
Prevent Admin Logon to RWW


spm

May 27, 2006, 9:56:47 PM
Is there a way to prevent the sbs2k3 administrator from logging on via
RWW? I want to allow domain users to logon via RWW, but not the domain
admin, for reasons of security.

--
Regards,
Steve.

SuperGumby [SBS MVP]

May 27, 2006, 10:01:11 PM
No, the domain admin account cannot be locked out of RWW. I have raised this
as an issue with MS, can't say there's been much reaction.

"spm" <nos...@coco.dot.co.dot.uk> wrote in message
news:xn0emr38...@news.microsoft.com...

Cris Hanna (SBS-MVP)

May 27, 2006, 10:25:14 PM
Are you referring to the Administrator Account? Or the individual who is the Administrator?
 
Just trying to be clear

--
Cris Hanna [SBS-MVP]
--------------------------------------
Please do not respond directly to me, but only post in the newsgroup so all can take advantage

Joe

May 28, 2006, 6:23:20 AM

To avoid confusion here, it's the built-in one that can't be locked
out. The best you can do is to put an enormous and computationally
unbreakable password on it, write it down, put it in a locked cash
box in a locked company safe and never use it. Having made a couple
of domain admins first, of course.

I've said before that I also disagree with MS on this. They say it is
to make sure that you can never be locked out of a server. I'd agree
that this is the reason, and it's also the reason many people won't
hang the WAN NIC of a Microsoft product directly onto the Internet.
I'm sure there are also more subtle ways into Windows, but this is an
obvious one. Personally, given the choice of travelling to fix a
server I'm locked out of, or rebuilding it after it's been cracked,
I'd prefer the former.

My preference is not to lock out the domain admins from RWW, but to
open RWW only via VPN and not to allow the admins to remote in. It's a
bit slower, but not much. That way, you can still do remote admin work
on workstations (I also don't allow admin TS except over VPN) but only
after supplying two passwords, the second after you're connected and
being logged by both firewall and SBS. The bigger the glare of the
spotlight the cracker has to operate in, and the more machines he has
to compromise to cover his tracks, the better. Oh, and the firewall also
logs to a third machine running a syslog daemon.

SuperGumby [SBS MVP]

May 28, 2006, 7:04:31 AM
It should be a simple matter, 'Do not allow 'Administrator' to logon from
outside our local subnet'. I adhere to this principle in all other items.
'Administrator' does not have RRAS rights, if I wish to VPN to a server I do
so using a less privileged account, I may then use the VPN to RDP as
'Administrator', OR since the introduction of RWW RDP Proxy I would prefer
to 1st 'Connect to my computer at work' as a non-privileged user and then
RDP to the server with elevated privileges.

I consider the fact that _ALL_ SBS2003 systems suffer from this obvious
security issue a 'problem'.

"Joe" <j...@jretrading.com> wrote in message
news:e5btmo$b5s$1$8300...@news.demon.co.uk...

Cris Hanna [SBS-MVP]

May 28, 2006, 10:51:27 AM
"SuperGumby [SBS MVP]" <n...@your.nellie> wrote in message
news:uxOnAakg...@TK2MSFTNGP02.phx.gbl...

I have not tested this, but:
On the Administrator Account Properties:
Terminal Services Profile Tab: check the box that says "Deny the user
permission to log on to any Terminal Server"
Dial-in Tab: under the heading "Remote Access Permission" (Dial-in or VPN),
check the radio button marked DENY ACCESS
Exchange Features Tab: deny OWA, OMA, POP, IMAP (i.e. all mobile services
and protocols)

What other method could someone else use with the Administrator Account to
try to get in from outside?

--
Cris Hanna [SBS-MVP]
Owner, Computing Possibilities
Belleville, IL
A Microsoft Partner
--------------------------------------------------------------
Please only respond in newsgroups to share with everyone

spm

May 28, 2006, 2:26:56 PM
Cris Hanna (SBS-MVP) wrote:

> Are you referring to the Administrator Account? or the individual
> who is the Administrator

Basically, if I open up RWW off-LAN, I want the server off-limits to
anyone and everyone (via RWW). To do otherwise is IMO inviting
disaster. I hear talk from people here and elsewhere how RWW is so much
more secure than a VPN, but I just don't see it. The only security
measure that RWW provides is a username/password pair, while a VPN can
be protected by a certificate, which can be easily revoked when
compromised. Even then, I can't really see any justification for an SBS
server being accessible off-LAN (even if via a VPN). Sure, for a larger
Windows Server-based network, there are different considerations.

I think it's best I close off RWW here, both in ISA 2004 and on our
external firewall.

--
Regards,
Steve.

Cris Hanna [SBS-MVP]

May 28, 2006, 2:31:38 PM
"spm" <nos...@coco.dot.co.dot.uk> wrote in message
news:xn0emrtc...@news.microsoft.com...

So how is it that you propose to do off site admin?

Cris Hanna (SBS-MVP)

May 28, 2006, 2:40:51 PM
Well
I just denied access to Terminal Services to the Administrator account
 
Logged on to RWW with the Administrator Account, clicked on Logon to Servers and it displays the logon screen for the server but when I try to logon it denies me with a message that I (Administrator) don't have permissions to logon via Terminal Services.
 
This essentially gets you what you want

--
Cris Hanna [SBS-MVP]
--------------------------------------
Please do not respond directly to me, but only post in the newsgroup so all can take advantage

Cris Hanna (SBS-MVP)

May 28, 2006, 3:02:41 PM
Additionally, if you don't want to get that far
In ISA 2004 > Firewall Policy > #8 SBS RWW Inbound Access Rule > Users Tab
 
By default, Everyone has access. You can create an Exception for the Administrator Account. I've tested this externally and you still get in the main RWW Screen. It will let you select "logon to server computers" and will present you the list, but if you click connect, it just fails to even bring up the server logon screen as in my previous suggestion.

--
Cris Hanna [SBS-MVP]
--------------------------------------
Please do not respond directly to me, but only post in the newsgroup so all can take advantage

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

May 28, 2006, 3:25:04 PM
And who deploys VPN certs?

Please cite the security issues of a SBS network and 90% of them are
stupid users and admins from the inside.

More "security risks" are from Var/vaps who set these puppies up without
using the wizards.

Closing up RWW is not only not understanding the real risks of the Small
Business network but also the balance between risk and needs.

I introduce WAY more risk via a VPN connection than I do from a RWW..but
even then each network has to be looked at individually.. there is no
'cookie cutter' answer here.

spm

May 28, 2006, 6:01:59 PM
Cris Hanna [SBS-MVP] wrote:

> So how is it that you propose to do off site admin?

I don't. I have no need....

... and for those customers for whom I do need to do off-site admin, I
can do so from inside their respective VPNs.

--
Regards,
Steve.

spm

May 28, 2006, 6:09:37 PM
Susan,

Just because someone sees (security) issues differently to the way you
do does not mean they fundamentally misunderstand them, and it is very
disingenuous of you to claim they do.

There is no doubt that RWW's 'ability' to let in anyone who gets hold
of an admin username/password is a serious security issue. It matters
not that other measures must be taken to keep such details confidential
(and, clearly, such measures are sensible). The issue remains. I
*might* say that for you to fail to see that represents a lack of
understanding on your part, so let's keep the personal attacks on
others' credibility out of things, shall we?

--
Regards,
Steve.

spm

May 28, 2006, 6:13:43 PM
Cris Hanna (SBS-MVP) wrote:

> Well
> I just denied access to Terminal Services to the Administrator account
>
> Logged on to RWW with the Administrator Account, clicked on Logon to
> Servers and it displays the logon screen for the server but when I
> try to logon it denies me with a message that I (Administrator) don't
> have permissions to logon via Terminal Services.
>
> This essentially gets you what you want

Thank you - I'll check this out.

--
Regards,
Steve.

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

May 28, 2006, 6:42:17 PM
But you made a blanket statement to close up RWW because you saw the
risk too great.

"who gets hold of an admin username password" ....there's your first
issue.. how did they get hold of the password? Improper access? Lack
of strong passwords? If there's a password attack, you'll see the
'hits' before they get into that RWW.

You have that risk with VPN.. as well. Risk of loss of credentials.. of
rights is universal.

There is no "cookie cutter answer" here.. and blindly writing off one
method of access because you are also not understanding the ways in
which you will see the risks before they occur is also not wise.

This is not a personal attack against you.. rather a newsgroup request that
we stand back and understand that if that password is good enough in the
first place.. if you are properly handling the password inside the office..
you'll see the impact in your security log long before someone gains any
access whatsoever.

Is the real risk of attack from RWW in a SBS network? I'd argue not.

Not right now anyway. Do you see the attempts of entry now? Is your
password one that can be guessed/cracked easily? If so, fix that
problem first.
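
The two checks argued over in this thread (failed password attempts against 'Administrator' show up in the security log, and 'Administrator' should not log on from outside the local subnet) can be run over an exported log as below. This is an added example, not part of any poster's message; the CSV layout, the LAN range, the thresholds and the sample records are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example (none come from the thread): the LAN range,
# the CSV column layout of the exported log, and the alert thresholds.
# 528 and 529 are the Windows Server 2003 security event IDs for a
# successful logon and a failed logon (bad user name or password).
LOCAL_NET = ipaddress.ip_network("192.168.16.0/24")
WATCHED_ACCOUNT = "administrator"
SUCCESS_EVENT, FAILURE_EVENT = "528", "529"
BURST_COUNT = 5
BURST_WINDOW = timedelta(minutes=10)

# Constructed sample export, columns: time,event_id,account,source_ip
SAMPLE_LOG = """\
2006-05-28T02:10:01,529,Administrator,203.0.113.7
2006-05-28T02:10:09,529,Administrator,203.0.113.7
2006-05-28T02:10:15,529,Administrator,203.0.113.7
2006-05-28T02:10:22,529,Administrator,203.0.113.7
2006-05-28T02:10:30,529,Administrator,203.0.113.7
2006-05-28T02:10:41,529,Administrator,203.0.113.7
2006-05-28T02:11:02,528,Administrator,203.0.113.7
2006-05-28T08:30:00,528,Administrator,192.168.16.20
2006-05-28T09:00:00,529,jsmith,198.51.100.4
2006-05-28T21:15:00,528,Administrator,198.51.100.9
not,a,valid,record
"""


def parse(text):
    """Yield (time, event_id, account, source_ip); skip malformed rows."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue
        when, event_id, account, source = (field.strip() for field in row)
        try:
            yield (datetime.fromisoformat(when), event_id,
                   account.lower(), ipaddress.ip_address(source))
        except ValueError:
            continue


def review(text):
    """Return findings for off-LAN use of the watched account, in log order."""
    findings = []
    failures = defaultdict(list)   # source address -> recent failure times
    reported = set()               # sources already flagged for guessing
    for when, event_id, account, source in parse(text):
        # Other accounts and on-LAN logons are out of scope for this check.
        if account != WATCHED_ACCOUNT or source in LOCAL_NET:
            continue
        # Keep only failures from this source that fall inside the window.
        recent = [t for t in failures[source] if when - t <= BURST_WINDOW]
        if event_id == FAILURE_EVENT:
            recent.append(when)
            if len(recent) >= BURST_COUNT and source not in reported:
                reported.add(source)
                findings.append(
                    ("password-guessing", str(source), when.isoformat()))
        elif event_id == SUCCESS_EVENT:
            # Any off-LAN success is reported; one that follows recent
            # failures from the same source is the more urgent case.
            kind = "success-after-failures" if recent else "off-lan-admin-logon"
            findings.append((kind, str(source), when.isoformat()))
        failures[source] = recent
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```
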

spm

May 28, 2006, 7:21:15 PM
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

> But you made a blanket statement to close up RWW because you saw the
> risk too great.

No, I made a statement re closing up RWW on *our* network. That's
entirely different to making a blanket statement, as you claim.

> "who gets hold of an admin username password" ....there's your first
> issue.. how did they get hold of the password? Improper access?
> Lack of strong passwords? If there's a password attack, you'll see
> the 'hits' before they get into that RWW.

If there's no external RWW, password attacks become a moot point.

> You have that risk with VPN.. as well.

No you don't, not with an L2TP VPN (or, say, an OpenVPN
implementation). Attackers then need *more* info than
usernames/passwords.

> There is no "cookie cutter answer" here.. and blindly writing off one
> method of access because you are also not understanding the ways in
> which you will see the risks before they occur is also not wise.

There you go again. Because I don't see things the way you do, you
attempt to discredit me through such inappropriate nonsense like
'blindly' and 'not understanding' and 'not wise'. Stop.

> This is not a personal attack against you..

If you say so, but it is most definitely a personal attack against
anyone that disagrees with you. Maybe 'SuperGumby' and 'Joe' might feel
that way, too.

> that we stand back and understand that if that password is good
> enough in the first place..

Of course passwords need to be 'good enough'. Only *you* are implying
that they might not be, but in any case you entirely miss the point.
Externally available RWW that permits admin access to an SBS server
increases the external attack surface. Period. Cris Hanna has at least
been helpful enough to suggest ways of mitigating that threat, and I am
grateful to him for his input.

--
Regards,
Steve.

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

May 28, 2006, 7:57:57 PM
Fair enough.. but too many consultants say this on behalf of their
customers.

You accept email right?

There's a port that has a password attack surface.

What other ports do you have open.... open up for OWA.. that's 443 open
anyway.

Not a personal attack at all.. I'm trying to point out to the newsgroup
in general that we need to step back and look at the bigger picture.

And you've just shut down the ability to patch and remotely 'touch' that
server. Are you at your office all the time or do you need remote
access at times to be more efficient. Closing down access also comes
with a cost. Just understand that is all.

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

May 28, 2006, 7:59:46 PM
But what about their need for remote access?

VPN isn't knee jerk the right answer... see you are a consultant.... so
I ask you to just step back and don't throw out RWW without considering
that VPN isn't always the right answer for remote access.

spm

May 28, 2006, 8:05:53 PM
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

> You accept email right?
> There's a port that has a password attack surface.

That's a red herring. A password attack that gains unrestricted access
to a server is entirely different to one that gains access to sending
email.

> What other ports do you have open.... open up for OWA.. that's 443
> open anyway.

See above.

--
Regards,
Steve.

spm

May 28, 2006, 8:12:34 PM
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

> VPN isn't knee jerk the right answer... see you are a consultant....
> so I ask you to just step back and don't throw out RWW without
> considering that VPN isn't always the right answer for remote access.

Huh? You don't give up, do you? There's no knee-jerk reaction (except
for yours, that is). I don't consider VPN is always the right answer
for anything. I always consider specific circumstances, and I always
balance needs vs. risks vs. capabilities of systems.

--
Regards,
Steve.

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

May 28, 2006, 8:54:45 PM
Not to the State of California that sent out SB1386 notifications when
someone relayauthenticated off a system.

It is still the sign of a

1. sucky password
2. an admin not seeing the signs of attack.

These days unless you've patched that Exchange server for the iCal
vulnerability there's a risk there as well.

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

May 28, 2006, 8:57:43 PM
I'm a female.. of course I don't give up.

And no I'm not 'knee-jerking' either.. but I'm posting for the benefit
of others reading this is all. Think of the risks and needs of each
customer is all I'm asking all of us to consider.

Cris Hanna [SBS-MVP]

May 28, 2006, 9:04:21 PM
"spm" <nos...@coco.dot.co.dot.uk> wrote in message
news:xn0emsey...@news.microsoft.com...

Steve
I would suggest to you that this is not a personal attack but rather the
expression of passion about security that Susan freely shares throughout the
world in a variety of forums. Susan is highly recognized both in the MVP
community, from Microsoft, the Small Business Community at large, etc. for
her passion and expertise when it comes to security issues for small
businesses in particular.

RWW is widely recognized as one of the best (and secure) features of Small
Business Server. Now that may change in time as folks decide to go after
the ports that RWW uses, but for now, she is simply suggesting that you are
eliminating a tool that is probably less susceptible to attack than using
VPN.

From your approach, it appears that your experience may be in larger
environments and perhaps you've not worked with RWW before this. You made
the statements earlier about certificates being easily revoked if
compromised. It's probably easier to change passwords or disable an account
if necessary.

I've given you several options for accomplishing what you originally posted
about. But Susan is simply trying to provide insight and information, as we
find there is still a large group of folks with many years of IT experience
who are uneducated regarding the many tools and unique features that are
part of SBS.

I'm sure that no matter how long this thread would go on, there would
be no level of agreement on the topic.

Les Connor [SBS Community Member - SBS MVP]

May 29, 2006, 12:20:18 AM
Many customers believe that remote access via RWW is the best feature in SBS
:-). You couldn't wrestle it away from them. That said, the reason RWW can
be a preferred security solution (username/passwords aside), is because to
trust a VPN implies you trust the remote computer. And that's the rub - the
remote computers of small biz owners and their employees can't be trusted.

By default, RWW doesn't connect the file systems. By default, VPN does.

--
Les Connor [SBS Community Member - SBS MVP]
-----------------------------------------------------------
SBS Rocks !
----------------------
"Tell me and I'll forget. Show me and I'll remember. Involve me and I'll
understand." - Confucius


"Cris Hanna [SBS-MVP]" <crisnos...@computingnospampossibilities.net>
wrote in message news:118FF6FE-12C0-477E...@microsoft.com...

spm

May 29, 2006, 2:38:13 AM
Cris Hanna [SBS-MVP] wrote:

> I would suggest to you that this is not a personal attack but rather
> the expression of passion about security that Susan freely shares
> throughout the world in a variety of forums. Susan is highly
> recognized both in the MVP community, from Microsoft, the Small
> Business Community at large, etc. for her passion and expertise when
> it comes to security issues for small businesses in particular.

Cris, I don't care who Susan (thinks she) is - passion is one thing,
but for her to use the language she has and the (very) thinly disguised
attacks on the credibility of me and others is unacceptable. Period.

> RWW is widely recognized as one of the best (and secure) features of
> Small Business Server. Now that may change in time as folks decide
> to go after the ports that RWW uses, but for now, she is simply
> suggesting that you are eliminating a tool that is probably less
> susceptible to attack than using VPN.
>
> From your approach, it appears that your experience may be in larger
> environments and perhaps you've not worked with RWW before this. You
> made the statements earlier about certificates being easily revoked
> if compromised. It's probably easier to change passwords or disable
> an account if necessary.

(addressing Les Connor's welcome contribution here, too) Well, it is
more than changing passwords which is at issue here. While I am not
knocking the obvious utility of RWW, how about these security
considerations (to be considered in the light of a compromised
password)...

... it takes more than a compromised username/password to access a VPN
than it does RWW.

... with an authenticated VPN, only designated computers can make use
of the service. RWW allows any computer, anywhere to have access to
computers on the LAN.

...with a VPN, a user can access only the designated shares on a
server. With RWW, a user can gain full and unrestricted access to a
server, as though they are sitting next to it. That's what remote
server management is about, after all.

When looked at in that light, it's not hard to imagine which solution
is the most 'secure'. Of course, in practice, there are other security
considerations which need to be taken into account. But they do not
serve to eliminate the additional risks that RWW poses that VPNs don't.
'SuperGumby' and 'Joe' have also given their view of the issue in this
thread and, while I am not simply claiming that 'we' are right and
Susan is wrong (things are never that black and white, something that
Susan would do well to learn), she and others would do well to consider
others' views more respectfully.

> I've given you several options for accomplishing what you originally
> posted about.

Indeed, and as I have stated elsewhere in this thread, I am grateful to
you for those.

> I'm sure that no matter how long this thread would go on, there would
> be no level of agreement on the topic.

You're probably right. I will, though, always take issue with
conventional wisdom where I believe there is a reason to do so. Too
many people blindly follow the 'accepted' line (or that espoused by the
so-called experts) without really understanding, or thinking about, the
issues at hand. If what I have written here encourages that, then I
will have considered it worthwhile.

--
Regards,
Steve.

Les Connor [SBS Community Member - SBS MVP]

May 29, 2006, 10:29:13 AM
Inline ....

--
Les Connor [SBS Community Member - SBS MVP]
-----------------------------------------------------------
SBS Rocks !
----------------------
"Tell me and I'll forget. Show me and I'll remember. Involve me and I'll
understand." - Confucius

"spm" <nos...@coco.dot.co.dot.uk> wrote in message

news:xn0emsp8...@news.microsoft.com...


> Cris Hanna [SBS-MVP] wrote:
>
> ... it takes more than a compromised username/password to access a VPN
> than it does RWW.
>
> ... with an authenticated VPN, only designated computers can make use
> of the service. RWW allows any computer, anywhere to have access to
> computers on the LAN.

For RWW, the security model is based on User credentials, there's no
facility for restricting access by computer or IP (well, there might be if
you have Premium and ISA installed). So, username/password combinations,
*and* the access rights assigned to the user credential are the only
security that exists.

>
> ...with a VPN, a user can access only the designated shares on a
> server. With RWW, a user can gain full and unrestricted access to a
> server, as though they are sitting next to it. That's what remote
> server management is about, after all.

Full and unrestricted access isn't really accurate as a broad statement.
Access to resources is determined by the rights assigned to the user. A user
logging onto RWW doesn't have any additional access to the internal
resources than that user logging on at a local workstation, and in fact
usually has less.

RWW isn't a single big switch, there are options as to what is made
available, and to whom. It's not as granular as some would like, but it's
pretty reasonable for a first generation feature.

>
> When looked at in that light, it's not hard to imagine which solution
> is the most 'secure'. Of course, in practice, there are other security
> considerations which need to be taken into account. But they do not
> serve to eliminate the additional risks that RWW poses that VPNs don't.
> 'SuperGumby' and 'Joe' have also given their view of the issue in this
> thread and, while I am not simply claiming that 'we' are right and
> Susan is wrong (things are never that black and white, something that
> Susan would do well to learn), she and others would do well to consider
> others' views more respectfully.

On some levels, productivity (or convenience) and security are quite often
at odds with each other. Trying to achieve a balance is always the
challenge. Whether you allow Administrators to log into RWW, or not, is a
choice one can make without removing the feature for everyone.

Personally, I prefer RWW in most situations for two major reasons ... a)
it's dead simple to configure and use (low cost to owner), and b) use of RWW
doesn't expose the lan to the remote file system (by default) - meaning
I don't have to worry about the health of the boss's home computer and what
his kids have installed on it ;-) - which is also primarily a cost reducing
feature, although I'll take the peace of mind aspect of it ;-).

I don't think there's any doubt that VPN can offer security options that RWW
cannot, especially if you find a way to make ISA and VPN quarantine work.
But I think 'can' is a key word, as there is a certain skill set required.
And there's going to be a cost for the extra security. Whether the
cost/benefit is a good fit, or not, is going to be specific to the customer
scenario.

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

May 29, 2006, 2:10:14 PM
I am not attacking you personally. This isn't personal.

And I can point to situations where VPN connections have brought in
slammer, blaster into a firm whereas RWW does not make by default the
same sort of connections. All I am saying is for folks to blindly throw
out RWW and constantly say that VPN is so much more secure when the
"devil is in the details" as it were.

I have been a SBSer since the 4.0 era and have been here through the
Code Red and Nimda era of SBS 2000. I also see the "attacks" on a SBS
network and as of right now .. I'm seeing more 'hits' on port 25... and
way more issues due to local admin use than either VPN or RWW combined.

Do I want two factor in the future.. sure... but as of right now, Remote
Web Workplace is indeed comparable to VPN for small businesses as a
secure way of connectivity that doesn't take a geek at home to get
working. And I will continue to post back to any consultant who does
not consider it a viable solution.. and I will mourn every time a
customer posts into this newsgroup and doesn't know what RWW is all
about. Because at the end of the day .. you don't own that server, the
client does. RWW should be considered by the client in their remote
access needs. It's too good of a solution not to have a comparison.

Any SBS customer deserves a var/vap to look at this with full
understanding of what it is, the resources they have for alternative
solutions and the risks for each individual client.

And I can state with certainty that I do not see port probes on port 443
for RWW access. (Scorpion Software Firewall Dashboard)

VPN 'can' be more secure than RWW especially with the deployment of
NAP... however most in this community will not do the enhancements to
VPN that you propose.. won't use IPsec, won't add NAP.

And I agree ...there isn't a black and white in security.. and that's
exactly why RWW should be considered as an option. All customers
deserve that.

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

May 29, 2006, 2:21:57 PM
> ...with a VPN, a user can access only the designated shares on a
> server. With RWW, a user can gain full and unrestricted access to a
> server, as though they are sitting next to it. That's what remote
> server management is about, after all.

...no a "user" can only gain access to the desktop that in turn only has
the appropriate rights.

He or she does not have full access to a server.... only someone logging
in as "domain administrator" has that right ..which is the equivalent
of VPN as well..

When you are a member of the Remote users group.. when I log into RWW
with "user" role I get access only to OWA and my desktop and an
application sharing server (TS box if there is one set up). I'm not
logging into the server.

When I log in with domain admin rights, that's the only time I get
offered up the ability to log into the server.

What rights are you logging in with when logging into RWW?

Frank McCallister SBS MVP

May 29, 2006, 2:42:21 PM
Steve

80% of SBS server market is OEM preinstall by DELL, HP, COMPAQ and other
name brand and White box vendors. A small % of those are reinstalled. Most
are truly Small Businesses from 5 to 25 users who want to work from home and
have small budgets. I submit that RWW is far safer for that user than a
default VPN setup because of the SSL layer and the lack of exposure of the
LAN to the unsecure local machine. Any steps you take to make VPN more
secure can also be taken to make RWW MORE secure than the VPN; see
http://seclists.org/lists/security-basics/2006/Mar/0146.html Your thinking
is Enterprise slanted and if you want to deny the Administrator with a
complex pass phrase the ability to remotely administer his network that is
your choice! I have 12 SBS networks to maintain over a 100 mile radius and
don't have that choice or desire. I rely on good passwords and firewalls. We
are trying to educate the SBS user about RWW so he/she can safely work
remotely without having to deal with the complexities and inherent safety
factors of VPN default solutions.

--
Frank McCallister SBS MVP
MCP Microsoft Small Business Specialist
COMPUMAC


"spm" <nos...@coco.dot.co.dot.uk> wrote in message

news:xn0emsp8...@news.microsoft.com...
