Terminal Services Holes

From: Dan Richardson (dan.richardson@paradise.net.nz)
Date: 11/17/01 

From: "Dan Richardson" <dan.richardson@paradise.net.nz>
To: <pen-test@securityfocus.com>
Subject: Terminal Services Holes
Date: Sat, 17 Nov 2001 14:51:51 +1300
Message-ID: <001001c16f0a$6d6b01d0$0101a8c0@thievery>

Hi all,

I've just been playing around with Terminal Server (in remote
administration mode) to see if an Internet exposed Terminal Server is
really as vulnerable as it appears. I was quite a little alarmed at the
results; but knowing how good NT is at actually logging useful
information on its own I wasn't shocked. if anyone has any information
on how to better log (on the Win2k box itself), please let me know.

On attempting to connect to the box with either a legitimate or bogus
account, the terminal server would accept up to six password attempts
before a forcible disconnection (which is logged in the System log along
with the machine name and I assume IP address- I tested this from a
machine which was on our LAN, but assume it makes little difference on
the net).

This is not as good as it could be, but at least it disconnected me and
logged the attempt.

If I attempted to login 5 times, bailed out of the connection and
checked the logs- *nothing* is reported except in the security logs
*but* it records the failed connection as being from IP address
127.0.0.1 (ie. The local machine- why? because the login is a local
one).

I attempted to connect with 5 bad passwords, disconnect and reconnect
immediately to try another 5 bad passwords- none of this is logged (with
the exception of in the security log which is listed as
pre-authentication failures from 127.0.0.1 ie. pointless) .

What can I say, but roll-on TSGrinder (maybe I should just write my own
:). MS certainly didn't think too hard about security on this one.

 

-Dan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Relevant Pages

  • NT4 terminal server security fix delinquency
    ... Since that time the Windows NT Server 4.0, Terminal Server Edition ... Security Roll-Up has still not been released, ... TSE Fix Status: To be release shortly ... TSE Fix Status: To be released shortly ...
    (NT-Bugtraq)
  • Re: Is Remote Desktop Connection Login secure over wireless?
    ... just double check on Terminal server that the Encryption Level ... For added security you could also add TLS to prevent e.g. ... there are no special configurations or special connection settings ... >>> The secure tunnel is created before you enter your credentials and even ...
    (microsoft.public.windows.server.security)
  • Re: how to secure terminal server, no software installation, and etc
    ... Your Terminal Services Security Website ... > MCSE, CCEA, Microsoft MVP - Terminal Server ... >> Server machine account to the security list of the GPO (keep the ...
    (microsoft.public.windows.terminal_services)
  • Re: redirected printer security changes wont stick
    ... After doing some more searching around, it seems that the security names ... which prints to LPT1. ... for the printer that gets created when they log into the terminal server. ... security tab) that are assigned to a redirected printer when someone logs ...
    (microsoft.public.windows.terminal_services)
  • Re: Non-Admins cant logon to 2kServer in App-Svr mode
    ... Do you know if there was a security template or anything locking down the ... You can run security configuration and analysis to determine the current ... system security settings, and reset any default settings that have been ... > I have not been able to connect to my Win2000 Terminal Server unless I use ...
    (microsoft.public.win2000.termserv.apps)