7.9 Remote Maintenance Services Countermeasures

  • Don't run Telnet services on publicly accessible devices. Cisco IOS, decent appliance servers, and operating platforms can run either SSH or OpenSSH (http://www.openssh.com) instead.

  • Make sure your remote maintenance services are resilient to brute-force password-guessing attacks. Ideally, this involves setting account lockout thresholds and enforcing a good password policy.

  • Don't run r-services (rsh, rexec, or rlogin) because they are vulnerable to spoofing attacks, use very weak authentication, and are plaintext protocols.

  • In secure environments, don't use services such as VNC because they have weak authentication, and determined attackers can compromise them. You should use Microsoft RDP and Citrix ICA services with Secure Sockets Layer (SSL) encryption to prevent sniffing and hijacking attacks.

  • Read the guide to hardening terminal services that's published by Microsoft (http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/part4/chapt-16.asp).

  • To improve authentication and completely negate brute-force attacks, use two-factor authentication mechanisms such as Secure Computing Safeword and RSA SecurID. These solutions aren't cheap, but they can be useful when authenticating administrative users accessing critical servers.
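
One way to check a Unix host against the Telnet and r-services items above, as an added example that is not part of the original text. It assumes a classic inetd.conf-format file (not xinetd); the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: list Telnet and r-services still enabled in an
# inetd.conf-format file. inetd refers to the r-services by their
# /etc/services names, so "rsh" never appears literally:
#   shell = rsh (514/tcp), login = rlogin (513/tcp), exec = rexec (512/tcp)

audit_inetd() {
    # Reads the file named in $1, or standard input when no file is given.
    # Prints one finding per enabled service; prints nothing for a clean file.
    awk '
        BEGIN {
            risky["telnet"] = "telnet"
            risky["shell"]  = "rsh"
            risky["login"]  = "rlogin"
            risky["exec"]   = "rexec"
        }
        /^[[:space:]]*#/ { next }   # commented-out entry: service is disabled
        NF < 6           { next }   # blank or incomplete entry
        # Fields: service socket-type protocol wait-flag user server-program [args]
        $1 in risky {
            printf "%s inetd-service=%s server=%s line=%d\n", risky[$1], $1, $6, NR
        }
    ' "$@"
}

sample_inetd_conf() {
    # Constructed sample, not taken from a real host.
    cat <<'EOF'
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
shell   stream  tcp  nowait  root  /usr/sbin/in.rshd     in.rshd
login   stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind
#exec   stream  tcp  nowait  root  /usr/sbin/in.rexecd   in.rexecd
EOF
}

# Demo run on the constructed sample: reports telnet, rsh and rlogin;
# rexec is commented out and ftp is outside this checklist.
sample_inetd_conf | audit_inetd
```

On a real host, pass the configuration file as the argument, for example audit_inetd /etc/inetd.conf; any output line is a service to comment out before restarting inetd.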