BPO Solutions
Staff Augmentation
Sales and Recruiting
Accounting Services
Remote Server Management
.::Remote Server Management

Remote management presents several problems, the most obvious being that the traffic between you and the server is travelling across the public Internet, available for others to sniff. Another problem is that remote administration normally involves installing software and opening ports, both of which increase the attack surface of your server. The goal when selecting a remote administration solution is to make sure that we can do your job without exposing the server to additional risk.

In particular, the concerns when administering a remote server are:

  • Access Control
  • Integrity
  • Confidentiality
  • Auditing

Access Control

Access control is making sure that only you can remotely administer the server. This means that the remote administration software should only accept connections from a small range of IP addresses and should prompt for a username and password. Access control can be further strengthened through the use of smart cards and client certificates. There are also obscurity techniques that may provide additional layers of protection such as using non-standard TCP ports or suppressing service banners.

Integrity

Integrity ensures that the data received by the server is the same data that you sent. You also want to be sure that a packet is authentic and cannot be replayed at a later time.

Confidentiality

Perhaps the greatest concern with remote administration is that sensitive data is traveling across a public network. Confidentiality ensures that this traffic cannot be intercepted and viewed by others. Confidentiality means using strong, accepted encryption algorithms with a sufficiently large encryption key.

Auditing

Auditing is the ability to log all access to a server for later analysis. It is important to remember that a server could very well become a crime scene and it is essential that your remote access solution keep sufficient information about every connection to the server. Furthermore, the logs should be moved off the server itself to ensure their integrity.

Remote Management Methods

Although there are a variety of ways to remotely manage a Win2K and Win2k3 server, not all products provide the security requirements listed above. But that doesn't mean we cannot use them. By combining different products we can come up with some very secure solutions that provide features we need to administer remotely. Below are some examples of what can be done using built-in or third-party open source solutions. While there is no one best way to remotely administer a server, these are good examples of what can be done when combining solutions.

Option 1: Terminal Services / Remote Desktop over VPN

Terminal Services is a built-in service in Windows 2000 and as Remote Desktop in Windows XP and Windows 2003 which provides admins with a remote desktop for managing a server. Terminal Services is the most obvious way to remotely manage a server because it is built-in, easy to get running, uses built-in Windows accounts for authentication and allows for strong encryption. We must tunnel the traffic using another technology. In this case a good match is L2TP tunneling using the built-in Windows VPN server and client.

Option 2: VNC On SSH

VNC is a remote desktop tool very similar to Terminal Services, providing remote desktop access to the server. There are, however, some key differences, such as :

  • VNC works with the existing desktop on the server rather than creating multiple virtual desktops
  • VNC clients are available on many platforms, including Windows CE and Java
  • VNC is open source
  • VNC can restrict access by IP address

Option 3: Windows over VPN

If you are on an all-Windows network, you may wish to simply use the built-in administrative tools to manage your server. For example, you may wish to map a drive to the server and take advantage of the many Windows networking services available on Windows 2000/2003. You certainly can accomplish this by opening up port 445 on the server's firewall and only allowing your IP address to connect to that port. However, all traffic between you and the server will not be encrypted and can be sniffed.

Again, we must tunnel the traffic using another technology. In this case a good match is L2TP tunnelling using the built-in Windows VPN server and client.

To do this,

  • You must enable the Routing and Remote Access, the Server and the Workstation services
  • Next, open the Routing and Remote Access administrative tool and right-click on your server
  • Select the Configure and Enable Routing and Remote Access option and follow the instructions to create a new Virtual Private Network server
  • Note that the VPN server will listen on TCP port 1723. If you do not wish for others to see this port open, it is important to restrict access to this port by only allowing a limited range of IP addresses to connect to it
  • On the client end, you must now create a new connection by right clicking on My Network Places and selecting Properties
  • From there, click on Make New Connection and select Connect to a Private Network through the Internet
  • Follow the prompts to configure the connection for your server
  • When finished, you will have a new icon for your VPN connection
  • Double-click on the icon and you will be prompted for a username and password to connect to the server


Once connected, you will have a new network connection, complete with a new IP address and that connects directly to the server just as if you had installed a new network adaptor and ran a cable directly to the server. The only difference is that this connection travels through an encrypted tunnel across the Internet.

As with any network connection, you should be sure to only allow the network protocols you need and you should consider using packet filtering. Keep in mind that this connection could allow an attacker to use your computer to get to your web server or use your web server to get to your internal network. Either way, you must consider the risks involved. Once connected through a VPN, you can map drives or manage the server as if it were connected to the local network. While this option does introduce considerable risks, it is by far the most convenient solution. If properly secured on both ends, this solution can be sufficiently secure for remote server management.

Remote Server Management & Monitoring activities include:

System Administration

Configure, manage and monitor system level services. Configure and manage operating system level security. Create and maintain file systems and directory structures. Create, modify and remove user accounts on servers. Management of remote server access as required. Provide administration support as needed for application software installations and upgrades.
 
Capacity Planning
Perform proactive system level capacity planning and performance tuning as required.

Hardware Maintenance
Remotely troubleshoot and resolve hardware problems Coordination of hardware & OS vendor maintenance and repairs for critical events.
 
Firmware Upgrades
Perform proactive hardware and firmware upgrades as required.

Patch Management
Apply patches and new versions as necessary for the operating system.

Daily Tape Backups
Manage system level backup & recovery procedures. Manage daily incremental and weekly full backups to tape or to client specifications.

24/7 Operational Support
Round the clock support for troubleshooting, escalation and resolution of hardware & O/S problems including access to trouble ticketing system is available.

Server Monitoring
Round the clock monitoring of all server platforms and operating systems for errors and alerts are available.

Automated Alert System
Paging and e-mail notification of alerts to pre-determined escalation contacts by monitoring system.

Customer Portal
Client access to a secure web accessible portal is given which provides reports and monitoring information for the hosted systems.
Copyright 2012 Digi Group Inc.