Security Basics mailing list archives
RE: A different question RE: Windows Remote Desktop
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Fri, 16 Jan 2004 09:43:00 -0800
From my terminal server experience I encountered that 'type' of problem in the following situations. 1.) The program can't operate in a shared environment with multiple instances open. Some programs just can work under TS properly due to their use of static files, (INI's, config files, flat file db's, etc). Could you have another instance running on the box that is 'locking' a file needed to be written to by the new instance? 2.) Service packs/updates/hotfixes are more 'pronounced' in a TS environment and need to be looked at a lot more carefully. Even though you install them days ago some file operations are saved for when the system reboots, check your logs to see what updates were installed recently. 3.) Communication errors, excessive latency or dropped packets can mess up communication between the client and server and cause 'weird' TS error messages, usually (The server is too busy....). 4.) If it *is* a Terminal Services server and not a XP RDP box make sure you are licensed properly, TS-CALS are demoed for 90 days or so then become invalid, at which point you need to setup a licensing server and install some TS-CALS. 5.) Make sure you don't have any 'phantom' sessions still open. Set a timeout for disconnected sessions to ensure that they disappear. For my servers I set this high for admin purposes but if it's an end-user TS server I set this very low. 6.) Update your afflicted program or reinstall it, make *SURE* you are running the install/update using the Add/Remove Programs installation utility, no program on a TS server should be installed without using Add/Remove programs utility. 7.) Reinstall your NIC drivers and use a multi-homed server. Which seaming you're sniffing anyways you should be connected to a 'management' NIC and sniffing through another NIC. 8.) Double check permissions, TS for installed programs created 'shadow' copies of static files that the program writes, like configuration files or databases. These might be damaged/missing or have had their permissions removed/changed. 9.) When in Rome.... Remove TS->Reboot->Reinstall TS->Reboot->Reinstall Program (From Add/Remove pgms util)->Reboot. Shawn Jackson Systems Administrator Horizon USA 1190 Trademark Dr #107 Reno NV 89521 www.horizonusa.com Email: sjackson () horizonusa com Phone: (775) 858-2338 (800) 325-1199 x338 -----Original Message----- From: David Gillett [mailto:gillettdavid () fhda edu] Sent: Thursday, January 15, 2004 4:37 PM To: security-basics () securityfocus com Subject: A different question RE: Windows Remote Desktop We don't allow RDP to/from off-site locations, but we've been using it to allow a couple of folks to, from their office desktops, connect to strategically placed servers to sniff specific network segments. This worked fine from sometime in September until the Christmas/New Year's break, during which we had a scheduled power shutdown. Everything came back on after the shutdown, and most boxes involved have been rebooted individually since. But although sniffing still works fine from the server console, RDP clients get a general-purpose error message that seems to indicate that they don't have the necessary permissions, or there's some other kind of problem, with the adapter that connects to the sniffed segment. Since sniffing from the console works, we know it's not an adapter or port configuration issue, or a switch port issue. Since several privileged accounts, including Administrator, *can* sniff from the console but not from an RDP session, we're convinced it's not an account privileges issue. And since it worked before the power shut-down, we know it can be made to work. Has anyone who works more extensively with RDP seen anything similar? Or have you a useful theory that might help explain what we're seeing? Dave Gillett ------------------------------------------------------------------------ --- Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any course! All of our class sizes are guaranteed to be 10 students or less. We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, and many other technical hands on courses. Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off any course! ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any course! All of our class sizes are guaranteed to be 10 students or less. We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, and many other technical hands on courses. Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off any course! ----------------------------------------------------------------------------
Current thread:
- RE: A different question RE: Windows Remote Desktop Shawn Jackson (Jan 16)
- <Possible follow-ups>
- RE: A different question RE: Windows Remote Desktop Gunn, Jeff (Jan 16)