Re: MS Terminal Services open to the world

From: Don Voss (voss@albany.edu)
Date: Fri Jan 10 2003 - 13:13:11 EST


Ralph,

I am not sure if this is the "creative" method you were thinking of ..
but facts, facts, and more facts would be my choice.

You have a broad area to cover. Do you convince them that none of their
material should face the internet ?.. as in no firewall [ my assumption
of no firewall .. . if the TS enabled servers are directly facing net.]
Thus the exposed TS material is just one of the risks they are allowing.

or

Do you show detailed recorded examples of TS exploitation ?

Which leads me to .. is there documentation of TS material being
exploited and how ? I do not know about that so I searched google a bit,
jumped to securityfocus, searched their vulnerabilities database, under
microsoft it showed 2 TSAC activeX issues .. which I am not qualified to
comment on. links below.

Microsoft TSAC ActiveX Control

http://online.securityfocus.com/bid/5952

http://online.securityfocus.com/bid/5554

At the link below, quick glance, there seems to be much info regarding
terminal services functionality.

http://www.ntsecurity.net/Articles/Index.cfm?TopicID=800

and so on.

Of course .. If you are skilled enough and can get the approval to try ..
exploit it yourself. Setup a prove-able test .. get somewhere secure ..
modify a agreed upon parameter / setting. How could they argue with that
?

[ I do not know if or how to if it is possible. I am just offering
logical "proof" options. ]

You may find the terminal services [ with version control, current
patches, etc] ok. Then the facts do not support your warnings, right?

Even so there seems to be enough evidence of other risks, almost to the
point of common sense, not to have servers / services / clients exposed
directly to the net. A inventory of what they have running facing the net
and a list of exploits against those services/OS's/clients .. with some
cost liability numbers should be sobering.

That said .. it may not sway them .. here at the university .. the only
device , as far as I know, they have purchased is a packetteer used to
throttle back the dorms from file sharing outboud congestion. Politics
and money are a big part of these decisions. At least you can give them
hard data to add to the mix.

regards,
/don

On 10 Jan 2003 at 10:09, Ralph Los wrote:

> Hello all,
>
> I've got a pretty good client of mine who absolutely refuses to heed my
> warnings about keeping Terminal Services open to the world. They rely on
> Windows passwords and figure that's strong enough for all their servers
> (management). Now I'm given the task of auditing their
> security/infrastructure and would like to come up some creative ways to
> back up my point about MS TS open to the Internet being a bad idea.
>
> Any thoughts or input is appreciated.
>
> Ralph

_____________________________________________
Don Voss voss@albany.edu
Sr. Programmer Analyst
Geography & Planning Department
The University at Albany, SUNY
Albany, NY, 12222-0100

Jazz music: an intensified feeling of nonchalance.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:26 EDT