[THIN] Re: Port/box Security

From: "Chris Lynch" <lynch00@xxxxxxx>
To: <thin@xxxxxxxxxxxxx>
Date: Sun, 30 May 2004 12:55:10 -0700
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

None.  It won't ever happen!  ;) 

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
> Sent: Sunday, May 30, 2004 1:17 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Port/box Security
> 
> Post one that says I'm a genius and we'll see how many times 
> that one shows up. 
> 
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx
> > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > Sent: Sunday, 30 May 2004 10:56 a.m.
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Port/box Security
> > 
> >  
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > I haven't sent this message more than once.  I'm really starting to 
> > get annoyed with the email list server that this group resides on.
> > 
> > Jim,  can you get this fixed, or (dare I say it again) can you put 
> > this list on another list server?  I really hate all of the 
> =20 crap, 
> > and messages being sent more than once, or even late delay in 
> > delivery.
> > 
> > Chris
> > 
> > > -----Original Message-----
> > > From: thin-bounce@xxxxxxxxxxxxx
> > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
> > > Sent: Friday, May 28, 2004 12:23 PM
> > > To: thin@xxxxxxxxxxxxx
> > > Subject: [THIN] Re: Port/box Security
> > > 
> > > Ok, you've posted this same message at least three times. 
> > The joke is
> > > getting old.
> > > 
> > > > -----Original Message-----
> > > > From: thin-bounce@xxxxxxxxxxxxx
> > > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > > Sent: Monday, 24 May 2004 11:59 a.m.
> > > > To: thin@xxxxxxxxxxxxx
> > > > Subject: [THIN] Re: Port/box Security
> > > > 
> > > >  
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > > 
> > > > Hey moron (and I use that term very loosely, 'cuz a moron
> > has more
> > > > brains than you)!
> > > > 
> > > > Just because I said dictionary attack, doesn't mean that
> > I captured
> > > > data from a TCP or UDP stream, and I was attempting to 
> guess the 
> > > > password hash.  If I get a GINA prompt, I can start 
> using "common"
> > > > usernames (administrator, backup, nimda, etc), and then use a 
> > > > dictionary cracker to come up with common passwords and
> > enter them
> > > > into the prompt.  I agree that WI exposes the same thing,
> > > but at least
> > > > it's one central location, instead of multiple servers.  To
> > > reduce the
> > > > risk further, yes, use 2 factor authentication (SafeWord or RSA 
> > > > tokens).  There have been some GINA exploits in the past
> > (NT4 was a
> > > > prime suspect, don't know of one with Windows 2000).
> > > > 
> > > > The only cost that a company will need to incur is the
> > > hardware (very
> > > > minimal) and the SSL cert (1 or 2, and you can get them cheap).
> > > > 
> > > > My argument wasn't necessarily with exposing GINA (you
> > > really need to
> > > > read the whole email).  I stated that *most* locations have
> > > either the
> > > > UDP port or the XML port open to the internet for ICA Browsing.
> > > > There are a few hacks out there for capturing this info
> > and getting
> > > > the usernames and passwords, as well as enumerating the 
> published 
> > > > applications.  Using WI and CSG eliminate this completely.
> > > > 
> > > > Sheesh, and you called yourself a Senior Engineer.
> > > > 
> > > > Chris
> > > > 
> > > > [INSERT]  Don't the flames start, cuz he and I used to work
> > > with each
> > > > other. [/INSERT]
> > > > 
> > > > > -----Original Message-----
> > > > > From: thin-bounce@xxxxxxxxxxxxx
> > > > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
> > > > > Sent: Friday, May 21, 2004 10:36 PM
> > > > > To: thin@xxxxxxxxxxxxx
> > > > > Subject: [THIN] Re: Port/box Security
> > > > > 
> > > > >   Someone who's got any server whose adminstrator password
> > > > is blank or
> > > > > easy has bigger problems than whether or not to expose a TS
> > > > directly
> > > > > to the Internet. I never said it was the right thing to do. 
> > > > Nor did I
> > > > > say this:
> > > > >  
> > > > > "You never knew he was there... so you claim to allow 1494
> > > > to the LAN
> > > > > and have zero issues to date. How would you know?"
> > > > > 
> > > > >   I agree that the risk is decreased if you have a single
> > > point of
> > > > > entry
> > > > > (CSG/WI) to your farm rather than exposing multiple servers
> > > > directly. 
> > > > > However, if anyone does find your WI page, you still have
> > > > 100% of the
> > > > > password guesing risk unless you use two-factor 
> authentication.
> > > > >   Really, my question was whether there was a direct risk
> > > > of exposing
> > > > > the GINA, i.e., can you get a password hash? Chris said
> > > > that exposing
> > > > > the GINA put you at risk for a dictionary attack, and I
> > > > don't see how
> > > > > it does.
> > > > > 
> > > > > JD
> > > > > 
> > > > > > -----Original Message-----
> > > > > > From: thin-bounce@xxxxxxxxxxxxx 
> > > > > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of 
> Roger Riggins
> > > > > > Sent: Saturday, 22 May 2004 5:16 p.m.
> > > > > > To: thin@xxxxxxxxxxxxx
> > > > > > Subject: [THIN] Re: Port/box Security
> > > > > > 
> > > > > > Just because a lot of people do it, doesn't mean it's the
> > > > > right thing
> > > > > > to do. One doesn't always need a password hash to score a
> > > > > password. I
> > > > > > *guarantee* that some of the people that are reading these
> > > > > posts have
> > > > > > member servers that are running TS and don't have a local 
> > > > > > administrator password. Some also have passwords that
> > > are easily
> > > > > > guessed on the second or third attempts. Once you're on
> > > > as a local
> > > > > > admin, you can shadow...install a sniffer...browse the
> > > > profiles on
> > > > > > that machine...whatever you want! Oh, you don't use an idle
> > > > > timeout? 
> > > > > > Then he'll shadow a session at 3:00 in the morning when
> > > > > nobody is in
> > > > > > the office.
> > > > > > Maybe it'll be an IT person's session who is a domain admin.
> > > > > > Then he'll create his own domain admin account with an
> > > > obscure name
> > > > > > that you may overlook. Maybe he'll map his client drive and
> > > > > copy your
> > > > > > HR and fiscal databases to his local machine.
> > > > > > 
> > > > > > You never knew he was there... so you claim to allow 1494
> > > > > to the LAN
> > > > > > and have zero issues to date. How would you know?=20
> > > > > > 
> > > > > > Also, if somebody finds 3389 or 1494 open it may prompt
> > > > > them to do a
> > > > > > little social engineering. It's easier than you think. He
> > > > already
> > > > > > knows you run Citrix or TS, right?
> > > > > > 
> > > > > > Can they do the same thing if you're running CSG? Sure,
> > > > but they'll
> > > > > > have a hell of a time finding WI sites with a port scanner.
> > > > > By using
> > > > > > CSG, you're reducing the risk. CSG is FREE!=20
> > > > > > 
> > > > > > Infosec is about best effort. It's our job to give that
> > > > > best effort,
> > > > > > IMHO.=20
> > > > > > 
> > > > > > Good luck,
> > > > > > R=20
> > > > > > 
> > > > > > -----Original Message-----
> > > > > > From: thin-bounce@xxxxxxxxxxxxx 
> > > > > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
> > > > > > Sent: Friday, May 21, 2004 6:05 PM
> > > > > > To: thin@xxxxxxxxxxxxx
> > > > > > Subject: [THIN] Re: Port/box Security
> > > > > > 
> > > > > >   Let's say you did see the login prompt, either via ICA or
> > > > > RDP. How
> > > > > > would you use a dictionary attack if you didn't have a
> > > > > username and a
> > > > > > password hash? Or, maybe what I'm asking is, how would that
> > > > > help you
> > > > > > get a username and a password hash which you could use a 
> > > > > > dictionary/brute force attack on?
> > > > > >   You know me - when it comes to paranoia, I'm up there
> > > > > with the worst
> > > > > > of them, but I'm not sure how getting a windows login
> > > > screen hurts
> > > > > > you.
> > > > > > Unless
> > > > > > that specific situation can somehow be used to get a
> > > > username and
> > > > > > password hash, I don't see the danger (unless there's a
> > > protocol
> > > > > > vulnerability that can be exploited, in which case WI/CSG
> > > > insulates
> > > > > > you from it).=20
> > > > > >   As an aside, and to illustrate how many companies do
> > > > > this, consider
> > > > > > this:
> > > > > > One of my customers moved physical locations, and his ISP
> > > > > changed his
> > > > > > IP address. I didn't know the new IP addresses of his
> > > > > Terminal Server
> > > > > > and couldn't reach the administrator. I figured it might be
> > > > > close to
> > > > > > his old address, so I port-scanned 253 IP addresses looking
> > > > > for port
> > > > > > 3389. I found about 60 servers, so there are a lot of
> > > > people doing
> > > > > > this.
> > > > > > 
> > > > > > JD
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > > -----Original Message-----
> > > > > > > From: thin-bounce@xxxxxxxxxxxxx=20 
> > > > > > >[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > > > > > Sent: Friday, 21 May 2004 6:51 a.m.
> > > > > > > To: thin@xxxxxxxxxxxxx
> > > > > > > Subject: [THIN] Re: Port/box Security =20  =20
> > > -----BEGIN PGP
> > > > > > >SIGNED MESSAGE-----
> > > > > > > Hash: SHA1
> > > > > > >=20
> > > > > > > To say that you have never experienced this, doesn't
> > > > > > mean=20  that it
> > > > > > >doesn't happen.  Just do a search on=20
> > > > > http://neworder.box.sk for
> > > > > > >CITRIX or ICA and you will find a=20  few exploits/hacks.
> > > > > > Can you say
> > > > > > >for sure that no one has=20  EVER attempted to log 
> into your
> > > > > > systems?  
> > > > > > >If I did a port=20  scan on your external IP range and saw
> > > > > that 1494
> > > > > > >was open, or=20  3389, or if my port scanner attempted a
> > > > > > telnet to that
> > > > > > >port=20  to see if any banner was presented for the
> > > > service and I
> > > > > > >get=20  the ^ICA prompt, I know that I need the ICA
> > client to
> > > > > > >connect=20  to that IP address.  Bam.  I have a logon
> > > > > prompt.  I can
> > > > > > >then=20  try to use a dictionary attack attempt to guess
> > > > usernames
> > > > > > >and=20  passwords.  OR, if you have the XML service open
> > > > to the=20
> > > > > > >internet or the ICA Browser service (1604/UDP), all I
> > > > > > would=20  need to
> > > > > > >do is capture or attempt a redirect (hijack) 
> the=20  TCP/UDP
> > > > > > connection
> > > > > > >to my machine.  I could then attempt to=20  crack
> > the password.
> > > > > > >=20
> > > > > > > Again, there is a lot of "attempting" here.  I would
> > > > > rather=20  be
> > > > > > >safe knowing that I had SG in place or a VPN in place
> > > > that=20 is
> > > > > > >securing the communications.  Also, what's to say that I=20
> > > > > > cannot get
> > > > > > >the source of the connection, and break into that=20
> > > > > machine?  How
> > > > > > >many users out there have firewalls in place? =20  
> Not many. 
> > > > > > >With  Windows XP SP2, the firewall will be enabled=20
> > > > by default.
> > > > > >  That's a
> > > > > > >good thing.  We will see how robust=20  that firewall is.  
> > > > > > That's also
> > > > > > >for another discussion.
> > > > > > >=20
> > > > > > > Chris=20
> > > > > > >=20
> > > > > > > > -----Original Message-----
> > > > > > > > From: thin-bounce@xxxxxxxxxxxxx 
> > > > > > > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of
> > Robert K=20
> > > > > > > Coffman Jr -=20
> > > > > > > > Info From Data Corporation
> > > > > > > > Sent: Thursday, May 20, 2004 11:38 AM
> > > > > > > > To: thin@xxxxxxxxxxxxx
> > > > > > > > Subject: [THIN] Re: Port/box Security =20  While I
> > > > > > completely agree
> > > > > > > >with you in theory, in practice this has=20  never
> > > > caused us a
> > > > > > > >problem.  I've suggested to my clients=20
> > > > > > > that it may=20
> > > > > > > > be a matter of time before this port gets 
> exploited, to=20
> > > > > > > date we've had=20
> > > > > > > > 0 issues and have been running this way for years.
> > > > > > > >=20
> > > > > > > > Can anyone provide concrete reasons not to expose 1494
> > > > > to the=20
> > > > > > > >internet?
> > > > > > > >=20
> > > > > > > > PS - Don't jump all over me here, I'm all in favor of
> > > > > > exposing as=20
> > > > > > > >little as possible to the net...  I just need 
> more ammo to 
> > > > > > > >convince=20  those with the purse strings.
> > > > > > > >=20
> > > > > > > > - Bob Coffman
> > > > > > > >=20
> > > > > > > > -----Original Message-----
> > > > > > > > From: thin-bounce@xxxxxxxxxxxxx 
> > > > > > > >[mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of 
> Chris Lynch
> > > > > > > > Sent: Thursday, May 20, 2004 12:01 PM
> > > > > > > > To: thin@xxxxxxxxxxxxx
> > > > > > > > Subject: [THIN] Re: Port/box Security =20 =20 =20
> > > > > -----BEGIN PGP
> > > > > > > >SIGNED MESSAGE-----
> > > > > > > > Hash: SHA1
> > > > > > > >=20
> > > > > > > > The cost of hardware is negligible once someone high up 
> > > > > > > >understands=20  the security implications.  Also, these
> > > > > > two services
> > > > > > > >can run on the=20  same server, and don't require much
> > > > (PIV with
> > > > > > > >512MB of RAM would be=20  sufficient for almost 1000
> > > > > connections).
> > > > > > > >=20
> > > > > > > > And, notice that I said "WI AND SG".  I would never=20
> > > > > > > recommend running=20
> > > > > > > > just WI, unless it was for internal users only.
> > > > > > > > Exposing the ICA port to the Internet is just asking
> > > > > for trouble. 
> > > > > > > > =20 Especially if you are also wanting Program
> > > Neighborhood=20
> > > > > > > access (either=20
> > > > > > > > XML or 1604/UDP).
> > > > > > > >=20
> > > > > > > > Chris
> > > > > > > >=20
> > > > > > > >=20
> > > > > > > >=20
> > > > > > > > ********************************************************
> > > > > > > > This Week's Sponsor - Tarantella Secure Global Desktop
> > > > > > Tarantella=20
> > > > > > > >Secure Global Desktop Terminal Server Edition Free
> > Terminal
> > > > > > > >Service=20  Edition software with 2 years maintenance.
> > > > > > > > http://www.tarantella.com/ttba
> > > > > > > > 
> **********************************************************
> > > > > > > > Useful Thin Client Computing Links are available at:
> > > > > > > > http://thin.net/links.cfm
> > > > > > > > 
> > ***********************************************************
> > > > > > > > For Archives, to Unsubscribe, Subscribe or set
> > Digest or=20
> > > > > > > Vacation mode=20
> > > > > > > > use the below link:
> > > > > > > > http://thin.net/citrixlist.cfm
> > > > > > >=20
> > > > > > > -----BEGIN PGP SIGNATURE-----
> > > > > > > Version: PGP 8.0.3
> > > > > > > Comment: Public PGP Key for Chris Lynch =20
> > > > > > 
> > > >iQA/AwUBQKz+Dm9fg+xq5T3MEQJWtACeL2emd6LHrEyj54jl74ZE4xy6cgIAnRDK
> > > > > > > jVFNAPrlJdIEcLdr+f0rsFY4
> > > > > > > =3Drs5a
> > > > > > > -----END PGP SIGNATURE-----
> > > > > > >=20
> > > > > > >=20
> > > > > > > ********************************************************
> > > > > > > This Week's Sponsor - Tarantella Secure Global Desktop=20
> > > > > > Tarantella
> > > > > > >Secure Global Desktop Terminal Server Edition Free=20
> > > > > > Terminal Service
> > > > > > >Edition software with 2 years maintenance.
> > > > > > > http://www.tarantella.com/ttba
> > > > > > > **********************************************************
> > > > > > > Useful Thin Client Computing Links are available at:
> > > > > > > http://thin.net/links.cfm
> > > > > > > 
> ***********************************************************
> > > > > > > For Archives, to Unsubscribe, Subscribe or set 
> Digest or=20
> > > > > >  Vacation
> > > > > > >mode use the below link:
> > > > > > > http://thin.net/citrixlist.cfm =20
> > > > > > 
> > > > > > ********************************************************
> > > > > > This Week's Sponsor - Tarantella Secure Global Desktop
> > > > Tarantella
> > > > > > Secure Global Desktop Terminal Server Edition Free
> > > > Terminal Service
> > > > > > Edition software with 2 years maintenance.
> > > > > > http://www.tarantella.com/ttba
> > > > > > **********************************************************
> > > > > > Useful Thin Client Computing Links are available at:
> > > > > > http://thin.net/links.cfm
> > > > > > ***********************************************************
> > > > > > For Archives, to Unsubscribe, Subscribe or=20 set Digest or
> > > > > Vacation
> > > > > > mode use the below link:
> > > > > > http://thin.net/citrixlist.cfm
> > > > > > ********************************************************
> > > > > > This Week's Sponsor - Tarantella Secure Global Desktop
> > > > Tarantella
> > > > > > Secure Global Desktop Terminal Server Edition Free
> > > > Terminal Service
> > > > > > Edition software with 2 years maintenance.
> > > > > > http://www.tarantella.com/ttba
> > > > > > **********************************************************
> > > > > > Useful Thin Client Computing Links are available at:
> > > > > > http://thin.net/links.cfm
> > > > > > ***********************************************************
> > > > > > For Archives, to Unsubscribe, Subscribe or set Digest or
> > > > > Vacation mode
> > > > > > use the below link:
> > > > > > http://thin.net/citrixlist.cfm
> > > > > > 
> > > > > 
> > > > > ********************************************************
> > > > > This Week's Sponsor - Tarantella Secure Global Desktop
> > Tarantella
> > > > > Secure Global Desktop Terminal Server Edition Free
> > > Terminal Service
> > > > > Edition software with 2 years maintenance.
> > > > > http://www.tarantella.com/ttba
> > > > > **********************************************************
> > > > > Useful Thin Client Computing Links are available at:
> > > > > http://thin.net/links.cfm
> > > > > ***********************************************************
> > > > > For Archives, to Unsubscribe, Subscribe or set Digest or
> > > > Vacation mode
> > > > > use the below link:
> > > > > http://thin.net/citrixlist.cfm
> > > > 
> > > > -----BEGIN PGP SIGNATURE-----
> > > > Version: PGP 8.0.3
> > > > Comment: Public PGP Key for Chris Lynch
> > > > 
> > > > iQA/AwUBQLE6t29fg+xq5T3MEQJmsACgpGqb7nCW1cW5QldAR54x/nC09kAAoLrv
> > > > dqUd4OjnrLJGZGIO0tlMyEUp
> > > > =o4O5
> > > > -----END PGP SIGNATURE-----
> > > > ********************************************************
> > This Week's
> > > > Sponsor - Tarantella Secure Global Desktop Tarantella
> > Secure Global
> > > > Desktop Terminal Server Edition Free Terminal Service  Edition 
> > > > software with 2 years maintenance.
> > > > > > http://www.tarantella.com/ttba
> > > > **********************************************************
> > > > Useful Thin Client Computing Links are available at:
> > > > http://thin.net/links.cfm
> > > > ***********************************************************
> > > > For Archives, to Unsubscribe, Subscribe or set Digest or
> > > Vacation mode
> > > > use the below link:
> > > > http://thin.net/citrixlist.cfm
> > > > 
> > > 
> > > ********************************************************
> > > This Week's Sponsor - Tarantella Secure Global Desktop Tarantella 
> > > Secure Global Desktop Terminal Server Edition Free 
> Terminal Service 
> > > Edition software with 2 years maintenance.
> > > http://www.tarantella.com/ttba
> > > **********************************************************
> > > Useful Thin Client Computing Links are available at:
> > > http://thin.net/links.cfm
> > > ***********************************************************
> > > For Archives, to Unsubscribe, Subscribe or set Digest or
> > Vacation mode
> > > use the below link:
> > > http://thin.net/citrixlist.cfm
> > 
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 8.0.3
> > Comment: Public PGP Key for Chris Lynch
> > 
> > iQA/AwUBQLkVHG9fg+xq5T3MEQLnQgCgio9rYHanhUqs2HWnv/DkdvqRQ8AAmgNW
> > tH43x+/uKFBt8mLmfvkRWcPr
> > =iKDI
> > -----END PGP SIGNATURE-----
> > ******************************************************** This
> > Week's Sponsor - Tarantella Secure Global Desktop Tarantella 
> > Secure Global Desktop Terminal Server Edition Free Terminal
> > Service  Edition software with 2 years maintenance.
> > > > http://www.tarantella.com/ttba
> > **********************************************************
> > Useful Thin Client Computing Links are available at:
> > http://thin.net/links.cfm
> > ***********************************************************
> > For Archives, to Unsubscribe, Subscribe or set Digest or 
> Vacation mode 
> > use the below link:
> > http://thin.net/citrixlist.cfm
> > 
> 
> ********************************************************
> This Week's Sponsor - Tarantella Secure Global Desktop 
> Tarantella Secure Global Desktop Terminal Server Edition Free 
> Terminal Service Edition software with 2 years maintenance.
> http://www.tarantella.com/ttba
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thin.net/links.cfm
> ***********************************************************
> For Archives, to Unsubscribe, Subscribe or set Digest or 
> Vacation mode use the below link:
> http://thin.net/citrixlist.cfm

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3
Comment: Public PGP Key for Chris Lynch

iQA/AwUBQLo8HW9fg+xq5T3MEQKjXACfXz5DoznjUdHlgpWuQoPjaNJMGtoAnjVC
0PK6/wOm36zk8BfN1fCU1is8
=bmPl
-----END PGP SIGNATURE-----

********************************************************
This Week's Sponsor - Tarantella Secure Global Desktop
Tarantella Secure Global Desktop Terminal Server Edition
Free Terminal Service Edition software with 2 years maintenance.
http://www.tarantella.com/ttba
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
References:
- [THIN] Re: Port/box Security
  - From: Jeff Durbin
[THIN] Re: Port/box Security

Other related posts:
