Security Basics mailing list archives
RE: Remote Desktop vs VPN on Windows 2003
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Wed, 19 Jan 2005 12:38:47 -0500
Only honeypot port is 33001. I turned off my other 7 honeypots (I use Honeyd, KFSensor, and real OSs). Ports 25 and 110 are real. 27374 is IDS device doing a bit of deep packet scanning to detect real vs. fact trojan scans. Other ports are false positives. This is common on any port scanner. I've yet to find the port scanning tool that is 100% reliable. They all make assumptions and they are produce false-positives. I can usually tell what port scanning tool someone is using against me (in this case it is Nmap from a nix environment) by looking at the false-positive list. So again, if there was a scanning worm that did look for all ports because we made them random by default, it would significantly slow down the worm (or hacker) and would result in many false-positives (there are more false-positives than real ports in this report) that they would never be able to exploit. It's win-win for me and my clients. Again, I consult for tons of companies. Lots of them have SQL databases attached to the Internet. We take 60 seconds to change the default SQL port for their engines. NONE got infected with Slammer. None are being broken into by SQL password scanning worms. I had one client who literally left the SA password as sa for six months. They were not broken into. Why? Defense in depth-putting in to place additional synergistic (sp?) layers to catch what one misses (or helping fix our stupid human mistakes). Changing B2B services to random ports is just one part of a defense plan and it does add security to a defense. Alone, it would be suicide to a dedicated attacker. For malicious mobile code (worms, viruses, trojans, and bots), not such a bad decision. Good bang for the buck. -----Original Message----- From: Paris E. Stone [mailto:pstone () alhurra com] Sent: Wednesday, January 19, 2005 11:07 AM To: rgrant () nextsequence com; Roger A. Grimes; Jeff Randall; security-basics () securityfocus com Subject: RE: Remote Desktop vs VPN on Windows 2003 All those open MS ports?!?!?! WTF? That is just crazy! OK, this is a honeypot, there is no way this is a real production host, no way. -----Original Message----- From: Rhett Grant [mailto:rgrant () nextsequence com] Sent: Tuesday, January 18, 2005 6:22 PM To: Paris E. Stone; 'Roger A. Grimes'; 'Jeff Randall'; security-basics () securityfocus com Subject: RE: Remote Desktop vs VPN on Windows 2003 Hi Roger, 68.106.158.136:33000 WinXP Pro 68.106.158.136:33001 Win2003 Enterprise Here is what the rest of my scan picked up PORT STATE SERVICE 25/tcp open smtp 110/tcp open pop-3 111/tcp filtered rpcbind 136/tcp filtered profile 137/tcp filtered netbios-ns 138/tcp filtered netbios-dgm 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds 27374/tcp filtered subseven 33000/tcp open unknown 33001/tcp open unknown 33002/tcp filtered unknown 33003/tcp filtered unknown If someone was looking to hack your network your security through obscurity would not work (yes you can get around the simple virus's with are only looked for certain ports). All it means is someone have to spend 5 more mins discovering what these open ports are. And there are so many auditing tools out there that can automate telling me what these open ports are. I just chose a simple port scan. Will this kind of security work??? For a novice or script kiddies, maybe...., but not someone that has an interest in your network, no way. Just my 2ยข I would take Paris advice and put some real security up. By the way, what book is it? ;) Rhett -----Original Message----- From: Paris E. Stone [mailto:pstone () alhurra com] Sent: Tuesday, January 18, 2005 2:20 PM To: Roger A. Grimes; Jeff Randall; security-basics () securityfocus com Subject: RE: Remote Desktop vs VPN on Windows 2003 And that domain (host or domain) is not protected by a firewall? No IDS? No IPS? No honeypots? My error in my original post was not in being clear, so, restated. Security through Obscurity, by it's self is not security at all. -----Original Message----- From: Roger A. Grimes [mailto:roger () banneretcs com] Sent: Tuesday, January 18, 2005 1:53 PM To: Paris E. Stone; Jeff Randall; security-basics () securityfocus com Subject: RE: Remote Desktop vs VPN on Windows 2003 Security through obscurity is a type of security, and it works...just not in a vacuum...and not alone. Almost all major Internet worms would have be rendered defenseless by simply changing the port number one port up. 99.9% of hacks are automated using worms, viruses, and malicious scripts. Almost of of them (9999.99%) only look on the default port. Fastest worm ever..SQL Slammer...only worked on the default SQL port. Code Red...only port 80. Spambots look for ports 25 and 80. FTP exploits ONLY look for port 21. I could go on and on. Security by obscurity works, and works well. Come find my RDP port on my domain at banneretcs.com. Prize (free book) to the first person who finds it. Go. Roger ************************************************************************ *** *Roger A. Grimes, Banneret Computer Security, Computer Security Consultant *CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI *email: roger () banneretcs com *cell: 757-615-3355 *Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly *http://www.oreilly.com/catalog/malmobcode *Author of Honeypots for Windows (Apress) *http://www.apress.com/book/bookDisplay.html?bID=281 ************************************************************************ **** -----Original Message----- From: Paris E. Stone [mailto:pstone () alhurra com] Sent: Tuesday, January 18, 2005 10:40 AM To: Roger A. Grimes; Jeff Randall; security-basics () securityfocus com Subject: RE: Remote Desktop vs VPN on Windows 2003 "Security through Obscurity" i.e. put it on a different port, is not security at all. Rdesktop on the internet, is generally a bad idea, no matter what port it runs on. Put a firewall in front of it if possible, if not, run a software firewall and then add openvpn. www.openvpn.net is free, and will allow IPSEC connectivity that you can use to access the machine, then you get MSTSC(remote desktop) access over the tunnel. -----Original Message----- From: Roger A. Grimes [mailto:roger () banneretcs com] Sent: Friday, January 14, 2005 5:16 PM To: Jeff Randall; security-basics () securityfocus com Subject: RE: Remote Desktop vs VPN on Windows 2003 I can think of NO reason not to use Remote Desktop. Remote Desktop is fast and secure. Everything is encrypted past the logon name. To get additional security assurance, change the default TCP port from 3389 to something randomly high...like 58645 (which you can do with a regedit on the server...just google it). Then add the new port number to your server address...like www.example.com:58645. Roger ************************************************************************ *** *Roger A. Grimes, Banneret Computer Security, Computer Security Consultant *CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI *email: roger () banneretcs com *cell: 757-615-3355 *Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly *http://www.oreilly.com/catalog/malmobcode *Author of Honeypots for Windows (Apress) *http://www.apress.com/book/bookDisplay.html?bID=281 ************************************************************************ **** -----Original Message----- From: Jeff Randall [mailto:Jeff.Randall () ksg-llc net] Sent: Thursday, January 13, 2005 3:23 PM To: security-basics () securityfocus com Subject: Remote Desktop vs VPN on Windows 2003 I have setup a web server running win2k3 and was curious about remotely accessing it with an XP box. Only one requirement, it has to be FREE. =20 Here is what I have setup and as of now working but I would like in the end to only run one. 1. RRAS using PPTP. It's not a DC so I use local accounts. 2. VNC. TiteVNC to be specific. 3. Remote Desktop - went into the admin tools and set the encryption level to high. Please no crazy setups like upgrade to DC and run IAS for Radius or running IPSEC tunnels, just would like peoples thoughts on the security level of each of these programs and what they feel are the most secure. If you can get specific about encryption, keys, key lengths, that would be great. Thanks -- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.300 / Virus Database: 265.7.0 - Release Date: 1/17/2005 -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.300 / Virus Database: 265.7.0 - Release Date: 1/17/2005
Current thread:
- RE: Remote Desktop vs VPN on Windows 2003, (continued)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Paris E. Stone (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- Re: Remote Desktop vs VPN on Windows 2003 Ansgar -59cobalt- Wiechers (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Frank Hamersley (Jan 20)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Paris E. Stone (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Paris E. Stone (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Frank Hamersley (Jan 20)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- Re: Remote Desktop vs VPN on Windows 2003 Ansgar -59cobalt- Wiechers (Jan 19)
- Re: Remote Desktop vs VPN on Windows 2003 Michael Gale (Jan 20)
- RE: Remote Desktop vs VPN on Windows 2003 Conlan Adams (Jan 20)
- heroes Dave Aronson (Jan 24)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 20)
- RE: Remote Desktop vs VPN on Windows 2003 Nero, Nick (Jan 20)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 20)