[THIN] Re: Port/box Security

  • From: "Roger Riggins" <roger.riggins@xxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Mon, 24 May 2004 08:55:43 -0500

"...there are plenty of companies that use TS without Citrix
to provide desktops..."

WTS Gateway = $189.00

www.terminal-services.net


Good luck,
R
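The thread quoted below turns on two questions: whether a logon prompt reachable on 3389 or 1494 is itself a risk, and how much password guessing against it a defender should worry about. As an added example (not code from any poster on the list), here is a small Python detector that runs over constructed failed-logon records, flags a source that cycles common usernames in a short burst and reports whether a success followed the burst, and lists successful logons outside business hours, the 3:00 a.m. session Roger describes. The record format, usernames and addresses are invented for the example; it does not reproduce the Windows Security event log layout.

```python
"""Added example for this thread (not any poster's code): spot password
guessing against an exposed RDP/ICA logon prompt from failed-logon records,
and list successful logons outside business hours.

The record format is constructed for the example; it is not the Windows
Security event log layout.  Source addresses are documentation ranges.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2004-05-24T02:58:05 FAIL user=administrator src=203.0.113.7
2004-05-24T02:58:09 FAIL user=administrator src=203.0.113.7
2004-05-24T02:58:14 FAIL user=backup src=203.0.113.7
2004-05-24T02:58:20 FAIL user=backup src=203.0.113.7
2004-05-24T02:58:27 FAIL user=nimda src=203.0.113.7
2004-05-24T02:58:33 FAIL user=guest src=203.0.113.7
2004-05-24T02:59:40 OK user=administrator src=203.0.113.7
2004-05-24T09:12:01 FAIL user=jdurbin src=192.0.2.5
2004-05-24T09:12:30 OK user=jdurbin src=192.0.2.5
2004-05-24T13:40:00 OK user=rriggins src=192.0.2.9
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status, user_kv, src_kv = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "ok": status == "OK",
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return events


def detect_guessing(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: details} for every source that produced at least
    `threshold` failed logons inside any sliding `window`.

    `distinct_users` lists every username that source failed with, and
    `success_after_burst` says whether a successful logon from the same
    source followed the densest burst: guessing that got through."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        recent = deque()          # failures inside the current window
        peak, burst_end, users = 0, None, set()
        for ev in evs:
            if ev["ok"]:
                continue
            recent.append(ev)
            users.add(ev["user"])
            while ev["time"] - recent[0]["time"] > window:
                recent.popleft()
            if len(recent) > peak:
                peak, burst_end = len(recent), ev["time"]
        if peak >= threshold:
            alerts[src] = {
                "failures_in_window": peak,
                "distinct_users": sorted(users),
                "success_after_burst": any(
                    e["ok"] and e["time"] >= burst_end for e in evs),
            }
    return alerts


def off_hours_logons(events, open_hour=7, close_hour=19):
    """Successful logons outside [open_hour, close_hour): the 3 a.m. session
    nobody is around to notice."""
    return [e for e in events
            if e["ok"] and not open_hour <= e["time"].hour < close_hour]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for src, info in detect_guessing(events).items():
        print(f"guessing from {src}: {info}")
    for e in off_hours_logons(events):
        print(f"off-hours logon: {e['time']} {e['user']} from {e['src']}")
```

On the sample, 203.0.113.7 is flagged with six failures in under a minute across four usernames and a success afterwards, which is the case account lockout and two-factor authentication (both mentioned in the thread) exist to stop; 192.0.2.5 with one typo and a retry is not. The threshold and window are the knobs to tune against the real failure rate of legitimate users on a given server.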






-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeff Durbin
Sent: Sunday, May 23, 2004 10:35 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Port/box Security

  Man, you might want to lay off the caffeine a little.
  I did read your whole post. What I was wondering was whether anyone did
know of any way to exploit the GINA other than typing in guesses for
usernames and passwords and whether anyone knew of any RDP exploits.
  As for the cost, there are plenty of companies that use TS without Citrix
to provide desktops, and even more companies allow remote access via RDP to
servers simply for administrative access. So the cost issue to implement
WI/CSG IS significant when you have to add Citrix itself in addition to the
hardware and the certs. My question isn't whether or not WI/CSG is safer; I
agree that it is. I'm trying to assess the level of security that exists to
an RDP-exposed server in the absence of WI/CSG.
  What I'm really getting at here is this: If I have a server that's exposed
publicly via RDP, and I feel confident that the usernames and passwords are
not easily guessed (a stretch in most environments, I know), is the GINA
*itself* or RDP vulnerable?

JD

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> Sent: Monday, 24 May 2004 12:01 p.m.
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Port/box Security
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hey moron (and I use that term very loosely, 'cuz a moron has
> more brains than you)!
>
> Just because I said dictionary attack, doesn't mean that I
> captured data from a TCP or UDP stream, and I was attempting
> to guess the password hash.  If I get a GINA prompt, I can
> start using "common" usernames (administrator, backup, nimda, etc),
> and then use a dictionary cracker to come up with common passwords
> and enter them into the prompt.  I agree that WI exposes the same
> thing, but at least it's one central location, instead of
> multiple servers.  To reduce the risk further, yes, use 2
> factor authentication (SafeWord or RSA tokens).  There have
> been some GINA exploits in the past (NT4 was a prime suspect,
> don't know of one with Windows 2000).
>
> The only cost that a company will need to incur is the hardware (very
> minimal) and the SSL cert (1 or 2, and you can get them cheap).
>
> My argument wasn't necessarily with exposing GINA (you really
> need to read the whole email).  I stated that *most*
> locations have either the UDP port or the XML port open to
> the internet for ICA Browsing.
> There are a few hacks out there for capturing this info and
> getting the usernames and passwords, as well as enumerating
> the published applications.  Using WI and CSG eliminates this
> completely.
>
> Sheesh, and you called yourself a Senior Engineer.
>
> Chris
>
> [INSERT]  Don't let the flames start, cuz he and I used to work
> with each other. [/INSERT]
>
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx
> > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
> > Sent: Friday, May 21, 2004 10:36 PM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Port/box Security
> >
> >   Someone who's got any server whose administrator password is blank or
> > easy has bigger problems than whether or not to expose a TS directly
> > to the Internet. I never said it was the right thing to do. Nor did I
> > say this:
> >
> > "You never knew he was there... so you claim to allow 1494 to the LAN
> > and have zero issues to date. How would you know?"
> >
> >   I agree that the risk is decreased if you have a single point of entry
> > (CSG/WI) to your farm rather than exposing multiple servers directly.
> > However, if anyone does find your WI page, you still have 100% of the
> > password guessing risk unless you use two-factor authentication.
> >   Really, my question was whether there was a direct risk of exposing
> > the GINA, i.e., can you get a password hash? Chris said that exposing
> > the GINA put you at risk for a dictionary attack, and I don't see how
> > it does.
> >
> > JD
> >
> > > -----Original Message-----
> > > From: thin-bounce@xxxxxxxxxxxxx
> > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Roger Riggins
> > > Sent: Saturday, 22 May 2004 5:16 p.m.
> > > To: thin@xxxxxxxxxxxxx
> > > Subject: [THIN] Re: Port/box Security
> > >
> > > Just because a lot of people do it, doesn't mean it's the right thing
> > > to do. One doesn't always need a password hash to score a password. I
> > > *guarantee* that some of the people that are reading these posts have
> > > member servers that are running TS and don't have a local
> > > administrator password. Some also have passwords that are easily
> > > guessed on the second or third attempts. Once you're on as a local
> > > admin, you can shadow...install a sniffer...browse the profiles on
> > > that machine...whatever you want! Oh, you don't use an idle timeout?
> > > Then he'll shadow a session at 3:00 in the morning when nobody is in
> > > the office.
> > > Maybe it'll be an IT person's session who is a domain admin.
> > > Then he'll create his own domain admin account with an obscure name
> > > that you may overlook. Maybe he'll map his client drive and copy your
> > > HR and fiscal databases to his local machine.
> > >
> > > You never knew he was there... so you claim to allow 1494 to the LAN
> > > and have zero issues to date. How would you know?
> > >
> > > Also, if somebody finds 3389 or 1494 open it may prompt them to do a
> > > little social engineering. It's easier than you think. He already
> > > knows you run Citrix or TS, right?
> > >
> > > Can they do the same thing if you're running CSG? Sure, but they'll
> > > have a hell of a time finding WI sites with a port scanner. By using
> > > CSG, you're reducing the risk. CSG is FREE!
> > >
> > > Infosec is about best effort. It's our job to give that best effort,
> > > IMHO.
> > >
> > > Good luck,
> > > R
> > >
> > > -----Original Message-----
> > > From: thin-bounce@xxxxxxxxxxxxx
> > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
> > > Sent: Friday, May 21, 2004 6:05 PM
> > > To: thin@xxxxxxxxxxxxx
> > > Subject: [THIN] Re: Port/box Security
> > >
> > >   Let's say you did see the login prompt, either via ICA or RDP. How
> > > would you use a dictionary attack if you didn't have a username and a
> > > password hash? Or, maybe what I'm asking is, how would that help you
> > > get a username and a password hash which you could use a
> > > dictionary/brute force attack on?
> > >   You know me - when it comes to paranoia, I'm up there with the worst
> > > of them, but I'm not sure how getting a windows login screen hurts
> > > you. Unless that specific situation can somehow be used to get a
> > > username and password hash, I don't see the danger (unless there's a
> > > protocol vulnerability that can be exploited, in which case WI/CSG
> > > insulates you from it).
> > >   As an aside, and to illustrate how many companies do this, consider
> > > this:
> > > One of my customers moved physical locations, and his ISP changed his
> > > IP address. I didn't know the new IP addresses of his Terminal Server
> > > and couldn't reach the administrator. I figured it might be close to
> > > his old address, so I port-scanned 253 IP addresses looking for port
> > > 3389. I found about 60 servers, so there are a lot of people doing
> > > this.
> > >
> > > JD
> > >
> > > > -----Original Message-----
> > > > From: thin-bounce@xxxxxxxxxxxxx
> > > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > > Sent: Friday, 21 May 2004 6:51 a.m.
> > > > To: thin@xxxxxxxxxxxxx
> > > > Subject: [THIN] Re: Port/box Security
> > > >
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > >
> > > > To say that you have never experienced this, doesn't mean that it
> > > > doesn't happen.  Just do a search on http://neworder.box.sk for
> > > > CITRIX or ICA and you will find a few exploits/hacks.  Can you say
> > > > for sure that no one has EVER attempted to log into your systems?
> > > > If I did a port scan on your external IP range and saw that 1494
> > > > was open, or 3389, or if my port scanner attempted a telnet to that
> > > > port to see if any banner was presented for the service and I get
> > > > the ^ICA prompt, I know that I need the ICA client to connect to
> > > > that IP address.  Bam.  I have a logon prompt.  I can then try to
> > > > use a dictionary attack attempt to guess usernames and passwords.
> > > > OR, if you have the XML service open to the internet or the ICA
> > > > Browser service (1604/UDP), all I would need to do is capture or
> > > > attempt a redirect (hijack) the TCP/UDP connection to my machine.
> > > > I could then attempt to crack the password.
> > > >
> > > > Again, there is a lot of "attempting" here.  I would rather be safe
> > > > knowing that I had SG in place or a VPN in place that is securing
> > > > the communications.  Also, what's to say that I cannot get the
> > > > source of the connection, and break into that machine?  How many
> > > > users out there have firewalls in place?  Not many.  With Windows
> > > > XP SP2, the firewall will be enabled by default.  That's a good
> > > > thing.  We will see how robust that firewall is.  That's also for
> > > > another discussion.
> > > >
> > > > Chris
> > > >
> > > > > -----Original Message-----
> > > > > From: thin-bounce@xxxxxxxxxxxxx
> > > > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert K Coffman Jr -
> > > > > Info From Data Corporation
> > > > > Sent: Thursday, May 20, 2004 11:38 AM
> > > > > To: thin@xxxxxxxxxxxxx
> > > > > Subject: [THIN] Re: Port/box Security
> > > > >
> > > > > While I completely agree with you in theory, in practice this has
> > > > > never caused us a problem.  I've suggested to my clients that it
> > > > > may be a matter of time before this port gets exploited, to date
> > > > > we've had 0 issues and have been running this way for years.
> > > > >
> > > > > Can anyone provide concrete reasons not to expose 1494 to the
> > > > > internet?
> > > > >
> > > > > PS - Don't jump all over me here, I'm all in favor of exposing as
> > > > > little as possible to the net...  I just need more ammo to
> > > > > convince those with the purse strings.
> > > > >
> > > > > - Bob Coffman
> > > > >
> > > > > -----Original Message-----
> > > > > From: thin-bounce@xxxxxxxxxxxxx
> > > > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > > > Sent: Thursday, May 20, 2004 12:01 PM
> > > > > To: thin@xxxxxxxxxxxxx
> > > > > Subject: [THIN] Re: Port/box Security
> > > > >
> > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > Hash: SHA1
> > > > >
> > > > > The cost of hardware is negligible once someone high up
> > > > > understands the security implications.  Also, these two services
> > > > > can run on the same server, and don't require much (PIV with
> > > > > 512MB of RAM would be sufficient for almost 1000 connections).
> > > > >
> > > > > And, notice that I said "WI AND SG".  I would never recommend
> > > > > running just WI, unless it was for internal users only.
> > > > > Exposing the ICA port to the Internet is just asking for trouble.
> > > > > Especially if you are also wanting Program Neighborhood access
> > > > > (either XML or 1604/UDP).
> > > > >
> > > > > Chris
> > > > >
> > > > > ********************************************************
> > > > > This Week's Sponsor - Tarantella Secure Global Desktop
> > > > > Tarantella Secure Global Desktop Terminal Server Edition Free
> > > > > Terminal Service Edition software with 2 years maintenance.
> > > > > http://www.tarantella.com/ttba
> > > > > **********************************************************
> > > > > Useful Thin Client Computing Links are available at:
> > > > > http://thin.net/links.cfm
> > > > > ***********************************************************
> > > > > For Archives, to Unsubscribe, Subscribe or set Digest or
> > > > > Vacation mode use the below link:
> > > > > http://thin.net/citrixlist.cfm
> > > >
> > > > -----BEGIN PGP SIGNATURE-----
> > > > Version: PGP 8.0.3
> > > > Comment: Public PGP Key for Chris Lynch
> > > >
> > > > iQA/AwUBQKz+Dm9fg+xq5T3MEQJWtACeL2emd6LHrEyj54jl74ZE4xy6cgIAnRDK
> > > > jVFNAPrlJdIEcLdr+f0rsFY4
> > > > =rs5a
> > > > -----END PGP SIGNATURE-----
> > > >
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.3
> Comment: Public PGP Key for Chris Lynch
>
> iQA/AwUBQLE6t29fg+xq5T3MEQJmsACgpGqb7nCW1cW5QldAR54x/nC09kAAoLrv
> dqUd4OjnrLJGZGIO0tlMyEUp
> =o4O5
> -----END PGP SIGNATURE-----
>
