive data confidential as it crosses the Internet, so that a sniffed message reveals nothing. This requires session encryption with a robust and practical algorithm. The benefit is that even if an attacker captures the traffic, the capture is useless to them.
Ensure that incidents can be audited securely
A good security audit greatly improves the overall security of remote control and lets you catch hidden risks and intrusion attempts early. The main function of the audit log is to let the administrator know who accessed the system, which services were used, and so on. This requires the server to keep sufficient, tamper-resistant log records of every remote control session, including the traces left by attempts to break in.
2. Three security solutions for Windows 2000 remote control
Although there are many ways to remotely control Windows 2000, not all software conforms to the security principles above. We can combine different software to assemble the remote control solution we need.
The following examples achieve safe and reliable remote control through the combined use of Windows 2000's own services and third-party software.
Method 1. Windows 2000 Terminal Services combined with Zebedee
Terminal Services is the technology in Windows 2000 that lets users run Windows applications on a remote Windows 2000 Server. It is probably the most widely used method of remotely managing a Windows 2000 server, because it is easy to use and, as a built-in service, benefits from the authentication system of Windows 2000 Server itself. However, the service has some shortcomings on its own: it cannot restrict the IP addresses clients connect from; it offers no documented way to change the default listening port (the port can be changed through the PortNumber registry value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, but this is not exposed as a setting); and it has no log audit function, that is, no logging tool of its own. Measured against the security principles at the beginning of this article, Terminal Services used alone is not very safe. Combined with Zebedee, however, Terminal Services can meet the remote management security requirements above.
The working principle of Zebedee is as follows: Zebedee listens locally on behalf of the specified application and encrypts and compresses the TCP or UDP data to be transmitted; a communication tunnel is established between the Zebedee client and server; the compressed and encrypted data is transmitted over this tunnel; and multiple TCP or UDP connections can be multiplexed over the same TCP connection.
Usually Zebedee is used in the following two steps:
Step 1: On the server, start Zebedee in server mode and write its log to a file:
C:\> zebedee -s -o server.log
Step 2: On the client, make Zebedee listen on local port 3389 and redirect it to the Zebedee listener on your server, which passes it to port 3389 there:
C:\> zebedee 3389 serverhost:3389
Zebedee is now running. The principle of its combined use with Terminal Services is shown in Figure 1. When the Terminal Services client is started (target TCP port 3389), the local Zebedee client intercepts its packets; Zebedee encrypts and compresses the data and sends it to the Zebedee server (by default on port 11965); the Zebedee server decompresses and decrypts the data and passes it to the local Terminal Services listener (TCP port 3389). To the Terminal Services server the connection looks like an ordinary Terminal Services client, but in fact every packet has crossed an encrypted tunnel. Zebedee's identity authentication, encryption, IP address filtering and logging can all be set up through its configuration files. A well-configured Zebedee combined with Windows 2000 Terminal Services yields a very secure remote management system.
Since Terminal Services does not provide file transfer, other methods are needed for that. We can use an FTP server; FTP is usually considered insecure, but it too can be protected by Zebedee's encrypted tunnel. Another way is to transfer data directly over the Terminal Services session. This is more troublesome, but the Zebedee help file explains it in detail. Two third-party solutions are also recommended: AnalogX's TSDropCopy (//.analogx.com/contents/download/system/tsdc.htm) and WTS-FTP (//.ibexsoftware.com/about.asp).
In general, Windows 2000 Terminal Services is the most convenient and fastest method, but on its own it falls short on security. Combined with Zebedee, it becomes a convenient, fast and secure solution.
Method 2. VNC over SSH
VNC is remote management software similar to Terminal Services; it differs from Terminal Services as follows:
* VNC shares the session of the currently logged-in user, so you can operate the machine at the same time as that user;
* VNC clients exist for many platforms, including Windows CE and Java;
* VNC can restrict access by IP address;
* VNC traffic between client and server is not encrypted.
These differences show the benefits of VNC, but there are still security risks if it is used alone. The biggest problem is that VNC data transmission is not encrypted. We can use SSH encryption to make up for this defect; usually OpenSSH (://.networksimplicity.com/openssh) is used. OpenSSH is similar to Zebedee in principle but is more widely used to encrypt SMTP, FTP, POP3 and Telnet traffic. Like Zebedee it forwards ports through a communication tunnel. The difference is that SSH has become a widely recognized and widely deployed encryption protocol.
Conceptually, OpenSSH port forwarding works like Zebedee. We configure the server's listening port (the OpenSSH default is 22) and then connect to that port. An SSH client is essentially an encrypted Telnet remote access prompt, but SSH can also carry other protocols' connections over its encrypted channel. VNC over SSH takes the following two steps:
Step 1: C:\> ssh -L 5901:serverhost:5900 serverhost
This makes the SSH client listen on local port 5901 and forward everything sent to it, through the encrypted SSH session, to port 5900 (VNC display :0) on the server.
Step 2: C:\> vncviewer localhost:1
Display :1 on localhost is TCP port 5901, the local end of the forward, so the viewer connects to the server's VNC service through the tunnel. Figure 2 shows such a VNC session transmitted through an SSH encrypted channel (the encryption covers the path between the VNC server and the client).
If you need to manage from several client platforms, VNC over SSH is a good choice, because both VNC and SSH support most commonly used operating systems.
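The tunnel mechanism shared by Method 1 (Zebedee) and Method 2 (ssh -L) is a local listener that relays each accepted connection to the real service, and the first and fourth principles above ask that such a listener admit only known source addresses and log every attempt. The following Python program is an added example, not code from the article, Zebedee or OpenSSH: it implements that listen-accept-relay structure with a CIDR allow-list and an audit log, and deliberately omits the encryption step, which in practice is the job of the Zebedee or SSH endpoints. The echo service, addresses and ports are constructed stand-ins for the terminal service on 3389 or VNC on 5900.

```python
import datetime
import ipaddress
import socket
import threading
import time


def peer_allowed(ip, cidrs):
    """Source-address allow-list: is ip inside any of the CIDR ranges?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def _relay(src, dst):
    """Copy bytes src -> dst until EOF on src, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Forwarder:
    """Accept on bind:listen_port and relay to target; log every attempt."""

    def __init__(self, listen_port, target, allowed_cidrs, bind="127.0.0.1"):
        self.target, self.cidrs, self.audit = target, allowed_cidrs, []
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind, listen_port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]   # real port when listen_port == 0
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _log(self, event, peer):
        stamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        self.audit.append(f"{stamp} {event} {peer[0]}:{peer[1]}")

    def _accept_loop(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:                      # listener closed
                return
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        if not peer_allowed(peer[0], self.cidrs):
            self._log("REJECT", peer)            # unauthorised source: drop, but record it
            conn.close()
            return
        self._log("ACCEPT", peer)
        try:
            upstream = socket.create_connection(self.target)
        except OSError:
            self._log("TARGET-UNREACHABLE", peer)
            conn.close()
            return
        t = threading.Thread(target=_relay, args=(conn, upstream), daemon=True)
        t.start()
        _relay(upstream, conn)                   # runs until the service side closes
        t.join(timeout=5)
        conn.close()
        upstream.close()
        self._log("CLOSE", peer)

    def close(self):
        self.sock.close()


def _echo_server():
    """Constructed stand-in for the protected service (RDP on 3389, VNC on 5900)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                c, _ = srv.accept()
            except OSError:
                return
            with c:
                while data := c.recv(4096):
                    c.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo(allowed_cidrs):
    """Round-trip one message through the forwarder; return (reply, audit event names)."""
    echo = _echo_server()
    fwd = Forwarder(0, echo.getsockname(), allowed_cidrs)
    reply = b""
    try:
        with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as c:
            try:
                c.sendall(b"hello through the tunnel")
                reply = c.recv(4096)
            except OSError:                      # reset: the forwarder rejected us
                reply = b""
    finally:
        deadline = time.time() + 5               # let the handler finish logging
        while time.time() < deadline and not any(
                e in line for line in fwd.audit for e in ("CLOSE", "REJECT")):
            time.sleep(0.01)
        fwd.close()
        echo.close()
    return reply, [line.split()[1] for line in fwd.audit]
```

Running demo(["127.0.0.0/8"]) relays the message and leaves an ACCEPT/CLOSE pair in the audit list; demo(["10.0.0.0/8"]) closes the connection unanswered and records a REJECT line, which is exactly the trace an administrator wants when someone probes the tunnel port from an unexpected address. Zebedee's -o server.log and the SSH server's system log play the role of the audit list here.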
Method 3. VPN technology applied to Windows 2000 remote control
We can also use the management tools built into Windows 2000 Server for remote interactive management; for example, clients can map the server's drives. Other network services can be used for remote control in the same way. Windows 2000 Server remote management of this kind connects to the server on port 445 and exchanges its data over that port, but the data between client and server is not encrypted, which exposes it to sniffing on the network. Here we can use another encrypted tunneling technology. Network tunneling means carrying one network protocol inside another, using a tunneling protocol to do so. A good solution in this case is VPN technology for Windows 2000 remote control: the exchanged data is carried through an L2TP/IPsec (or PPTP) tunnel, which greatly enhances security.
Applying VPN technology to Windows 2000 remote control has the following advantages:
* A VPN is designed to secure the network as a whole and offers good value for its cost;
* VPN manageability has improved rapidly; in a single-vendor environment one management workstation can support multiple units;
* The VPN uses a virtual private dial-up tunneling protocol with an encrypted channel (L2TP protected by IPsec, or PPTP with MPPE);
* The VPN can restrict access by IP address;
* The VPN can be configured transparently in the network connection, without modifying the network or the client's applications.
Next we configure the connection between a remote client and the VPN server.
VPN server configuration
First open Routing and Remote Access, right-click the server to be configured and choose Configure and Enable Routing and Remote Access. Following the wizard, we can create a virtual private network (VPN) server.
Note: a PPTP VPN server listens on TCP port 1723 (with GRE for the tunnel itself), while L2TP/IPsec uses UDP 500 and UDP 1701 with ESP. If you do not want others to find these open ports, restrict the IP addresses from which clients may connect.
On the client, right-click Network Neighborhood (My Network Places), select Properties, and click Make New Connection in the window that appears. Following the prompts, we complete the relevant settings and connect to the server.
After completing the server and client configuration we see a VPN connection icon. Double-click the icon and enter the user name and password as prompted to connect to the server. A new network connection now exists. It behaves the same as connecting to the server directly with a network adapter and cable; the difference is that it transmits and exchanges data through an encrypted channel.
For any network connection we must consider one more factor: whether packet filtering is applied to the protocol you are using. Note that your VPN connection can also be used by an attacker to break into your computer, threaten your server and then move into your internal network. These risks must be taken into account.
Through a VPN we can manage the server remotely as simply as on the LAN. Misconfiguration can introduce security problems, but VPN technology in Windows 2000 remote control is by far the most convenient remote control method, and as long as server and client are configured correctly the security risks can be largely avoided.
3. Other methods
In this article we have described three effective and secure remote control solutions. Of course there are more than these; we simply want to use them to help everyone understand the factors worth considering in remote management security and its solutions. If you are using a remote management tool, check whether your software meets the remote management security requirements described above. If not, consider finding other software to strengthen its security. Encrypted tunnels and a sensibly configured firewall are the key to a secure remote management solution.