Penetration Testing mailing list archives

Terminal Services Holes


From: "Dan Richardson" <dan.richardson () paradise net nz>
Date: Sat, 17 Nov 2001 14:51:51 +1300

Hi all,

I've just been playing around with Terminal Server (in remote
administration mode) to see if an Internet-exposed Terminal Server is
really as vulnerable as it appears. I was quite alarmed at the
results; but knowing how good NT is at actually logging useful
information on its own, I wasn't shocked. If anyone has any information
on how to better log (on the Win2k box itself), please let me know.

On attempting to connect to the box with either a legitimate or bogus
account, the terminal server would accept up to six password attempts
before a forcible disconnection (which is logged in the System log along
with the machine name and, I assume, IP address; I tested this from a
machine which was on our LAN, but assume it makes little difference on
the net).

This is not as good as it could be, but at least it disconnected me and
logged the attempt.

If I attempted to login 5 times, bailed out of the connection and
checked the logs, *nothing* is reported except in the security logs,
*but* it records the failed connection as being from IP address
127.0.0.1 (i.e. the local machine; why? Because the login is a local
one).

I attempted to connect with 5 bad passwords, disconnect and reconnect
immediately to try another 5 bad passwords; none of this is logged (with
the exception of the security log, where it is listed as
pre-authentication failures from 127.0.0.1, i.e. pointless).

What can I say, but roll-on TSGrinder (maybe I should just write my own
:). MS certainly didn't think too hard about security on this one.


-Dan
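The post observes that the six-attempt limit is enforced per session, that bailing out and reconnecting resets it, and that the Security log attributes every failure to 127.0.0.1. One defender-side response is to count failures per account across sessions rather than per session. The script below is an added example, not code from the post or from Microsoft; the log records are constructed samples in a made-up tuple layout, not real Win2k event text, and the threshold, window and machine name are assumptions.

```python
from datetime import datetime, timedelta

def _t(hhmmss):
    # All constructed samples fall on the date of the post.
    return datetime.strptime("2001-11-17 " + hhmmss, "%Y-%m-%d %H:%M:%S")

# Constructed sample records (not real Windows event text). Security log:
# one entry per pre-authentication failure; the source is always 127.0.0.1
# because the Terminal Server logon is processed locally, as the post notes.
SECURITY_LOG = (
    [(_t(f"14:20:{3*i:02d}"), "administrator", "127.0.0.1") for i in range(5)]  # session 1, then bail
  + [(_t(f"14:21:{3*i:02d}"), "administrator", "127.0.0.1") for i in range(5)]  # reconnect, 5 more, bail
  + [(_t(f"16:05:{3*i:02d}"), "dan", "127.0.0.1") for i in range(6)]            # one session, six failures
)
# System log: only a sixth failure within one session forces a disconnect,
# and that entry is the one carrying the client machine name.
SYSTEM_LOG = [(_t("16:05:18"), "WORKSTATION-7")]

def detect_bursts(security_log, system_log, threshold=6, window=timedelta(minutes=5)):
    """Sliding window per account across sessions; the source address is ignored
    because it is always loopback. Any System-log disconnect inside the window is
    attached so the alert carries a client machine name when one was logged."""
    alerts = []
    by_user = {}
    for ts, user, _src in security_log:
        by_user.setdefault(user, []).append(ts)
    for user, times in sorted(by_user.items()):
        times.sort()
        start = 0
        for end, t_end in enumerate(times):
            while t_end - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hosts = sorted({host for ts, host in system_log
                                if times[start] <= ts <= t_end + window})
                alerts.append({"user": user, "failures": end - start + 1,
                               "first": times[start].strftime("%H:%M:%S"), "hosts": hosts})
                break  # one alert per account per run is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_bursts(SECURITY_LOG, SYSTEM_LOG):
        print(alert)
```

The administrator burst is reported even though no single session reached six attempts, but its host list is empty because nothing in the System log identifies the client; the six-failure session for "dan" is the only one that gets a machine name attached.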



