RE: MS Terminal Services open to the world

From: Puterbaugh, Mike (Mike.Puterbaugh@53.com)
Date: 01/10/03

    From: "Puterbaugh, Mike" <Mike.Puterbaugh@53.com>
    To: 'Ralph Los' <RLos@enteredge.com>, "'Pen-test@securityfocus.com'" <Pen-test@securityfocus.com>
    Date: Fri, 10 Jan 2003 12:56:23 -0500
    
    

    Terminal Services Security

    Running Terminal Services may expose your domain to significant security
    risks if appropriate precautions are not taken before and during the
    Terminal Server deployment. The book "Hacking Exposed Windows 2000: Network
    Security and Solutions", by Joel Scambray and Stuart McClure, provides
    excellent coverage of Terminal Services security in Chapter 12. After all
    maintenance and hotfixes are applied to your Terminal Server, be sure to
    install and configure the following two utilities, available in the Windows
    2000 Server Resource Kit.

    TsVer.exe: Version Limiter is a GUI-based tool that allows you to set whether
    the Terminal Services Client supports version checking. This allows you to
    limit access. Terminal Services Version Monitor (TsVer) is an
    administrative tool for enforcing policies with respect to WinStation client
    build numbers. This tool consists of two components, a wizard for editing
    policies, enabling, and disabling version checking, as well as a dynamic
    link library for enforcing policies. TsVer provides a way for you to
    exercise control over which WinStation clients can connect to your servers.
    Version Limiter features include:

    • explicit control over which client builds are permitted on your server.
    • easily enabled or disabled.
    • option for sending customized messages to rejected clients.
    • all failed logon attempts recorded to Windows event log with IP address and
      computer name.
     
    AppSec.exe: The Application Security tool is a GUI-based application that
    allows an administrator in a multi-user environment to restrict the access
    of ordinary users to a predefined set of applications on the network.
    Enabling application security using this tool will cause the system to
    reject any attempts by ordinary users to execute a program that they are not
    authorized to use.

    -----Original Message-----
    From: Ralph Los [mailto:RLos@enteredge.com]
    Sent: Friday, January 10, 2003 10:09 AM
    To: 'Pen-test@securityfocus.com'
    Subject: MS Terminal Services open to the world
    Sensitivity: Confidential

    Hello all,

    I've got a pretty good client of mine who absolutely refuses to heed
    my warnings about keeping Terminal Services open to the world. They rely on
    Windows passwords and figure that's strong enough for all their servers
    (management). Now I'm given the task of auditing their
    security/infrastructure and would like to come up with some creative ways to
    back up my point about MS TS open to the Internet being a bad idea.

    Any thoughts or input is appreciated.

    Ralph

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
