Three Alternatives for Remote IIS Administration

I want to set up my servers so that I can use Microsoft Management Console (MMC) to administer them remotely. What port must I open in my firewall to enable this capability?

MMC uses remote procedure calls (RPCs) to connect to and manage a server. On a Windows network, this setup requires port 139, which is basically NetBIOS over TCP/IP (NetBT). Opening this port on the firewall lets you connect to the server on the other side of the firewall and manage the system remotely by using MMC. Unfortunately, opening this port also lets anyone else access your system to attempt known exploits on this port. This port is a dangerous door that you shouldn't unlock on your firewall if at all possible.

Alternatively, consider using the IIS Administrative Web site in combination with Secure Sockets Layer (SSL). This setup requires that you open a high port number on the firewall (i.e., a port that's randomly assigned to the Administrative Web site during IIS installation). Although this setup does require another open incoming port on the firewall (which isn't ideal), that port is at least one that the server isn't using except for the Administrative Web site. Use NTFS to secure the files and Basic authentication over SSL with 128-bit encryption to secure authentication.

Another popular choice for remote administration is Windows 2000 Server Terminal Services. I like Terminal Services for remote administration because it doesn't require third-party support, seems to work acceptably over low bandwidth connections, and supports 128-bit encryption. The advantage Terminal Services has over MMC or the Administrative Web site is that you can manage the entire server. If you use the Administrative Web site, you can manage only the Web server components. If you use MMC, you can manage only those components of the server that you can access through MMC. I often need to run a command shell or utilities, such as quickly scanning the IIS log files. Terminal Services is hard to beat for GUI and command-line interfaces.

Terminal Services uses Microsoft's proprietary RDP, which in turn uses TCP port 3389 on the server. As a result, that port on the firewall has to be open on the firewall. You can set up Terminal Services to require 128-bit MD5 encryption, which can't feasibly be broken at this time.

If you don't want to install the Terminal Services client on all the computers from which you might perform remote administration, consider Terminal Services Advanced Client (TSAC), which is available on the Win2K Service Pack 1 (SP1) and SP2 CD-ROMs or from http:// .asp. TSAC is an ActiveX object that lets your Web browser become the Terminal Services client.

When you access TSAC, you see and can use the desktop of the server in your Web browser—very handy in that you can log on to a server from any machine that has Microsoft Internet Explorer (IE) 4.0 or later. Follow these steps to place TSAC in a secure location on your sever:

  1. Create a folder for the TSAC files. (Don't place this folder in \wwwroot or on your C drive if you can avoid it.)
  2. Secure the folder with NTFS permissions. In this case, I recommend using individual user accounts, including the local Administrator and System Full Control.
  3. Create a virtual directory on the Web site that you can use to access TSAC. Map this directory to the TSAC secured folder.
  4. In the virtual directory's Properties dialog box, set Local Path permission to Read and Execute Permissions to Scripts only, as Figure 4 shows. Enable logging, but disable indexing.
  5. Click Configuration, then remove all application mappings except those mapped to asp.dll.
  6. Under the Directory Security tab, click Edit beneath Anonymous Access and Anonymous Control. Clear the Anonymous Access check box, then click OK.
  7. On the server, configure Terminal Services by choosing Start, Programs, Administrative Tools, Terminal Services Configuration. Right-click the RDC-TCP connections, then select Properties. Make these changes to the designated Properties dialog box tabs:
  • General tab—Set the Encryption Level to High. Be sure that you've applied the High Encryption Pack to your server so that you can use 128-bit encryption.
  • Logon Settings tab—Select the Always prompt for password check box.
  • Sessions tab—I set my servers up to end the session when the session is lost. However, if you start a long run task, you might need the session to stay alive. If so, select the Disconnect from session option. Override user settings where possible, and don't let sessions last too long.
  • Permission tab—Set the same permissions you used on the TSAC virtual directory.

Because TSAC uses a Web browser, TSAC initially uses port 80 to contact the Web server, which means that authentication occurs through the Web browser to the virtual directory before the Terminal Services session begins. Be certain that you've used SSL with Basic or Integrated Windows authentication to secure your logon.

Shortly after authentication, the communication switches to port 3389 on the server. When you switch ports, you're using an encrypted channel for authentication and server desktop management.

You can use many other methods to administer your server, including scripting and custom or third-party applications (Citrix being one of the most popular). Even the Microsoft FrontPage client allows some control over Web sites. If you use Microsoft solutions for full-control remote administration, however, your choices are to open port 139 for MMC or port 3389 for Terminal Services. Terminal Services is the better choice because it exposes your server to less security risk.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.