RE: [lists] [Full-Disclosure] Terminal Server vulnerabilities

From: Todd Towles (toddtowles_at_brookshires.com)
Date: 01/25/05

  • Next message: please_reply_to_security_at_sco.com: "[Full-Disclosure] OpenServer 5.0.6 OpenServer 5.0.7 : wu-ftp local users can bypass access restrictions"
    Date: Tue, 25 Jan 2005 16:06:02 -0600
    To: "Steve Tornio" <swtornio@mac.com>, <full-disclosure@lists.netsys.com>

    I agree: rename the Admin account and create a fake Admin account, and
    put very good logging on it, because any attempts on this account would
    be attacks.

    > -----Original Message-----
    > From: full-disclosure-bounces@lists.netsys.com
    > [mailto:full-disclosure-bounces@lists.netsys.com] On Behalf
    > Of Steve Tornio
    > Sent: Tuesday, January 25, 2005 3:29 PM
    > To: full-disclosure@lists.netsys.com
    > Subject: Re: [lists] [Full-Disclosure] Terminal Server vulnerabilities
    >
    >
    > On Jan 25, 2005, at 2:38 PM, Curt Purdy wrote:
    >
    > > Daniel Sichel wrote:
    > > <snip>
    > >> Naturally I don't like this answer because of horror stories I have
    > >> heard about Terminal server. They claim there are no unfixed
    > >> vulnerabilities to Terminal Server on Windows Server 2000 Service
    > >> Pack 4.
    > >
    > > The problem with terminal server is not any vulnerabilities that can
    > > be exploited, but the fact that administrator can be bruteforced (6
    > > attempts followed by reconnect) and that it is screaming its existence
    > > on port 3889.
    > > If you use it, definitely change the port in the registry.
    >
    > Of course, one of the very first things you should do on a
    > Windows box is rename the administrator account, so this kind
    > of blind brute-forcing is not possible.
    >
    > Also, the problem you describe can be exacerbated in that
    > administrator can be brute-forced without creating a log
    > entry, by attempting 5 logons and disconnecting before
    > Windows disconnects and logs after the sixth failure. This
    > was covered in a talk at Black Hat 2003, when Ryan Russell
    > and Tim Mullens released TSGrinder. I don't know if they
    > continued work on it.
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
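The thread makes two defensive points: a decoy "Administrator" account that nobody legitimately uses turns every logon attempt against it into a high-confidence alert, and the connect/try a few/disconnect/reconnect pattern stays below the per-session failure count that Windows logs. The following is an added example (not code from this thread or from any of its posters) of detection logic that runs over constructed sample lines. The line format, event names (LOGON_FAIL, TS_CONNECT, TS_DISCONNECT), account name, IP addresses and thresholds are all assumptions made up for the illustration, not a real Windows or Terminal Services log format; the reconnect-burst check goes a step beyond the thread's decoy-account idea by counting session openings per source rather than logon failures.

```python
"""Decoy-account hits and reconnect bursts over constructed log lines.

Added example; not from the mailing-list thread. Log layout, event names,
account name, addresses and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DECOY_ACCOUNT = "Administrator"   # the decoy; the real admin account was renamed
RECONNECT_THRESHOLD = 3           # session openings from one source inside WINDOW
WINDOW = timedelta(minutes=5)

# Constructed sample lines (not real logs). Assumed layout:
#   "<date> <time> LOGON_FAIL user=<name> src=<ip>"  failed logon
#   "<date> <time> TS_CONNECT src=<ip>"               session opened
#   "<date> <time> TS_DISCONNECT src=<ip>"            session closed
SAMPLE_LOG = """\
2005-01-25 15:01:02 TS_CONNECT src=10.0.0.7
2005-01-25 15:01:05 LOGON_FAIL user=jsmith src=10.0.0.7
2005-01-25 15:01:20 TS_DISCONNECT src=10.0.0.7
2005-01-25 15:02:00 TS_CONNECT src=192.0.2.10
2005-01-25 15:02:01 LOGON_FAIL user=Administrator src=192.0.2.10
2005-01-25 15:02:02 LOGON_FAIL user=Administrator src=192.0.2.10
2005-01-25 15:02:10 TS_DISCONNECT src=192.0.2.10
2005-01-25 15:02:11 TS_CONNECT src=192.0.2.10
2005-01-25 15:02:12 LOGON_FAIL user=Administrator src=192.0.2.10
2005-01-25 15:02:20 TS_DISCONNECT src=192.0.2.10
2005-01-25 15:02:21 TS_CONNECT src=192.0.2.10
2005-01-25 15:02:30 TS_DISCONNECT src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>\w+)(?: user=(?P<user>\S+))? src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn the constructed lines into dicts with a datetime timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(d)
    return events


def decoy_hits(events, decoy=DECOY_ACCOUNT):
    """Every logon attempt against the decoy name is an alert: no legitimate
    user ever logs on with it, so there is no benign baseline to filter."""
    return [
        e for e in events
        if e["event"] == "LOGON_FAIL" and e["user"].lower() == decoy.lower()
    ]


def reconnect_bursts(events, threshold=RECONNECT_THRESHOLD, window=WINDOW):
    """Sources that open `threshold` or more sessions inside `window`.

    Counting session openings per source catches the reconnect pattern even
    when each session's failed logons stay below the count Windows would log.
    Returns {src: max_sessions_in_any_window} for flagged sources."""
    connects = defaultdict(list)
    for e in events:
        if e["event"] == "TS_CONNECT":
            connects[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in connects.items():
        times.sort()
        best = 0
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[src] = best
    return flagged


def run(log_text=SAMPLE_LOG):
    """Run both checks and return a summary suitable for alerting."""
    events = parse(log_text)
    return {
        "decoy_hits": [(e["ts"].isoformat(), e["src"]) for e in decoy_hits(events)],
        "reconnect_bursts": reconnect_bursts(events),
    }


if __name__ == "__main__":
    for kind, items in run().items():
        print(kind, items)
```

On the sample data the decoy check flags the three attempts against "Administrator" from 192.0.2.10, and the burst check flags the same source for three session openings inside five minutes while the single session from 10.0.0.7 passes. The two checks are independent on purpose: the decoy hit needs the audit record that Todd's "very good logging" provides, while the burst count only needs per-session connection records and so still works where the logon failures themselves never get written.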


