[THIN] Re: Port/box Security

  • From: "Jeff Durbin" <techlists@xxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Sat, 22 May 2004 17:35:40 +1200

  Someone who's got any server whose administrator password is blank or easy
has bigger problems than whether or not to expose a TS directly to the
Internet. I never said it was the right thing to do. Nor did I say this:
 
"You never knew he was there... so you claim to allow 1494 to the LAN and
have zero issues to date. How would you know?"

  I agree that the risk is decreased if you have a single point of entry
(CSG/WI) to your farm rather than exposing multiple servers directly.
However, if anyone does find your WI page, you still have 100% of the
password guessing risk unless you use two-factor authentication.
  Really, my question was whether there was a direct risk of exposing the
GINA, i.e., can you get a password hash? Chris said that exposing the GINA
put you at risk for a dictionary attack, and I don't see how it does.

JD

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Roger Riggins
> Sent: Saturday, 22 May 2004 5:16 p.m.
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Port/box Security
> 
> Just because a lot of people do it, doesn't mean it's the 
> right thing to do. One doesn't always need a password hash to 
> score a password. I
> *guarantee* that some of the people that are reading these 
> posts have member servers that are running TS and don't have 
> a local administrator password. Some also have passwords that 
> are easily guessed on the second or third attempts. Once 
> you're on as a local admin, you can shadow...install a 
> sniffer...browse the profiles on that machine...whatever you 
> want! Oh, you don't use an idle timeout? Then he'll shadow a 
> session at 3:00 in the morning when nobody is in the office. 
> Maybe it'll be an IT person's session who is a domain admin.
> Then he'll create his own domain admin account with an 
> obscure name that you may overlook. Maybe he'll map his 
> client drive and copy your HR and fiscal databases to his 
> local machine.
> 
> You never knew he was there... so you claim to allow 1494 to 
> the LAN and have zero issues to date. How would you know?
> 
> Also, if somebody finds 3389 or 1494 open it may prompt them 
> to do a little social engineering. It's easier than you 
> think. He already knows you run Citrix or TS, right?
> 
> Can they do the same thing if you're running CSG? Sure, but 
> they'll have a hell of a time finding WI sites with a port 
> scanner. By using CSG, you're reducing the risk. CSG is FREE!
> 
> Infosec is about best effort. It's our job to give that best 
> effort, IMHO.
> 
> Good luck,
> R
> 
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
> Sent: Friday, May 21, 2004 6:05 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Port/box Security
> 
>   Let's say you did see the login prompt, either via ICA or 
> RDP. How would you use a dictionary attack if you didn't have 
> a username and a password hash? Or, maybe what I'm asking is, 
> how would that help you get a username and a password hash 
> which you could use a dictionary/brute force attack on?
>   You know me - when it comes to paranoia, I'm up there with 
> the worst of them, but I'm not sure how getting a Windows 
> login screen hurts you. Unless that specific situation can 
> somehow be used to get a username and password hash, I don't 
> see the danger (unless there's a protocol vulnerability that 
> can be exploited, in which case WI/CSG insulates you from it).
>   As an aside, and to illustrate how many companies do this, consider
> this:
> One of my customers moved physical locations, and his ISP 
> changed his IP address. I didn't know the new IP addresses of 
> his Terminal Server and couldn't reach the administrator. I 
> figured it might be close to his old address, so I 
> port-scanned 253 IP addresses looking for port 3389. I found 
> about 60 servers, so there are a lot of people doing this.
> 
> JD
> 
> 
> 
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx
> > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > Sent: Friday, 21 May 2004 6:51 a.m.
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Port/box Security
> > 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > To say that you have never experienced this doesn't mean that it 
> > doesn't happen.  Just do a search on http://neworder.box.sk for 
> > CITRIX or ICA and you will find a few exploits/hacks.  Can you say 
> > for sure that no one has EVER attempted to log into your systems?  
> > If I did a port scan on your external IP range and saw that 1494 
> > was open, or 3389, or if my port scanner attempted a telnet to that 
> > port to see if any banner was presented for the service and I get 
> > the ^ICA prompt, I know that I need the ICA client to connect to 
> > that IP address.  Bam.  I have a logon prompt.  I can then try to 
> > use a dictionary attack attempt to guess usernames and passwords.  
> > OR, if you have the XML service open to the internet or the ICA 
> > Browser service (1604/UDP), all I would need to do is capture or 
> > attempt a redirect (hijack) the TCP/UDP connection to my machine.  
> > I could then attempt to crack the password.
> > 
> > Again, there is a lot of "attempting" here.  I would rather be 
> > safe knowing that I had SG in place or a VPN in place that is 
> > securing the communications.  Also, what's to say that I cannot 
> > get the source of the connection, and break into that machine?  
> > How many users out there have firewalls in place?  Not many.  With 
> > Windows XP SP2, the firewall will be enabled by default.  That's a 
> > good thing.  We will see how robust that firewall is.  That's also 
> > for another discussion.
> > 
> > Chris
> > 
> > > -----Original Message-----
> > > From: thin-bounce@xxxxxxxxxxxxx
> > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert K 
> > > Coffman Jr - Info From Data Corporation
> > > Sent: Thursday, May 20, 2004 11:38 AM
> > > To: thin@xxxxxxxxxxxxx
> > > Subject: [THIN] Re: Port/box Security
> > > 
> > > While I completely agree with you in theory, in practice this has 
> > > never caused us a problem.  I've suggested to my clients that it 
> > > may be a matter of time before this port gets exploited; to date 
> > > we've had 0 issues and have been running this way for years.
> > > 
> > > Can anyone provide concrete reasons not to expose 1494 to the 
> > > internet?
> > > 
> > > PS - Don't jump all over me here, I'm all in favor of exposing as 
> > > little as possible to the net...  I just need more ammo to 
> > > convince those with the purse strings.
> > > 
> > > - Bob Coffman
> > > 
> > > -----Original Message-----
> > > From: thin-bounce@xxxxxxxxxxxxx
> > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > Sent: Thursday, May 20, 2004 12:01 PM
> > > To: thin@xxxxxxxxxxxxx
> > > Subject: [THIN] Re: Port/box Security
> > > 
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > > 
> > > The cost of hardware is negligible once someone high up 
> > > understands the security implications.  Also, these two services 
> > > can run on the same server, and don't require much (PIV with 
> > > 512MB of RAM would be sufficient for almost 1000 connections).
> > > 
> > > And, notice that I said "WI AND SG".  I would never recommend 
> > > running just WI, unless it was for internal users only.
> > > Exposing the ICA port to the Internet is just asking for trouble.  
> > > Especially if you are also wanting Program Neighborhood access 
> > > (either XML or 1604/UDP).
> > > 
> > > Chris
> > > 
> > > ********************************************************
> > > This Week's Sponsor - Tarantella Secure Global Desktop 
> > > Tarantella Secure Global Desktop Terminal Server Edition Free 
> > > Terminal Service Edition software with 2 years maintenance.
> > > http://www.tarantella.com/ttba
> > > **********************************************************
> > > Useful Thin Client Computing Links are available at:
> > > http://thin.net/links.cfm
> > > ***********************************************************
> > > For Archives, to Unsubscribe, Subscribe or set Digest or 
> > > Vacation mode use the below link:
> > > http://thin.net/citrixlist.cfm
> > 
> 

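One defensive check behind the "dictionary attack against an exposed logon prompt" question, as an added example that is not part of any post in this thread: it runs over constructed failed-logon records (Windows event 529 style: timestamp, event id, account, source IP) and flags a source that racks up many failures across several account names within a short window, the pattern a per-account lockout policy alone does not surface.

```python
"""Flag dictionary-style logon bursts against an exposed TS/ICA logon prompt.
Added example, not from the thread; record format (timestamp, event id, account,
source IP) is constructed. Event 529 = failed logon, 528 = successful logon."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data)
SAMPLE_LOG = """\
2004-05-22 03:01:10 529 administrator 203.0.113.9
2004-05-22 03:01:12 529 administrator 203.0.113.9
2004-05-22 03:01:15 529 admin 203.0.113.9
2004-05-22 03:01:17 529 root 203.0.113.9
2004-05-22 03:01:19 529 jdurbin 203.0.113.9
2004-05-22 03:01:21 529 bcoffman 203.0.113.9
2004-05-22 08:15:00 529 jdurbin 198.51.100.4
2004-05-22 08:15:30 528 jdurbin 198.51.100.4
"""

def parse(text):
    """Return (timestamp, event_id, account, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        date, time, eid, user, src = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"),
                       int(eid), user.lower(), src))
    return events

def find_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Map source_ip -> (failed logons, distinct accounts) for any source
    whose failed logons within a sliding `window` reach `threshold`."""
    by_src = defaultdict(list)
    for ts, eid, user, src in events:
        if eid == 529:
            by_src[src].append((ts, user))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                accounts = {u for _, u in fails[start:end + 1]}
                hits[src] = (end - start + 1, len(accounts))
    return hits

if __name__ == "__main__":
    for src, (n, a) in find_bursts(parse(SAMPLE_LOG)).items():
        print(f"{src}: {n} failed logons across {a} accounts")
```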
