Saturday, November 6, 2010

PKI authentication and legacy web application

One of the most secure ways of user authentication is PKI-based authentication. A lot of modern systems support this method, and almost everything works nicely and smoothly (the exceptions are covered in my next post). But, as usual, in a real big enterprise you have a dilemma: you need the strongest authentication, but you have a lot of legacy systems (or it takes ages to get the vendor to change the authentication method).
The best way (IMHO) to resolve this problem is mutual SSL with client certificates.
SSL terminates on a reverse proxy server in front of your Business Application Server, inside the high-security network zone. So, here is the scheme:

It looks really easy, doesn't it?
How it works:
1. Each user has their own certificate and private key. It can be located on a smart card, a token or inside the OS key storage.
2. The user's browser must be configured to use this certificate for authentication (it's easy: just import it into the browser or point the browser at the OS key storage).
3. The user connects to the reverse proxy server (the SSL termination point) to get access to the Business Application Server.

4. The reverse proxy server checks the validity of the user's certificate and some of its fields (if you need to restrict access to only some user groups), such as OU, CN or "extended key usage", and establishes the mutual SSL connection.
5. The reverse proxy server offloads SSL and makes a direct connection over HTTP (or a non-mutual SSL connection) to your business application server.
6. The business application server authenticates the user and authorises them by the user/password pair.

The key point of this scheme is the reverse proxy server with the SSL offloading feature (maybe a better name for it is Secure Application Gateway).
What do these servers look like?
1. Open source:
Any *nix + Apache web server with mod_proxy and mod_ssl + some changes in the Apache config for certificate verification.
2. A load balancer or web application firewall from your favourite vendor. I have tested this on F5 BigIP and everything works perfectly.
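As an added example (not from the original post), here is an Apache 2.2 configuration for the open-source variant of the gateway: mod_ssl terminates mutual SSL, accepts only certificates issued by the corporate CA and not on its CRL, restricts access by the OU field, hands the certificate CN to the backend in a request header and logs it per request, and mod_proxy forwards the traffic over plain HTTP into the secure zone. The certificate and CA paths, the server name gateway.example.com, the backend app.internal:8080 and the OU value "Operations" are assumed placeholders. The same header is one way to get the wiki single sign-on by user CN mentioned in the "Building the SOC" post further down: the wiki takes its login name from the header set by the gateway instead of asking for a password.

```apache
# Added example (not from the original post): Apache 2.2 "Secure Application Gateway".
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.
# Assumed: certificate/key/CA paths, the server name, the backend app.internal:8080
# and the allowed OU value "Operations" are placeholders for your environment.
Listen 443
<VirtualHost *:443>
    ServerName gateway.example.com

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile    /etc/apache2/ssl/gateway.crt
    SSLCertificateKeyFile /etc/apache2/ssl/gateway.key

    # Trust only the corporate CA that issues user certificates,
    # and honour its CRL so revoked (lost, stolen) cards are rejected.
    SSLCACertificateFile  /etc/apache2/ssl/corp-ca.pem
    SSLCARevocationFile   /etc/apache2/ssl/corp-ca.crl

    # Mutual SSL: every client must present a valid certificate chaining to that CA.
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Export certificate fields (SSL_CLIENT_S_DN_*) as environment variables
    # so they can be used in access rules, headers and logs.
    SSLOptions +StdEnvVars

    <Location />
        SSLRequireSSL
        # Restrict access to one user group by the OU field of the subject DN.
        # (Restriction by extended key usage is not shown here.)
        SSLRequire %{SSL_CLIENT_S_DN_OU} eq "Operations"
    </Location>

    # Hand the verified identity to the legacy application. "set" overwrites any
    # X-Client-CN header a client may have sent, so it cannot be spoofed from outside.
    # A wiki behind the same gateway can take its login name from this header (SSO by CN).
    RequestHeader set X-Client-CN "%{SSL_CLIENT_S_DN_CN}e"

    # SSL offloading: forward to the business application over plain HTTP
    # inside the secure zone. ProxyRequests Off keeps this a reverse proxy only.
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass        / http://app.internal:8080/
    ProxyPassReverse / http://app.internal:8080/

    # Per-request log carrying the certificate CN: who did what, recorded at the gateway.
    LogFormat "%h %{SSL_CLIENT_S_DN_CN}x %t \"%r\" %>s %b" gateway
    CustomLog /var/log/apache2/gateway_access.log gateway
</VirtualHost>
```

The backend must accept connections only from the gateway (firewall or host ACL), otherwise anyone inside the zone could send a forged X-Client-CN header straight to it.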

Almost forgot. Implementing this scheme gives you a lot of possibilities for logging users' web requests, so you can easily monitor users' activity within the business application server.

That's all folks. Stay secure.

Monday, October 18, 2010

using smart card for standalone management station security

Dedicated stand-alone management workstations are frequently used to control automated equipment (telco systems, smart devices, etc.) and are part of the vendor's solution. Usually these stations run on Windows, and the vendor does not recommend connecting them to the domain, or it cannot be done (or is not recommended) for some technical reasons.
Very often these management nodes control the company's mission-critical equipment, so password protection is not enough for real security. For better security you must use two-factor authentication. I prefer to use a smart card. The problem is that normally Windows does not support smart card authentication on a stand-alone workstation. But there is a trick: you can use the smart card to store the Windows password on it. In this case your smart card vendor must provide a custom logon GINA. In my case ActivIdentity provided me this GINA and all the necessary software. So, what has been done:
1. Created a list of management nodes.
2. Installed smart card drivers and software on each node.
3. Created an account for each technician and stored it on the smart card. (Hint: the password must be randomly generated, or created manually by two persons who each know only a part of the whole password.)
4. Prohibited users from changing the password manually.
5. If you would like to secure even the physical network connection of the node, add 802.1x support based on smart card certificates (but it's a bit more tricky).

Moreover, using this scheme you can create a highly secure management node for emergency direct access to your mission-critical systems (bypassing terminal servers, firewalls or switches).

Friday, September 10, 2010

Multiboot USB Flash drive

Summer's over, so I'm back (again).

Let's start with a small trick. If you are a security guy (I hope you are) you definitely need to have a hell of a lot of different live OSes. Sure thing, you can carry a lot of boot CDs, DVDs or flash drives with you. But what about one flash disk with multiple different live OSes on it? Moreover, they start from .iso files on the flash drive! Very useful!
So, here are the steps to create this flash drive.
1. Partition your flash disk. Normally your flash drive is in superfloppy mode with no partition on it.
You can't partition your flash disk with the standard Windows format tool. For this purpose use the HP USB Format Tool on Windows or Disk Utility on Mac OS.
2. Now you have two options:
- use the Multiboot USB program on Windows and install everything using the GUI. In this case just choose which Linux you wish to install from the list of preconfigured options.
- use the GRUB4DOS project (Multiboot USB is based on it too) and do the same manually.

In my case I've got BackTrack 4, Ubuntu NR, Ophcrack XP, Ultimate Boot CD and Offline NT Password Remover on a 4 GB flash disk.

Tuesday, July 6, 2010

Security Incident Report

Hi All,
According to a lot of information security standards you must write a special report when a security incident occurs.
Having a well-designed template for this purpose will save you time and simplify the process of security event registration.
For this purpose I propose two self-made templates, in English and in Russian:

English version

Security incident Report #04.01.08_email

First time detected: 05.12.2007
Second time detected: 04.01.2008

Internal e-mail message found in a foreign e-mail box.

Result of investigation:

This situation occurs when a user chooses an account ……

Scope of vulnerability:
All corporate e-document flow solutions based on Lotus.

Security risk: Low
Description: a foreign user can obtain only the notification, without any confidential information.

Ways to fix:
1st way - block all e-mails from local user going
Responsible: it could be done by a system administrator from the IT department.
Current status: Not done. Reason: possible problems with e-mail system stability.

2nd way - change the whole e-document flow notification mechanism.
Responsible: IT department.
Current status: Not done. Reason: impossible with the built-in e-document flow mechanism.

Investigation process:


Head of IT security group ___________ Smith J.
IT security group investigator ___________ McDonald D.
Head of IT _________ Watson H.

Russian version (translated into English):

Security incident Report #28.05.08_Taburetka

27 May 2008

Brief description:
Attempts to send spam.

Results of investigation:
A wide range of active spyware and malware present on the employee's workstation
High probability that the server segment is infected

Potentially vulnerable systems:
The Taburetka system

Security risk level: High
Description: there is a high probability that the server segment of the Taburetka system has been infected.
This may lead both to incorrect operation of the system and to leakage of confidential data.
Other information systems of the company are also at risk of infection.

Possible methods of containment and remediation.
Regular updating and full scanning of all employee workstations with anti-virus software

Scanning the server segment of the Taburetka system for spyware and malware.
Risk: a serious drop in performance during the scan.

Installation of server anti-virus software and updates on the servers.

Review and reduction of employees' access rights and privileges on the Taburetka system and other information systems.

Investigation process:


Head of IT security group ___________ Petro Z.E.

IT security group specialist ___________ Vetrov E.M.

Administrator of the Taburetka system _________ Ivanov G.P.

Stay secured!

Tuesday, May 25, 2010

Building the SOC

To run a Security Operations Center in your company you must create processes, write procedures, hire staff, etc. All these steps are well described in thousands of documents.
But what about the technical components of a SOC?
1. Video wall
Sure thing, you need it for security event visibility. It can be an LCD, a plasma screen or just a projector.
Usually you have more than 5 different security management programs (1-2 SIEMs, IDS management, system logs, etc.), so you need a way to show all of them on the display. You can't tile one display with all these windows: there isn't enough resolution for such a huge amount of information.
I recommend a very simple Windows Script Host script, written by a friend of mine, Roma Lazaruk, to switch between programs:
var WshShell = WScript.CreateObject("WScript.Shell");
// PIDs of the programs to cycle through on the video wall (constructed values; put your own here)
var pids = [1234, 5678, 9012];
var KL = true;

while (KL) {
    for (var i = 0; i < pids.length; i++) {
        WshShell.AppActivate(pids[i]);   // bring this process's window to the foreground
        WScript.Sleep(30000);            // visibility interval, 30 seconds
    }
    // start notepad.exe to stop the script
    if (WshShell.AppActivate("notepad")) {
        KL = false;
    }
}
It gives you the possibility to see and read all security information on the video wall and to adjust the visibility interval between programs. The script activates programs by PID (so it can switch between different processes with the same name, such as browser windows), and you must run notepad.exe to stop it.
2. Knowledge base.
Sharing knowledge between team members saves your time, increases team productivity and protects you from the personnel turnover problem.
Sure thing, the best engine for a knowledge base is a wiki. Moreover, you can create a really secure knowledge base based on mutual SSL authentication with certificates on smart cards and wiki single sign-on (SSO) by user CN. For your convenience Andrey Dugin wrote a wonderful article about this!

Friday, May 14, 2010

File encryption with smart card for rookies

Let's talk about smart cards and file encryption. Your company, or just you, got a smart card. You would like to use it on a stand-alone computer (a domain infrastructure gives you a lot more features). From my point of view there are two best solutions for this:

1st: use the wonderful and powerful tool TrueCrypt, which has been recommended by Bruce Schneier.

As a first step you must point TrueCrypt to the PKCS#11 library (usually you get it from the vendor).
Note: on a 64-bit platform you must point it to the x86 DLLs.

The second step is to go to Settings / Key files and choose the Add Token Files option.
You will be asked for the PIN of your smart card (it must already be inserted).

If you don't have this key file yet (which is normal for the first use of a smart card) you should generate it as the next step by pressing "Import new key file".

After that, modify some preferences for better security:
- start TrueCrypt in the background
- enable all auto-dismount options and set the idle time-out to 20 min.
- enable the wipe cache option for extra security
Note: do not enable the auto-mount option; it requires a password even when a key file is used.
For user convenience add the encrypted disk to favourites and assign hot keys for mounting and unmounting it.
Everything seems to be nice except for some security issues:
1. TrueCrypt creates the key file and stores it on the smart card file system as a file protected by the PIN. It means that spyware could pull this key file from the smart card in the background if the user provides the PIN for it. (I haven't seen such a program yet, but such a key and PIN "phishing" attack is possible.)
2. The user must mount the disk before use and unmount it after.
3. If the user loses the smart card it's impossible to restore the data. But there is a solution for this: the security officer can use a second smart card to store a copy of the user's encryption key file and keep this backup card (like a mini HSM) in a safe place.

2nd: a solution provided to you by Microsoft for free (there's no such thing as a free lunch :-)) in Windows Vista and Windows 7.
Both of these operating systems support using a smart card for EFS file encryption out of the box.
(It is possible to use this feature in Windows XP, but only in a domain configuration with smart card logon.)

Before enabling it you must somehow generate a certificate and import it onto your smart card.
For this purpose I use a nice CA based on OpenSSL. (This CA with a lot of features has been developed by a friend of mine, Gorthaur, and I hope he will write a nice article about it soon.)

The first step is choosing your certificate for future file encryption.

Then you should create a folder and enable encryption on it.

At first look that's enough and everything works perfectly, but in an absolutely insecure manner.
You will see it when you take the card out of the reader. You can still decrypt and encrypt your files without the smart card, and even after locking and unlocking the PC. I'm dead sure that it's absolutely insecure!
So, let's add more security! Type gpedit.msc and go to the Encrypting File System properties.
Here we have two main options:
- use a cacheable symmetric key (a symmetric key is derived from the user's private key and cached in protected memory). It gives you more performance and you don't need to keep the smart card in the reader all the time.
- use a non-cached mode. It requires keeping the smart card in the reader all the time.

I prefer the cached mode with a short caching time (5 min; the Windows default is 480 min!!!!) and clearing the cache when the user locks the station. I think it's a good compromise between performance and security.
Don't forget to run gpupdate /force and enjoy it.

If you try to write to the encrypted area without the smart card inserted (and after the key cache period has expired) you will get the messages below.

This is the message you will get if you try to read files in the encrypted area without the smart card and after the cached key has expired:
Do not forget to type the PIN when you insert the smart card back! The PIN request window is located in the system notification area and it's really small. Do not miss it!
That's all, rookies. Stay secured!

Saturday, May 8, 2010

Getting windows security or system event log remotely

How do you get Windows event log information from a remote computer?
Sure thing, you can install the really cool logging tool Snare to send these logs over the syslog protocol to the central log host.
But what would you do if there is no possibility to install any application on these computers?
Here is a very simple VBScript for collecting these log files from a remote computer.
' Remote host to collect from (left empty on the original page; set it to the target host name)
strComputer = ""
Set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
' Connect to the remote WMI namespace with a dedicated (non-admin) collection account
Set objWMIService = objWMILocator.ConnectServer(strComputer, "root\cimv2", "User_name", "Password")
objWMIService.Security_.ImpersonationLevel = 3   ' wbemImpersonationLevelImpersonate
' BackupEventLog needs the backup privilege enabled for this connection
objWMIService.Security_.Privileges.AddAsString "SeBackupPrivilege", True
Set colLogFiles = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='Security'")
For Each objLogFile in colLogFiles
    Wscript.Echo objLogFile.NumberOfRecords
    ' Back up the log to the file share on the collection host (UNC path truncated on the original page)
    errBackupLog = objLogFile.BackupEventLog("\\\Security.evt")
    If errBackupLog <> 0 Then
        Wscript.Echo "The Security event log could not be backed up."
        Wscript.Echo errBackupLog
    End If
Next

This script uses the WMI mechanism and should run from the log collection host, which has a file share on it for saving the log files. You must have an account on the host from which you want to get the logs. It shouldn't be a user with admin privileges: just give it the backup permission and grant it access to the WMI namespaces.
For parsing these logs you can use an old MS tool, Log Parser.

Thursday, April 29, 2010

Be careful with Free WiFi

Recently my colleagues and I visited Moscow on business.
When we got tired we found a nice cafe (the Coffee House chain) with free WiFi from Beeline.
It was really nice, but only at first look. We easily got an internet connection, typed in an address and... got a warning that Google uses a self-signed SSL certificate from Beeline!
When we tried to point to other sites over https we got exactly the same message.
So, please note that free WiFi providers have started using some kind of proxies (there are a lot of them) with https monitoring features enabled (by the man-in-the-middle technique).

Stay secured!

Monday, April 19, 2010

security asceticism - getting list of subdomains

Hi folks.
During the first step of a security audit you need to get a list of all sub-domains for a company domain name. How can we do it?
1. If the target corporate DNS server supports zone transfer (a security problem in itself) it's easy:
#dig nameserver domainname axfr
#host -l domainname
2. DNS brute forcers: as with any brute-force attack, it takes a lot of time and it's always dirty work.
3. My favourite way, sure thing, is using Google:
Just do a simple request
So, if Google has already indexed these domains you will find them in the list!
Sure thing, it works only with domains that have web servers on them.

Monday, April 5, 2010

Big Brother watching you or mobile phone security issues

Let's talk about mobile phone security. You are a well-qualified security specialist and never install suspicious applications on your handset, so you think you are secure? Have you heard about OMA-DM technology?
OMA-DM stands for Open Mobile Alliance Device Management. Within Open Mobile Alliance Device Management the standard for handset firmware updates is known as the Firmware Update Management Object (FUMO). This standard enables Firmware Over the Air (FOTA) technology. How it works: here you can find a short description. But it was only the first step of implementing such technology on the market.
The second step is SCOMO, the Software Component Management Object standard, which enables Software Component Over the Air (SCOTA) technology. This technology was created for more granular and flexible management of each software component. With SCOTA, one or more pieces of software can be changed without updating the whole handset firmware. SCOTA is the best way to create phone application stores, so consumers can have access to the latest applications without needing to replace devices.
The most interesting thing is that all these technologies use http/https over IP and the XML data format.
Sounds cool, doesn't it? But let's turn on our paranoia:
1. These technologies allow vendors, mobile or value-added service providers (but not only them) to install or delete any application or data on your mobile phone.
2. This technology uses a centralized management model, so from one management center it's possible to legally control a huge botnet of mobile phones.
3. This technology could allow (or could already be used by) a government to spy on citizens.
4. These system components could be penetrated by some "bad guys" and used for stealing your data or spying on you.

Talking about the overall OMA-DM security concept, I've found only the OMA Device Management Security Candidate Version 1.2 document. According to it, the OMA-DM protocol uses two levels of authentication: on the transport layer (TLS 1.0 or SSL 3.0 is recommended) and on the application layer (OMA-DM uses MD5!).
Some useful information for Windows-based smartphones can be found on the MSDN web site:

How many phones support these technologies? There are two types of OMA-DM support: OMA-DM-ready terminals (the software client is already built in) and terminals that need an OMA-DM client to be installed by the user to enable OMA-DM support. Some useful but a bit old information can be found here.

Big Brother is watching you! Stay secured!

Sunday, April 4, 2010

How to see unseen

If I say that you 100% have a lot of infrared cameras at home you probably will not trust me.
So, let's test it! As an infrared light source we are going to use a remote control.
First test: a Samsung Corby mobile phone:

Second test: the built-in web camera of a MacBook laptop.

How is it possible? The sensor in your camera (CCD or CMOS) is sensitive to infrared. A CMOS sensor is more sensitive in the near infrared than a CCD sensor, but both of them work well with an infrared projector (which can be made from infrared light-emitting diodes). Usually vendors install an IR cut filter in front of the sensor, so if you remove it (for a lot of camera models it's really easy) you get the possibility to make cool IR photos.

How can we use it? For fun, as a very simple night vision system, or even as a kind of x-ray system for some materials that are transparent in IR light (some types of paper, synthetics, etc.).

Saturday, March 27, 2010

Security configuration guides

When auditors visit your company to check the overall information security level they usually shower you with questions about the vulnerability and patch management processes. And if you don't have one of these processes well established, I'm dead sure you will get a serious deficiency in the audit results.
But what about the system hardening process (it could be part of configuration management)? Do you have such a process established? Do you have security configuration standards for all your OSes, DBs and applications well developed and updated? If you start doing this from scratch you are going to waste a hell of a lot of time. To save your time I propose a list of links to well-known libraries of security configuration guides:
  1. USA National Security Agency (NSA) - Security Configuration Guides
  2. USA National Institute of Standards and Technology (NIST) - National Checklist Program Repository
  3. USA Defense Information Systems Agency (DISA) - Security Technical Implementation Guides (STIGs)
  4. Community: the Center for Internet Security (CIS) - CIS Benchmarks
Sure thing, you can find a lot of such guides on vendors' websites:
  1. Apple Mac OS X Security Configuration Guide
  2. Microsoft Security Configuration Guides and Wizards
  3. Apache community Security Tips
  4. Cisco IOS Security Configuration Guide
  5. Debian Linux Securing Debian Manual
Automated hardening tools:
So, use them and stay secured!

PS. If you have more links and guides, please add them in the comments.

I'll start myself:
An old general Unix security checklist

Saturday, March 13, 2010

Using Google Alert for information security

So, we have spent a hell of a lot of time and money installing different systems, but how can we be sure that everything was done well? One morning you may find out that the top news today is: your company has been hacked! I think you must get the worst news first. For this purpose you could write your own web robot, but from my point of view the simplest way is the Google Alerts service. How can we use it?
Create a search pattern like " my_company_name hacked OR compromised OR defaced ", change the "How often" option to "as-it-happens", provide an e-mail and voilà: once Google finds something, it's going to inform you.
Moreover, you can use the Google Alerts service to check your company's web resources for accidental leakage of confidential information. For this purpose create a pattern like " confidential OR secret OR internal use ", or a special pattern for documents that should not be published: " confidential filetype:doc OR filetype:cad ". So, Google will monitor your web sites instead of you and notify you.
Sure thing, you can combine both methods to monitor private data leakage over the internet, find negative information about your company, advertisements selling your protected data, etc.
Keep informed! :-)

Sunday, February 28, 2010

Vulnerabilities scanners architecture in big enterprise

Let's talk about vulnerability scanners within the corporate security infrastructure. Everybody knows that vulnerability identification is one of the major components of the security risk management process. So we must be sure that information about vulnerabilities is correct and up to date.
It's easy when you scan the network from your own laptop and use a direct connection to the target system. But what about a huge corporate network with a lot of routers, firewalls and packet filters between you and the target system?
First of all, you must install multiple instances of vulnerability scanners across the network. Why should you avoid using one scanner for the whole network?
- compromising this scanner gives an attacker easy access to all hosts. (For some scanners it's a snap: IBM ISS Internet Scanner only works on Windows XP SP1, so the scanner is vulnerable itself.)
- scanning through firewalls impacts scan performance and could overload the firewall CPU.
- low accuracy of scan results (firewalls, routers and packet filters between the scanner and the target can distort the scan).
So, does installing multiple scanners fix all the problems? Sure thing, not. What about scan accuracy? It depends on the scanners and the network configuration. So, if you want to get trustworthy results you must be sure of the scanner and network configuration before each scan. That is not easy and can consume a lot of time without any guarantee. How to solve this problem? Just do the same as engineers do for precision instruments: calibrate them against a master or template.
I recommend using a bunch of calibration systems and allocating them across the network. They can be virtual systems based on well-known vulnerable distributions such as Damn Vulnerable Linux, or simply unpatched Windows with some test services running.
So, before scanning the target system you must choose the nearest calibration system, scan it and check the result for accuracy. From my experience it's very important to do this, because often even very famous vulnerability scanners fail during a simple scan.

Tuesday, February 2, 2010

security asceticism-start browser from diff user

A lot of information security guys use Windows. Sure thing: we are all sinners!
All of us know that we should work under a limited account on Windows, but usually we work with admin privileges. Yes, it's insecure, but everybody does it! So, how can you reduce the risk while still working under an admin account?
Just start your web browser from an account with limited privileges and access rights.
1. Create a user with such limited rights (I've called mine "browser").
2. Create a desktop shortcut with this command:

%windir%\System32\runas.exe /savecred /user:browser "C:\Program Files\Mozilla Firefox\firefox.exe"

That's all folks. If your browser is penetrated, the attacker gets only limited rights on your system.

Thursday, January 21, 2010

Terminal server with advanced logging capabilities.

How do we (information security guys) get information about user activities within an information system? Sure thing: from the logs produced by that system. But what can we do if some business-critical system does not produce such logs, or we cannot trust them? This happens in the cases below:

1. Legacy system with no logging at all.

In any big enterprise you can find old legacy systems that were designed many years ago and do not meet any information security requirements at all. Very often you don't even have the possibility to install any additional software on such a system (restricted by the vendor, or lack of performance). Sure thing, you could protect this system from the network side with a firewall, but it doesn't help to get more logs from inside the system.

2. Business/mission-critical systems supported on site or remotely by the vendor.
It's very popular now to hand IT system operation support to the vendor or a specialised outsourcing company. It's very useful and helps to reduce your costs. But what about security? In such a case you have to fully trust this company and can't trust the system logs (they can be changed easily with admin privileges on the system and the vendor's knowledge of the system internals).

3. Protect your business/mission-critical systems from evil system administrators' activities.
These guys have full knowledge and enough permissions to do whatever they want. Sure thing, a well-designed system must send logs to central log storage, and you could do an investigation based on these logs. But what happens if that's not enough, or some subsystem does not produce logs at all?

In all these cases you need a specially designed infrastructure of terminal servers with advanced logging capabilities, and users must get access to the protected systems only through these terminal servers.

So, below are sample infrastructures for each case.

1. Legacy system with no logging at all.

Besides the terminal server, in this case you will sometimes need to install a network sniffer to monitor the data flow within the legacy information system (because old switches do not support ACLs, or installing ACLs on network equipment is prohibited by the vendor).

2. Business/mission-critical systems supported on site or remotely by the vendor.

3. Protect your business/mission-critical systems from evil system administrators' activities.

There are a lot of very expensive commercial terminal server solutions that can record all activities, produce a lot of logs, or even act as a man in the middle for SSH sessions. From my point of view one of the best solutions is Shell Control Box from Balabit. But it costs a lot, and you have to buy a license per each user who accesses the system and per each server this device protects.

In this article I'm going to propose an alternative solution that is much, much cheaper but has almost the same functionality.

As the terminal server core I use Windows Terminal Server (Windows Server 2003). I chose the per-user licensing type, but you can choose whatever you want.

1. Installing Windows Server 2003 and the Terminal Server service

Here there are two options:
  • use local authentication for terminal users (for a small number of users)
  • join the AD domain and use domain authentication for terminal users (for a large number of users). If your company does not use AD, but you need to manage a lot of users, especially on multiple terminal servers, you can install a dedicated AD domain controller for this purpose.
Register the Windows Terminal Server and install the CAL licenses (on the domain controller for multiple terminal servers within a domain).

2. Hardening the terminal server.

First of all, install the Microsoft Windows Server 2003 Security Guide Tools and Templates (download them from the Microsoft site) and configure your server as a Specialized Security - Limited Functionality server.

Then turn off or uninstall all unused services and Windows components.

Modify the group policy and the registry to prohibit users from mounting disks, copying the clipboard, redirecting ports, etc. through RDP.

Do not forget to disable the Windows admin shares!

3. Set up a file share for users' file transfers.

Very often users need the possibility to copy files to or from the protected servers. We cannot allow users to use RDP drive mounting for this purpose, for a lot of security reasons. The best way is to set up a dedicated file share for this. So, how does a user transfer a file to the protected area?
First, the user copies the file to the terminal server file share. After that, he logs on to the protected area through the terminal server and copies the file from the terminal server to the protected server. So, he uses the terminal server as temporary transfer storage.

For you, as a security guy, it gives the possibility to copy these files for further analysis, scan them with an anti-virus, log the file transfer event, etc.

So, what should you do for this:

  • Create a file share on a separate disk.
  • Turn on disk quotas.
  • Modify folder and subfolder permissions to allow only the file owner to view or modify their own files and folders. (It protects one user's information from others during file transfer through the terminal server.)
4. Install anti-virus software and configure it to scan files in the shared folder.

5. Install the Screen Anytime software.

It costs about 1K$ per terminal server without session limitation. This really amazing software can capture the user's terminal session and store it as a highly compressed video file. Moreover, this software provides you with a session player and records management tools.
Configure Screen Anytime to record all sessions in shadow mode (hidden from users). If you have centralized log storage you can configure this software to send the captured session video files from all your terminal servers to this log storage.

6. Change the default shell to mstsc.exe instead of explorer.

By changing the shell you prevent users from accessing data and software stored on the terminal server. So, users can only pass through this terminal server, without the possibility to do anything on the terminal server itself.
Using mstsc (the RDP client) you can easily manage only Windows servers.
But what if you would like to control access to Unix-based systems? No problem! Create a custom shell based on an SSH client like PuTTY, or even write a small shell and include in it the RDP, SSH, SQL or other clients that you need. I strongly recommend that you check and modify these clients to prevent user access to the terminal server file system. For example, on my terminal server I use a modified PuTTY with the session recording option enabled and no possibility to change it. So, I get two logs at the same time: video from Screen Anytime and a text command log from PuTTY.

7. Create a custom startup script to start Screen Anytime video capture on user logon.

Normally Screen Anytime does it for you. But when you change the default shell you must take care of starting screen capturing yourself.

8. Configure and start a firewall.

Transit terminal server infrastructure
Sometimes you would like to allow users to install some software on the terminal server, or you cannot modify some client software to install it securely on the terminal server. I recommend creating a chain of terminal servers. The first terminal server has mstsc (the RDP client) as its shell and works as a transit terminal server with one purpose: recording user activity. The first server only allows the user to get to the second terminal server. On that terminal server users can have all their software installed, or even be administrators!

This scheme works amazingly well, especially in case number 2: it gives the vendor an easy way to remotely support your business-critical systems.

Last tip: use a virtual infrastructure for these terminal servers! It really simplifies your life.

That’s all folks!