Security Basics mailing list archives
Re: Accessing corporate servers through the web..
From: "Philip Duldig" <maninwhite () tpg com au>
Date: Sat, 15 Nov 2003 11:47:19 +1030
From a naive perspective such as my own:
(a) Telnet (on a Linux machine): (password is sent in clear text, may be captured by a potential hacker, any other risks?)
Username and password for an unprivileged user is captured, i.e. username: bob, password: fluffy. Simple solution: block telnet; make them use SSH.

(b) FTP (default FTP service on a Linux machine)
An FTP exploit is discovered in the FTPd, i.e.: Denial of Service (you lose the server for a while); Account/Root exploit (you lose everything); a naughty person uses "bob/fluffy" and gets hold of your "TOP SECRET BUSINESS PLANS VERSION 4.doc".
(c) Terminal Services (win 2K server)
Terminal Services RDP 5.0 (that's the 2K version) supports decent application-layer encryption (from my limited understanding), which is cool but doesn't stop a naughty person using your "bob/fluffy" login, getting console access to your server (which is actually what Terminal Services *is*) and exploiting some strange case your strong group policy setup missed. (It's sooo easy to miss something trivial that opens up exploitable paths. Securing a console under 2000 is _hard_.)
(d) VNC (win 2K server)
VNC: eep. Well, I've not used VNC on a 2K server before, but does this not just give a view/control of the current physical console session? How does it handle passwords? Are they kept in sync with your password directory? (Yet another silly program to cycle passwords with otherwise.) I know under Linux the VNC server acts like an X server and so can host multiple sessions for each user, but does it act like Terminal Services/Citrix MetaFrame under 2K server? Investigate if it has any application-layer security/encryption and make sure it is not just going to give a yahoo with the password Administrator access to the console of your server. (Not good.)

If you just want remote access to your console, stick to RDP. I find it slick, fast, clean, with clients for most operating systems (handheld, Win16/32, Mac, Linux) (not as many as VNC though. :( )

I'm thinking that if you want external daemons to be accessible to the world you need to set some kind of policy, such as:
- NO plaintext logins in any daemon. (Get rid of telnet and replace with SSH.)
- Refuse to provide access to a service if it does not implement application-layer encryption. (Prevent username/password leakage.)
- Have a look at VPNs?
Thanks for your help, Rgds
Hope this ranting promotes some kind of discussion? Thanks folks, Philip Duldig
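As an added example, not part of Philip's post or any tool he mentions: a small POSIX sh audit that checks a host's listening TCP sockets against the "NO plaintext logins in any daemon" policy he proposes. The port classification table, the function names and the listener list are assumptions made here for illustration; the sample list is constructed to look like what `ss -ltnH | awk '{print $4}'` prints on a Linux host.

```shell
#!/bin/sh
# Added example (not from the original post): audit listening TCP sockets
# against a "no plaintext logins" policy. The port table, sample listener
# list and function names below are assumptions for illustration only.

# Constructed sample in "addr:port" shape (ftp, ssh, telnet, VNC on loopback
# only, RDP). On a real host: SAMPLE_LISTENERS=$(ss -ltnH | awk '{print $4}')
SAMPLE_LISTENERS='0.0.0.0:21
[::]:22
0.0.0.0:23
127.0.0.1:5900
0.0.0.0:3389'

# classify_port PORT -> "PLAINTEXT name" | "OK name" | "UNKNOWN port".
# PLAINTEXT means the credentials and/or the session travel unencrypted.
classify_port() {
  case "$1" in
    21)   echo "PLAINTEXT ftp" ;;     # USER/PASS sent in the clear
    23)   echo "PLAINTEXT telnet" ;;  # everything in the clear
    5900|5901|5902)
          echo "PLAINTEXT vnc" ;;     # classic VNC: challenge/response for the
                                      # password, but the session (every keystroke)
                                      # is unencrypted
    22)   echo "OK ssh" ;;
    3389) echo "OK rdp" ;;            # encrypted, but "bob/fluffy" still logs in
    *)    echo "UNKNOWN $1" ;;
  esac
}

# plaintext_exposures LIST -> one "port proto addr" line per plaintext-login
# service bound to a non-loopback address. Loopback-only listeners are
# tolerated: they are only reachable locally or through an SSH tunnel.
plaintext_exposures() {
  printf '%s\n' "$1" | while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    addr=${entry%:*}      # strip ":port"; also works for "[::]:22"
    port=${entry##*:}
    verdict=$(classify_port "$port")
    case "$verdict" in
      PLAINTEXT*)
        case "$addr" in
          127.*|'[::1]') ;;                                 # loopback: not exposed
          *) echo "$port${verdict#PLAINTEXT} $addr" ;;      # e.g. "21 ftp 0.0.0.0"
        esac ;;
    esac
  done
}

# audit_listeners LIST -> prints a verdict; returns 1 on any violation and 0
# when the policy holds, so it can gate a cron job or a build step.
audit_listeners() {
  exposures=$(plaintext_exposures "$1")
  if [ -n "$exposures" ]; then
    echo "POLICY VIOLATION: plaintext login services exposed (block, tunnel over SSH, or replace with SSH/SFTP):"
    echo "$exposures" | sed 's/^/  /'
    return 1
  fi
  echo "OK: no plaintext login services exposed"
  return 0
}

# Stand-alone run against the constructed sample: reports ftp and telnet,
# ignores the loopback-only VNC, and leaves the verdict in $audit_status.
audit_status=0
audit_listeners "$SAMPLE_LISTENERS" || audit_status=$?
```

The loopback exemption is the one design choice worth noting: a VNC or telnet daemon bound only to 127.0.0.1 can still be reached, but only by someone already on the box or through an SSH port-forward, which is exactly the "wrap it in something encrypted" compromise the post suggests.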
Current thread:
- Accessing corporate servers through the web.. Ronish Mehta (Nov 14)
- Re: Accessing corporate servers through the web.. Philip Duldig (Nov 17)
- RE: Accessing corporate servers through the web.. arek (Nov 17)
- Re: Accessing corporate servers through the web.. sNeakEr (Nov 17)
- Re: Accessing corporate servers through the web.. Ronish Mehta (Nov 18)
- Re: Accessing corporate servers through the web.. Ansgar -59cobalt- Wiechers (Nov 17)
- Re: Accessing corporate servers through the web.. Steve (Nov 17)
- <Possible follow-ups>
- Re: Accessing corporate servers through the web.. Chris Berry (Nov 18)
- Re: Accessing corporate servers through the web.. Ansgar -59cobalt- Wiechers (Nov 19)
- Altiris Deployment Server vs. Microsoft SMS ZyberGeek (Nov 23)
- Re: Altiris Deployment Server vs. Microsoft SMS Steve (Nov 24)
- RE: Altiris Deployment Server vs. Microsoft SMS Rod Trent (Nov 25)
- Re: Accessing corporate servers through the web.. Ansgar -59cobalt- Wiechers (Nov 19)
- Re: Accessing corporate servers through the web.. Philip Duldig (Nov 17)