so, long argument short then, the answer to my question is "ports on the internet are safe... for now" :) (assuming of course some sensible practices on passwords..!)

Andrew

--o--

>>> techlists@xxxxxxxxxxxxx 24/05/04 21:45:49 >>>
I agree with you completely. And so far, no one has offered any way to break the GINA.

JD

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Henry Sieff
> Sent: Tuesday, 25 May 2004 5:36 a.m.
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: Port/box Security
>
> Consultants will tell you not to do this.
>
> They will tell you there are better ways - use CSG etc, a VPN, etc.
>
> It all comes down to the same old security equation that covers everything else:
>
> Is the chance of the exploit times the cost of a successful exploit greater than the cost of the solution (both in implementation and in terms of impact to productivity)?
>
> If no, then fuggedaboutit; if yes, then implement.
>
> Now, your question of successful attacks against the GINA:
>
> Are there any? Well, there are some GINA replacement attacks, which are really just privilege elevation attacks. There WERE some DoS attacks which are no longer exposed, but no - truth be told, the GINA is not particularly easy to attack in and of itself. I would rate the chances of this exploit pretty darn low, considering that there aren't any known ones out there, and if there were, it would be used A BUNCH.
>
> I suppose once somebody has figured out that you are using a Citrix server they could fire up the old dictionary and try attacking well known accounts; hence, meticulous adherence to best practices wrt password policies and account disabling and security options is essential. Letting only port 1494 or 3389 through is also a good thing. Disable (not rename) admin, create an equivalent called something completely random, etc.
>
> Truth be told, if you follow the NSA guidelines, have the proper audit policy and actually do something with the logs besides delete them once a week :-), there is absolutely nothing to worry about. Password/user guessing attempts look like, well, a kid trying to guess usernames and passwords. It's very easy to spot in audit logs, and if you're really worried these can be monitored in real time if you put some work into log centralization solutions.
>
> Be paranoid, fer sure, but almost all exploits are the result of not applying a patch somewhere along the line. Plenty to worry about there. The issue of exposing the GINA is, imo, (to quote somebody else on this thread) moronic. Anytime somebody warns you about this, put on your best innocent smile and ask for some proof-of-concept of a way to break the GINA. Then sit back and watch them stutter.
>
> Henry
>
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
> > Sent: Friday, May 21, 2004 6:05 PM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Port/box Security
> >
> > Let's say you did see the login prompt, either via ICA or RDP. How would you use a dictionary attack if you didn't have a username and a password hash? Or, maybe what I'm asking is, how would that help you get a username and a password hash which you could use a dictionary/brute force attack on?
> >
> > You know me - when it comes to paranoia, I'm up there with the worst of them, but I'm not sure how getting a Windows login screen hurts you. Unless that specific situation can somehow be used to get a username and password hash, I don't see the danger (unless there's a protocol vulnerability that can be exploited, in which case WI/CSG insulates you from it).
> >
> > As an aside, and to illustrate how many companies do this, consider this:
> >
> > One of my customers moved physical locations, and his ISP changed his IP address. I didn't know the new IP addresses of his Terminal Server and couldn't reach the administrator. I figured it might be close to his old address, so I port-scanned 253 IP addresses looking for port 3389. I found about 60 servers, so there are a lot of people doing this.
> >
> > JD
> >
> > > -----Original Message-----
> > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > Sent: Friday, 21 May 2004 6:51 a.m.
> > > To: thin@xxxxxxxxxxxxx
> > > Subject: [THIN] Re: Port/box Security
> > >
> > > To say that you have never experienced this doesn't mean that it doesn't happen. Just do a search on http://neworder.box.sk for CITRIX or ICA and you will find a few exploits/hacks. Can you say for sure that no one has EVER attempted to log into your systems? If I did a port scan on your external IP range and saw that 1494 was open, or 3389, or if my port scanner attempted a telnet to that port to see if any banner was presented for the service and I get the ^ICA prompt, I know that I need the ICA client to connect to that IP address. Bam. I have a logon prompt. I can then try to use a dictionary attack attempt to guess usernames and passwords. OR, if you have the XML service open to the internet or the ICA Browser service (1604/UDP), all I would need to do is capture or attempt a redirect (hijack) of the TCP/UDP connection to my machine. I could then attempt to crack the password.
> > >
> > > Again, there is a lot of "attempting" here. I would rather be safe knowing that I had SG in place or a VPN in place that is securing the communications. Also, what's to say that I cannot get the source of the connection, and break into that machine? How many users out there have firewalls in place? Not many. With Windows XP SP2, the firewall will be enabled by default. That's a good thing. We will see how robust that firewall is. That's also for another discussion.
> > >
> > > Chris
> > >
> > > > -----Original Message-----
> > > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert K Coffman Jr - Info From Data Corporation
> > > > Sent: Thursday, May 20, 2004 11:38 AM
> > > > To: thin@xxxxxxxxxxxxx
> > > > Subject: [THIN] Re: Port/box Security
> > > >
> > > > While I completely agree with you in theory, in practice this has never caused us a problem. I've suggested to my clients that it may be a matter of time before this port gets exploited; to date we've had 0 issues and have been running this way for years.
> > > >
> > > > Can anyone provide concrete reasons not to expose 1494 to the internet?
> > > >
> > > > PS - Don't jump all over me here, I'm all in favor of exposing as little as possible to the net... I just need more ammo to convince those with the purse strings.
> > > >
> > > > - Bob Coffman
> > > >
> > > > -----Original Message-----
> > > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > > Sent: Thursday, May 20, 2004 12:01 PM
> > > > To: thin@xxxxxxxxxxxxx
> > > > Subject: [THIN] Re: Port/box Security
> > > >
> > > > The cost of hardware is negligible once someone high up understands the security implications. Also, these two services can run on the same server, and don't require much (PIV with 512MB of RAM would be sufficient for almost 1000 connections).
> > > >
> > > > And, notice that I said "WI AND SG". I would never recommend running just WI, unless it was for internal users only. Exposing the ICA port to the Internet is just asking for trouble. Especially if you are also wanting Program Neighborhood access (either XML or 1604/UDP).
> > > >
> > > > Chris
> > > >
> > > > ********************************************************
> > > > This Week's Sponsor - Tarantella Secure Global Desktop
> > > > Tarantella Secure Global Desktop Terminal Server Edition
> > > > Free Terminal Service Edition software with 2 years maintenance.
> > > > http://www.tarantella.com/ttba
> > > > **********************************************************
> > > > Useful Thin Client Computing Links are available at:
> > > > http://thin.net/links.cfm
> > > > ***********************************************************
> > > > For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link:
> > > > http://thin.net/citrixlist.cfm
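Henry's point in the thread is that password/user guessing against an exposed 1494/3389 logon prompt is easy to spot in the audit logs once somebody actually reads them. The following is an added example, not code from the thread: a small Python pass over constructed, simplified failed-logon records that flags a source for a burst of failures, a sweep across many usernames, or any attempt against the disabled built-in admin account (Henry's "disable, don't rename" advice makes that account a tripwire). The record layout, event numbers 529/528 with logon type 10, the thresholds and the field names are my assumptions, loosely modelled on pre-Vista Security-log events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real audit output; the field layout is an assumption loosely
# modelled on pre-Vista event 529 (bad user/password) with logon type 10 (Terminal Services).
SAMPLE_LOG = """\
2004-05-24 21:40:01 EventID=529 LogonType=10 User=Administrator Source=203.0.113.7
2004-05-24 21:40:02 EventID=529 LogonType=10 User=admin Source=203.0.113.7
2004-05-24 21:40:03 EventID=529 LogonType=10 User=guest Source=203.0.113.7
2004-05-24 21:40:04 EventID=529 LogonType=10 User=citrix Source=203.0.113.7
2004-05-24 21:40:05 EventID=529 LogonType=10 User=test Source=203.0.113.7
2004-05-24 21:41:10 EventID=529 LogonType=10 User=jdurbin Source=198.51.100.9
2004-05-24 21:43:12 EventID=528 LogonType=10 User=jdurbin Source=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"User=(?P<user>\S+) Source=(?P<src>\S+)$")

def parse(text):
    """Yield (timestamp, event_id, logon_type, user, source) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   int(m["eid"]), int(m["lt"]), m["user"].lower(), m["src"])

def detect_guessing(text, window=timedelta(minutes=5), max_fail=5, max_users=3,
                    tripwire=("administrator",)):
    """Return {source: [reasons]} for sources whose failed remote logons look like guessing."""
    fails = defaultdict(list)
    for ts, eid, lt, user, src in parse(text):
        if eid == 529 and lt == 10:  # only failed Terminal Services logons count
            fails[src].append((ts, user))
    alerts = {}
    for src, events in fails.items():
        events.sort()
        reasons = set()
        for i, (ts, _) in enumerate(events):
            span = [u for t, u in events[i:] if t - ts <= window]  # window starting here
            if len(span) >= max_fail:
                reasons.add("burst")
            if len(set(span)) >= max_users:
                reasons.add("username-sweep")
        # Henry: disable (don't rename) admin, so any attempt against it is attacker signal
        if any(u in tripwire for _, u in events):
            reasons.add("disabled-admin-probe")
        if reasons:
            alerts[src] = sorted(reasons)
    return alerts
```

The lone failure from 198.51.100.9 followed by a successful logon is the ordinary typo Henry contrasts with guessing, so it produces no alert; feeding real centralized logs through the same shape is the "monitored in real time" step he mentions.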