http://thelazyadmin.com/blogs/thelazyadmin/archive/2007/01/26/Configure-RDP-over-SSL-with-SelfSSL.aspx

Windows 2003 Service Pack 1 included a new feature, RDP over SSL. This feature will allow you to use TLS authentication and encryption with your RDP connections using SelfSSL to create the SSL certificate. It still uses RDP and TCP port 3389 so your firewall rules should not need to be modified.

Before we get started there are a few pre-requisites on both the server side and client side that need to be met first.

Server-side

• The Terminal Server must run 2003 SP1
• The Terminal Server must have a certificate from a Windows CA or a 3rd Party CA

The certificate must meet the following criteria

• Certificate is a computer certificate
• Certificate is for server authentication
• Certificate must have a private key
• Certificate is stored in the TS personal store
• Certificate has a Crytographic Service Provider that can be used for TLS/SSL  

The client computer must also meet some criteria

• Must run Windows 2000, Windows XP, Windows 2003 or Windows Vista
• Must use RDP Client 5.2 orhigher, this can be found on the 2003 SP1 server under %systemroot%\system32\clients\tsclient\win32\msrdpcli.msi
• Must trust the root CA for the certificate

If you do not have a CA, don’t wish to spend money on a “real” SSL cert, or just want to do some testing, you can use SelfSSL from the IIS 6.0 Resource Kit. Once you have downloaded and installed SelfSSL, run it with the following command

SelfSSL.exe /CN=domain.com /V:365

The command will create and install a certificate for domain.com that is valid for 365 days. If you do not have IIS installed, you may get an error message but you can ignore this message, the SSL certificate is still created and installed. The CN must be the name you will be accessing the TS with. Next open up Administrative Tools, and launch the Terminal Server Configuration applet. Right-click RDP-Tcp and select properties.

Click Edit next to the Certificate, you will be shown the SSL certificate that SelfSSL created. Select it and click OK

Next, select SSL from the Security Layer drop down box and set the Encryption Level to High.

Now you will need to install the new RDP client on all workstations that will be accessing the Terminal Server. You will notice a new tab under the connection properties called Security. Select this tab and then choose Require Authentication from the drop down.

When you try to connect, you will be denied access because the SSL cert is not trusted. Click View Certificate, and then Install to install the certificate to the local machines certificate store.

Attempt to connect again and the connection will be allowed. You are now connected through RDP over SSL. If you are connected in full screen mode, you will see the SSL lock symbol next to the pushpin in the yellow toolbar.

For more information see:

Download Details: Internet Information Services (IIS) 6.0 Resource Kit Tools

 Article ID: 275727 – High Encryption on a Remote Desktop or Terminal Services Session Does Not Encrypt All Information

http://advosys.ca/viewpoints/2006/11/free-host-intrusion-prevention/ 

 ”Host intrusion prevention” (HIP) software tries to stop malicious software either either recognizing patterns of malicious activity, or by blocking access to critical system areas. When properly implemented, HIP very effective at stopping new (“zero day”) attacks that anti-virus (AV) software is largely incapable of preventing.

People seem to have a hard time understanding the difference between HIP and anti-virus, so let’s put it in overly simplistic terms:

• Anti-virus software: identifies malicious code by what it looks like.
• Host intrusion prevention software identifies malicious code by what it does.

AV software identifies malware by matching sequences of bytes in a file with a list of known malware (yes there’s more to it than that, but that’s the basic idea). HIP on the other hand tries to stop malicious actions as they are attempted. This is done in two ways:

1. Access controls: by checking the actions of each application against a list of allowed actions (e.g. A web browser is allowed to save files, but not access the system registry)
2. Behavior: by monitoring sequences of actions (e.g. An email message is opened then MS Outlook suddenly starts sending attachments to everyone in your address book)

Most HIP products use a combination of both approaches though some are purely behavior-based. By controlling and identifying actions, HIP software is far more effective than anti-virus. For anti-virus to identify and stop malicious actions, all of the following must occur:

1. The malicious code must have been captured by the AV vendor (vendors discover new malware a variety of ways, such as by using “bait” machines (honeypots) on the Internet that pose as vulnerable Windows machine)
2. The AV vendor must have decide the malware is widespread enough to bother with (AV vendors focus on widespread, public malware)
3. The AV vendors must have analyzed the code and found a sequence of bytes that uniquely identify that code.
4. The byte sequence must have been added to the daily/weekly AV database update.
5. Your organization must have downloaded the update and distributed it to all computers.

Twenty years ago when the pattern-based anti-virus approach was first conceived, that approach worked well. Back then malware spread via floppy disk. AV companies had ample time to collect samples, identify unique patterns, and distribute updates to customers.

Now however, malware is developed and spread much faster than AV patterns can be implemented. Also, the public mass destruction malware that AV vendors focus on is being supplanted by smaller targeted malware written for financial gain. Most malware is now being written to wipe out bank accounts, not hard drives. Targets are small, like the customers of one little online bank, and distribution is swift: victims are usually fleeced long before any AV vendor can respond.

Some HIP products also use patterns that must be downloaded once in a while. However, these are patterns of suspicious actions or lists of system areas to protect… not patterns of bytes in a file. HIP products that use downloadable patterns require updates infrequently, like once per quarter.

Are you HIP?

There is a wide variety of HIP software available, each having different capabilities. There’s no universal agreement on exactly what functions HIP software should perform (other than stop malicious actions without relying on file patterns) but as minimum all HIP should be able to control access to the following areas:

• File system (including modification of EXEs and shared libraries)
• Windows registry
• System memory
• Running processes (including system services, spawning of sub-processes and code injection)

Better HIP software will also be able to control access to the following:

• Windows message passing (e.g. “shatter” attacks)
• COM and OLE
• Network access (binding to a port, sending outbound traffic etc.)

Another criteria for HIP is that it must control access to system resources per application. Resources that MS Internet Explorer can access can be different from those of MS Outlook. High-end HIP software like Cisco Security Agent allow administrators to specific precisely what resource each application can access. Other HIP use vendor-defined databases or restrict all applications the same until placed on a trusted list.

What’s available

There are many good commercial HIP products available: McAfee bought Entercept, Cisco bought Okena, but these are aimed at the enterprise market. They require centralized servers and a significant investment in knowledge, time and capital.

Fortunately for smaller users there are quite a few free and free-for-personal-use HIP products available. Here are a few that we’ve found:

GentleSecurity GeSWall: A comprehensive HIP with both generic protection and rules for enforcing resource access for specific applications (e.g. ME Internet explorer). Desktop version free for personal use.

eEye Blink: Very comprehensive. Free for personal use version monitors applications, registry, memory, and provides a personal firewall (apparently with network intrusion prevention abilities).

PrevX Prevx1: More of an EXE monitor than a HIP: it maintains a shared list of known executables and blocks known “bad” ones. According to comments from PrevX, it also provides “generic keylogger, rootkit and buffer overflow protection”. The literature is unclear but it seems that once an application is allowed to execute it is able to access any system resource, rather than just resources it “should” access.

PrivacyWare DSA: Monitors applications, registry, email, services and network. Free for personal and non-commercial use.

Novatix Cyberhawk: The vendor provides no details on which resources it protects, but this appear to be a purely behavior based HIP especially for non-technical users.

CoreImpact COREFORCE: Free for personal and commercial use. Includes a stateful firewall derived from the OpenBSD pf packet filter. Filesystem, network, registry, program integrity. Seems to use a community developed database of specific rules for each application (Firefox, etc).

Arovax Shield: A basic registry monitor. Apparently only monitors and prevents certain registry changes so only performs a small part of what a a full HIP system should do. It can also prevent changes to the system’s hosts file and creation of http cookies in Internet explorer.

Not ready for prime time:

In addition to the above, there are many up-and-comers that are promising but, in my opinion, aren’t yet mature enough for daily use:

winpooch: Open source. Still in beta. Monitors access to critical files only. One interesting feature is that winpooch can integrate with ClamWin to scan files on access, a feature ClamWin desperately needs.

Neoava Guard: A promising but still in beta HIP by a single developer. Can monitor disk, memory, some network access, prompts when unknown EXEs are run, has activity thresholds to detect worm-like behavior and more features being added.

System Safety: Limited trial and freeware version. EXE control (run or block, permit spawning) and registry access control.

Not listed:

I haven’t listed single product protectors (e.g. IE specific), personal firewalls that control only network access, simple file / registry monitors, address space randomizers and the like. A HIP must be able to monitor any application and control access to at least a couple of the resources listed above.

Do you need HIP?

If you have host intrusion prevention installed, do you still need anti-virus? Well, why not… anti-virus is still useful to catch the older malware still in circulation. Both technologies can usually be used without conflict.

Using both HIP and AV provides multiple layers of defense (“defense in depth”) which is always a good practice. A Windows system armored by AV, HIP, a personal firewall and not running as Administrator makes a formidable target for malicious software.

http://www.gentlesecurity.com/index.html 

GentleSecurityWall ensures safe use of internet and network services. It enforces mandatory access control policy, which maintains confidentiality of your data, prevents damage from intrusions and malicious software: viruses, worms, spyware, key loggers etc.

Underlying technology bridges strong GeSWall security with great usability. Being non-intrusive for a user GeSWall requires no or minimal configuration and enforces protection once installed.

 >> Well, it doesn’t seem to run on Win 98

http://www.syssafety.com/ 

System Safety  Monitor (SSM) is a Host Based Intrusion Prevention System which will protect your system from all known and unknown malware, rootkits and “zero-day” attacks. SSM proactively keeps track of all running programs’ behavior and blocks malicious or suspicious actions.
Learning mode will help you to easily configure the required security rules.
Compatible with most of well known security software. 100% freeware.
Working at the Windows Kernel level SSM monitors in real-time:
* Malware and Rootkit Installation
* Driver Loading
* Program Execution
* NT Services Installation and State Change
* Program State and Memory Modification
* Thread and Process Suspension and Termination
* Direct Physical Memory Access
* Global Hook Installation
* System Registry Modification
* Window Opening
* IE Settings Change
* Startup Menu Modification

>> Well, it claim that could run on Win 98, however……

http://www.malwareguard.com/malware.html

Malware Guard gives you the most advanced spyware detection, blocking and removing threads as you browse.

http://www.threatfire.com/ 

ThreatFire uses advanced patent-pending technology to detect signs of malicious behavior commonly used by malware threats. ThreatFire is unlike traditional antivirus products that rely on old fashioned “signature” technology and require updating every time a new threat occurs.

By constantly monitoring the activity on your PC ThreatFire’s ActiveDefense technology is able to hunt down and paralyze threats that are too new or too clever to be recognized by traditional security software.

ThreatFire employs an intelligent behavioral engine to only alert you on truly malicious behavior, because sometimes even legitimate software may look malicious. This means you are only alerted when you really need to be.

http://www.comodo.com/index.html 

But if permitable, i think i will prefer Comodo, which come with FREE Firewall, Anti-Malware, Antivirus

This website, on one hand, enables you to test your software personal firewall thanks to different test programs (‘leaktests’), and on the other hand, shows a global vulnerabilities view of the most common personal firewalls in a summary page.
Firewall Leak Tester provides also documentation and advices to improve your security dramatically.