I agree with you completely. And so far, no one has offered any way to break the GINA.

JD

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Henry Sieff
> Sent: Tuesday, 25 May 2004 5:36 a.m.
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: Port/box Security
>
> Consultants will tell you not to do this.
>
> They will tell you there are better ways - use CSG etc, a VPN, etc.
>
> It all comes down to the same old security equation that covers everything else:
>
> Is the chance of the exploit times the cost of a successful exploit greater than the cost of the solution (both in implementation and in terms of impact to productivity)?
>
> If no, then fuggedaboutit; if yes, then implement.
>
> Now, your question of successful attacks against the GINA:
>
> Are there any? Well, there are some GINA replacement attacks, which are really just privilege elevation attacks. There WERE some DoS attacks which are no longer exposed, but no - truth be told, the GINA is not particularly easy to attack in and of itself. I would rate the chances of this exploit pretty darn low, considering that there aren't any known ones out there, and if there were, it would be used A BUNCH.
>
> I suppose once somebody has figured out that you are using a Citrix server they could fire up the old dictionary and try attacking well known accounts; hence, meticulous adherence to best practices wrt password policies and account disabling and security options is essential. Letting only port 1494 or 3389 through is also a good thing. Disable (not rename) admin, create an equivalent called something completely random, etc.
>
> Truth be told, if you follow the NSA guidelines, have the proper audit policy and actually do something with the logs besides delete them once a week :-), there is absolutely nothing to worry about. Password/user guessing attempts look like, well, a kid trying to guess usernames and passwords. It's very easy to spot in audit logs, and if you're really worried these can be monitored in real time if you put some work into log centralization solutions.
>
> Be paranoid, fer sure, but almost all exploits are the result of not applying a patch somewhere along the line. Plenty to worry about there. The issue of exposing the GINA is, imo, (to quote somebody else on this thread) moronic. Anytime somebody warns you about this, put on your best innocent smile and ask for some proof-of-concept of a way to break the GINA. Then sit back and watch them stutter.
>
> Henry
>
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
> > Sent: Friday, May 21, 2004 6:05 PM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Port/box Security
> >
> > Let's say you did see the login prompt, either via ICA or RDP. How would you use a dictionary attack if you didn't have a username and a password hash? Or, maybe what I'm asking is, how would that help you get a username and a password hash which you could use a dictionary/brute force attack on?
> >
> > You know me - when it comes to paranoia, I'm up there with the worst of them, but I'm not sure how getting a Windows login screen hurts you. Unless that specific situation can somehow be used to get a username and password hash, I don't see the danger (unless there's a protocol vulnerability that can be exploited, in which case WI/CSG insulates you from it).
> >
> > As an aside, and to illustrate how many companies do this, consider this:
> >
> > One of my customers moved physical locations, and his ISP changed his IP address. I didn't know the new IP addresses of his Terminal Server and couldn't reach the administrator. I figured it might be close to his old address, so I port-scanned 253 IP addresses looking for port 3389. I found about 60 servers, so there are a lot of people doing this.
> >
> > JD
> >
> > > -----Original Message-----
> > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > Sent: Friday, 21 May 2004 6:51 a.m.
> > > To: thin@xxxxxxxxxxxxx
> > > Subject: [THIN] Re: Port/box Security
> > >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > To say that you have never experienced this doesn't mean that it doesn't happen. Just do a search on http://neworder.box.sk for CITRIX or ICA and you will find a few exploits/hacks. Can you say for sure that no one has EVER attempted to log into your systems? If I did a port scan on your external IP range and saw that 1494 was open, or 3389, or if my port scanner attempted a telnet to that port to see if any banner was presented for the service and I get the ^ICA prompt, I know that I need the ICA client to connect to that IP address. Bam. I have a logon prompt. I can then try to use a dictionary attack attempt to guess usernames and passwords. OR, if you have the XML service open to the internet or the ICA Browser service (1604/UDP), all I would need to do is capture or attempt to redirect (hijack) the TCP/UDP connection to my machine. I could then attempt to crack the password.
> > >
> > > Again, there is a lot of "attempting" here. I would rather be safe knowing that I had SG in place or a VPN in place that is securing the communications. Also, what's to say that I cannot get the source of the connection, and break into that machine? How many users out there have firewalls in place? Not many. With Windows XP SP2, the firewall will be enabled by default. That's a good thing. We will see how robust that firewall is. That's also for another discussion.
> > >
> > > Chris
> > >
> > > > -----Original Message-----
> > > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert K Coffman Jr - Info From Data Corporation
> > > > Sent: Thursday, May 20, 2004 11:38 AM
> > > > To: thin@xxxxxxxxxxxxx
> > > > Subject: [THIN] Re: Port/box Security
> > > >
> > > > While I completely agree with you in theory, in practice this has never caused us a problem. I've suggested to my clients that it may be a matter of time before this port gets exploited; to date we've had 0 issues and have been running this way for years.
> > > >
> > > > Can anyone provide concrete reasons not to expose 1494 to the internet?
> > > >
> > > > PS - Don't jump all over me here, I'm all in favor of exposing as little as possible to the net... I just need more ammo to convince those with the purse strings.
> > > >
> > > > - Bob Coffman
> > > >
> > > > -----Original Message-----
> > > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > > Sent: Thursday, May 20, 2004 12:01 PM
> > > > To: thin@xxxxxxxxxxxxx
> > > > Subject: [THIN] Re: Port/box Security
> > > >
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > >
> > > > The cost of hardware is negligible once someone high up understands the security implications. Also, these two services can run on the same server, and don't require much (PIV with 512MB of RAM would be sufficient for almost 1000 connections).
> > > >
> > > > And, notice that I said "WI AND SG". I would never recommend running just WI, unless it was for internal users only. Exposing the ICA port to the Internet is just asking for trouble. Especially if you are also wanting Program Neighborhood access (either XML or 1604/UDP).
> > > >
> > > > Chris
> > > >
> > > > ********************************************************
> > > > This Week's Sponsor - Tarantella Secure Global Desktop
> > > > Tarantella Secure Global Desktop Terminal Server Edition Free Terminal Service Edition software with 2 years maintenance.
> > > > http://www.tarantella.com/ttba
> > > > **********************************************************
> > > > Useful Thin Client Computing Links are available at:
> > > > http://thin.net/links.cfm
> > > > ***********************************************************
> > > > For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link:
> > > > http://thin.net/citrixlist.cfm
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: PGP 8.0.3
> > > Comment: Public PGP Key for Chris Lynch
> > >
> > > iQA/AwUBQKz+Dm9fg+xq5T3MEQJWtACeL2emd6LHrEyj54jl74ZE4xy6cgIAnRDK
> > > jVFNAPrlJdIEcLdr+f0rsFY4
> > > =rs5a
> > > -----END PGP SIGNATURE-----
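Henry's point that guessing attempts against an exposed RDP/ICA logon prompt are easy to spot in audit logs, as an added example that is not part of the thread: a small Python detector run over constructed, simplified failed-logon records. The record format, the thresholds, the account list and the IP addresses are assumptions for illustration, not real Windows event-log syntax.

```python
"""Flag sources that look like username/password guessing (hypothetical detector).

Input is a constructed, simplified logon audit: "date time RESULT account source".
A real deployment would feed it parsed Security-log failure events instead.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source hammers well-known accounts, one user mistypes once.
SAMPLE_LOG = """\
2004-05-25 05:10:01 FAILURE administrator 203.0.113.7
2004-05-25 05:10:02 FAILURE administrator 203.0.113.7
2004-05-25 05:10:03 FAILURE guest 203.0.113.7
2004-05-25 05:10:04 FAILURE admin 203.0.113.7
2004-05-25 05:10:05 FAILURE root 203.0.113.7
2004-05-25 05:10:06 FAILURE test 203.0.113.7
2004-05-25 05:11:00 FAILURE jdurbin 198.51.100.4
2004-05-25 05:11:30 SUCCESS jdurbin 198.51.100.4
2004-05-25 05:40:00 FAILURE administrator 203.0.113.7
"""

# Accounts Henry says to disable; attempts against them are a signal on their own.
WELL_KNOWN = {"administrator", "admin", "guest", "root"}


def parse(line):
    date, time, result, account, src = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), result, account.lower(), src


def detect_guessing(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return {source: details} for every source with more than `max_failures`
    failed logons inside a sliding `window`; details include how many distinct
    accounts were tried (many names from one source = username guessing)."""
    recent = defaultdict(deque)   # source -> timestamps of failures still inside the window
    accounts = defaultdict(set)   # source -> every account it has failed against
    alerts = {}
    for line in log_text.splitlines():
        when, result, account, src = parse(line)
        if result != "FAILURE":
            continue
        accounts[src].add(account)
        q = recent[src]
        q.append(when)
        while q and when - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) > max_failures and src not in alerts:
            alerts[src] = {"failures_in_window": len(q),
                           "distinct_accounts": len(accounts[src]),
                           "well_known_targeted": sorted(accounts[src] & WELL_KNOWN)}
    return alerts


if __name__ == "__main__":
    for src, details in detect_guessing(SAMPLE_LOG).items():
        print(src, details)
```

Feeding it centralized logs from every exposed Terminal Server or Citrix box gives the real-time view Henry describes; raising `max_failures` or widening `window` tunes it against ordinary mistyped passwords.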