| Author |
Message |
Fred Blum
Guest
|
 Posted:
Mon Jan 31, 2005 6:47 am Post subject:
TS server security warning |
|
|
I'm studying security issues regarding SBS server setup and came across
disturbing information on TS server security.
Scanners are available that will pin point a terminal server even if the
standard port to listen on has been changed. Tools for Brute Force password
attacks on the administrator account which can't be locked out, are
avaliable aswell. They claim that an IDS system won't pick there attack up.
How to make it safe?
- In ISA only allow TS for a fixed remote IP adresses if this can't be done
make sure that:
- you have strong password security in place, check you domain policy
- you renamed the administrator account
- in the registry HKLM/software/microsoft/windows NT/winlogon set
DontDisplayLastUserName to 1 (Why giev it away at the login prompt?)
- you entered a legal notice in in the registry
HKLM/software/microsoft/windows NT/winlogon LegalNoticeCaption for example
Property of ...
LegalNoticeText for example Unatorised or illegal access forbidden. This
will disrupt a brute force attack program
If you have other measures please post.
Fred |
|
| Back to top |
|
 |
just some guy
Guest
|
| Posted:
Mon Jan 31, 2005 6:47 am Post subject:
RE: TS server security warning |
|
|
Just want to add, take this guys post seriously. I've played with these TS
hacking tools (on my own machines) and they work!!!
"Fred Blum" wrote:
| Quote: |
I'm studying security issues regarding SBS server setup and came across
disturbing information on TS server security.
Scanners are available that will pin point a terminal server even if the
standard port to listen on has been changed. Tools for Brute Force password
attacks on the administrator account which can't be locked out, are
avaliable aswell. They claim that an IDS system won't pick there attack up.
How to make it safe?
- In ISA only allow TS for a fixed remote IP adresses if this can't be done
make sure that:
- you have strong password security in place, check you domain policy
- you renamed the administrator account
- in the registry HKLM/software/microsoft/windows NT/winlogon set
DontDisplayLastUserName to 1 (Why giev it away at the login prompt?)
- you entered a legal notice in in the registry
HKLM/software/microsoft/windows NT/winlogon LegalNoticeCaption for example
Property of ...
LegalNoticeText for example Unatorised or illegal access forbidden. This
will disrupt a brute force attack program
If you have other measures please post.
Fred
|
|
|
| Back to top |
|
|
Mark
Guest
|
| Posted:
Tue Feb 01, 2005 6:01 am Post subject:
Re: TS server security warning |
|
|
Is this an issue if the TS is a member server on an SBS lan?
I.e. if remote users have to VPN in to the SBS server, then launch the RDP
session to the TS member server on the internal LAN subnet, only VPN ports
are open to the Internet, right?
Mark
"Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
news:%234Lu8$2BFHA.2540@TK2MSFTNGP09.phx.gbl...
| Quote: |
I'm studying security issues regarding SBS server setup and came across
disturbing information on TS server security.
Scanners are available that will pin point a terminal server even if the
standard port to listen on has been changed. Tools for Brute Force
password attacks on the administrator account which can't be locked out,
are avaliable aswell. They claim that an IDS system won't pick there
attack up.
How to make it safe?
- In ISA only allow TS for a fixed remote IP adresses if this can't be
done make sure that:
- you have strong password security in place, check you domain policy
- you renamed the administrator account
- in the registry HKLM/software/microsoft/windows NT/winlogon set
DontDisplayLastUserName to 1 (Why giev it away at the login prompt?)
- you entered a legal notice in in the registry
HKLM/software/microsoft/windows NT/winlogon LegalNoticeCaption for example
Property of ...
LegalNoticeText for example Unatorised or illegal access forbidden. This
will disrupt a brute force attack program
If you have other measures please post.
Fred
|
|
|
| Back to top |
|
|
Fred Blum
Guest
|
| Posted:
Tue Feb 01, 2005 6:48 am Post subject:
Re: TS server security warning |
|
|
Thanks,
Missed that post. Will try it.
Fred
"Mark" <nospam@nospam.nospam> wrote in message
news:%23y85l%23%23BFHA.1084@tk2msftngp13.phx.gbl...
| Quote: | Is this an issue if the TS is a member server on an SBS lan?
I.e. if remote users have to VPN in to the SBS server, then launch the RDP
session to the TS member server on the internal LAN subnet, only VPN ports
are open to the Internet, right?
Mark
"Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
news:%234Lu8$2BFHA.2540@TK2MSFTNGP09.phx.gbl...
I'm studying security issues regarding SBS server setup and came across
disturbing information on TS server security.
Scanners are available that will pin point a terminal server even if the
standard port to listen on has been changed. Tools for Brute Force
password attacks on the administrator account which can't be locked out,
are avaliable aswell. They claim that an IDS system won't pick there
attack up.
How to make it safe?
- In ISA only allow TS for a fixed remote IP adresses if this can't be
done make sure that:
- you have strong password security in place, check you domain policy
- you renamed the administrator account
- in the registry HKLM/software/microsoft/windows NT/winlogon set
DontDisplayLastUserName to 1 (Why giev it away at the login prompt?)
- you entered a legal notice in in the registry
HKLM/software/microsoft/windows NT/winlogon LegalNoticeCaption for
example Property of ...
LegalNoticeText for example Unatorised or illegal access forbidden. This
will disrupt a brute force attack program
If you have other measures please post.
Fred
|
|
|
| Back to top |
|
|
Fred Blum
Guest
|
| Posted:
Tue Feb 01, 2005 6:48 am Post subject:
Re: TS server security warning |
|
|
In that case it shouldn't be an issue. Only if your TS ports are open to the
internet. For example if your SBS server is setup for remote administration
over the internet.You can scan from www.grc.com follow shields up! and click
All service ports to see what you've exposed..
If this member server set up as TS has no internet IP adress or address
redirected tru ISA it won't be a problem.
Fred
"Mark" <nospam@nospam.nospam> wrote in message
news:%23y85l%23%23BFHA.1084@tk2msftngp13.phx.gbl...
| Quote: | Is this an issue if the TS is a member server on an SBS lan?
I.e. if remote users have to VPN in to the SBS server, then launch the RDP
session to the TS member server on the internal LAN subnet, only VPN ports
are open to the Internet, right?
Mark
"Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
news:%234Lu8$2BFHA.2540@TK2MSFTNGP09.phx.gbl...
I'm studying security issues regarding SBS server setup and came across
disturbing information on TS server security.
Scanners are available that will pin point a terminal server even if the
standard port to listen on has been changed. Tools for Brute Force
password attacks on the administrator account which can't be locked out,
are avaliable aswell. They claim that an IDS system won't pick there
attack up.
How to make it safe?
- In ISA only allow TS for a fixed remote IP adresses if this can't be
done make sure that:
- you have strong password security in place, check you domain policy
- you renamed the administrator account
- in the registry HKLM/software/microsoft/windows NT/winlogon set
DontDisplayLastUserName to 1 (Why giev it away at the login prompt?)
- you entered a legal notice in in the registry
HKLM/software/microsoft/windows NT/winlogon LegalNoticeCaption for
example Property of ...
LegalNoticeText for example Unatorised or illegal access forbidden. This
will disrupt a brute force attack program
If you have other measures please post.
Fred
|
|
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in