Re: Blocking unauthorized remote access

From: Mike Dorn <mrdorn@xxxxxxxx>
Date: Sun, 24 Sep 2006 03:53:25 -0500

Volker Birk wrote:

Mike Dorn <mrdorn@xxxxxxxx> wrote:

Has anybody seen a comprehensive list of addresses used by the various "services" that allow unauthorized users to remote into their work computers from home, bypassing corporate security? These things work by making an outbound connection from the target PC to a fixed external site. The user then contacts the external site from their home PC or traveling laptop, and the site uses the previously-opened connection to create a remote session for them. It's not caught by normal firewall config, because the outbound ssl connection appears to be legal.

http://www.agroman.net/corkscrew/

With such a tool, any site on the outside can be used.

Obviously, but this is more of a tool for the serious "hacker" type. We're more worried about commercial sites that just sell a "click here to use" service, as any dummy can install them without knowing how it works or investing any serious effort to set it up.

I think, you have a social problem, not a technical one. Try to detect
open sockets or reconnecting sockets after working time and talk to the
people who are installing such things.

Yours,
VB.

Aren't all admin problems really social problems? Unfortunately, with hundreds of users spread thru multiple sites and a complex 7x24 operation, we can't just look for open sockets during "non-working hours". What we can do, however, is look for traffic to specific addresses, once they are known.

.

Follow-Ups:
- Re: Blocking unauthorized remote access
  - From: Moe Trin

References:
- Blocking unauthorized remote access
  - From: Mike Dorn
- Re: Blocking unauthorized remote access
  - From: Volker Birk

Prev by Date: Re: Enable / disable internet access in selected classrooms
Next by Date: Re: Cisco 501 PIX port forwarding (outside DHCP)
Previous by thread: Re: Blocking unauthorized remote access
Next by thread: Re: Blocking unauthorized remote access
Index(es):
- Date
- Thread

Relevant Pages

Re: Connecting a remote workstation to a domain
... If you have more than a couple of remote workstations connecting to the SBS ... server via VPN, you really need to consider a Terminal Server in the main ... "Log in using a dial up connection" checkbox, ... roaming profile then synchronizes with the server over the VPN); ...
(microsoft.public.windows.server.sbs)
Re: Connecting a remote workstation to a domain
... I can remotely join XP Pro computers at the remote ... connection" checkbox so that any user can logon remotely. ... "Log in using a dial up connection" checkbox, either way it loads her cached ... roaming profile then synchronizes with the server over the VPN); ...
(microsoft.public.windows.server.sbs)
Re: autoRepeating Error log ID 20111 (Remote Access)
... PPPoE connection software on the server turns what could/should be a full ... >> A Demand Dial connection to the remote interface Small Business ... >> Event Type: Warning ... >> Event Source: MSSQL$SBSMONITORING ...
(microsoft.public.windows.server.sbs)
RE: Remote Office Configuration Suggestions?
... Welcome to SBS newsgroup. ... I understand that you want to keep the remote office continue working even ... after the main internet connection on the main office is not available. ... If you want to join the remote server to a SBS domain and become a member ...
(microsoft.public.windows.server.sbs)
Re: Problem with Web based client
... Seems like you are having problems accessing the web server on the PC you ... > My remote desktop connection works fine when I connect with a Remote ...
(microsoft.public.windowsxp.work_remotely)