I recently heard that remotely administering a server via Terminal Services provides more security against eavesdropping and session hijacking than does remotely administering the server through Microsoft Management Console (MMC). Is that true? If so, can you explain why?
The risk of eavesdropping is that an attacker will be able to obtain valuable information about the server from the traffic generated as you administer the server. Session hijacking carries the risk that after you initiate a legitimate, authenticated connection, an attacker can take over the session. Terminal Services can be safer from these threats because it offers encryption options for encrypting data between the server and client, whereas communication between MMC and the server uses protocols that don't offer integrity checking or encryption. However, Terminal Services doesn't guard against these risks by default.
Windows Server 2003 Terminal Services has four encryption levels, and Windows 2000 Server Terminal Services has three. You configure the encryption level by opening the MMC Terminal Services Configuration snap-in, then opening the RDP-Tcp connection object's properties, which Figure 1 shows. Both OSs support Low, Client Compatible (which Win2K calls Medium), and High encryption levels.
At the Low level, all data (i.e., keystrokes, passwords, and mouse movements) that the client sends to the server benefits from 56-bit encryption. On Win2K, the next level is Medium, which uses 56-bit encryption for data that the server as well as the client sends. In contrast, Windows 2003's Client Compatible level encrypts traffic in both directions by using the maximum level of encryption that the client supports. The High encryption level operates like the Client Compatible level but uses the maximum strength encryption that the server supports; clients that can't match the server's strongest encryption can't connect. On Win2K, the highest encryption level is 128 bits. Windows 2003 also offers the FIPS Compliant encryption level, which requires all data sent between client and server to use encryption that complies with the Federal Information Processing Standard (FIPS). You're unlikely to need the FIPS Compliant level unless you deal with government systems or contracts.
The risk with the Low encryption level is that eavesdroppers can capture information coming to the client and reassemble it into a "movie" of what the administrator is doing on the remote server's console. In effect, the Low level lets an intruder look over the administrator's shoulder and watch the monitor. The other encryption levels protect against eavesdropping on data flowing both directions and protect against session hijacking.
Because Terminal Services' default encryption level is Low, you need to increase it to at least Client Compatible or Medium on all the computers you administer via Terminal Services. The same risks and controls apply to end users who use Terminal Services to run applications on servers. Another advantage of using Terminal Services is that you can completely administer and manage a server by using only TCP port 3389. MMC requires that you open multiple ports for authentication.
