Secure RDP with WS2003 and Vista

Microsoft’s RDP protocol is used extensively around the world in many organisations as well as by SOHO and home users. Some people say it is fine from a security standpoint because it is encrypted – and yes, it is encrypted, BUT:

  • Server authentication – native RDP does not authenticate the terminal server to the client, so the client cannot verify that it is talking to the genuine server
  • Hacking tools such as TS Grinder/TSCrack can be used against it

To mitigate this weakness you can use TLS/SSL for RDP, which also raises the encryption level; in addition, Microsoft now supports FIPS-compliant encryption levels with Windows Server 2003 SP1/SP2, Windows XP SP2, Windows Vista and, when released, Windows Server Longhorn. You can also configure client computers with the trusted certificate so that they are the only devices allowed to connect.
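The settings described above live on the RDP-Tcp listener. The following PowerShell is an added example, not code from the original post: it audits the listener's security layer, minimum encryption level and bound certificate from the registry, and enforces TLS with the FIPS level. The registry key and value names are the documented ones for the RDP-Tcp WinStation; the function names and the value-meaning table in the comments are this example's own. UserAuthentication (Network Level Authentication) only exists from Vista onwards, so on Windows Server 2003 it reads as 0.

```powershell
# Added example (not from the original post): audit and enforce the RDP-Tcp
# listener's TLS and encryption settings on Windows Server 2003 / Vista.
# The values live under the RDP-Tcp WinStation key:
#   SecurityLayer          0 = RDP security layer, 1 = negotiate, 2 = TLS/SSL required
#   MinEncryptionLevel     1 = low, 2 = client compatible, 3 = high, 4 = FIPS compliant
#   UserAuthentication     1 = Network Level Authentication required (Vista/2008 onwards)
#   SSLCertificateSHA1Hash SHA-1 thumbprint (binary) of the certificate bound to the listener
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListenerSecurity {
    param([string]$KeyPath = $RdpTcpKey)
    $p = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $thumb = ''
    if ($p.SSLCertificateSHA1Hash) {
        # REG_BINARY comes back as byte[]; render it as the hex thumbprint certmgr shows
        $thumb = ($p.SSLCertificateSHA1Hash | ForEach-Object { $_.ToString('X2') }) -join ''
    }
    New-Object PSObject -Property @{
        SecurityLayer         = [int]$p.SecurityLayer        # a missing value reads as 0
        MinEncryptionLevel    = [int]$p.MinEncryptionLevel
        UserAuthentication    = [int]$p.UserAuthentication
        CertificateThumbprint = $thumb
    }
}

# $true only when TLS is enforced, the level is FIPS and a certificate is bound;
# each failed check is reported as a warning so the output explains itself.
function Test-RdpListenerHardened {
    param($Settings = (Get-RdpListenerSecurity))
    $ok = $true
    if ($Settings.SecurityLayer -ne 2) {
        Write-Warning 'SecurityLayer is not 2 (TLS/SSL): clients cannot verify the server identity'
        $ok = $false
    }
    if ($Settings.MinEncryptionLevel -lt 4) {
        Write-Warning 'MinEncryptionLevel is below 4 (FIPS compliant)'
        $ok = $false
    }
    if (-not $Settings.CertificateThumbprint) {
        Write-Warning 'No certificate is bound to the listener (SSLCertificateSHA1Hash is empty)'
        $ok = $false
    }
    return $ok
}

# Enforce TLS + FIPS and bind a server-authentication certificate that is
# already installed in LocalMachine\My. Run elevated; the listener reads these
# values at start-up, so reboot before trusting the new configuration.
function Set-RdpListenerTls {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,  # 40 hex chars, as shown by certmgr.msc
        [string]$KeyPath = $RdpTcpKey
    )
    $clean = $Thumbprint -replace '[^0-9A-Fa-f]', ''
    if ($clean.Length -ne 40) { throw "Thumbprint must be 40 hex characters, got '$Thumbprint'" }
    if (-not (Test-Path "Cert:\LocalMachine\My\$clean")) {
        throw "No certificate with thumbprint $clean in LocalMachine\My"
    }
    $bytes = [byte[]](0..19 | ForEach-Object { [Convert]::ToByte($clean.Substring($_ * 2, 2), 16) })
    Set-ItemProperty -Path $KeyPath -Name SecurityLayer          -Value 2 -Type DWord
    Set-ItemProperty -Path $KeyPath -Name MinEncryptionLevel     -Value 4 -Type DWord
    Set-ItemProperty -Path $KeyPath -Name SSLCertificateSHA1Hash -Value $bytes -Type Binary
}

# Usage:
#   Test-RdpListenerHardened                               # audit the local machine
#   Set-RdpListenerTls -Thumbprint '<certificate thumbprint>'   # then re-run the audit
```

Level 4 (FIPS) is only usable when the connecting clients support it, so run the audit on a test host and confirm the client you use can still connect before rolling the setting out; an RDP client that only speaks the native security layer will be refused once SecurityLayer is 2.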

Listed below are links for further research and step-by-step procedures, so you can start to implement this today!

Cipher.exe utility

With Windows XP, Windows Server 2003 and Windows Vista you can use the Cipher.exe command line tool to encrypt and decrypt files and folders. This is handy for scripts, and also a quick way to confirm that you really have encrypted something if you are a command line freak!

However, there is another, less well-known use that lies within Cipher.exe – the ability to overwrite data that you have deleted so that it cannot be recovered or accessed. See the examples below and a link to the MS KB page about this function.

To encrypt a folder use the following command with Cipher.exe:
E:\>cipher /E /S:e:\temp

To Decrypt this folder, use this syntax:
E:\>cipher /D /S:e:\temp

How to Use the Cipher Security Tool to Overwrite Deleted Data
To overwrite deleted data on a volume by using Cipher.exe, use the /w switch with the cipher command:
cipher /w:e:\temp
The above command causes all de-allocated space on drive E to be overwritten (the directory given only selects the volume).
Data that is not allocated to files or folders is overwritten, which permanently removes it.

Cipher syntax and switches:

CIPHER [/E | /D] [/S:directory] [/A] [/I] [/F] [/Q] [/H] [pathname [...]]

CIPHER /R:filename

CIPHER /W:directory

CIPHER /X[:efsfile] [filename]

/A Operates on files as well as directories. The encrypted file
could become decrypted when it is modified if the parent
directory is not encrypted. It is recommended that you encrypt
the file and the parent directory.
/D Decrypts the specified directories. Directories will be marked
so that files added afterward will not be encrypted.
/E Encrypts the specified directories. Directories will be marked
so that files added afterward will be encrypted.
/F Forces the encryption operation on all specified objects, even
those which are already encrypted. Already-encrypted objects
are skipped by default.
/H Displays files with the hidden or system attributes. These
files are omitted by default.
/I Continues performing the specified operation even after errors
have occurred. By default, CIPHER stops when an error is
encountered.
/K Creates new file encryption key for the user running CIPHER. If
this option is chosen, all the other options will be ignored.
/N This option only works with /U. This will prevent keys being
updated. This is used to find all the encrypted files on the
local drives.
/Q Reports only the most essential information.
/R Generates an EFS recovery agent key and certificate, then writes
them to a .PFX file (containing certificate and private key) and
a .CER file (containing only the certificate). An administrator
may add the contents of the .CER to the EFS recovery policy to
create the recovery agent for users, and import the .PFX to
recover individual files.
/S Performs the specified operation on directories in the given
directory and all subdirectories.
/U Tries to touch all the encrypted files on local drives. This will
update user’s file encryption key or recovery agent’s key to the
current ones if they are changed. This option does not work with
other options except /N.
/W Removes data from available unused disk space on the entire
volume. If this option is chosen, all other options are ignored.
The directory specified can be anywhere in a local volume. If it
is a mount point or points to a directory in another volume, the
data on that volume will be removed.
/X Backup EFS certificate and keys into file filename. If efsfile is
provided, the current user’s certificate(s) used to encrypt the
file will be backed up. Otherwise, the user’s current EFS
certificate and keys will be backed up.

directory A directory path.
filename A filename without extensions.
pathname Specifies a pattern, file or directory.
efsfile An encrypted file path.

Used without parameters, CIPHER displays the encryption state of
the current directory and any files it contains. You may use multiple
directory names and wildcards. You must put spaces between multiple
parameters.

Microsoft Support KB Article 814599
HOW TO: Use Cipher.exe to Overwrite Deleted Data in Windows Server 2003

Handy Netstat Commands

The Netstat command displays active connections, ports, IP routing table and much more. When running the command you can be overwhelmed by the output, especially on Unix/Linux based systems.

To filter out the noise, you can use certain syntax to provide only the results you want to see. For example I use the following to see only SMTP port 25 connections:

netstat -an -p TCP | find ":25"

To see what connections are coming from a specific IP address, say:

netstat -an -p TCP | find "<ip-address>"

On a Linux system you can simply use grep (note that on Linux -p means "show the owning program", not "protocol", so the TCP-only filter is -t instead), e.g.

netstat -ant | grep "<ip-address>"
netstat -atve
netstat -tulpn | grep :53

Here is the complete switch list from the Windows help file (the usual Windows netstat help output):
Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-t] [-v] [interval]

-a Displays all connections and listening ports.
-b Displays the executable involved in creating each connection or
listening port. In some cases well-known executables host
multiple independent components, and in these cases the
sequence of components involved in creating the connection
or listening port is displayed. In this case the executable
name is in [] at the bottom, on top is the component it called,
and so forth until TCP/IP was reached. Note that this option
can be time-consuming and will fail unless you have sufficient
permissions.
-e Displays Ethernet statistics. This may be combined with the -s
option.
-n Displays addresses and port numbers in numerical form.
-o Displays the owning process ID associated with each connection.
-p proto Shows connections for the protocol specified by proto; proto
may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s
option to display per-protocol statistics, proto may be any of:
IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are
shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
the -p option may be used to specify a subset of the default.
-t Displays the current connection offload state.
-v When used in conjunction with -b, will display sequence of
components involved in creating the connection or listening
port for all executables.
interval Redisplays selected statistics, pausing interval seconds
between each display. Press CTRL+C to stop redisplaying
statistics. If omitted, netstat will print the current
configuration information once.

PowerShell is a little different:

 netstat -a -n | find `"443`" 

To prevent PowerShell from stripping the double quotes, use the grave accent (`) to escape them. You can also use the --% stop-parsing token so that everything after it is passed to find unchanged:

 netstat -a -n | find --% "443"
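Piping netstat text through find works, but it has two rough edges the one-liners above do not show: the quoting rules differ between cmd and PowerShell, and a substring filter such as ":25" also matches ":250" and ":2525". The following PowerShell is an added example, not code from the original post: it parses netstat -ano output into objects so that ports and addresses can be compared exactly, and it includes a constructed sample of netstat output (the addresses and PIDs are made up for the example) so it can be tried without a live machine. The function names are this example's own.

```powershell
# Added example (not from the original post): parse "netstat -ano" output into
# objects so that filtering by port or address needs no quoting tricks with
# find.exe. The sample output below is constructed for the example.
$SampleNetstat = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1640
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1212
  TCP    10.0.0.5:25            203.0.113.7:51022      ESTABLISHED     1640
  TCP    10.0.0.5:2500          203.0.113.7:51030      ESTABLISHED     2044
  TCP    10.0.0.5:3389          198.51.100.9:49211     ESTABLISHED     1212
  TCP    [::]:135               [::]:0                 LISTENING       820
  UDP    0.0.0.0:123            *:*                                    1004
'@

function Split-Endpoint {
    # "10.0.0.5:3389" -> address and port; also handles "[::]:135" and "*:*"
    param([string]$Endpoint)
    $i = $Endpoint.LastIndexOf(':')
    $address = $Endpoint.Substring(0, $i)
    $port = $Endpoint.Substring($i + 1)
    if ($port -match '^\d+$') { $port = [int]$port } else { $port = 0 }   # "*" has no port
    return $address, $port
}

function ConvertFrom-NetstatOutput {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP') { continue }   # header and blank lines
        $local  = Split-Endpoint $f[1]
        $remote = Split-Endpoint $f[2]
        # UDP rows have no State column, so the PID shifts one field to the left
        if ($f[0] -eq 'TCP') { $state = $f[3]; $procId = $f[4] } else { $state = ''; $procId = $f[3] }
        New-Object PSObject -Property @{
            Proto = $f[0]; LocalAddress = $local[0]; LocalPort = $local[1]
            RemoteAddress = $remote[0]; RemotePort = $remote[1]
            State = $state; ProcessId = [int]$procId
        }
    }
}

# Exact-port equivalent of the page's  netstat -an -p TCP | find ":25"
function Get-ConnectionsByPort {
    param([int]$Port, [string[]]$Lines = (& netstat.exe -ano))
    ConvertFrom-NetstatOutput $Lines | Where-Object { $_.LocalPort -eq $Port -or $_.RemotePort -eq $Port }
}

# Exact-address equivalent of  netstat -an -p TCP | find "<ip-address>"
function Get-ConnectionsFromAddress {
    param([string]$Address, [string[]]$Lines = (& netstat.exe -ano))
    ConvertFrom-NetstatOutput $Lines | Where-Object { $_.RemoteAddress -eq $Address }
}

# Usage against the constructed sample (drop -Lines to query the live machine).
# Port 25 returns the listener and the one established SMTP session, not the :2500 row.
$lines = $SampleNetstat -split "`r?`n"
Get-ConnectionsByPort -Port 25 -Lines $lines |
    Format-Table Proto, LocalAddress, LocalPort, RemoteAddress, RemotePort, State, ProcessId
Get-ConnectionsFromAddress -Address '198.51.100.9' -Lines $lines | Format-Table
```

Because the objects carry the owning process ID, the result can be joined to Get-Process to name the program behind an unexpected listener, which is the same information netstat -b gives but without the permission and time cost noted in the help text above.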