[THIN] Re: Port/box Security

  • From: "Jeff Durbin" <techlists@xxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Sat, 29 May 2004 07:22:38 +1200

Ok, you've posted this same message at least three times. The joke is
getting old. 

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> Sent: Monday, 24 May 2004 11:59 a.m.
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Port/box Security
> 
>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hey moron (and I use that term very loosely, 'cuz a moron has 
> more brains than you)!
> 
> Just because I said dictionary attack, doesn't mean that I 
> captured data from a TCP or UDP stream, and I was attempting 
> to guess the password hash.  If I get a GINA prompt, I can 
> start using "common"
> usernames (administrator, backup, nimda, etc), and then use a 
> dictionary cracker to come up with common passwords and enter 
> them into the prompt.  I agree that WI exposes the same 
> thing, but at least it's one central location, instead of 
> multiple servers.  To reduce the risk further, yes, use 2 
> factor authentication (SafeWord or RSA tokens).  There have 
> been some GINA exploits in the past (NT4 was a prime suspect, 
> don't know of one with Windows 2000).
> 
> The only cost that a company will need to incur is the hardware (very
> minimal) and the SSL cert (1 or 2, and you can get them cheap).
> 
> My argument wasn't necessarily with exposing GINA (you really 
> need to read the whole email).  I stated that *most* 
> locations have either the UDP port or the XML port open to 
> the internet for ICA Browsing. 
> There are a few hacks out there for capturing this info and 
> getting the usernames and passwords, as well as enumerating 
> the published applications.  Using WI and CSG eliminate this 
> completely.
> 
> Sheesh, and you called yourself a Senior Engineer.
> 
> Chris
> 
> [INSERT]  Don't the flames start, cuz he and I used to work 
> with each other. [/INSERT]
> 
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx
> > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
> > Sent: Friday, May 21, 2004 10:36 PM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Port/box Security
> > 
> >   Someone who's got any server whose administrator password is blank or
> > easy has bigger problems than whether or not to expose a TS directly
> > to the Internet. I never said it was the right thing to do. Nor did I
> > say this:
> > 
> > "You never knew he was there... so you claim to allow 1494 to the LAN
> > and have zero issues to date. How would you know?"
> > 
> >   I agree that the risk is decreased if you have a single point of entry
> > (CSG/WI) to your farm rather than exposing multiple servers directly.
> > However, if anyone does find your WI page, you still have 100% of the
> > password guessing risk unless you use two-factor authentication.
> >   Really, my question was whether there was a direct risk of exposing
> > the GINA, i.e., can you get a password hash? Chris said that exposing
> > the GINA put you at risk for a dictionary attack, and I don't see how
> > it does.
> > 
> > JD
> > 
> > > -----Original Message-----
> > > From: thin-bounce@xxxxxxxxxxxxx
> > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Roger Riggins
> > > Sent: Saturday, 22 May 2004 5:16 p.m.
> > > To: thin@xxxxxxxxxxxxx
> > > Subject: [THIN] Re: Port/box Security
> > > 
> > > Just because a lot of people do it, doesn't mean it's the right thing
> > > to do. One doesn't always need a password hash to score a password. I
> > > *guarantee* that some of the people that are reading these posts have
> > > member servers that are running TS and don't have a local
> > > administrator password. Some also have passwords that are easily
> > > guessed on the second or third attempts. Once you're on as a local
> > > admin, you can shadow...install a sniffer...browse the profiles on
> > > that machine...whatever you want! Oh, you don't use an idle timeout?
> > > Then he'll shadow a session at 3:00 in the morning when nobody is in
> > > the office.
> > > Maybe it'll be an IT person's session who is a domain admin.
> > > Then he'll create his own domain admin account with an obscure name
> > > that you may overlook. Maybe he'll map his client drive and copy your
> > > HR and fiscal databases to his local machine.
> > > 
> > > You never knew he was there... so you claim to allow 1494 to the LAN
> > > and have zero issues to date. How would you know?
> > > 
> > > Also, if somebody finds 3389 or 1494 open it may prompt them to do a
> > > little social engineering. It's easier than you think. He already
> > > knows you run Citrix or TS, right?
> > > 
> > > Can they do the same thing if you're running CSG? Sure, but they'll
> > > have a hell of a time finding WI sites with a port scanner. By using
> > > CSG, you're reducing the risk. CSG is FREE!
> > > 
> > > Infosec is about best effort. It's our job to give that best effort,
> > > IMHO.
> > > 
> > > Good luck,
> > > R
> > > 
> > > -----Original Message-----
> > > From: thin-bounce@xxxxxxxxxxxxx
> > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
> > > Sent: Friday, May 21, 2004 6:05 PM
> > > To: thin@xxxxxxxxxxxxx
> > > Subject: [THIN] Re: Port/box Security
> > > 
> > >   Let's say you did see the login prompt, either via ICA or RDP. How
> > > would you use a dictionary attack if you didn't have a username and a
> > > password hash? Or, maybe what I'm asking is, how would that help you
> > > get a username and a password hash which you could use a
> > > dictionary/brute force attack on?
> > >   You know me - when it comes to paranoia, I'm up there with the worst
> > > of them, but I'm not sure how getting a windows login screen hurts
> > > you. Unless that specific situation can somehow be used to get a
> > > username and password hash, I don't see the danger (unless there's a
> > > protocol vulnerability that can be exploited, in which case WI/CSG
> > > insulates you from it).
> > >   As an aside, and to illustrate how many companies do this, consider
> > > this:
> > > One of my customers moved physical locations, and his ISP changed his
> > > IP address. I didn't know the new IP addresses of his Terminal Server
> > > and couldn't reach the administrator. I figured it might be close to
> > > his old address, so I port-scanned 253 IP addresses looking for port
> > > 3389. I found about 60 servers, so there are a lot of people doing
> > > this.
> > > 
> > > JD
> > > 
> > > > -----Original Message-----
> > > > From: thin-bounce@xxxxxxxxxxxxx
> > > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > > Sent: Friday, 21 May 2004 6:51 a.m.
> > > > To: thin@xxxxxxxxxxxxx
> > > > Subject: [THIN] Re: Port/box Security
> > > > 
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > > 
> > > > To say that you have never experienced this, doesn't mean that it
> > > > doesn't happen.  Just do a search on http://neworder.box.sk for
> > > > CITRIX or ICA and you will find a few exploits/hacks.  Can you say
> > > > for sure that no one has EVER attempted to log into your systems?
> > > > If I did a port scan on your external IP range and saw that 1494
> > > > was open, or 3389, or if my port scanner attempted a telnet to that
> > > > port to see if any banner was presented for the service and I
> > > > get the ^ICA prompt, I know that I need the ICA client to
> > > > connect to that IP address.  Bam.  I have a logon prompt.  I can
> > > > then try to use a dictionary attack attempt to guess usernames
> > > > and passwords.  OR, if you have the XML service open to the
> > > > internet or the ICA Browser service (1604/UDP), all I would need to
> > > > do is capture or attempt a redirect (hijack) the TCP/UDP connection
> > > > to my machine.  I could then attempt to crack the password.
> > > > 
> > > > Again, there is a lot of "attempting" here.  I would rather be
> > > > safe knowing that I had SG in place or a VPN in place that is
> > > > securing the communications.  Also, what's to say that I cannot get
> > > > the source of the connection, and break into that machine?  How
> > > > many users out there have firewalls in place?  Not many.
> > > > With Windows XP SP2, the firewall will be enabled by default.
> > > > That's a good thing.  We will see how robust that firewall is.
> > > > That's also for another discussion.
> > > > 
> > > > Chris
> > > > 
> > > > > -----Original Message-----
> > > > > From: thin-bounce@xxxxxxxxxxxxx
> > > > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert K
> > > > > Coffman Jr - Info From Data Corporation
> > > > > Sent: Thursday, May 20, 2004 11:38 AM
> > > > > To: thin@xxxxxxxxxxxxx
> > > > > Subject: [THIN] Re: Port/box Security
> > > > > 
> > > > > While I completely agree with you in theory, in practice this has
> > > > > never caused us a problem.  I've suggested to my clients that it may
> > > > > be a matter of time before this port gets exploited, to date we've had
> > > > > 0 issues and have been running this way for years.
> > > > > 
> > > > > Can anyone provide concrete reasons not to expose 1494 to the
> > > > > internet?
> > > > > 
> > > > > PS - Don't jump all over me here, I'm all in favor of exposing as
> > > > > little as possible to the net...  I just need more ammo to
> > > > > convince those with the purse strings.
> > > > > 
> > > > > - Bob Coffman
> > > > > 
> > > > > -----Original Message-----
> > > > > From: thin-bounce@xxxxxxxxxxxxx
> > > > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > > > Sent: Thursday, May 20, 2004 12:01 PM
> > > > > To: thin@xxxxxxxxxxxxx
> > > > > Subject: [THIN] Re: Port/box Security
> > > > > 
> > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > Hash: SHA1
> > > > > 
> > > > > The cost of hardware is negligible once someone high up
> > > > > understands the security implications.  Also, these two services
> > > > > can run on the same server, and don't require much (PIV with
> > > > > 512MB of RAM would be sufficient for almost 1000 connections).
> > > > > 
> > > > > And, notice that I said "WI AND SG".  I would never recommend running
> > > > > just WI, unless it was for internal users only.
> > > > > Exposing the ICA port to the Internet is just asking for trouble.
> > > > > Especially if you are also wanting Program Neighborhood access (either
> > > > > XML or 1604/UDP).
> > > > > 
> > > > > Chris
> > > > > 
> > > > -----BEGIN PGP SIGNATURE-----
> > > > Version: PGP 8.0.3
> > > > Comment: Public PGP Key for Chris Lynch
> > > > 
> > > > iQA/AwUBQKz+Dm9fg+xq5T3MEQJWtACeL2emd6LHrEyj54jl74ZE4xy6cgIAnRDK
> > > > jVFNAPrlJdIEcLdr+f0rsFY4
> > > > =rs5a
> > > > -----END PGP SIGNATURE-----
> > > > 
> > 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.3
> Comment: Public PGP Key for Chris Lynch
> 
> iQA/AwUBQLE6t29fg+xq5T3MEQJmsACgpGqb7nCW1cW5QldAR54x/nC09kAAoLrv
> dqUd4OjnrLJGZGIO0tlMyEUp
> =o4O5
> -----END PGP SIGNATURE-----
> 

********************************************************
This Week's Sponsor - Tarantella Secure Global Desktop
Tarantella Secure Global Desktop Terminal Server Edition
Free Terminal Service Edition software with 2 years maintenance.
http://www.tarantella.com/ttba
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
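
The thread argues over whether a login prompt reachable on 3389 or 1494 exposes you to password guessing, and the mitigations named are two-factor authentication, an idle timeout and a single CSG/WI entry point. Whichever way a site decides, the practical complement is to notice guessing when it happens. The script below is an added example and is not part of any message in this thread or of any thin.net material: it reads Windows Security log lines in a constructed key=value layout (Event 529, the NT4/2000/2003 "bad user name or password" failure; LogonType 10, the Terminal Services logon type on XP/2003), and flags a source address that either piles up failed logons or cycles through several usernames inside a short window, which is the "common usernames plus dictionary" pattern Chris describes. The line format, the thresholds, the timestamps and the addresses are all assumptions made for the example; a real event-log export would need its own parser, and on Windows 2000 Terminal Server the logon type filter would need adjusting.

```python
"""Flag password guessing against an exposed Terminal Server / Citrix logon.

Added example, not from the thin.net thread. Parses constructed Windows
Security log lines, groups failed remote-interactive logons by source
address inside a sliding window, and reports sources that exceed a failure
threshold or try too many distinct usernames.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample lines (assumed key=value layout, not a real export).
# EventID=529 is the NT4/2000/2003 "unknown user name or bad password"
# failure, 528 a successful logon, LogonType=10 the Terminal Services logon.
SAMPLE_LOG = """\
2004-05-21 22:05:01 EventID=529 User=administrator Source=203.0.113.7 LogonType=10
2004-05-21 22:05:03 EventID=529 User=administrator Source=203.0.113.7 LogonType=10
2004-05-21 22:05:04 EventID=529 User=backup Source=203.0.113.7 LogonType=10
2004-05-21 22:05:06 EventID=529 User=nimda Source=203.0.113.7 LogonType=10
2004-05-21 22:05:09 EventID=529 User=administrator Source=203.0.113.7 LogonType=10
2004-05-21 22:05:11 EventID=529 User=guest Source=203.0.113.7 LogonType=10
2004-05-21 22:10:40 EventID=529 User=jdurbin Source=198.51.100.22 LogonType=10
2004-05-21 22:10:55 EventID=528 User=jdurbin Source=198.51.100.22 LogonType=10
2004-05-22 03:00:12 EventID=529 User=administrator Source=203.0.113.7 LogonType=10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<eid>\d+) "
    r"User=(?P<user>\S+) Source=(?P<src>\S+) LogonType=(?P<ltype>\d+)$"
)
FAILED_LOGON_EVENT = "529"   # assumption: pre-Vista event id
REMOTE_INTERACTIVE = "10"    # assumption: XP/2003 Terminal Services logon type


def parse_events(text):
    """Return sorted (timestamp, user, source) tuples for failed TS logons."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that don't match the assumed layout
        if m["eid"] != FAILED_LOGON_EVENT or m["ltype"] != REMOTE_INTERACTIVE:
            continue  # successes and non-TS logons are not guessing evidence
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["user"].lower(), m["src"]))
    events.sort()
    return events


def detect_guessing(events, window=timedelta(minutes=5), max_failures=5, max_users=3):
    """Return {source: reason} for sources that look like password guessing.

    A source is flagged the first time that, within one sliding window, it
    either produces more than `max_failures` failed logons or tries more
    than `max_users` distinct usernames (a dictionary of common accounts).
    """
    recent = defaultdict(deque)  # source -> (ts, user) pairs inside the window
    findings = {}
    for ts, user, src in events:
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop attempts that fell out of the window
        if src in findings:
            continue  # already reported; keep the queue current anyway
        users = {u for _, u in q}
        if len(q) > max_failures:
            findings[src] = f"{len(q)} failed logons within {window}"
        elif len(users) > max_users:
            findings[src] = (
                f"{len(users)} distinct usernames within {window}: {sorted(users)}"
            )
    return findings


if __name__ == "__main__":
    for src, why in detect_guessing(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {why}")
```

Run as a script it prints one alert for 203.0.113.7 (six failures in ten seconds); the single typo-then-success from 198.51.100.22 stays quiet, which is the point of keying on the source rather than the account. The two thresholds are deliberately separate: an account lockout policy already handles one user being hammered, but a source walking through administrator, backup and nimda with one or two guesses each never trips lockout and only shows up when you count usernames per source.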
