First of all, to prevent remote administration, disable the Telnet service and disable the remote registry service. Also disable file and print sharing to prevent connections to administrative shares. However, note that this means you will not be able to use tools such as the Microsoft Security Baseline Analyzer to assess the patching level of the computer.
If you want to remotely administer Windows 2000, I would suggest using Terminal Services in administrative mode. By default, all communication between client and server is encrypted at the medium level, which means 56-bit. This can be raised to 128-bit if the server and client support it. A white paper is available on the subject from Microsoft. I would not suggest the use of Telnet unless you also apply an IPsec policy to ensure encryption of the data between client and server. As with any remote administration setup, both client and server should be secured, and you may decide that for very sensitive systems you do not want to enable any remote administration.
This was first published in January 2003
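The lockdown steps from the first paragraph, as an added batch example that is not part of the original answer. It assumes a local Administrator prompt, that sc.exe is present (on Windows 2000 it comes from the Resource Kit), and that disabling the Server service (LanmanServer) is an acceptable way to turn off file and print sharing and the administrative shares.

```batch
@echo off
rem Added example: disable the remote-administration services named in the
rem answer, then verify the result instead of trusting the command exit codes.
rem Assumptions: Administrator rights; sc.exe available; LanmanServer (the
rem Server service) is disabled as the way to switch off file/print sharing.
setlocal
set FAILED=0

rem TlntSvr = Telnet, RemoteRegistry = Remote Registry, LanmanServer = Server
for %%S in (TlntSvr RemoteRegistry LanmanServer) do call :harden %%S

if "%FAILED%"=="0" (
    echo All three services are disabled and stopped.
) else (
    echo One or more services still need attention.
)
endlocal & exit /b %FAILED%

:harden
rem Keep the service from starting at boot, then stop the running instance.
rem /y answers the prompt about stopping dependent services.
sc config %1 start= disabled >nul
net stop %1 /y >nul 2>&1

rem Verify the start type reported by the service controller.
sc qc %1 | find "DISABLED" >nul
if errorlevel 1 (
    echo [FAIL] %1 start type is not DISABLED
    set FAILED=1
    goto :eof
)

rem Verify the service is not still running from before the change.
sc query %1 | find "STOPPED" >nul
if errorlevel 1 (
    echo [FAIL] %1 is disabled but still running
    set FAILED=1
    goto :eof
)
echo [ OK ] %1 disabled and stopped
goto :eof
```

A service that is not installed (for example Telnet on a stripped-down build) is reported as a failure because `sc qc` cannot find it; confirm that case by hand. With the Server service stopped, remote assessment tools can no longer connect, as the answer notes.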