Tired of seeing my event logs filled with people trying to break into one of my staging servers via remote desktop, I decided to move the port (for example, let’s say to 1973).
Simple enough: registry change done[1], and I rebooted the machine.
And then couldn’t remote desktop back in.
I knew the server was up, as IIS was serving correctly.
Fortunately, I had Cygwin sshd running (also on a non-standard port) and I was able to connect via putty.
Executing netstat -a confirmed that there was a TCP listener on port 1973.
Hmmm… that would imply something is getting in the way…
I forgot to open the windows firewall for this port.
Dagnamit.
I really don’t want to have to go down the route of asking someone at the data centre to physically log into the machine for me.
Well, I’ve got a prompt, right? So why not add the firewall rule? A quick Google search yielded:
netsh advfirewall firewall add rule name="Open Port 1973" dir=in action=allow protocol=TCP localport=1973
But…
The requested operation requires elevation (Run as administrator).
Hmmm… I thought I was an admin. I’m logged in as an admin user. But it’s quite possible that the sshd service itself is running as a non-admin user. (Which strikes me as being quite prudent for this very reason.)
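The change described above, done in the order that avoids locking yourself out: open the firewall first, then move the port, then reboot. This is an added example, not a command from the original post; it assumes an elevated PowerShell prompt on the server, the Windows firewall, and the registry value KB 306759 documents (HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber). The rule name RDP-1973 is chosen here instead of the post's "Open Port 1973" only so the netsh argument needs no quoting.

```powershell
# Added example: move RDP to a new port without losing access on reboot.
# Assumes an elevated prompt; port 1973 is the post's example value.
$NewPort = 1973
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Bail out early if this shell is not elevated. Otherwise the registry step
#    succeeds and the firewall step fails with "requires elevation", which is
#    exactly the half-done state that caused the lock-out.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) prompt.'
}

# 2. Open the firewall first. If this fails, RDP is still untouched on 3389.
$ruleName = "RDP-$NewPort"
netsh advfirewall firewall add rule name=$ruleName dir=in action=allow protocol=TCP localport=$NewPort | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "netsh failed with exit code $LASTEXITCODE; RDP port left unchanged."
}

# 3. Record the old port (so the change can be reverted), then set the new one.
$oldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord
Write-Host "RDP PortNumber changed from $oldPort to $NewPort; firewall rule '$ruleName' added."

# 4. Confirm the rule really exists before rebooting; the listener itself only
#    moves once the Remote Desktop service restarts (simplest: reboot).
netsh advfirewall firewall show rule name=$ruleName
Write-Host "Now reboot (Restart-Computer) and reconnect to <host>:$NewPort."
```

After the reboot, the post's own check still applies: netstat -a should show a TCP listener on the new port, and the firewall rule is what makes it reachable from outside.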
Cue an hour of experimenting with runas and a range of other attempts to add the firewall rule. Then in my Googling I came across: How to Create an Elevated Program Shortcut without a UAC Prompt[2]. It described how one could bypass UAC by setting up a scheduled task using administrator credentials which could then launch a process on a non-administrator’s behalf. Of course, the article said, you needed to be an administrator to create the task in the first place.
But the gears had already clicked into place. As it’s my staging server I had a number of scheduled tasks, some of which ran as an administrator. And one of those ran a batch file.
Executing schtasks I found the task I was thinking of. I edited the file[3], commenting out the original code and inserting the firewall add command. I had it write the result to a file in case it returned an error.
The task was due to run in seven minutes so I took the chance to make a cup of tea.
As the minute arrived, an eager ls -lh showed the file had been written. I opened the file and it said simply “Ok.”.
Opening my remote desktop client I connected to the staging server with the port appended after a colon[4] and in an instant the desktop was up.
After punching the air (maybe it’s a good thing I have my own office) I was left with a lingering thought…
Should I now properly lock down that scheduled task and batch file?
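The weak point the post ends on is a general one: any scheduled task that runs elevated from a script file that a non-administrator can edit lets that non-administrator run arbitrary commands as the task's account. The audit below is an added example, not the post's own code, and finds such tasks on the local machine. It assumes Windows 8 / Server 2012 or later (the ScheduledTasks module), an elevated prompt so every task is visible, and that only SYSTEM, Administrators and TrustedInstaller should be able to modify scripts that run elevated (the $TrustedWriters list is an assumption to adjust per environment).

```powershell
# Added example: list enabled scheduled tasks that run with elevated rights
# from a script or executable that someone outside $TrustedWriters can modify.

# Assumption: identities allowed to own or write an elevated task's script.
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Any of these rights lets the holder change or replace the file's contents.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-UntrustedWriters {
    # Returns the identities (owner or Allow ACEs) that can modify $Path
    # and are not in $TrustedWriters. Empty output means the file is locked down.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $who = @()
    if ($TrustedWriters -notcontains $acl.Owner) { $who += "owner:$($acl.Owner)" }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($TrustedWriters -contains $id) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) { $who += $id }
    }
    $who | Select-Object -Unique
}

function Get-ActionScriptPaths {
    # Exec actions carry Execute and Arguments; pull every absolute path to a
    # script or executable out of either, e.g. "cmd.exe /c C:\jobs\deploy.bat".
    param($Action)
    $text = "$($Action.Execute) $($Action.Arguments)"
    $pattern = '(?i)(?:[A-Z]:\\|%[^%]+%\\)[^"\r\n]*?\.(?:bat|cmd|ps1|vbs|exe)'
    [regex]::Matches($text, $pattern) |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Value) } |
        Select-Object -Unique
}

function Find-WeakElevatedTasks {
    foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
        $p = $task.Principal
        # Heuristic: treat a task as elevated if it requests the highest token
        # or runs as the local system account.
        $elevated = ($p.RunLevel -eq 'Highest') -or
                    ($p.UserId -in 'SYSTEM', 'NT AUTHORITY\SYSTEM', 'LocalSystem')
        if (-not $elevated) { continue }
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # skip COM-handler and other non-exec actions
            foreach ($path in Get-ActionScriptPaths $action) {
                if (-not (Test-Path -LiteralPath $path)) { continue }
                $writers = @(Get-UntrustedWriters $path)
                if ($writers.Count -eq 0) { continue }
                [PSCustomObject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    RunsAs  = "$($p.UserId) ($($p.RunLevel))"
                    Script  = $path
                    CanEdit = ($writers -join ', ')
                }
            }
        }
    }
}

Find-WeakElevatedTasks | Format-Table -AutoSize
```

Each row is a task whose script could be rewritten by the identity in CanEdit, which is the situation the post describes from the other side. The fix for a flagged task is to move the script into a directory only administrators can write (and remove the inherited Users/Authenticated Users write ACEs with icacls), or to run the task as a dedicated low-privilege account if it does not actually need elevation.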
——
[1] http://support.microsoft.com/kb/306759
[2] http://www.sevenforums.com/tutorials/11949-elevated-program-shortcut-without-uac-prompt-create.html
[3] The greatest security in the world is only as strong as its weakest point.
[4] For example: staging.example.com:1973