Re: Terminal Services Auditing?
From: Mark Burnett (mb_at_xato.net)
Date: 10/28/03
- Previous message: lwolrab_at_deltanet.net: "RE: Coexistance of Windows 2000 and Windows 2003"
- In reply to: Thor: "Re: Terminal Services Auditing?"
- Next in thread: alexandre: "Re: Terminal Services Auditing?"
To: <thor@hammerofgod.com>, Erik Birkholz <erik@foundstone.com>, <alexandre@secrel.net.br>, <focus-ms@securityfocus.com>
Date: Mon, 27 Oct 2003 17:34:04 -0700
Sorry for jumping in late here, let me clarify some things:
1. Zebedee adds another layer of encryption, authentication, and
auditing for terminal services connections. There are also many other
tools and technologies that do the same thing, but I have always liked
zebedee. Maybe I just like saying the word zebedee.
2. Win2k records the IP address, but only for certain events, like
when you disconnect from or reconnect to a terminal service session.
If I recall correctly, instead of fixing the issue I talked about at
http://www.securityfocus.com/archive/1/240248 Microsoft simply removed
the IP address from many events. Then, I'm not sure exactly when, but
they did eventually fix it but didn't add the IP addresses back
everywhere. Win2k3 seems to record the IP address in more events.
3. Win2k and Win2k3 both seem to log the correct IP address in all the
events in the EventLog (if the proper events are audited) but still
show the client's IP address, not the network IP address making the
connection, in the terminal services manager for that connection.
4. To answer Tim's question about how to spoof the client IP with
TSGrinder, open a VMWare box (using NAT not bridged networking) and
run TSGrinder from there. The terminal services manager will show the
IP address of the VMWare box, not your real public IP address. But the
eventlogs will now record the real IP. If you can avoid logging events
that record the IP (just logoff, don't disconnect and reconnect) you
might just evade detection. It would be much harder to avoid logged IP
addresses on a win2k3 box.
5. You should record terminal service logons with your firewall. Or
even better, use IP address restrictions so everyone can't login. If
you don't have a firewall, you can use windump to record the logins:
windump "tcp dst port 3389 and tcp[13] & 3 !=0"
Mark
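As an added example (not part of Mark's message or the list thread), this Python script parses windump/tcpdump-style output from the filter in point 5 and flags any source that opens an unusual number of port-3389 connections in a short window, giving the network-layer view of who is really connecting that point 3 says Terminal Services Manager lacks. The capture lines, the threshold and the window size are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not a real capture) in the classic one-line format
# written by: windump "tcp dst port 3389 and tcp[13] & 3 != 0"
# The filter passes only SYN or FIN packets, so every "S" to port 3389 is one
# new connection attempt at the IP layer, whatever the RDP layer reports later.
SAMPLE_CAPTURE = """\
17:34:01.100000 IP 203.0.113.5.51234 > 192.0.2.10.3389: S 100:100(0) win 65535
17:34:01.400000 IP 203.0.113.5.51235 > 192.0.2.10.3389: S 101:101(0) win 65535
17:34:01.900000 IP 203.0.113.5.51236 > 192.0.2.10.3389: S 102:102(0) win 65535
17:34:02.200000 IP 203.0.113.5.51237 > 192.0.2.10.3389: S 103:103(0) win 65535
17:34:02.600000 IP 203.0.113.5.51234 > 192.0.2.10.3389: F 150:150(0) win 65535
17:34:15.000000 IP 198.51.100.7.40000 > 192.0.2.10.3389: S 200:200(0) win 65535
17:34:40.000000 IP 198.51.100.7.40000 > 192.0.2.10.3389: F 250:250(0) win 65535
"""

# Accepts the classic "S" / "F." flag token and newer tcpdump's "Flags [S]".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"\d+\.\d+\.\d+\.\d+\.(?P<dport>\d+): (?:Flags \[)?(?P<flags>[SFPRW.]+)"
)

def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_syns(capture, port=3389):
    """Return [(seconds_since_midnight, src_ip)] for every SYN sent to `port`."""
    events = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("dport") == str(port) and "S" in m.group("flags"):
            events.append((_seconds(m.group("ts")), m.group("src")))
    return events

def find_bursts(capture, threshold=3, window=5.0):
    """Map src_ip -> most SYNs seen inside any `window` seconds, for sources at or over threshold."""
    per_src = defaultdict(list)
    for t, src in parse_syns(capture):
        per_src[src].append(t)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged
```

A real deployment would feed the script from `windump -tttt` or a firewall log and compare the flagged sources against the IP recorded in the 3389 EventLog entries, which is where the NAT trick from point 4 shows up as a mismatch.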
On Fri, 24 Oct 2003 17:26:09 -0700, Thor wrote:
> Actually, Win2k3 does log the IP- that long-awaited feature was
> implemented for other logon-types as well, such as remote NetBIOS
> connections. I think what Erik is remembering is the fact that
> Mark determined that the Win2k3 logging mechanism retrieves the IP
> address from the RDP protocol, not from the IP stack. IOW, it is
> possible to "spoof" the client IP in the terminal server logon log
> if you futz with RDP.
>
> I tried to figure out how to do that in TSGrinder, but I'm just not
> smart enough. Looks like I'll have to put Ryan back on the payroll
> )
>
> t
>
>
> ----- Original Message -----
> From: "Erik Birkholz" <erik@foundstone.com>
> To: <alexandre@secrel.net.br> <focus-ms@securityfocus.com>
> Sent: Friday, October 24, 2003 1:13 PM
> Subject: Re: Terminal Services Auditing?
>
>
> It doesn't log the source IP for each connection. Mark Burnett
> wrote a good article about supplementing this short-coming using a
> tool called Zebedee. You can find the article on SecurityFocus.com
>
> Apparently this is not available functionality in Win2003 TS
> either. I haven't tested this yet.
>
> Erik
>
>
> ---------------------------------------
> (Msg from BlackBerry Wireless Handheld)
> ---------------------------------------
> Erik Pace Birkholz - CISSP, MCSE
> Foundstone, Inc.
> Strategic Security
>
>
> Read Special Ops and mount an assault to eradicate network
> negligence today. www.SpecialOpsSeries.com
>
> [Tel] 949.297.5591
> [Cel] 323.252.5916
> [Fax] 949.297.5575
> [pgp] https://www.foundstone.com/pgpkeys/erik-birkholz.asc
>
>
> -----Original Message-----
> From: alexandre <alexandre@secrel.net.br>
> To: focus-ms@securityfocus.com <focus-ms@securityfocus.com>
> Sent: Fri Oct 24 10:05:19 2003
> Subject: Terminal Services Auditing?
>
> Hi all,
>
>
> continuing the TS subject, I think that someone is having access to
> one of my servers through Terminal Services... does anyone know how I
> can audit these TS logins? I looked at the events but didn't find any
> IP logged.
>
> Thanks
>