
Re: MS Terminal Services open to the world

From: Deus, Attonbitus <Thor(at)HammerofGod.com>
Date: Fri Jan 10 2003 - 12:36:30 EST

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 07:09 AM 1/10/2003, Ralph Los wrote:
>Hello all,
>
> I've got a pretty good client of mine who absolutely refuses to heed
>my warnings about keeping Terminal Services open to the world. They rely on
>Windows passwords and figure that's strong enough for all their servers
>(management). Now I'm given the task of auditing their
>security/infrastructure and would like to come up with some creative ways to back
>up my point about MS TS open to the Internet being a bad idea.
>
>Any thoughts or input is appreciated.

Just like anything else, if configured poorly, they can get nailed-

However, if they set the encryption level to High, they'll get a 128-bit encrypted session... Of course they should rename the administrator account and use strong passwords to thwart BF attacks, and changing the default listening port from 3389 to something else helps as well. If possible, the firewall/router should include approved external IP ranges that can hit that port, but you obviously can't always do that. Logon banners can help too...

If they take a few simple measures to secure it, terminal services can provide a great remote management tool while minimizing the security issues associated with it...

hth

T


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPh8EnohsmyD15h5gEQL+FgCeKADeiaeakhhgcMb6kXsNls1ZfXQAoPcv E0EoKmBGgsoQSI0AepeiPAVd
=7peA
-----END PGP SIGNATURE-----



This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/

Received on Tue Jan 21 16:59:47 2003
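Three of the settings named in the reply above (listening port, encryption level, logon banner) can be checked offline from `reg query` output gathered during an audit. The following is an added example, not part of the original message: it assumes those settings are read from the PortNumber, MinEncryptionLevel and LegalNoticeText registry values, and the sample output and function names are constructed for illustration.

```python
import re

# Constructed sample: `reg query` output as an auditor might collect it from a
# server. The values are made up for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    PortNumber    REG_DWORD    0xd3d
    MinEncryptionLevel    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    LegalNoticeCaption    REG_SZ
    LegalNoticeText    REG_SZ
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)[ \t]*(.*)$")
ENCRYPTION = {1: "Low", 2: "Client Compatible", 3: "High", 4: "FIPS Compliant"}


def parse_reg_query(text):
    """Return {value_name: data} from `reg query` output; DWORDs become ints."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key-path lines and blank lines carry no value
        name, kind, data = m.group(1), m.group(2), m.group(3).strip()
        values[name] = int(data, 16) if kind == "REG_DWORD" else data
    return values


def audit(text):
    """List findings for the settings named in the reply above."""
    v = parse_reg_query(text)
    findings = []
    # Assumption: a PortNumber missing from the capture is treated as default.
    if v.get("PortNumber", 3389) == 3389:
        findings.append("listener is on the default port 3389")
    level = v.get("MinEncryptionLevel")
    if level is None or level < 3:
        findings.append("encryption level is %s, not High"
                        % ENCRYPTION.get(level, "unknown"))
    if not v.get("LegalNoticeText"):
        findings.append("no logon banner text is set")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Account renaming, password strength and firewall source-IP restrictions are not visible in these registry values and have to be checked separately.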

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:31 EDT

