[THIN] Re: Port/box Security

  • From: "Jeff Durbin" <techlists@xxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 25 May 2004 08:45:49 +1200

  I agree with you completely. And so far, no one has offered any way to
break the GINA. 

JD

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Henry Sieff
> Sent: Tuesday, 25 May 2004 5:36 a.m.
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: Port/box Security
> 
> Consultants will tell you not to do this.
> 
> They will tell you there are better ways - use CSG etc, a VPN, etc.
> 
> It all comes down to the same old security equation that covers
> everything else:
> 
> Is the chance of the exploit times the cost of a successful
> exploit greater than the cost of the solution (both in
> implementation and in terms of impact to productivity)?
> 
> If no, then fuggedaboutit, if yes, then implement.
> 
> Now, your question of successful attacks against the GINA:
> 
> Are there any? Well, there are some GINA replacement attacks, 
> which are really just privilege elevation attacks. There WERE 
> some DoS attacks which are no longer exposed, but no - truth 
> be told, the GINA is not particularly easy to attack in and 
> of itself. I would rate the chances of this exploit pretty 
> darn low, considering that there aren't any known ones out 
> there, and if there were, it would be used A BUNCH.
> 
> I suppose once somebody has figured out that you are using a 
> citrix server they could fire up the old dictionary and try 
> attacking well known accounts; hence, meticulous adherence to 
> best practices wrt password policies and account disabling 
> and security options is essential. Letting through only port 1494 or 
> 3389 is also a good thing. Disable (not rename) admin, create 
> an equivalent called something completely random, etc.
> 
> Truth be told, if you follow the NSA guidelines, have the 
> proper audit policy and actually do something with the logs 
> besides delete them once a week :-), there is absolutely 
> nothing to worry about. Password/user guessing attempts look 
> like, well, a kid trying to guess usernames and passwords. 
> It's very easy to spot in audit logs, and if you're really 
> worried these can be monitored in real time if you put some 
> work into log centralization solutions.
> 
> Be paranoid, fer sure, but almost all exploits are the result 
> of not applying a patch somewhere along the line. Plenty to 
> worry about there. The issue of exposing the GINA is, imo, 
> (to quote somebody else on this thread) moronic. Anytime 
> somebody warns you about this, put on your best innocent 
> smile and ask for some proof-of-concept of a way to break the 
> GINA. Then sit back and watch them stutter.
> 
> Henry
> 
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
> > Behalf Of Jeff Durbin
> > Sent: Friday, May 21, 2004 6:05 PM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Port/box Security
> > 
> > 
> >   Let's say you did see the login prompt, either via ICA or RDP. How
> > would you use a dictionary attack if you didn't have a username and a
> > password hash? Or, maybe what I'm asking is, how would that help you
> > get a username and a password hash which you could use a
> > dictionary/brute force attack on?
> >   You know me - when it comes to paranoia, I'm up there with the worst
> > of them, but I'm not sure how getting a Windows login screen hurts
> > you. Unless that specific situation can somehow be used to get a
> > username and password hash, I don't see the danger (unless there's a
> > protocol vulnerability that can be exploited, in which case WI/CSG
> > insulates you from it).
> >   As an aside, and to illustrate how many companies do this, consider
> > this:
> > One of my customers moved physical locations, and his ISP changed his
> > IP address. I didn't know the new IP addresses of his Terminal Server
> > and couldn't reach the administrator. I figured it might be close to
> > his old address, so I port-scanned 253 IP addresses looking for port
> > 3389. I found about 60 servers, so there are a lot of people doing
> > this.
> > 
> > JD
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: thin-bounce@xxxxxxxxxxxxx
> > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > Sent: Friday, 21 May 2004 6:51 a.m.
> > > To: thin@xxxxxxxxxxxxx
> > > Subject: [THIN] Re: Port/box Security
> > > 
> > >  
> > > 
> > > To say that you have never experienced this doesn't mean that it
> > > doesn't happen.  Just do a search on http://neworder.box.sk for
> > > CITRIX or ICA and you will find a few exploits/hacks.  Can you say
> > > for sure that no one has EVER attempted to log into your systems?
> > > If I did a port scan on your external IP range and saw that 1494 was
> > > open, or 3389, or if my port scanner attempted a telnet to that port
> > > to see if any banner was presented for the service and I get the
> > > ^ICA prompt, I know that I need the ICA client to connect to that IP
> > > address.  Bam.  I have a logon prompt.  I can then try to use a
> > > dictionary attack attempt to guess usernames and passwords.  OR, if
> > > you have the XML service open to the internet or the ICA Browser
> > > service (1604/UDP), all I would need to do is capture or attempt to
> > > redirect (hijack) the TCP/UDP connection to my machine.  I could
> > > then attempt to crack the password.
> > > 
> > > Again, there is a lot of "attempting" here.  I would rather be safe
> > > knowing that I had SG in place or a VPN in place that is securing
> > > the communications.  Also, what's to say that I cannot get the
> > > source of the connection, and break into that machine?  How many
> > > users out there have firewalls in place?
> > > Not many.  With Windows XP SP2, the firewall will be enabled by
> > > default.  That's a good thing.  We will see how robust that firewall
> > > is.  That's also for another discussion.
> > > 
> > > Chris
> > > 
> > > > -----Original Message-----
> > > > From: thin-bounce@xxxxxxxxxxxxx
> > > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert K Coffman Jr -
> > > > Info From Data Corporation
> > > > Sent: Thursday, May 20, 2004 11:38 AM
> > > > To: thin@xxxxxxxxxxxxx
> > > > Subject: [THIN] Re: Port/box Security
> > > > 
> > > > While I completely agree with you in theory, in practice this has
> > > > never caused us a problem.  I've suggested to my clients that it may
> > > > be a matter of time before this port gets exploited; to date we've had
> > > > 0 issues and have been running this way for years.
> > > > 
> > > > Can anyone provide concrete reasons not to expose 1494 to the
> > > > internet?
> > > > 
> > > > PS - Don't jump all over me here, I'm all in favor of exposing as
> > > > little as possible to the net...  I just need more ammo to convince
> > > > those with the purse strings.
> > > > 
> > > > - Bob Coffman
> > > > 
> > > > -----Original Message-----
> > > > From: thin-bounce@xxxxxxxxxxxxx
> > > > [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of Chris Lynch
> > > > Sent: Thursday, May 20, 2004 12:01 PM
> > > > To: thin@xxxxxxxxxxxxx
> > > > Subject: [THIN] Re: Port/box Security
> > > > 
> > > > 
> > > > 
> > > > 
> > > > The cost of hardware is negligible once someone high up understands
> > > > the security implications.  Also, these two services can run on the
> > > > same server, and don't require much (PIV with 512MB of RAM would be
> > > > sufficient for almost 1000 connections).
> > > > 
> > > > And, notice that I said "WI AND SG".  I would never recommend running
> > > > just WI, unless it was for internal users only.
> > > > Exposing the ICA port to the Internet is just asking for trouble.
> > > > Especially if you are also wanting Program Neighborhood access (either
> > > > XML or 1604/UDP).
> > > > 
> > > > Chris
> > > > 
> > > > 
> > > > 
> > > > ********************************************************
> > > > This Week's Sponsor - Tarantella Secure Global Desktop 
> Tarantella 
> > > > Secure Global Desktop Terminal Server Edition Free
> > Terminal Service
> > > > Edition software with 2 years maintenance.
> > > > http://www.tarantella.com/ttba
> > > > **********************************************************
> > > > Useful Thin Client Computing Links are available at:
> > > > http://thin.net/links.cfm
> > > > ***********************************************************
> > > > For Archives, to Unsubscribe, Subscribe or set Digest or
> > > Vacation mode
> > > > use the below link:
> > > > http://thin.net/citrixlist.cfm
> > > 
> > > 
> > > 
> > > 
> > 
> > 
> 
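Henry's point above that password guessing "looks like a kid trying to guess usernames and passwords" in the audit logs, as an added example (mine, not code from anyone in this thread): a small Python scan over constructed Windows 2000/2003-style Security log lines that flags a source producing a burst of event 529 (logon failure, bad username or password) against many different account names. The tab-separated export format, the threshold/window values and the sample addresses are all assumptions.

```python
"""Flag bursts of failed logons in a Windows Security audit export."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, not a real log. Tab-separated fields:
# timestamp, event id, account name, source workstation or address.
# Event 529 on Windows 2000/2003 is "Logon Failure: unknown user name
# or bad password"; 528 is a successful logon.
SAMPLE_LOG = """\
2004-05-24 08:00:01\t528\tjdurbin\tWS-ACCOUNTING
2004-05-24 08:00:05\t529\tadministrator\t10.0.0.77
2004-05-24 08:00:06\t529\tadministrator\t10.0.0.77
2004-05-24 08:00:07\t529\tadmin\t10.0.0.77
2004-05-24 08:00:08\t529\troot\t10.0.0.77
2004-05-24 08:00:09\t529\tguest\t10.0.0.77
2004-05-24 08:00:10\t529\ttest\t10.0.0.77
2004-05-24 08:05:00\t529\tmsmith\tWS-SALES
2004-05-24 08:05:30\t528\tmsmith\tWS-SALES
"""

FAILED_LOGON = "529"
THRESHOLD = 5   # this many failures from one source ... (assumed value)
WINDOW = 60     # ... within this many seconds is a guessing burst

def parse(line):
    ts, event_id, account, source = line.split("\t")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, account, source

def find_guessing_bursts(text, threshold=THRESHOLD, window=WINDOW):
    """Return {source: (failures_in_window, distinct_accounts_tried)} per burst."""
    recent = defaultdict(deque)   # source -> timestamps of failures still in window
    tried = defaultdict(set)      # source -> account names attempted
    alerts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = parse(line)
        if event_id != FAILED_LOGON:
            continue            # only failed logons feed the sliding window
        window_q = recent[source]
        window_q.append(ts)
        tried[source].add(account)
        while (ts - window_q[0]).total_seconds() > window:
            window_q.popleft()  # drop failures older than the window
        if len(window_q) >= threshold:
            alerts[source] = (len(window_q), len(tried[source]))
    return alerts
```

A single user mistyping a password (WS-SALES above) never crosses the threshold, while the many-accounts-in-seconds pattern from one source does, which is the signal worth forwarding from a centralized log store.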

