Yojna Technosoft Pvt Ltd - Professional Web Hosting :: Dedicated Server Hosting, Linux Email Server with Qmail,Reseller Hosting, Linux Window FreeBSD Dedicated Web Hosting Company India

Virtual Hosting Shared Hosting Reseller Hosting Server co-location Remote Server Management Email Servers DD Web Servers

Antivirus / Spam Protection Email DD Server with Jabber Chat modules

Domain Name Reseller Domain Name Registration

Digital Certificates

Web sites Submission Web sites Reports

Live Support/ Open Ticket

It's a common scenario: your company has an IIS Web server sitting 300 miles away at a high-bandwith, air-conditioned and power-regulated co-location center. The network is stable and the price is right, but you must completely manage the server remotely; you can't just go sit down at the console whenever you want. Remote management presents several problems, the most obvious being that the traffic between you and the server is travelling across the public Internet, available for others to sniff. Another problem is that remote administration normally involves installing software and opening ports, both of which increase the attack surface of your server. The goal when selecting a remote administration solution is to make sure that you (and only you) can do your job without exposing the server to additional risk.

In particular, the concerns when administering a remote server are:

Access Control
Integrity
Confidentiality
Auditing

Access Control

Access control is making sure that only you can remotely administer the server. This means that the remote administration software should only accept connections from a small range of IP addresses and should prompt for a username and password. Access control can be further strengthened through the use of smart cards and client certificates. There are also obscurity techniques that may provide additional layers of protection such as using non-standard TCP ports or suppressing service banners.

Remote Management Methods

Although there are a variety of ways to remotely manage a Win2K server, not all products provide the security requirements listed above. But that doesn't mean we cannot use them. By combining different products we can come up with some very secure solutions that provide features we need to administer remotely.

Below are some examples of what can be done using built-in or third-party open source solutions. While there is no one best way to remotely administer a server, these are good examples of what can be done when combining solutions.

Auditing

Auditing is the ability to log all access to a server for later analysis. It is important to remember that a server could very well become a crime scene and it is essential that your remote access solution keep sufficient information about every connection to the server. Furthermore, the logs should be moved off the server itself to ensure their integrity.

Integrity

Integrity ensures that the data received by the server is the same data that you sent. You also want to be sure that a packet is authentic and cannot be replayed at a later time.

Confidentiality

Perhaps the greatest concern with remote administration is that sensitive data is travelling across a public network. Confidentiality ensures that this traffic cannot be intercepted and viewed by others. Confidentiality means using strong, accepted encryption algorithms with a sufficiently large encryption key.

Option 1: Terminal Services

Terminal Services is a built-in service in Windows 2000 that provides admins with a remote desktop for managing a server. Terminal Services is the most obvious way to remotely manage a server because it is built-in, easy to get running, uses built-in Windows accounts for authentication, and allows for strong encryption. But there are some limitations: there is no mechanism to limit access by IP address, it is not obvious how to change the default listening port, and it has no logging facility. Based on the list of requirements at the beginning of this article, Terminal Services alone does not score well on security.

Option 2: VNC On SSH

VNC is a remote desktop tool very similar to Terminal Services, providing remote desktop access to the server. There are, however, some key differences, such as:

VNC works with the existing desktop on the server rather than creating multiple virtual desktops;
VNC clients are available on many platforms, including Windows CE and Java;
VNC is open source;
VNC can restrict access by IP address; and,
Traffic between the client and server is not encrypted;

While VNC does have some benefits, it is not secure enough to use by itself. The most significant problem is the lack of encryption. But VNC traffic, like Terminal Services, can be tunnelled to make up for its shortcomings. In this case, we will match it up with SSH. OpenSSH is in concept similar to Zebedee but it is a much broader application that also allows for a remote command prompt, secure file copy (SCP), and secure FTP (SFTP). Like Zebedee, it can tunnel traffic over a single port; however, it is limited to TCP traffic. SSH supports strong public key encryption and is a widely-used protocol with strong user support.

Option 3: Windows over VPN

If you are on an all-Windows network, you may wish to simply use the built-in administrative tools to manage your server. For example, you may wish to map a drive to the server, and take advantage of the many Windows networking services available on Windows 2000. You certainly can accomplish this by opening up port 445 on the server's firewall and only allowing your IP address to connect to that port. However, all traffic between you and the server will not be encrypted and can be sniffed. Again, we must tunnel the traffic using another technology. In this case a good match is L2TP tunnelling using the built-in Windows VPN server and client.

To do this, you must enable the Routing and Remote Access, the Server, and the Workstation services. Next, open the Routing and Remote Access administrative tool and right-click on your server. Select the Configure and Enable Routing and Remote Access option and follow the instructions to create a new Virtual Private Network server.