Re: MS Terminal Services open to the world

From: Deus, Attonbitus (Thor@HammerofGod.com)
Date: Fri Jan 10 2003 - 12:36:30 EST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 07:09 AM 1/10/2003, Ralph Los wrote:
>Hello all,
>
> I've got a pretty good client of mine who absolutely refuses to heed
>my warnings about keeping Terminal Services open to the world. They rely on
>Windows passwords and figure that's strong enough for all their servers
>(management). Now I'm given the task of auditing their
>security/infrastructure and would like to come up some creative ways to back
>up my point about MS TS open to the Internet being a bad idea.
>
>Any thoughts or input is appreciated.

Just like anything else, if configured poorly, they can get nailed-

However, if they set the encryption level to High, they'll get a 128 bit
encrypted session... Of course they should rename the administrator
account and use strong passwords to thwart BF attacks, and changing the
default listening port from 3389 to something else helps as well. If
possible, the firewall/router should include approved external IP ranges
that can hit that port, but you obviously can't always to that. Logon
banners can help too...

If they take a few simple measures to secure it, terminal services can
provide a great remote management tool while minimizing the security issues
associated with it...

hth

T

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPh8EnohsmyD15h5gEQL+FgCeKADeiaeakhhgcMb6kXsNls1ZfXQAoPcv
E0EoKmBGgsoQSI0AepeiPAVd
=7peA
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:26 EDT