Let's say you did see the login prompt, either via ICA or RDP. How would you use a dictionary attack if you didn't have a username and a password hash? Or, maybe what I'm asking is, how would that help you get a username and a password hash which you could use a dictionary/brute force attack on?

You know me - when it comes to paranoia, I'm up there with the worst of them, but I'm not sure how getting a Windows login screen hurts you. Unless that specific situation can somehow be used to get a username and password hash, I don't see the danger (unless there's a protocol vulnerability that can be exploited, in which case WI/CSG insulates you from it).

As an aside, and to illustrate how many companies do this, consider this: One of my customers moved physical locations, and his ISP changed his IP address. I didn't know the new IP addresses of his Terminal Server and couldn't reach the administrator. I figured it might be close to his old address, so I port-scanned 253 IP addresses looking for port 3389. I found about 60 servers, so there are a lot of people doing this.

JD

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> Sent: Friday, 21 May 2004 6:51 a.m.
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Port/box Security
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> To say that you have never experienced this doesn't mean that it doesn't happen. Just do a search on http://neworder.box.sk for CITRIX or ICA and you will find a few exploits/hacks. Can you say for sure that no one has EVER attempted to log into your systems? If I did a port scan on your external IP range and saw that 1494 was open, or 3389, or if my port scanner attempted a telnet to that port to see if any banner was presented for the service and I get the ^ICA prompt, I know that I need the ICA client to connect to that IP address. Bam. I have a logon prompt. I can then try to use a dictionary attack attempt to guess usernames and passwords. OR, if you have the XML service open to the internet or the ICA Browser service (1604/UDP), all I would need to do is capture or attempt to redirect (hijack) the TCP/UDP connection to my machine. I could then attempt to crack the password.
>
> Again, there is a lot of "attempting" here. I would rather be safe knowing that I had SG in place or a VPN in place that is securing the communications. Also, what's to say that I cannot get the source of the connection, and break into that machine? How many users out there have firewalls in place? Not many. With Windows XP SP2, the firewall will be enabled by default. That's a good thing. We will see how robust that firewall is. That's also for another discussion.
>
> Chris
>
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert K Coffman Jr - Info From Data Corporation
> > Sent: Thursday, May 20, 2004 11:38 AM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Port/box Security
> >
> > While I completely agree with you in theory, in practice this has never caused us a problem. I've suggested to my clients that it may be a matter of time before this port gets exploited; to date we've had 0 issues and have been running this way for years.
> >
> > Can anyone provide concrete reasons not to expose 1494 to the internet?
> >
> > PS - Don't jump all over me here, I'm all in favor of exposing as little as possible to the net... I just need more ammo to convince those with the purse strings.
> >
> > - Bob Coffman
> >
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > Sent: Thursday, May 20, 2004 12:01 PM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Port/box Security
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > The cost of hardware is negligible once someone high up understands the security implications. Also, these two services can run on the same server, and don't require much (PIV with 512MB of RAM would be sufficient for almost 1000 connections).
> >
> > And, notice that I said "WI AND SG". I would never recommend running just WI, unless it was for internal users only. Exposing the ICA port to the Internet is just asking for trouble. Especially if you are also wanting Program Neighborhood access (either XML or 1604/UDP).
> >
> > Chris
> >
> > ********************************************************
> > This Week's Sponsor - Tarantella Secure Global Desktop
> > Tarantella Secure Global Desktop Terminal Server Edition
> > Free Terminal Service Edition software with 2 years maintenance.
> > http://www.tarantella.com/ttba
> > **********************************************************
> > Useful Thin Client Computing Links are available at:
> > http://thin.net/links.cfm
> > ***********************************************************
> > For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link:
> > http://thin.net/citrixlist.cfm
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.3
> Comment: Public PGP Key for Chris Lynch
>
> iQA/AwUBQKz+Dm9fg+xq5T3MEQJWtACeL2emd6LHrEyj54jl74ZE4xy6cgIAnRDK
> jVFNAPrlJdIEcLdr+f0rsFY4
> =rs5a
> -----END PGP SIGNATURE-----
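The thread's concrete risk is username/password guessing against a logon prompt that is reachable on 1494 or 3389. Whether or not a site keeps those ports exposed, the guessing leaves a trail in the server's Security event log, and a short script can pick it out. The following is an added example, not code from the thin.net thread or from any of its posters: it runs a sliding-window check over a constructed CSV-style export of failed-logon records and flags source addresses that fail repeatedly, also reporting how many distinct user names each one tried. The export format, the threshold and window, the addresses and user names are all assumptions made for the example; only the event ids (529 on Windows 2000/2003, 4625 on Vista and later) are real.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data, not a real log: a CSV-style export of remote logon
# records, one per line. Fields: timestamp, event id, logon type, target user
# name, source address. Event 529 is the Windows 2000/2003 "logon failure:
# unknown user name or bad password" event; 528 is a successful logon and is
# included to show it is skipped. Logon type 10 is a Terminal Services / RDP
# session. Addresses are taken from the documentation ranges.
SAMPLE_EXPORT = """\
2004-05-21 06:51:02,529,10,administrator,203.0.113.5
2004-05-21 06:51:04,529,10,admin,203.0.113.5
2004-05-21 06:51:05,529,10,root,203.0.113.5
2004-05-21 06:51:07,529,10,guest,203.0.113.5
2004-05-21 06:51:09,529,10,test,203.0.113.5
2004-05-21 06:51:10,529,10,backup,203.0.113.5
2004-05-21 06:55:30,529,10,jsmith,198.51.100.7
2004-05-21 06:56:41,528,10,jsmith,198.51.100.7
2004-05-21 08:10:00,529,10,jsmith,198.51.100.7
"""

# Failed-logon event ids: 529 on Windows 2000/2003, 4625 on Vista and later.
FAILED_LOGON_IDS = {"529", "4625"}


def parse_records(text):
    """Turn the CSV-style export into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, logon_type, user, source = line.split(",")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": event_id,
            "logon_type": logon_type,
            "user": user.lower(),
            "source": source,
        })
    return records


def detect_password_guessing(text, threshold=5, window=timedelta(minutes=10)):
    """Flag source addresses with `threshold` or more failed logons inside any
    sliding window of length `window`.

    Returns {source: {"failures": peak count seen in one window,
                      "users": sorted distinct user names tried}}.
    Many distinct names from one address is the signature of guessing
    usernames and passwords, as opposed to one user mistyping a password.
    """
    recent = defaultdict(deque)   # source -> failure timestamps still in window
    tried = defaultdict(set)      # source -> user names seen in failures
    flagged = {}
    for rec in sorted(parse_records(text), key=lambda r: r["ts"]):
        if rec["event_id"] not in FAILED_LOGON_IDS:
            continue                      # successful logons are not counted
        src = rec["source"]
        q = recent[src]
        q.append(rec["ts"])
        tried[src].add(rec["user"])
        # Drop failures that have fallen out of the window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), flagged.get(src, {}).get("failures", 0))
            flagged[src] = {"failures": peak, "users": sorted(tried[src])}
    return flagged


if __name__ == "__main__":
    for src, info in detect_password_guessing(SAMPLE_EXPORT).items():
        print(f"{src}: {info['failures']} failures within one window, "
              f"{len(info['users'])} distinct user names: {', '.join(info['users'])}")
```

On the constructed data only 203.0.113.5 is flagged: six failures in eight seconds against six different account names. The second address fails twice, more than an hour apart, and is ignored; the single successful logon between them is skipped because only failed-logon event ids are counted. Two design points carry over to real deployments: sort by timestamp before windowing, because exports are not always in order, and key the window on the source address rather than the user name, since a guessing run rotates names.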