Add a secure GUI to your locked-down Web server

In "Hardening an IIS 4.0 Web Server," October 2001, InstantDoc ID 22282, I explain how to remove services from a Windows NT Server 4.0 system running IIS 4.0 to protect the system from attacks. I also recommend using the Secure Shell (SSH) protocol to communicate with the server. Now, I want to tell you about AT&T Laboratories Cambridge's Virtual Network Computing (VNC), a graphical desktop program that can run on top of SSH to provide secure, remote management of your Web server.

You can also use VNC over SSH with a Windows 2000 Server system running IIS 5.0, but most people will want the better performance and integration of Win2K's bundled RDP and Win2K Server Terminal Services. (Keep in mind, though, that RDP hasn't gone through the intensive peer review that SSH has and therefore might have undiscovered security exposures.)

Installing VNC
VNC is a free GUI program that allows full access to a remote server's console. VNC client and server programs are available for most popular computer architectures. VNC by itself isn't secure: All its communications are in plaintext, and it uses only a weak form of encryption to protect passwords stored in the registry. However, you can tunnel VNC through the more secure SSH protocol, which encrypts all information that goes over the wire and uses its strong authentication model and usernames and passwords that the Windows server provides. For more information about SSH authentication, see the SSH FAQ at http://www.employees.org/~satch/ssh/faq/ssh-faq.html.

Start by downloading VNC 3.3.3.r 9 (the current version) from http://www.uk.research.att.com/vnc. This version works on Win2K, NT, and Windows 9x platforms, as well as on Linux, Solaris, and Mac OS. When you extract the downloaded file, it creates two subdirectories: vncviewer, which contains the client software, and winvnc, which contains the server software. In the winvnc directory, double-click setup.exe to install both the client and server software. After setup has finished, open the VNC program group, which Figure 1 shows, and double-click Run WinVNC (App Mode). At the WinVNC: Current User Properties dialog box, which Figure 2 shows, enter a password for the console sessions and click Apply. In the future, you can click Show User Settings in the VNC program group to open this dialog box.

To set up VNC as a service that runs whenever the server starts, click Administrative Tools in the VNC program group. In the resulting program group, which Figure 3 shows, click Install Default Registry Settings, then click Install WinVNC Service. Start the service and set a password when prompted. Before you continue to the next step, connect from a client to your newly installed server to verify that VNC works.

Next, you need to change VNC to allow only local connections to ensure that VNC will work only through the SSH pipe. After you make this change, you won't be able to use VNC until after you install SSH. Run regedt32.exe and go to the HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3 registry subkey. Add the subkey AllowLoopback with the data type REG_DWORD and a hexadecimal value of 1. Then, add the subkey LoopbackOnly with the data type REG_DWORD and a hex value of 1. The first added subkey allows local loopback connections; the second disables all connections other than loopback. Figure 4 shows the HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3 subkey with the added subkeys. These registry additions are important because they prevent plaintext VNC traffic and because without them, anyone with a VNC client can access your server. You can download a .reg file that has these settings from the Code Library at http://www.windowswebsolutions.com. After you download the file, click it to install the two subkeys.

Installing SSH and Connecting
Next, install one of the many available versions of SSH for NT Server. I recommend SSH Communications Security's SSH Secure Shell for Windows Servers ($565) or VanDyke Software's Vshell ($249). Several freeware versions of SSH for NT Server are also available. I describe how to install one of them—sshdnt.zip—in "Hardening an IIS 4.0 Web Server."

After you have an SSH daemon running on the NT host, you need to download and install an SSH client on your client machine. Many clients are available, but I recommend SSH Secure Shell for Workstations ($99), which runs on Win2K, NT, and Win9x. For a list of clients, including freeware clients, go to http://www.ece.nwu.edu/~mack23/ssh-clients.html. After installing a client, you can establish an SSH connection and issue a command on the remote Web server. For example, if you're using SSH Secure Shell for Workstations, you can open a command prompt and type

ssh2.exe -L 5901:127.0.0.1:5900
  <username>@<servername>
  <command>

In this command, 5901 represents the TCP port that VNC uses (i.e., TCP port 5900) plus 01, which is the display number for a Windows client machine. The remote server's IP address is 127.0.0.1. The VNC TCP port is 5900 plus 00, which is the display number for a Windows server. Username is your username, servername is the Fully Qualified Domain Name (FQDN) or IP address of the remote server, and command is some command that you want to perform on the server. Web Figure 1 and Web Figure 2 (http://www.windowswebsolutions.com, InstantDoc ID 24839) show sample output of this command on the client and on the server, respectively, when the server is in debug mode and the command is successful. This command does a couple of things. First, it establishes an SSH connection between the client and the server. Second, it creates a dummy server on the client machine that listens on the VNC port and tunnels all connections to that port through the SSH connection.

You can now click Run VNCviewer in the VNC program group to start the VNC client. Type

localhost:1

to connect to your server, as Figure 5 shows, and click OK. If you can supply the VNC password, you can view and control the server. Your SSH tunnel will intercept all connections at the local VNC port and channel them to the remote server. The remote server will think the connection is local and allow it.

You now have remote GUI console access from your workstation to an NT Server system. And you can feel confident that the access is secure because it uses the strong authentication and encryption for which SSH is known.