Windows 2003 – “Enable Remote Desktop on this computer” greyed out

 

Background

This is another post to address the Terminal Services intrusion we discovered a few weeks ago.

Terminal Services Configuration

Configuration

The specific aspect of the vulnerability that we would like to address in this post is the fact that TS is always enabled.

If we access “Control Panel” \ “System Properties” \ “Remote” Tab, we will notice that “Enable Remote Desktop on this computer” is checked and grayed out.

Implication

So it appears that we are unable to disable Terminal Services.

 

Remediation

  1. Registry
    • Policies
      • Terminal Services
    • Services
      • Control
        • Terminal Services
  2. Group Policy

 

Registry

  1. Policy
    • Branch :- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    • Item :- fDenyTSConnections
  2. Services
    • Branch :- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    • Item :- fDenyTSConnections


Policies – Terminal Services – fDenyTSConnections

Branch :- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Item :- fDenyTSConnections

Current

Revised

Rename fDenyTSConnections to fDenyTSConnections.20170701.0800AM.

Also feel free to rename it altogether.

Control – Terminal Server – fDenyTSConnections

Branch :- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
Item :- fDenyTSConnections

Current

Revised

Rename fDenyTSConnections to fDenyTSConnections.20170701.1154AM.

Also feel free to rename it altogether.
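The two registry branches above can be audited and backed up from the command line as well. The following is an added example written for this post, not code from the original post; it reads fDenyTSConnections from both branches, and, as the post does, preserves the Policy-branch value by renaming it with a timestamp rather than deleting it. It assumes an elevated PowerShell session on the affected host.

```powershell
# Added example, not code from the original post. Reads fDenyTSConnections from both
# branches and backs up the Policy-branch value by renaming it with a timestamp.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ControlKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ValueName  = 'fDenyTSConnections'

function Get-TSDenyState {
    # One row per branch. A value under the Policy branch takes precedence over the
    # Control branch, and its mere presence greys out the checkbox in the Remote tab.
    foreach ($key in @($PolicyKey, $ControlKey)) {
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        }
        if ($null -eq $value)  { $meaning = 'not set' }
        elseif ($value -eq 0)  { $meaning = 'connections allowed' }
        elseif ($value -eq 1)  { $meaning = 'connections denied' }
        else                   { $meaning = "unexpected value $value" }
        [pscustomobject]@{ Branch = $key; Value = $value; Meaning = $meaning }
    }
}

function Backup-TSPolicyValue {
    # Renames the Policy-branch value to <name>.<yyyyMMdd.hhmmtt>, the naming used in
    # the post, so the tampered value is kept as evidence while the GUI becomes editable.
    if (-not (Test-Path $PolicyKey)) { return "No key at $PolicyKey; nothing to rename." }
    $existing = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $existing) { return "$ValueName is not present under $PolicyKey." }
    $backupName = '{0}.{1}' -f $ValueName, (Get-Date -Format 'yyyyMMdd.hhmmtt')
    Rename-ItemProperty -Path $PolicyKey -Name $ValueName -NewName $backupName
    return "Renamed $ValueName to $backupName under $PolicyKey."
}

Get-TSDenyState | Format-Table -AutoSize
Backup-TSPolicyValue
```

Run Get-TSDenyState first and keep its output with the incident notes. The rename only sticks if no Group Policy Object sets the same setting; if one does, the next policy refresh recreates the value, which is why the Group Policy check below matters.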

 

Group Policy

Connected to the Domain Controller and launched “Group Policy Object Editor” ( gpedit.msc ).

Policy Group :- “Local Computer Policy” \ “Computer Configuration” \ “Administrative Templates” \ “Terminal Services”

Item :- “Allow User to connect remotely using Terminal Services”

Image

Image – Terminal Services

Image – Terminal Services – Setting

Explanation

Reviewed “Allow User to connect remotely using Terminal Services” and confirmed it is not configured.

And, so we definitely know that TS is not being forced on us.

Auditing

Windows Firewall

Log – pfirewall.log

Image

Explanation

In the process of preparing this post we experienced active attacks against the default Remote Desktop port (3389).

Summary

It looks like the intruder accessed the registry and changed the registry entries mentioned above to 0.

In so doing they prevented us from being able to use the GUI to make a choice as to whether we want to allow Remote Desktop Connections.

The inability to re-configure whether TS connections are accepted was likely applied via the Registry’s Policy branch identified above.

 

References

  1. Server Fault
    • Difference between HKLM:\SOFTWARE\Policies\ and HKLM:\SYSTEM\CurrentControlSet\
      Link
  2. MSSQLServerTips.com
    • Troubleshooting Windows Remote Desktop Connection
      Link
  3. Windows Command Line
    • Enable remote desktop from command line (CMD)
      Link
  4. WinHelpOnline
    • “Allow users to remotely connect to this computer” Remote Desktop option is grayed out
      Link
  5. Tech Republic
    • Terminal Server 2003; not accepting connections
      Link
  6. ars technica
    • “Enable Remote Desktop” option greyed out
      Link

 

BFGuard – Day 2

Background

In this post we actually start BFGuard and try to connect to the host from other workstations.

 

Target OS

Here are the Windows OS that we will use for this exercise:

  1. Server
    • Windows Server 2012 R2
  2. Client
    • Windows Server 2012 R2
    • Windows 7

What we saw

BF Guard

BF Guard – Application

Scenario – After 1 failed Login

BF Guard – Application – Statistics

Explanation
  1. ip
    • Count :- 1
    • Date :- 2016-06-15 15:34:13
      • Time in GMT, not local time

 

Scenario – After Numerous failed Logins

BF Guard – Application – Statistics

Explanation
  1. ip
    • Count :- 7
    • Date :- 2016-06-15 16:47:18
      • Time in GMT, not local time

 

BF Guard – Application – Log entries

Explanation
  1. @ 2017-06-15 09:47:39
    • – Auto blocking IP: for: 54864000 minutes

 

BF Guard – Application – Blocked IP

Explanation
  1. IP Address
    • IP Address :-
    • From :- 2017-06-15 09:47:39
    • To :- 2017-06-15 10:47:39
    • City :- Blocked

 

OS – Windows

Windows Logs

Windows Logs – Security

Windows Logs – Security – Filter

Here we filter for “Audit Failure“.

Windows Logs – Security – Logs

And, here are the events captured.

 

Windows Logs – Security – Log – Detailed

Windows Logs – Security – Log – Detailed- Event ID = 4625
Image

 

Explanation
  1. Subject
    • Security SID :- NULL SID
      • Since the account we entered to log in with is not known to the targeted computer or Active Directory, we get “NULL SID”
    • Logon ID :- 0x0
      • Again, unknown Logon ID
  2. Logon Type
    • Our Logon Type is 3
      • Logon Type = 3
        • Network
  3. Account for which Logon Failed
    • Security SID :- NULL SID
    • Account Name :- bobsmith
    • Account Domain :- LAB
  4. Failure Information
    • Failure Reason :- unknown username or password
    • Status :- 0xC00006D
    • Sub Status :- 0xC0000064
  5. Process Information
    • Caller Process ID :- 0x0
      • Remote Caller Process is not known
    • Caller Process Name :-
      • Remote Caller Process is not known
  6. Network Information
    • Workstation Name :- ASTSQL01
    • Source Network Address :-
      • Network Address not passed in
    • Source Port :-
      • Network Port not passed in
  7. Detailed Authentication Information
    • Logon Process :- NtlmSsp
    • Authentication Package :- NTLM
  8. Summary
    • Log Name :- Security
    • Source :- Microsoft Windows security
    • Event ID:- 4625
    • Task Category :- Logon
    • Keywords :- Audit Failure
    • Computer :- Host attempted for logon

 

OS – Windows Firewall

Reviewed server’s Windows Firewall to see how it is configured for “Remote Desktop“.

 

Explanation

  1. Remote Desktop configured as:
    • Domain :- Yes
    • Home/Work :- Yes
    • Public :- No
    • Group Policy – Yes

 

Summary

Unfortunately, Windows was not able to capture the incoming IP Address.

BF Guard was thus unable to read the IP Address from the Windows Logs.

Because of this inability, it is not able to re-configure the local Windows Firewall and have it start blocking the Source IP Address.
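The Event ID 4625 walk-through above and the summary's point about the missing Source Network Address can both be checked in bulk. The following is an added example written for this post, not BFGuard's code or code from the original post; it pulls recent 4625 events, flattens the EventData fields named in the explanation, decodes the Sub Status, and flags events where Windows recorded no source address. Field names are the standard 4625 EventData names; the sub-status table is a constructed subset of well-known NTSTATUS codes.

```powershell
# Added example, not code from the original post or from BFGuard. Summarises 4625
# (logon failure) events and flags the ones that carry no source address.
function Get-FailedLogonSummary {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Well-known NTSTATUS sub-status codes in 4625; 0xC0000064 is the one in the post.
    $subStatusText = @{
        '0xC0000064' = 'user name does not exist'
        '0xC000006A' = 'wrong password'
        '0xC0000072' = 'account disabled'
        '0xC0000234' = 'account locked out'
    }
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # EventData is a list of <Data Name="...">value</Data> nodes; turn it into a hashtable.
        $d = @{}
        foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        # Normalise SubStatus to an upper-case 0x-prefixed 8-digit hex string.
        $raw = [string]$d.SubStatus
        $num = if ($raw -match '^0x') { [Convert]::ToInt64($raw.Substring(2), 16) } else { [int64]$raw }
        $sub = '0x{0:X8}' -f $num
        $sourceKnown = (-not [string]::IsNullOrWhiteSpace($d.IpAddress)) -and ($d.IpAddress -ne '-')
        [pscustomobject]@{
            Time          = $e.TimeCreated
            Account       = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            LogonType     = $d.LogonType
            SubStatus     = $sub
            Reason        = if ($subStatusText.ContainsKey($sub)) { $subStatusText[$sub] } else { 'other' }
            Workstation   = $d.WorkstationName
            SourceAddress = $d.IpAddress
            SourcePort    = $d.IpPort
            AuthPackage   = $d.AuthenticationPackageName
            SourceKnown   = $sourceKnown
        }
    }
}

# Usage: which sources are failing most, and how many failures carry no source address at all.
$failed = @(Get-FailedLogonSummary -Hours 24)
$failed | Group-Object SourceAddress | Sort-Object Count -Descending | Format-Table Count, Name
$unknown = @($failed | Where-Object { -not $_.SourceKnown }).Count
'{0} of {1} failed logons have no source address; a log-driven blocker cannot act on these.' -f $unknown, $failed.Count
```

When the SourceAddress column is empty or "-" for NTLM network logons, as in the event above, the Windows Firewall log (pfirewall.log) is the remaining place where the peer address is recorded, which is why the earlier post leans on it.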

 

Terminal Services / Max # of Connections

Background

This last weekend, I tried connecting to one of our Lab computers and got one of those messages stating that we have reached the maximum number of connections allowed.

TroubleShooting

Confirmation

Task Manager

As I happened to be physically close to the computers, I walked over and logged on at the console.

Launched Task Manager and confirmed that we indeed have ongoing sessions.

Image

Explanation

  1. In the screenshot above, yours truly is logged on from the console
  2. Whereas os and string are remotely connected

 

Remediation

Sessions

Thankfully, the connected sessions bore usernames that I was not familiar with.

And, so acquiescing to disconnecting them was easy.

Computer Management

Next in line is to disable the accounts.  As they were local and not Active Directory accounts, I launched Computer Management and disabled each of the ill-gotten accounts.

Image

Terminal Services

Registry

Next in line is to change the network port that Terminal Services is listening on.  As we all know, the default Terminal Services (TS) port is 3389.

Accessed Windows Registry and changed it to a previously unused port.

As we are really not able to simply restart Terminal Services for the change to take effect, rebooted the box.

Image
Image – Before

Image – After

Windows Firewall

New Port

Configured local Windows Firewall to allow incoming connections to the new port.

Logging

Re-enabled Windows Firewall logging for failed connections.

Plans

Windows Firewall

Rather than allow the whole internet access to the new network port, make a list of the Internet subnets that we usually connect from and allow those alone.
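The remediation steps above (move the listener off 3389, open the new port in Windows Firewall, re-enable logging) and this plan (allow only known source subnets) can be applied together from one script. The following is an added example written for this post, not code from the original post; it assumes a Windows 8 / Server 2012 or newer host, where the NetSecurity cmdlets exist (on 2003 the equivalent is netsh), and an elevated session. The port number and the subnet list are placeholders to replace with your own.

```powershell
# Added example, not code from the original post. Moves RDP to a new port, scopes the
# firewall rule to known source subnets, and turns dropped-packet logging back on.
$NewPort        = 53389                                     # hypothetical previously unused port
$AllowedSources = @('203.0.113.0/24', '198.51.100.0/24')    # constructed example ranges (RFC 5737)
$RdpListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Registry: PortNumber is a REG_DWORD; the listener only picks it up after a reboot.
Set-ItemProperty -Path $RdpListenerKey -Name 'PortNumber' -Value $NewPort -Type DWord

# 2. Firewall: allow the new port only from the listed sources, on Domain and Private profiles,
#    mirroring the Domain=Yes / Home-Work=Yes / Public=No configuration reviewed earlier.
New-NetFirewallRule -DisplayName "Remote Desktop (custom port $NewPort)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -RemoteAddress $AllowedSources -Profile Domain, Private -Action Allow

# 3. Stop accepting the old port from anywhere by disabling the built-in rule group.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# 4. Logging: record dropped packets so probes against the listener stay visible in pfirewall.log.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 16384

# 5. Verify what will be in force after the reboot, then reboot to apply the port change.
Get-NetFirewallRule -DisplayName "Remote Desktop (custom port $NewPort)" |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Restart-Computer -Confirm
```

Keep a console or out-of-band path available before rebooting: if the subnet list is wrong, the new rule locks you out along with everyone else. A changed port only reduces opportunistic scanning; the source scoping is what actually shrinks exposure.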

Network Firewall

Review our Network router and likewise tighten its network availability, as well.

Local Windows Accounts

Be more proactive about monitoring local Windows SAM Accounts.  Investigate whether we can be alerted when new ones are created.

Moral of the Story

The same ease you allow for your own usage is the ease with which passers-by can access your resources.

Microsoft – Windows – v2012 – Managing Remote Desktop Connections – Using Remote Desktop Connection Manager (RDCMan)

Background

As a quick follow-up to a previous post, “Technical: Microsoft – Windows – v2012 – Managing Remote Desktop Connections – Using Task Manager” (https://danieladeniji.wordpress.com/2014/04/30/technical-microsoft-windows-v2012-managing-remote-desktop-connections/), we wanted to identify a free Microsoft tool, “Remote Desktop Connection Manager” (RDCMan), as another pathway towards listing and managing remotely connected users.

Supported OSes

Windows XP, Windows 7, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows 2012.

The same binary works on the aforementioned OS versions.

Having said that, Windows XP and Windows Server 2003 users will have to upgrade their Remote Desktop client (mstsc) to version 6 or newer.

Download URL

The utility is available via http://www.microsoft.com/en-us/download/details.aspx?id=21101.  And, the current version is 2.2 and it has been available since 5/27/2010.

Install

Install the application and please pay attention to your install location.

Since the application is not part of the base OS and its install folder is not added to your path, you will have to supply its full path to run it from the command line.  Btw, the app name is rdcman.exe.

The Application is added to your Program Start Menu as “Remote Desktop Connection Manager”.

Pre TSClient Patch

On MS Windows XP \ Windows 2003, if you try to run the app without first upgrading your tsclient, you will get the error message pasted below:

Error Message

Textual:

Error Message Title:

RDCMan – Unable to initialize

Error Message Body:

RDCMan encountered an error during initialization.  There are likely causes for this: an incompatible version of mstscax.dll is registered or it is not registered at all.  Please see the help for details.

Image:

incompatibleversionofmstscax

Please access  Colek’s Blog posting – How to Fix RDCMan Problem: “Incompatible version of mstscax.dll” ( http://colekcolek.com/2012/03/23/fix-rdcman-problem-incompatible-version-mstscax-dll/ ) to read more about this error message.

Patch Download Links:

Version #

How do we get the version number of the Remote Desktop Client ( mstsc.exe )?

  • Launch Remote Desktop Client ( mstsc.exe )
  • Access the System Menu
  • From the System Menu, access the “About” option
  • And, you will see a screen similar to the one below

RemoteDesktopConnection-About
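The "About" dialog is one way to read the client version; the same check can be scripted before rolling RDCMan out to older hosts. The following is an added example written for this post, not RDCMan's code or code from the original post; it reports the file versions of mstsc.exe and mstscax.dll and whether the client is version 6 or newer. The ProgID used for the registration check (MsTscAx.MsTscAx) is an assumption about how the RDP ActiveX control is registered, not something the post states.

```powershell
# Added example, not code from the original post. Checks the Remote Desktop client
# version and the mstscax.dll registration that RDCMan's error message refers to.
function Test-RdcManPrerequisites {
    $sys32  = Join-Path $env:windir 'System32'
    $client = Get-Item (Join-Path $sys32 'mstsc.exe')   -ErrorAction SilentlyContinue
    $ax     = Get-Item (Join-Path $sys32 'mstscax.dll') -ErrorAction SilentlyContinue
    # Assumed ProgID of the RDP ActiveX control; its absence means mstscax.dll is not registered.
    $axRegistered = Test-Path 'Registry::HKEY_CLASSES_ROOT\MsTscAx.MsTscAx'

    [pscustomobject]@{
        MstscVersion   = if ($client) { $client.VersionInfo.ProductVersion } else { 'missing' }
        MstscAxVersion = if ($ax)     { $ax.VersionInfo.ProductVersion }     else { 'missing' }
        ClientIsV6Plus = [bool]($client -and $client.VersionInfo.FileMajorPart -ge 6)
        AxRegistered   = $axRegistered
        Ready          = [bool]($client -and $ax -and $client.VersionInfo.FileMajorPart -ge 6 -and $axRegistered)
    }
}

Test-RdcManPrerequisites | Format-List
```

Ready = False with ClientIsV6Plus = False is the XP / 2003 case above (install the newer client first); Ready = False with AxRegistered = False is the "not registered at all" branch of RDCMan's error message.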

Normal Use

To use, launch the application and create a new RDC Management Group by using the menu items “File”\”New”.

To add new servers, right click the appropriate Management Group, and choose the “Add Server” menu item.

To list sessions, right click on the server, and select “List Sessions”.

Sessions

References

Remote Desktop Client – Version #