Administering Windows Servers through one port

A couple of months ago, I presented at a Financial Services Chief Security Officer’s forum here in Redmond about threat modeling and secure design. One question, totally unrelated to secure design, but still a great question, was how an admin can manage a bunch of Windows servers using one, and only one port.

Think Secure Shell (SSH) on *nix, without using SSH!


I answered the question as well as I could, but it got me doing a little more research – I asked some of the network ops guys I know and they all said the same thing, Terminal Services with “Disk Drive Redirection” enabled.


Let me explain, managing computers involves many tasks, as you well know, such as adding users, setting ACLs, copying files and so on on the target computer. Normally, on Windows this could use a number of ports, but in a highly constrained/restricted/secured/paranoid environment, it’s quite normal to keep the number of open ports to a minimum.


So how can you do all this over one port? This is where TS comes in. It turns out TS is not just about sharing a desktop on a remote computer, it can also be used to copy files, and rather using the SMB ports (139 or 445) it’s all done over port 3389!


All you do is connect to the remote machine, and make sure the client machine has the local drives redirected. To do this open the Remote Desktop Connection application, click the Local Resources tab, and make sure “Disk drives” is checked.


Now that this is all done, when you connect to the remote computer, you can connect back to file shares on the client using \\tsclient\<sharename> syntax. Or you can open My Computer on the server, and you’ll see the client’s shares appear like any other file share. Very cool!


I have to be honest, I really wasn’t convinced it was true, so I check it out; I ran netmon on the remote computer, connected from the client, copied some files and sure enough the only port used was 3389!


And of course, the traffic is encrypted.


Finally, for really secure environments, you can enforce a smartcard logon (let’s face it, passwords are atrocious!) to TS and restrict which hosts can access the TS port (3389) using IPSec policy or a firewall.