[THIN] Re: Port/box Security

  • From: Henry Sieff <hsieff@xxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Mon, 24 May 2004 12:35:56 -0500

Consultants will tell you not to do this.

They will tell you there are better ways - use CSG etc, a VPN, etc.

It all comes down to the same old security equation that covers everything
else:

Is the chance of the exploit times the cost of a successful exploit greater
than the cost of the solution (both in implementation and in terms of impact
to productivity)?

If no, then fuggedaboutit, if yes, then implement.

Now, your question of successful attacks against the GINA:

Are there any? Well, there are some GINA replacement attacks, which are
really just privilege elevation attacks. There WERE some DoS attacks which
are no longer exposed, but no - truth be told, the GINA is not particularly
easy to attack in and of itself. I would rate the chances of this exploit
pretty darn low, considering that there aren't any known ones out there, and
if there were, it would be used A BUNCH.

I suppose once somebody has figured out that you are using a Citrix server
they could fire up the old dictionary and try attacking well known accounts;
hence, meticulous adherence to best practices wrt password policies and
account disabling and security options is essential. Letting in only port 1494
or 3389 is also a good thing. Disable (not rename) admin, create an
equivalent called something completely random, etc.

Truth be told, if you follow the NSA guidelines, have the proper audit
policy and actually do something with the logs besides delete them once a
week :-), there is absolutely nothing to worry about. Password/user guessing
attempts look like, well, a kid trying to guess usernames and passwords. It's
very easy to spot in audit logs, and if you're really worried these can be
monitored in real time if you put some work into log centralization
solutions.

Be paranoid, fer sure, but almost all exploits are the result of not
applying a patch somewhere along the line. Plenty to worry about there. The
issue of exposing the GINA is, imo, (to quote somebody else on this thread)
moronic. Anytime somebody warns you about this, put on your best innocent
smile and ask for some proof-of-concept of a way to break the GINA. Then sit
back and watch them stutter.

Henry
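Henry's point that guessing attempts are easy to pick out of centralized audit logs, as an added illustration that is not part of the original post and not code from any list member: a small Python script that reads a constructed export of Windows 2000/2003 Security log events (event 529 = logon failure, 528 = successful logon) and flags source addresses that rack up repeated failures inside a short window, noting how many different accounts were tried, whether the well-known accounts Henry says to disable were among them, and whether a success followed the guessing. The one-line-per-event export format, the sample IP addresses and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified one-event-per-line format (assumption: a
# log-centralization job exports "date time host event_id account source_ip"
# from each server's Security log). Event 529 is "logon failure: unknown user
# name or bad password" and 528 is "successful logon" on Windows 2000/2003.
SAMPLE_LOG = """\
2004-05-21 18:05:01 CTX01 529 Administrator 203.0.113.5
2004-05-21 18:05:03 CTX01 529 Administrator 203.0.113.5
2004-05-21 18:05:04 CTX01 529 admin 203.0.113.5
2004-05-21 18:05:06 CTX01 529 root 203.0.113.5
2004-05-21 18:05:07 CTX01 529 guest 203.0.113.5
2004-05-21 18:05:09 CTX01 529 test 203.0.113.5
2004-05-21 18:07:30 CTX01 529 jdurbin 198.51.100.7
2004-05-21 18:07:45 CTX01 528 jdurbin 198.51.100.7
2004-05-21 18:20:00 CTX01 529 Administrator 203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<event>\d+) (?P<user>\S+) (?P<src>\S+)$"
)
LOGON_FAILURE, LOGON_SUCCESS = 529, 528
# Accounts a guesser tries first; since these should be disabled per the
# advice above, any attempt against them is interesting by itself.
WELL_KNOWN = {"administrator", "admin", "guest", "root"}


def parse_events(text):
    """Turn exported lines into (timestamp, host, event_id, user, src) tuples,
    skipping blank or malformed lines instead of aborting the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["host"], int(m["event"]), m["user"].lower(), m["src"]))
    return events


def detect_guessing(events, window=timedelta(minutes=5), threshold=5):
    """Sliding-window count of failed logons per source address.

    A source is reported once it reaches `threshold` failures inside `window`.
    A single failure followed by a success (a mistyped password) never trips
    it; a success from an already-flagged source is recorded separately
    because that is the case that needs immediate attention."""
    recent = defaultdict(deque)  # src -> (ts, user) failures still in window
    findings = {}
    for ts, _host, event, user, src in sorted(events):
        if event == LOGON_SUCCESS and src in findings:
            findings[src]["success_after_guessing"] = True
            continue
        if event != LOGON_FAILURE:
            continue
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop failures that have aged out
            q.popleft()
        if len(q) < threshold:
            continue
        users = {u for _, u in q}
        f = findings.setdefault(src, {
            "peak_failures": 0, "targeted_users": set(),
            "well_known_targets": set(), "success_after_guessing": False,
        })
        f["peak_failures"] = max(f["peak_failures"], len(q))
        f["targeted_users"] |= users
        f["well_known_targets"] |= users & WELL_KNOWN
    # Sets become sorted lists so the report is stable and easy to diff.
    for f in findings.values():
        f["targeted_users"] = sorted(f["targeted_users"])
        f["well_known_targets"] = sorted(f["well_known_targets"])
    return findings


if __name__ == "__main__":
    for src, f in detect_guessing(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {f}")
```

On the sample, only 203.0.113.5 is reported: six failures in under ten seconds against five different account names, four of them well-known, with no later success. The single failure from 198.51.100.7 followed by a success fifteen seconds later is the ordinary mistyped-password pattern and stays quiet, which is the distinction Henry describes between a kid guessing and normal use.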

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
> Behalf Of Jeff Durbin
> Sent: Friday, May 21, 2004 6:05 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Port/box Security
> 
> 
>   Let's say you did see the login prompt, either via ICA or RDP. How would
> you use a dictionary attack if you didn't have a username and a password
> hash? Or, maybe what I'm asking is, how would that help you get a username
> and a password hash which you could use a dictionary/brute force attack on?
>   You know me - when it comes to paranoia, I'm up there with the worst of
> them, but I'm not sure how getting a Windows login screen hurts you. Unless
> that specific situation can somehow be used to get a username and password
> hash, I don't see the danger (unless there's a protocol vulnerability that
> can be exploited, in which case WI/CSG insulates you from it).
>   As an aside, and to illustrate how many companies do this, consider this:
> One of my customers moved physical locations, and his ISP changed his IP
> address. I didn't know the new IP addresses of his Terminal Server and
> couldn't reach the administrator. I figured it might be close to his old
> address, so I port-scanned 253 IP addresses looking for port 3389. I found
> about 60 servers, so there are a lot of people doing this.
> 
> JD
> 
> 
> 
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx 
> > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > Sent: Friday, 21 May 2004 6:51 a.m.
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Port/box Security
> > 
> >  
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > To say that you have never experienced this, doesn't mean 
> > that it doesn't happen.  Just do a search on 
> > http://neworder.box.sk for CITRIX or ICA and you will find a 
> > few exploits/hacks.  Can you say for sure that no one has 
> > EVER attempted to log into your systems?  If I did a port 
> > scan on your external IP range and saw that 1494 was open, or 
> > 3389, or if my port scanner attempted a telnet to that port 
> > to see if any banner was presented for the service and I get 
> > the ^ICA prompt, I know that I need the ICA client to connect 
> > to that IP address.  Bam.  I have a logon prompt.  I can then 
> > try to use a dictionary attack attempt to guess usernames and 
> > passwords.  OR, if you have the XML service open to the 
> > internet or the ICA Browser service (1604/UDP), all I would 
> > need to do is capture or attempt a redirect (hijack) the 
> > TCP/UDP connection to my machine.  I could then attempt to 
> > crack the password.
> > 
> > Again, there is a lot of "attempting" here.  I would rather 
> > be safe knowing that I had SG in place or a VPN in place that 
> > is securing the communications.  Also, what's to say that I 
> > cannot get the source of the connection, and break into that 
> > machine?  How many users out there have firewalls in place?  
> > Not many.  With Windows XP SP2, the firewall will be enabled 
> > by default.  That's a good thing.  We will see how robust 
> > that firewall is.  That's also for another discussion.
> > 
> > Chris 
> > 
> > > -----Original Message-----
> > > From: thin-bounce@xxxxxxxxxxxxx
> > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert K 
> > Coffman Jr - 
> > > Info From Data Corporation
> > > Sent: Thursday, May 20, 2004 11:38 AM
> > > To: thin@xxxxxxxxxxxxx
> > > Subject: [THIN] Re: Port/box Security
> > > 
> > > While I completely agree with you in theory, in practice this has
> > > never caused us a problem.  I've suggested to my clients that it may
> > > be a matter of time before this port gets exploited, to date we've had
> > > 0 issues and have been running this way for years.
> > > 
> > > Can anyone provide concrete reasons not to expose 1494 to the
> > > internet?
> > > 
> > > PS - Don't jump all over me here, I'm all in favor of exposing as
> > > little as possible to the net...  I just need more ammo to convince
> > > those with the purse strings.
> > > 
> > > - Bob Coffman
> > > 
> > > -----Original Message-----
> > > From: thin-bounce@xxxxxxxxxxxxx
> > > [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of Chris Lynch
> > > Sent: Thursday, May 20, 2004 12:01 PM
> > > To: thin@xxxxxxxxxxxxx
> > > Subject: [THIN] Re: Port/box Security
> > > 
> > > 
> > > 
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > > 
> > > The cost of hardware is negligible once someone high up understands
> > > the security implications.  Also, these two services can run on the
> > > same server, and don't require much (PIV with 512MB of RAM would be
> > > sufficient for almost 1000 connections).
> > > 
> > > And, notice that I said "WI AND SG".  I would never recommend running
> > > just WI, unless it was for internal users only.
> > > Exposing the ICA port to the Internet is just asking for trouble.
> > > Especially if you are also wanting Program Neighborhood access (either
> > > XML or 1604/UDP).
> > > 
> > > Chris
> > > 
> > > 
> > > 
> > > ********************************************************
> > > This Week's Sponsor - Tarantella Secure Global Desktop Tarantella 
> > > Secure Global Desktop Terminal Server Edition Free 
> Terminal Service 
> > > Edition software with 2 years maintenance.
> > > http://www.tarantella.com/ttba
> > > **********************************************************
> > > Useful Thin Client Computing Links are available at:
> > > http://thin.net/links.cfm
> > > ***********************************************************
> > > For Archives, to Unsubscribe, Subscribe or set Digest or 
> > Vacation mode 
> > > use the below link:
> > > http://thin.net/citrixlist.cfm
> > 
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 8.0.3
> > Comment: Public PGP Key for Chris Lynch
> > 
> > iQA/AwUBQKz+Dm9fg+xq5T3MEQJWtACeL2emd6LHrEyj54jl74ZE4xy6cgIAnRDK
> > jVFNAPrlJdIEcLdr+f0rsFY4
> > =rs5a
> > -----END PGP SIGNATURE-----
> > 
> > 
> 