Security Basics mailing list archives

Re: Accessing corporate servers through the web..


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Sun, 16 Nov 2003 13:37:42 +0100

On 2003-11-14 Ronish Mehta wrote:
> What are the security implications of allowing a server to be accessed
> from the Web using:
>
> (a) Telnet (on a Linux machine): (password is sent in clear text, may
>     be captured by a potential hacker, any other risks?)

Isn't that bad enough?

Anyway: Not only authentication is unencrypted, but the content as well.
You can configure the telnet service to use NTLM authentication, but
that will affect only authentication and will prevent you from logging
in with non-MS telnet apps (AFAIK).

> (b) FTP (default FTP service on a Linux machine)

Cleartext passwords. Unless you need anonymous FTP I suggest you
rather switch to SFTP.

> (c) Terminal Services (win 2K server)

Weak encryption, but a lot better than telnet. Citrix MetaFrame is even
better, but also more expensive.

> (d) VNC (win 2K server)

Most VNC servers I know of don't support encryption (there may be
others), so you are again transferring unencrypted data through the net.
And I fail to see why one would want to use VNC on a Windows 2000
server.

You can work around the problems of weak or no encryption by using VPNs
or encrypted tunnels and the like, but that may not be feasible in any
case. What are you trying to accomplish, if I might ask?

Regards
Ansgar Wiechers
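
An added example, not part of the original message: a small audit that reads listening-socket lines and flags the four services discussed above when they are bound to anything other than loopback. The port numbers are the protocols' defaults, the "tunnel-only" label for loopback binds is this example's assumption about how the tunnel workaround would be deployed, and the sample lines are constructed.

```python
import ipaddress
import re

# Default ports of the four services in the thread, with the thread's verdict
# on each. A service moved to a non-default port is not detected.
SERVICES = {
    23: ("telnet", "login and session in cleartext"),
    21: ("ftp", "cleartext passwords"),
    3389: ("terminal-services", "weak encryption"),
    5900: ("vnc", "usually no encryption"),
}

# Local "address:port" token of an `ss -tln` or `netstat -an` line.
SOCKET = re.compile(r"\s(\[?[0-9a-fA-F.:*]+\]?):(\d+)\s")


def is_loopback(addr):
    """True only for loopback binds; '*', 0.0.0.0 and :: count as exposed."""
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        return False


def audit(lines):
    """Return (service, address, port, verdict) for each listed service found."""
    findings = []
    for line in lines:
        match = SOCKET.search(line) if "LISTEN" in line.upper() else None
        if not match or int(match.group(2)) not in SERVICES:
            continue
        addr, port = match.group(1), int(match.group(2))
        name, issue = SERVICES[port]
        verdict = "tunnel-only" if is_loopback(addr) else "exposed: " + issue
        findings.append((name, addr, port, verdict))
    return findings


# Constructed sample: four `ss -tln` lines and one Windows `netstat -an` line.
SAMPLE = [
    "LISTEN 0 128 0.0.0.0:23 0.0.0.0:*",
    "LISTEN 0 32 *:21 *:*",
    "LISTEN 0 5 127.0.0.1:5900 0.0.0.0:*",
    "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*",
    "  TCP    0.0.0.0:3389    0.0.0.0:0    LISTENING",
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A loopback bind only confirms the service is not directly reachable from the network; the tunnel or VPN in front of it still has to be checked separately.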
