RE: TSAC (Terminal Services Advanced [?] Client)

From: Jim Harrison (SPG) (jmharr@microsoft.com)
Date: 10/10/01


Date: Wed, 10 Oct 2001 08:53:12 -0700
Message-ID: <9D884881F5E1F24FB845967851720FC301A6F39D@red-msg-12.redmond.corp.microsoft.com>
To: <Thor@HammerofGod.com>, <Mward@roseglen.com>

Well put Thor,

        I'd also add that you should apply the TS patch to prevent DoS
through that vector:
http://www.microsoft.com/technet/security/bulletin/MS01-040.asp

(Hi2u2, Thor! Wanna discuss the ISA ramifications of this solution?
;-))

* Jim Harrison
MCP(2K), A+, Network+
Services Platform Group
*(425) 705-7275

-----Original Message-----
From: Thor@HammerofGod.com [mailto:Thor@HammerofGod.com]
Sent: Wednesday, October 10, 2001 07:21
To: Mward@roseglen.com
Cc: Jim Harrison (SPG); cscragg@workgroup.net;
florian.duerr@dimensionx.ch; FOCUS-MS@SECURITYFOCUS.COM
Subject: Re: TSAC (Terminal Services Advanced [?] Client)

Go to the Terminal Services Configuration tool, in the Connections node,
and display the properties for the RDP-Tcp connection. There you can
set the encryption level.

TS listens on TCP 3389. That is all you have to open/close to
enable/disable access. You can change the default listen port to
something else (see Q187623) if you would like, but you then have to
change all the client connectors as well. Note that the TSWeb ActiveX
control only uses 3389 as previously noted in this thread, and can't be
changed, though I am working on a hack for that.

If you put TS live on the net, do a couple of things... Rename the
administrator account to mitigate BF attacks, put a logon banner (helps
for now, but not for long!) and close everything else. If you know that
only certain clients will connect, you should only allow 3389 from those
guys. And audit!

(Hey Jim!!)
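
[Added example, not part of the original thread or written by any of its participants.] The host-side items in the message above (RDP-Tcp listen port and encryption level, renamed administrator account, logon banner) can be audited with a short PowerShell check. The function name Test-TsHardening and the sample values are hypothetical; the script assumes PowerShell 5.1 or later and the standard Windows registry locations for these settings. Source-address restrictions on 3389 and audit policy are checked elsewhere and are not covered here.

```powershell
# Added example (not from the thread). Checks the host-side settings the
# message names: RDP-Tcp port and encryption level, admin rename, logon banner.
function Test-TsHardening {
    param([int]$PortNumber, [int]$MinEncryptionLevel,
          [string]$AdminName, [string]$BannerText)

    # MinEncryptionLevel values as stored under the RDP-Tcp listener key.
    $levels = @{ 1 = 'Low'; 2 = 'Client Compatible (Medium)'; 3 = 'High'; 4 = 'FIPS' }
    $levelName = if ($levels.ContainsKey($MinEncryptionLevel)) {
        $levels[$MinEncryptionLevel] } else { 'unknown or not set' }

    [pscustomobject]@{ Check = 'Listen port'; Value = $PortNumber
        Finding = if ($PortNumber -eq 3389) { 'default port' }
                  else { 'non-default: every client connector must match' } }

    [pscustomobject]@{ Check = 'Encryption level'; Value = $levelName
        Finding = if ($MinEncryptionLevel -ge 3) { 'OK' }
                  else { 'raise to High in the RDP-Tcp connection properties' } }

    [pscustomobject]@{ Check = 'Built-in admin name'; Value = $AdminName
        Finding = if ($AdminName -eq 'Administrator') { 'not renamed' } else { 'OK' } }

    [pscustomobject]@{ Check = 'Logon banner'; Value = [bool]$BannerText
        Finding = if ($BannerText) { 'OK' } else { 'no banner text set' } }
}

if ($env:OS -eq 'Windows_NT') {
    # Live values from the local machine.
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # The built-in administrator keeps RID 500 even after a rename.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $settings = @{ PortNumber = $rdp.PortNumber
                   MinEncryptionLevel = $rdp.MinEncryptionLevel
                   AdminName = $admin.Name
                   BannerText = $pol.LegalNoticeText }
} else {
    # Constructed sample: a server left at weak settings.
    $settings = @{ PortNumber = 3389; MinEncryptionLevel = 1
                   AdminName = 'Administrator'; BannerText = '' }
}

Test-TsHardening @settings | Format-Table -AutoSize
```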

----- Original Message -----
From: "Michael Ward" <Mward@roseglen.com>
To: "Jim Harrison (SPG)" <jmharr@microsoft.com>; "Christopher Scragg"
<cscragg@workgroup.net>; <florian.duerr@dimensionx.ch>;
<Thor@HammerofGod.com>; <focus-ms@securityfocus.com>
Sent: Wednesday, October 10, 2001 6:52 AM
Subject: RE: TSAC (Terminal Services Advanced [?] Client)

How do you configure it to use encryption? What ports should be closed
to make sure that the Term. Serv cannot be accessed from the outside
world?

Thanks,

Mike

-----Original Message-----
From: Jim Harrison (SPG) [mailto:jmharr@microsoft.com]
Sent: Tuesday, October 09, 2001 5:16 PM
To: Christopher Scragg; florian.duerr@dimensionx.ch;
Thor@HammerofGod.com; focus-ms@securityfocus.com
Subject: RE: TSAC (Terminal Services Advanced [?] Client)

It's really not all that alarming, unless you let them operate with
default settings. TS can be configured to use 128-bit encryption,
providing all the data obfuscation you could want.

* Jim Harrison
MCP(2K), A+, Network+
Services Platform Group
*(425) 705-7275

-----Original Message-----
From: Christopher Scragg [mailto:cscragg@workgroup.net]
Sent: Tuesday, October 09, 2001 12:29
To: florian.duerr@dimensionx.ch; Thor@HammerofGod.com;
focus-ms@securityfocus.com
Subject: RE: TSAC (Terminal Services Advanced [?] Client)

Let's help Florian for a moment, shall we? The mere fact that a
responsible organization would even allow Terminal Connections of any
type through a firewall - be it Citrix or Windows TS without the use of
a VPN is alarming.

Secondly, think outside the box for a moment, Florian. The use for
"multiple server windows" is for connectivity to multiple servers, not
multiple instances of the same session - that would be pointless.

For what it is worth, there is a Pre SP3 patch for Win2k <hold my
breath> available for the memory leaks you speak of. For your
convenience, I have provided a link to the patch:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-040.asp

Christopher Scragg
Chief Technology Officer
Business Information Group
865.777.1382 x222 Local
888.875.4704 x222 Toll Free
865.777.1579 Direct
www.workgroup.net

:-----Original Message-----
:From: Florian Duerr [mailto:florian.duerr@dimensionx.ch]
:Sent: Sunday, October 07, 2001 7:14 PM
:To: Thor@HammerofGod.com; focus-ms@securityfocus.com
:Subject: TSAC (Terminal Services Advanced [?] Client)
:
:
:Hi folks

:- Memory leaks on the Server after about 100 connects and disconnects,
: about 15 MB RAM were just gone ;( .... Do you see the DoS
:possibilities?
: I said "connects", NOT logins!
:- Multiple Windows are nonsense, since most servers allow only
: two connections anyway (because of Remote Admin-Mode) *g*