Comments on TaoSecurity Blog: Windows Remote Administration Options
Blog author: Richard Bejtlich. Sixteen comments, newest first; times are UTC-4.

Anonymous (signed John), 2006-06-04 04:23:

Check iShadow Desktop - supports RDP, VNC and even ICA. Probably the best tool when supporting 50+ Win. servers.

http://www.ishadow.com/tabid/88/Default.aspx

John

Anonymous, 2005-08-22 17:15:

...as long as I'm being technically correct ...

I'm surprised some here think that a Windows server somehow 'needs' a static IP. Richard-the-human may want one, so he doesn't have to query whole broadcast ranges to find a system, but Windows-the-OS has no real need of a static IP other than in certain limited roles, like DNS server for instance. It's outside the scope of this discussion, but certainly possible to run most of a server room via DHCP addresses!

One NIC would be fine, /if/ you always returned it to the known IP address before shutting down and moving on to the next site. As for the problem of knowing what IP the system is going to get, if you get the Resource Kit's 'dhcploc.exe' you can issue a fake DHCPREQ and see what the server would send you. This method might save you a PCI slot you might be able to put to better use (like wireless)!

A nice download roundup of the various Resource Kits can be found at http://www.dynawell.com/support/Reskit/win2k3.asp

Anonymous, 2005-08-22 16:38:

Richard:

from the command line, do

    mstsc /?

... and all will become clear.

Example connection to a Win2003 server:

    mstsc /v:192.168.0.10 /console

It's possible to connect to the same machine three* times simultaneously from the same system. Once to the console, and 2x to non-console desktops.

*If Terminal Services is in administrative mode. More than three if in full user mode.

Anonymous (signed LonerVamp), 2005-08-22 13:52:

I would have to concur with three posts above mine:
1) Windows is not meant to be moving around, especially if you're switching DHCP and static at any time in that move.
2) A second NIC is your best option.
3) Tunnel VNC through an SSH connection.

I think you'll be happiest with this setup in the long run. Combine that with netsh and psexec to shovel you a cmd window or some quick batch files with variables and you should be good!

-LonerVamp

Richard Bejtlich, 2005-08-22 13:32:

Bryan,

I am missing something -- how can I connect to the "console" using RDP and MSRDPCLI.EXE (version 5.1)? I don't see any option to do so.

Thank you!

Anonymous, 2005-08-22 13:24:

Oops, I should have made this clearer in my prior post -

A Win2000 terminal server never serves the console session (and I don't believe it can be upgraded to do so), but with the right (RDP 5.1 or above) client Win2000 can view the RDP console session served by WinXP and Win2003.

The more recent versions of Windows serve a console session, probably because so many of us Windows admins complained about the lack of one in Win2k!

I know all this probably sounds backwards to X11 users here. In the Windows world the server is the one exporting a desktop and the client is the one viewing a remote desktop.

Anonymous, 2005-08-22 13:16:

Just a comment on RDP - with the newer Terminal Services client in XP, you can also connect to the 'console' session, similar to what you mentioned with VNC.

This RDP client can be installed on Win2k systems by getting the Win2003 or XP adminpak.msi from MS, or by following the instructions at http://www.petri.co.il/download_rdp_5_1.htm

Also, Linux rdesktop/tsclient can connect to the 'console' desktop as long as you have tsclient > version 0.140 and rdesktop > 1.3, if I remember right.

Joao Barros, 2005-08-22 11:34:

Apart from the need to connect to a Windows 2000 console (e.g. some "stupid" applications don't even install through TS), which is not Richard's case as he's using W2K3 and has Remote Desktop, I don't see any advantage of VNC or DameWare (which some security products see as 'malicious') over RDP/TS.

Does anyone have good selling arguments that say otherwise?

On the remote administration issue, and considering Richard's needs, I second the 2nd NIC idea: easy to restrict access to and all-around bang for the buck.

Ipslore, 2005-08-22 10:55:

I concur with the suggestion for a second NIC. In the "unorthodox" way that you're using this server[1], that is the easiest to implement. And, as a bonus, you can restrict traffic to administrative services to only this admin interface.

[1] Really. By and large, Windows servers are given static network configurations. Moving around is not part of their design.

Anonymous, 2005-08-22 09:55:

Rich,

Depending on what kind of "remote administration" you intend on doing, you may not need physical access to the server. The MMC provides quite a few additional tools for remote administration of things like services, users, IIS, remote startup and shutdown, etc. The admins here use a modified VNC client that authenticates through AD. There is also another product called DameWare that local tech support seems to be fond of. And if that's not quite as robust as you need, you might try looking into a remote KVM card (I've been wanting to try one of these myself), such as http://www.techland.co.uk/index/eric , http://www.techland.co.uk/index/lara , or http://www.minicom.com/kvm.htm . (A Google search for Remote KVM or KVM over IP should return similar products.) If you get a chance to try one of these products out, let us know :)

Anonymous, 2005-08-22 09:51:

You might want to take a look at Microsoft's Services for Unix (http://www.microsoft.com/windowsserversystem/sfu/default.mspx). Although it doesn't come with a native SSH server, you can get one (plus several other packages) from InteropSys (http://www.interopsystems.com/tools/warehouse.htm) -- all for free, of course.

I personally like this approach better than the Cygwin one since it has a more native-as-in-Microsoft-built-it-themselves feel.

Great article, by the way!

Richard Bejtlich, 2005-08-22 09:30:

Great comments. I think the extra NIC idea is the easiest to implement. Thank you!

Anonymous (signed Chuck), 2005-08-22 09:22:

Richard,

Yet another great post. Thanks for sharing the info that you do!

I don't necessarily like this solution; however, in your case it might be helpful. pcAnywhere has a direct connection via null modem capability:
(instructions)
http://service1.symantec.com/SUPPORT/pca.nsf/docid/2001021513251112?Open&src=&docid=2001041212035112&nsf=pca.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=

OR, add another NIC to the box and use that as a management network that will never be changed (typically private address space; since you're using 192.168.x, try the 10.10.x.x network). With that solution you could just use the apps you've already installed.

Hope that helps.

Take care,
Chuck

Joao Barros, 2005-08-22 08:58:

I admin 100+ Windows machines and since Terminal Services Advanced Client is not that advanced (can't even rearrange connections) I looked for an alternative and have been happy since: RoyalTS from code4ward.

RoyalTS: http://www.code4ward.net/CS/blogs/c4w/articles/royalts.aspx
Terminal Services Advanced Client: http://www.microsoft.com/downloads/details.aspx?FamilyID=33AD53D8-9ABC-4E15-A78F-EB2AABAD74B5&displaylang=en
The new version of tsmmcsetup.exe can be found in the Windows Server 2003 Administration Tools Pack: http://www.microsoft.com/downloads/details.aspx?FamilyId=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en

Anonymous, 2005-08-22 08:05:

Q: What's the best Windows remote administration tool?
A: A car.

Anonymous, 2005-08-22 07:59:

It's best to encrypt VNC traffic using SSH port forwarding. I believe there are programs with which you can sniff and basically watch a VNC session stream. I know there have been security issues with it in the past, including brute forcing. Plus, if memory serves correctly, there was also an issue with a constant password encryption seed - I've not used VNC in about 3 years, so these issues may have been solved. It does make remote admin easy since it is cross-platform.
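Two recommendations recur in the thread: put admin services on a second NIC that serves as a management network with access restricted to it (LonerVamp, Joao Barros, Ipslore, Chuck), and tunnel VNC over SSH port forwarding (the last comment). The check that goes with both is the same: confirm which address each admin service is actually bound to, because a VNC or RDP listener on 0.0.0.0 is reachable from the production NIC no matter what the tunnel or the management subnet was meant to achieve. The script below is an added example written for this page, not code from the post or from any commenter. It parses netstat -an output in the Windows format, classifies RDP, VNC and SSH listeners as loopback, management-subnet, production or all-interfaces, reports the ones that are exposed, and builds the OpenSSH local-forward command for a loopback-only VNC server. The sample netstat lines are constructed rather than captured from a real host; the management subnet 10.10.0.0/24 (Chuck's suggestion), the host addresses 192.168.1.50 and 10.10.0.10, and the user name "admin" are assumptions.

```python
import ipaddress
import re
from collections import namedtuple

# Admin services that should be reachable only via loopback (behind an SSH
# tunnel) or via the management NIC.  Port map is an assumption for this
# example: RDP, VNC displays :0 and :1, SSH.
ADMIN_PORTS = {3389: "RDP", 5900: "VNC :0", 5901: "VNC :1", 22: "SSH"}

# Assumed management subnet (Chuck's 10.10.x.x suggestion).
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")

# Constructed sample of "netstat -an" output from a Windows 2003 host with two
# NICs: 192.168.1.50 (production, DHCP) and 10.10.0.10 (management).
# Not captured from a real system.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.10.0.10:22          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    192.168.1.50:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.50:5901      0.0.0.0:0              LISTENING
  TCP    192.168.1.50:3389      192.168.1.7:1044       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

Listener = namedtuple("Listener", "proto addr port")

# proto, local addr, local port, foreign addr, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_listeners(text):
    """Return TCP sockets in LISTENING state plus all UDP sockets."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, anything that is not a socket row
        proto, addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait rows are not listeners
        out.append(Listener(proto, addr, int(port)))
    return out


def classify(addr, mgmt_net=MGMT_NET):
    """Which interface class a local bind address belongs to."""
    if addr in ("0.0.0.0", "[::]", "::"):
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return "unknown"
    if ip.is_loopback:
        return "loopback"
    if ip in mgmt_net:
        return "management"
    return "production"


def audit(text, mgmt_net=MGMT_NET):
    """Classify every admin-port listener; ok means loopback or management."""
    findings = []
    for l in parse_listeners(text):
        if l.port not in ADMIN_PORTS:
            continue
        where = classify(l.addr, mgmt_net)
        findings.append({
            "service": ADMIN_PORTS[l.port], "proto": l.proto,
            "addr": l.addr, "port": l.port, "bound_to": where,
            "ok": where in ("loopback", "management"),
        })
    return findings


def exposed(text, mgmt_net=MGMT_NET):
    """Admin listeners reachable from the production network."""
    return [f for f in audit(text, mgmt_net) if not f["ok"]]


def ssh_tunnel_cmd(server, user="admin", display=0, local_port=5901):
    """OpenSSH local forward (-L) with no remote command (-N), so a VNC server
    bound to 127.0.0.1 on the host is reachable only through SSH; the viewer
    on the admin workstation connects to 127.0.0.1:local_port."""
    return (f"ssh -N -L 127.0.0.1:{local_port}:127.0.0.1:{5900 + display} "
            f"{user}@{server}")


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        flag = "ok     " if f["ok"] else "EXPOSED"
        print(f"{flag} {f['service']:8} {f['addr']}:{f['port']} ({f['bound_to']})")
    print(ssh_tunnel_cmd("10.10.0.10"))
```

On the sample data RDP on 0.0.0.0 and the second VNC display on the production address are reported as exposed, while SSH on the management address and VNC :0 on loopback pass. On a real host, save netstat -an to a file and pass its contents to audit(); a VNC server that is meant to stay behind the tunnel should be configured to listen on 127.0.0.1 only, since the tunnel does nothing for a listener that is also reachable directly.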