Sure. And you have all of your IIS patches installed, so it must be okay to allow 80 to your servers in the LAN. After all, we can't tell you how to "break" www if it's patched.

R

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew Rogers
Sent: Tuesday, May 25, 2004 4:02 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Port/box Security

So, long argument short then, the answer to my question is "ports on the internet are safe... for now" :)

(assuming of course some sensible practices on passwords..!)

Andrew

--o--

>>> techlists@xxxxxxxxxxxxx 24/05/04 21:45:49 >>>
I agree with you completely. And so far, no one has offered any way to break the GINA.

JD

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Henry Sieff
> Sent: Tuesday, 25 May 2004 5:36 a.m.
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: Port/box Security
>
> Consultants will tell you not to do this.
>
> They will tell you there are better ways - use CSG etc., a VPN, etc.
>
> It all comes down to the same old security equation that covers everything else:
>
> Is the chance of the exploit times the cost of a successful exploit greater than the cost of the solution (both in implementation and in terms of impact to productivity)?
>
> If no, then fuggedaboutit; if yes, then implement.
>
> Now, your question of successful attacks against the GINA:
>
> Are there any? Well, there are some GINA replacement attacks, which are really just privilege elevation attacks. There WERE some DoS attacks which are no longer exposed, but no - truth be told, the GINA is not particularly easy to attack in and of itself. I would rate the chances of this exploit pretty darn low, considering that there aren't any known ones out there, and if there were, it would be used A BUNCH.
>
> I suppose once somebody has figured out that you are using a Citrix server they could fire up the old dictionary and try attacking well-known accounts; hence, meticulous adherence to best practices wrt password policies and account disabling and security options is essential. Letting only port 1494 or 3389 through is also a good thing. Disable (not rename) admin, create an equivalent called something completely random, etc.
>
> Truth be told, if you follow the NSA guidelines, have the proper audit policy and actually do something with the logs besides delete them once a week :-), there is absolutely nothing to worry about. Password/user guessing attempts look like, well, a kid trying to guess usernames and passwords. It's very easy to spot in audit logs, and if you're really worried these can be monitored in real time if you put some work into log centralization solutions.
>
> Be paranoid, fer sure, but almost all exploits are the result of not applying a patch somewhere along the line. Plenty to worry about there. The issue of exposing the GINA is, imo, (to quote somebody else on this thread) moronic. Anytime somebody warns you about this, put on your best innocent smile and ask for some proof-of-concept of a way to break the GINA. Then sit back and watch them stutter.
>
> Henry
>
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
> > Sent: Friday, May 21, 2004 6:05 PM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Port/box Security
> >
> > Let's say you did see the login prompt, either via ICA or RDP. How would you use a dictionary attack if you didn't have a username and a password hash?
> > Or, maybe what I'm asking is, how would that help you get a username and a password hash which you could use a dictionary/brute force attack on?
> >
> > You know me - when it comes to paranoia, I'm up there with the worst of them, but I'm not sure how getting a Windows login screen hurts you. Unless that specific situation can somehow be used to get a username and password hash, I don't see the danger (unless there's a protocol vulnerability that can be exploited, in which case WI/CSG insulates you from it).
> >
> > As an aside, and to illustrate how many companies do this, consider this:
> >
> > One of my customers moved physical locations, and his ISP changed his IP address. I didn't know the new IP addresses of his Terminal Server and couldn't reach the administrator. I figured it might be close to his old address, so I port-scanned 253 IP addresses looking for port 3389. I found about 60 servers, so there are a lot of people doing this.
> >
> > JD
> >
> > > -----Original Message-----
> > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > Sent: Friday, 21 May 2004 6:51 a.m.
> > > To: thin@xxxxxxxxxxxxx
> > > Subject: [THIN] Re: Port/box Security
> > >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > To say that you have never experienced this doesn't mean that it doesn't happen. Just do a search on http://neworder.box.sk for CITRIX or ICA and you will find a few exploits/hacks. Can you say for sure that no one has EVER attempted to log into your systems?
> > >
> > > If I did a port scan on your external IP range and saw that 1494 was open, or 3389, or if my port scanner attempted a telnet to that port to see if any banner was presented for the service and I get the ^ICA prompt, I know that I need the ICA client to connect to that IP address. Bam. I have a logon prompt. I can then try to use a dictionary attack to guess usernames and passwords. OR, if you have the XML service open to the internet or the ICA Browser service (1604/UDP), all I would need to do is capture or attempt to redirect (hijack) the TCP/UDP connection to my machine. I could then attempt to crack the password.
> > >
> > > Again, there is a lot of "attempting" here. I would rather be safe knowing that I had SG in place or a VPN in place that is securing the communications. Also, what's to say that I cannot get the source of the connection, and break into that machine? How many users out there have firewalls in place? Not many. With Windows XP SP2, the firewall will be enabled by default. That's a good thing. We will see how robust that firewall is. That's also for another discussion.
> > >
> > > Chris
> > >
> > > > -----Original Message-----
> > > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert K Coffman Jr - Info From Data Corporation
> > > > Sent: Thursday, May 20, 2004 11:38 AM
> > > > To: thin@xxxxxxxxxxxxx
> > > > Subject: [THIN] Re: Port/box Security
> > > >
> > > > While I completely agree with you in theory, in practice this has never caused us a problem.
> > > > I've suggested to my clients that it may be a matter of time before this port gets exploited; to date we've had 0 issues and have been running this way for years.
> > > >
> > > > Can anyone provide concrete reasons not to expose 1494 to the internet?
> > > >
> > > > PS - Don't jump all over me here, I'm all in favor of exposing as little as possible to the net... I just need more ammo to convince those with the purse strings.
> > > >
> > > > - Bob Coffman
> > > >
> > > > -----Original Message-----
> > > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > > Sent: Thursday, May 20, 2004 12:01 PM
> > > > To: thin@xxxxxxxxxxxxx
> > > > Subject: [THIN] Re: Port/box Security
> > > >
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > >
> > > > The cost of hardware is negligible once someone high up understands the security implications. Also, these two services can run on the same server, and don't require much (a PIV with 512MB of RAM would be sufficient for almost 1000 connections).
> > > >
> > > > And, notice that I said "WI AND SG". I would never recommend running just WI, unless it was for internal users only. Exposing the ICA port to the Internet is just asking for trouble. Especially if you are also wanting Program Neighborhood access (either XML or 1604/UDP).
> > > >
> > > > Chris
> > > >
> > > > ********************************************************
> > > > This Week's Sponsor - Tarantella Secure Global Desktop
> > > > Tarantella Secure Global Desktop Terminal Server Edition
> > > > Free Terminal Service Edition software with 2 years maintenance.
> > > > http://www.tarantella.com/ttba
> > > > **********************************************************
> > > > Useful Thin Client Computing Links are available at:
> > > > http://thin.net/links.cfm
> > > > ***********************************************************
> > > > For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link:
> > > > http://thin.net/citrixlist.cfm
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: PGP 8.0.3
> > > Comment: Public PGP Key for Chris Lynch
> > >
> > > iQA/AwUBQKz+Dm9fg+xq5T3MEQJWtACeL2emd6LHrEyj54jl74ZE4xy6cgIAnRDK
> > > jVFNAPrlJdIEcLdr+f0rsFY4
> > > =rs5a
> > > -----END PGP SIGNATURE-----
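Two claims in the thread meet at the audit log: Chris Lynch's, that an exposed ICA/RDP logon prompt invites a dictionary attack, and Henry Sieff's, that such guessing is obvious in the Security log provided someone actually reads it. The script below is an added example, not code from the original thread or from any list member, showing what "reading the log" looks like in practice. It parses a constructed, simplified rendering of Windows 2000/2003 Security-log logon events (event 529 = logon failure, unknown user name or bad password; event 528 = successful logon), flags any source address that fails `threshold` times inside a sliding window, and separately flags any attempt against the built-in Administrator or other names nobody should ever log on with (the thread's "disable, don't rename, admin" advice turns those names into a free tripwire that catches even a slow, one-guess-an-hour attacker). The log format, IP addresses, account names, decoy list and thresholds are all assumptions made for the example.

```python
"""Spot password guessing against an Internet-exposed ICA/RDP host in its audit log.

Added example, not from the thread. The log format is a constructed, simplified
rendering of Windows 2000/2003 Security-log logon events (event 529 = logon failure,
unknown user name or bad password; event 528 = successful logon); a real export
carries more fields.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: time, event id, target account, source address, logon type
# (10 = RemoteInteractive, i.e. Terminal Services). One source, 203.0.113.7, walks a
# list of well-known account names; one legitimate user mistypes a password once.
SAMPLE_LOG = """\
2004-05-25 04:01:03,529,Administrator,203.0.113.7,10
2004-05-25 04:01:09,529,Administrator,203.0.113.7,10
2004-05-25 04:01:15,529,admin,203.0.113.7,10
2004-05-25 04:01:21,529,guest,203.0.113.7,10
2004-05-25 04:01:27,529,root,203.0.113.7,10
2004-05-25 04:01:30,529,jdurbin,192.168.1.20,10
2004-05-25 04:01:33,529,test,203.0.113.7,10
2004-05-25 04:01:40,529,backup,203.0.113.7,10
2004-05-25 04:01:52,528,jdurbin,192.168.1.20,10
"""

# Names nobody on this host legitimately logs on with: the built-in Administrator
# (disabled, per the thread's advice) plus the usual guesses. Assumed list; one
# attempt against any of them is enough to raise an alert.
DECOY_ACCOUNTS = {"administrator", "admin", "guest", "root"}

LOGON_FAILURE = 529


def parse_log(text):
    """Turn the CSV-style sample into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, source, logon_type = line.strip().split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "user": user.lower(),          # Windows account names are case-insensitive
            "source": source,
            "logon_type": int(logon_type),
        })
    events.sort(key=lambda e: e["time"])
    return events


def _flag(alerts, src, when, reason):
    """Create or update the alert for one source; first_seen is never moved later."""
    alert = alerts.setdefault(src, {"source": src, "first_seen": when, "reasons": []})
    if reason not in alert["reasons"]:
        alert["reasons"].append(reason)


def detect_guessing(events, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per source address, ordered by first sighting.

    "burst": `threshold` or more failures from one source inside `window` (a per-source
    sliding window, so this is a single pass and can run on a live centralised feed).
    "decoy": any failure against an account in DECOY_ACCOUNTS, however slow the attacker.
    """
    recent = defaultdict(deque)     # source -> failure timestamps still inside the window
    tried = defaultdict(set)        # source -> every account name it has attempted
    failures = defaultdict(int)     # source -> total failed logons
    alerts = {}
    for e in events:
        if e["event_id"] != LOGON_FAILURE:
            continue
        src = e["source"]
        failures[src] += 1
        tried[src].add(e["user"])
        q = recent[src]
        q.append(e["time"])
        while e["time"] - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            _flag(alerts, src, q[0], "burst")
        if e["user"] in DECOY_ACCOUNTS:
            _flag(alerts, src, e["time"], "decoy")
    for src, alert in alerts.items():
        alert["failures"] = failures[src]
        alert["accounts"] = sorted(tried[src])
    return sorted(alerts.values(), key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for a in detect_guessing(parse_log(SAMPLE_LOG)):
        print(f"{a['source']}: {a['failures']} failures since {a['first_seen']}, "
              f"reasons={a['reasons']}, accounts={a['accounts']}")
```

On the sample, 203.0.113.7 trips both rules (seven failures in under a minute, two of them against Administrator) while the one mistyped password from 192.168.1.20 raises nothing. To use it against a real box you would feed it an export of the Security log instead of the inline sample; the decoy rule is the one that still works when the attacker is patient enough to stay under any burst threshold.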