What Is Wrong With Terminal Services
What Is Wrong With Terminal ServicesWindows provides Terminal Services for remote admin, which MS claim is secure. This page was created to discuss people's reservations over it.
On another page it was claimed that Unix has robust, secure, built-in remote administration features (ssh, shell scripts)
The windows equivalent is Terminal Services.
A commentator wrote: Our security manager has major concerns about terminal services (and we're a 100% Windows shop). I don't think they count as secure (yet)
Why is it less secure than SSH? Dunno, not my specialism. I can ask. My suspicion is it will be implementation flaws more than inherent problems
Oh, it's obvious. Just look at the source code. ;)
WTS is not an equivalent to SSH. It is both more and less. SSH allows you to tunnel other services securely through a firewall, including (for example) mail, file transfers, HTTP, and so on. WTS gives you a remote desktop. It's more like X over SSH. Being modular, you don't need to display the desktop (and suck bandwidth) with ssh to read a file or access a database on the remote machine. WTS forces you to install all the tools that everybody might use to access/administer the server, on the server. As a modular solution for secure remote access WTS sucks, but that was never its intent. It's equivalent is more often X plus multi-user access to a server. Or just multi-user access to a server. Or just remote access to a server.
WTS is the 'graphical secure multi-user remote administration solution' for Windows because (a) you can't administer Windows without the desktop (b) PPTP turned out not to be secure (c) you couldn't get concurrent users without it until XP and (d) you needed to buy something like it (e.g. PC Anywhere) to do remote admin anyway. You really can't get away from the fact that it was bolted on.
Of course, Unix doesn't have a 'graphical secure multi-user remote administration solution'. No one's ever felt the need to stick all that in the one program, and most of it came out of the box anyway. Unix can be irritating the few times you want to pop the server side GUI up but I find myself doing this far less often than I would pop a CLI on a remote Windows box.
Neither situation is ideal, and everyone and their aunt is moving over to management console type products - a far more productive use of bandwidth than running your GUI on the server.
Historically, opaque products have been insecure due to a lack of critical oversight (the often hoped-for but never-achieved SecurityThroughObscurity). Microsoft has been repeatedly caught with its pants down, but I can't see them ever publishing the source-code of their products for review. Until then they will always be many steps behind.
EditText of this page
(last edited August 14, 2010)
or FindPage with title or text search