RE: Terminal Service Port Change?

• From: "Steve Moffat" <steve@xxxxxxxxxx>
• To: "ISA Mailing List" <isalist@xxxxxxxxxxxxx>
• Date: Thu, 14 Apr 2005 10:00:14 -0300

LOL...why did ya tell him Jimbo...nearly had the password...:))

S 

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: Thursday, April 14, 2005 3:26 AM
To: ISA Mailing List
Subject: [isalist] RE: Terminal Service Port Change?

http://www.ISAserver.org

Damn you Harrison!!  How could you have known that!?!  And how did you
know what the source port had to be for the allow rule???

"The force is strong with this one."

I have only two questions for you now:

1) Rare or Medium Rare?
2) Redhead, or Redhead?

T

----- Original Message -----
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, April 13, 2005 10:09 PM
Subject: [isalist] RE: Terminal Service Port Change?


> http://www.ISAserver.org
>
> Nope - there are those who still believe that it's 42, but I have
> incontrovertible (top fails to fold down) evidence that it's actually
> 43.
>
> -----Original Message-----
> From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
> Sent: Wednesday, April 13, 2005 9:36 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Terminal Service Port Change?
>
> http://www.ISAserver.org
>
> It's a trick question!  Its 3389 aint it :P
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, 14 April 2005 1:47 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Terminal Service Port Change?
>
> http://www.ISAserver.org
>
> Methinks yon Timeth doth verily issueth meeth challengeth?
>
> -------------------------------------------------------
>   Jim Harrison
>   MCP(NT4, W2K), A+, Network+, PCG
>   http://isaserver.org/Jim_Harrison/
>   http://isatools.org
>   Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Wednesday, April 13, 2005 20:20
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Terminal Service Port Change?
>
> http://www.ISAserver.org
>
> Not only am I bigger, I'm taller too!! :-p
>
> Let's be specific here... Say you change the TS listen port to
44332...
> While your most-excellent 10 second 65k port scanner may identity that
> TCP
> 44332 is open, you don't know what it is.  You'll have to connect with
> appropriate RDP connect sequence to find out that it is actually TS -
> (If
> you have a shake-banner-grab that ID's TS on connect, let me know
> please.)
>
> To clarify, when I said "standard scanning," I didn't mean port sweeps
> for
> whatever responds:  I meant people scanning for a particular service.
> Anyone looking for open RDP will scan the IP range for 3389, and
target
> those boxes.  Given that I removed "targeted" attacks from the theater
> of
> threat, I maintain that changing the port buys me time to ID an
attack.
> Leaving it at 3389 does not in this scenario.
>
> And while a worm may certainly scan ports to find the vulnerable
service
> it
> is looking for, it has never been done in any worm whose propagation
was
> a
> threat.  A future worm that targets RDP will look for 3389
specifically,
> as
> propagation speed while keeping noise down it the key goal.  Even if
the
>
> 44332 box is vulnerable, it will not be infected.  Litchfield's
> suggestion
> of rebasing executables to change the jmp address is similar- while a
> worm
> may try to brute force the jmp address, none have *ever* done so.  If
I
> rebased my SQL install, I could have vulnerable instance of MSSQL that
> would
> never fall prey to slammer.  The same logic applies.
>
> As security people, I think that while we must always consider what
> *can* be
> done, we also must look at what *is* being done.  Worm port-sweeps
don't
>
> happen.  General port-sweeps followed by
> "all-service-grab-bag-connect-attempts" don't happen.  Like I said, in
a
>
> directed attack, there is not much help... but if I see RDP cookies on
> the
> wire destined for <> 3389, I know something is up, and I know
> immediately.
>
> Not withstanding your Ninja status, I contend that where appropriate,
> changing the port does indeed give me level of security one does not
> have
> otherwise in most of the "real world" attacks that occur.  So, Neener
> Neener. ;)
>
> Specific to that point Mr Dory, (legal disclaimer: this applies to
Greg,
>
> Steve, Jim, and Tom only) if you can tell me what port I'm listening
for
> RDP
> at my corporate network on, I'll buy you a steak dinner at the Union
> Grill
> along with a '91 Alexander Valley Silver Oak.  I'll even get some
> strippers
> to join us (though I have no idea why you people in Seattle call them
> "strip
> bars" when they don't strip, and they ain't bars!)  Hell, I'll do it
> anyway
> since you're helping with my Blackhat Training!  Man, there's this one
> girl
> who... Oh, sorry... I digress.
>
> :------P
>
> t
>
>
>
>
> ----- Original Message ----- 
> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, April 13, 2005 7:00 PM
> Subject: [isalist] RE: Terminal Service Port Change?
>
>
>> http://www.ISAserver.org
>>
>> Normally I don't disagree with Tim cuz he's bigger than me, but given
>> that port scanning is absurdly simple (every script-kiddie worth
their
>> salt can do it in their sleep) I can't see the value in port changing
>> for its own sake.
>> Even I can write a tool that will scan all 65365 TCP and UDP ports in
>> less than 10 seconds.
>> It takes very little more to make a few fingerprinting tests that
will
>> tell me what lives at a listening port.
>> The time it takes to make sure everyone and everything involved knows
>> how to use it and that it's properly documented, etc., etc. just
makes
>> it not worth the time any more.
>> If you have to do this because of resource restrictions, then so be
> it;
>> but don't play "port-games" just because you can.
>>
>> -------------------------------------------------------
>>   Jim Harrison
>>   MCP(NT4, W2K), A+, Network+, PCG
>>   http://isaserver.org/Jim_Harrison/
>>   http://isatools.org
>>   Read the help / books / articles!
>> -------------------------------------------------------
>>
>> -----Original Message-----
>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> Sent: Wednesday, April 13, 2005 18:08
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] RE: Terminal Service Port Change?
>>
>> http://www.ISAserver.org
>>
>> Joking aside, there is actually a very valid reason to change default
>> ports
>> for services where applicable, and that is to avoid "standard"
> scanning
>> and/or worm activity.   Greg is absolutely correct in that obscuring
a
>> service via port change will not thwart a directed attack, but
> security
>> through obscurity does work as long as the target remains obscure.
> RDP
>>
>> services on alt ports are difficult to detect unless you can hit the
> box
>>
>> with RCP and are an admin (without port scanning by instantiating a
TS
>> handle), or unless you can hit the box with NetBIOS and proxy
requests
>> for
>> server registration through the Master Browser (even with null
> sessions
>> on
>> weak Win2k installs).
>>
>> To speak to that old argument, I would say to do *both* if you can.
> Of
>> course, you are right in that some programs don't like alt ports (or
>> more
>> directly, some *clients* don't like alt ports) but when it comes to
>> remote
>> admin of servers, I have no problem at all, and in fact would
> recommend,
>>
>> changing the default ports just to add that extra level of raising
the
>> fruit.  (That's not a Navy term, Jim!)
>>
>> T
>>
>>
>>
>> ----- Original Message ----- 
>> From: Ball, Dan
>> To: [ISAserver.org Discussion List]
>> Sent: Wednesday, April 13, 2005 5:17 PM
>> Subject: [isalist] RE: Terminal Service Port Change?
>>
>>
>> http://www.ISAserver.org
>>
>> Yep, goes back to the same old argument, do you hide the port to make
> it
>>
>> harder to find, or just rely upon the security in place to make a
> known
>> port
>> safe?  I prefer to leave "most" things at their default port, makes
it
>> easier for me to do my job, some programs don't like using alternate
>> ports.
>>
>>
>>
>>
>> From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
>> Sent: Wednesday, April 13, 2005 18:12
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] RE: Terminal Service Port Change?
>>
>> http://www.ISAserver.org
>> True, but if your going to leave rdp unprotected, or anything for
that
>> matter, we'll find it.. no matter what port you hide it on.
>> ------------------------------------------------------
>> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>> ------------------------------------------------------
>> Other Internet Software Marketing Sites:
>> World of Windows Networking: http://www.windowsnetworking.com
>> Leading Network Software Directory: http://www.serverfiles.com
>> No.1 Exchange Server Resource Site: http://www.msexchange.org
>> Windows Security Resource Site: http://www.windowsecurity.com/
>> Network Security Library: http://www.secinf.net/
>> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
>> ------------------------------------------------------
>> You are currently subscribed to this ISAserver.org Discussion List
as:
>> thor@xxxxxxxxxxxxxxx
>> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> Report abuse to listadmin@xxxxxxxxxxxxx
>>
>>
>> ------------------------------------------------------
>> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>> ------------------------------------------------------
>> Other Internet Software Marketing Sites:
>> World of Windows Networking: http://www.windowsnetworking.com
>> Leading Network Software Directory: http://www.serverfiles.com
>> No.1 Exchange Server Resource Site: http://www.msexchange.org
>> Windows Security Resource Site: http://www.windowsecurity.com/
>> Network Security Library: http://www.secinf.net/
>> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
>> ------------------------------------------------------
>> You are currently subscribed to this ISAserver.org Discussion List
as:
>> jim@xxxxxxxxxxxx
>> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> Report abuse to listadmin@xxxxxxxxxxxxx
>>
>> All mail to and from this domain is GFI-scanned.
>>
>>
>> ------------------------------------------------------
>> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>> ------------------------------------------------------
>> Other Internet Software Marketing Sites:
>> World of Windows Networking: http://www.windowsnetworking.com
>> Leading Network Software Directory: http://www.serverfiles.com
>> No.1 Exchange Server Resource Site: http://www.msexchange.org
>> Windows Security Resource Site: http://www.windowsecurity.com/
>> Network Security Library: http://www.secinf.net/
>> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
>> ------------------------------------------------------
>> You are currently subscribed to this ISAserver.org Discussion List
as:
>
>> thor@xxxxxxxxxxxxxxx
>> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> Report abuse to listadmin@xxxxxxxxxxxxx
>>
>>
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> greg@xxxxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:

> thor@xxxxxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> 


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
isalist@xxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

The haggis is unusual in that it is neither consistently nocturnal nor diurnal, 
but instead is active at dawn and dusk (crepuscular), with occasional forays 
forth during the day and night. 

Other related posts:

• » Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?
• » RE: Terminal Service Port Change?

1. Home
2. isalist
3. Archive
4. 04-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---