None. It won't ever happen! ;)

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
> Sent: Sunday, May 30, 2004 1:17 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Port/box Security
>
> Post one that says I'm a genius and we'll see how many times that one shows up.
>
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > Sent: Sunday, 30 May 2004 10:56 a.m.
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Port/box Security
> >
> > I haven't sent this message more than once. I'm really starting to get annoyed with the email list server that this group resides on.
> >
> > Jim, can you get this fixed, or (dare I say it again) can you put this list on another list server? I really hate all of the =20 crap, and messages being sent more than once, or even delays in delivery.
> >
> > Chris
> >
> > > -----Original Message-----
> > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
> > > Sent: Friday, May 28, 2004 12:23 PM
> > > To: thin@xxxxxxxxxxxxx
> > > Subject: [THIN] Re: Port/box Security
> > >
> > > Ok, you've posted this same message at least three times. The joke is getting old.
> > >
> > > > -----Original Message-----
> > > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > > Sent: Monday, 24 May 2004 11:59 a.m.
> > > > To: thin@xxxxxxxxxxxxx
> > > > Subject: [THIN] Re: Port/box Security
> > > >
> > > > Hey moron (and I use that term very loosely, 'cuz a moron has more brains than you)!
> > > >
> > > > Just because I said dictionary attack, doesn't mean that I captured data from a TCP or UDP stream, and I was attempting to guess the password hash. If I get a GINA prompt, I can start using "common" usernames (administrator, backup, nimda, etc), and then use a dictionary cracker to come up with common passwords and enter them into the prompt. I agree that WI exposes the same thing, but at least it's one central location, instead of multiple servers. To reduce the risk further, yes, use 2-factor authentication (SafeWord or RSA tokens). There have been some GINA exploits in the past (NT4 was a prime suspect, don't know of one with Windows 2000).
> > > >
> > > > The only cost that a company will need to incur is the hardware (very minimal) and the SSL cert (1 or 2, and you can get them cheap).
> > > >
> > > > My argument wasn't necessarily with exposing GINA (you really need to read the whole email). I stated that *most* locations have either the UDP port or the XML port open to the internet for ICA Browsing. There are a few hacks out there for capturing this info and getting the usernames and passwords, as well as enumerating the published applications. Using WI and CSG eliminates this completely.
> > > >
> > > > Sheesh, and you call yourself a Senior Engineer.
> > > >
> > > > Chris
> > > >
> > > > [INSERT] Don't let the flames start, 'cuz he and I used to work with each other. [/INSERT]
> > > >
> > > > > -----Original Message-----
> > > > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
> > > > > Sent: Friday, May 21, 2004 10:36 PM
> > > > > To: thin@xxxxxxxxxxxxx
> > > > > Subject: [THIN] Re: Port/box Security
> > > > >
> > > > > Someone who's got any server whose administrator password is blank or easy has bigger problems than whether or not to expose a TS directly to the Internet. I never said it was the right thing to do. Nor did I say this:
> > > > >
> > > > > "You never knew he was there... so you claim to allow 1494 to the LAN and have zero issues to date. How would you know?"
> > > > >
> > > > > I agree that the risk is decreased if you have a single point of entry (CSG/WI) to your farm rather than exposing multiple servers directly. However, if anyone does find your WI page, you still have 100% of the password guessing risk unless you use two-factor authentication. Really, my question was whether there was a direct risk of exposing the GINA, i.e., can you get a password hash? Chris said that exposing the GINA put you at risk for a dictionary attack, and I don't see how it does.
> > > > >
> > > > > JD
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Roger Riggins
> > > > > > Sent: Saturday, 22 May 2004 5:16 p.m.
> > > > > > To: thin@xxxxxxxxxxxxx
> > > > > > Subject: [THIN] Re: Port/box Security
> > > > > >
> > > > > > Just because a lot of people do it, doesn't mean it's the right thing to do. One doesn't always need a password hash to score a password. I *guarantee* that some of the people that are reading these posts have member servers that are running TS and don't have a local administrator password. Some also have passwords that are easily guessed on the second or third attempts. Once you're on as a local admin, you can shadow...install a sniffer...browse the profiles on that machine...whatever you want! Oh, you don't use an idle timeout? Then he'll shadow a session at 3:00 in the morning when nobody is in the office. Maybe it'll be an IT person's session who is a domain admin. Then he'll create his own domain admin account with an obscure name that you may overlook. Maybe he'll map his client drive and copy your HR and fiscal databases to his local machine.
> > > > > >
> > > > > > You never knew he was there... so you claim to allow 1494 to the LAN and have zero issues to date. How would you know?
> > > > > >
> > > > > > Also, if somebody finds 3389 or 1494 open it may prompt them to do a little social engineering. It's easier than you think. He already knows you run Citrix or TS, right?
> > > > > >
> > > > > > Can they do the same thing if you're running CSG? Sure, but they'll have a hell of a time finding WI sites with a port scanner. By using CSG, you're reducing the risk. CSG is FREE!
> > > > > >
> > > > > > Infosec is about best effort. It's our job to give that best effort, IMHO.
> > > > > >
> > > > > > Good luck,
> > > > > > R
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
> > > > > > Sent: Friday, May 21, 2004 6:05 PM
> > > > > > To: thin@xxxxxxxxxxxxx
> > > > > > Subject: [THIN] Re: Port/box Security
> > > > > >
> > > > > > Let's say you did see the login prompt, either via ICA or RDP. How would you use a dictionary attack if you didn't have a username and a password hash? Or, maybe what I'm asking is, how would that help you get a username and a password hash which you could use a dictionary/brute force attack on?
> > > > > > You know me - when it comes to paranoia, I'm up there with the worst of them, but I'm not sure how getting a Windows login screen hurts you. Unless that specific situation can somehow be used to get a username and password hash, I don't see the danger (unless there's a protocol vulnerability that can be exploited, in which case WI/CSG insulates you from it).
> > > > > > As an aside, and to illustrate how many companies do this, consider this:
> > > > > > One of my customers moved physical locations, and his ISP changed his IP address. I didn't know the new IP addresses of his Terminal Server and couldn't reach the administrator. I figured it might be close to his old address, so I port-scanned 253 IP addresses looking for port 3389. I found about 60 servers, so there are a lot of people doing this.
> > > > > >
> > > > > > JD
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > > > > > Sent: Friday, 21 May 2004 6:51 a.m.
> > > > > > > To: thin@xxxxxxxxxxxxx
> > > > > > > Subject: [THIN] Re: Port/box Security
> > > > > > >
> > > > > > > To say that you have never experienced this, doesn't mean that it doesn't happen. Just do a search on http://neworder.box.sk for CITRIX or ICA and you will find a few exploits/hacks. Can you say for sure that no one has EVER attempted to log into your systems? If I did a port scan on your external IP range and saw that 1494 was open, or 3389, or if my port scanner attempted a telnet to that port to see if any banner was presented for the service and I get the ^ICA prompt, I know that I need the ICA client to connect to that IP address. Bam. I have a logon prompt. I can then try to use a dictionary attack to guess usernames and passwords. OR, if you have the XML service open to the internet or the ICA Browser service (1604/UDP), all I would need to do is capture or attempt to redirect (hijack) the TCP/UDP connection to my machine. I could then attempt to crack the password.
> > > > > > >
> > > > > > > Again, there is a lot of "attempting" here. I would rather be safe knowing that I had SG in place or a VPN in place that is securing the communications. Also, what's to say that I cannot get the source of the connection, and break into that machine? How many users out there have firewalls in place? Not many. With Windows XP SP2, the firewall will be enabled by default. That's a good thing. We will see how robust that firewall is. That's also for another discussion.
> > > > > > >
> > > > > > > Chris
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert K Coffman Jr - Info From Data Corporation
> > > > > > > > Sent: Thursday, May 20, 2004 11:38 AM
> > > > > > > > To: thin@xxxxxxxxxxxxx
> > > > > > > > Subject: [THIN] Re: Port/box Security
> > > > > > > >
> > > > > > > > While I completely agree with you in theory, in practice this has never caused us a problem. I've suggested to my clients that it may be a matter of time before this port gets exploited; to date we've had 0 issues and have been running this way for years.
> > > > > > > >
> > > > > > > > Can anyone provide concrete reasons not to expose 1494 to the internet?
> > > > > > > >
> > > > > > > > PS - Don't jump all over me here, I'm all in favor of exposing as little as possible to the net... I just need more ammo to convince those with the purse strings.
> > > > > > > >
> > > > > > > > - Bob Coffman
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > > > > > > Sent: Thursday, May 20, 2004 12:01 PM
> > > > > > > > To: thin@xxxxxxxxxxxxx
> > > > > > > > Subject: [THIN] Re: Port/box Security
> > > > > > > >
> > > > > > > > The cost of hardware is negligible once someone high up understands the security implications. Also, these two services can run on the same server, and don't require much (PIV with 512MB of RAM would be sufficient for almost 1000 connections).
> > > > > > > >
> > > > > > > > And, notice that I said "WI AND SG". I would never recommend running just WI, unless it was for internal users only. Exposing the ICA port to the Internet is just asking for trouble. Especially if you are also wanting Program Neighborhood access (either XML or 1604/UDP).
> > > > > > > >
> > > > > > > > Chris
> > > > > > > >
> > > > > > > > ********************************************************
> > > > > > > > This Week's Sponsor - Tarantella Secure Global Desktop
> > > > > > > > Tarantella Secure Global Desktop Terminal Server Edition Free Terminal
> > > > > > > > Service Edition software with 2 years maintenance.
> > > > > > > > http://www.tarantella.com/ttba
> > > > > > > > **********************************************************
> > > > > > > > Useful Thin Client Computing Links are available at:
> > > > > > > > http://thin.net/links.cfm
> > > > > > > > ***********************************************************
> > > > > > > > For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode
> > > > > > > > use the below link:
> > > > > > > > http://thin.net/citrixlist.cfm