Re: MS Terminal Services open to the world

["Deus, Attonbitus" <Thor () HammerofGod com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 07:09 AM 1/10/2003, Ralph Los wrote:
> Hello all,
>
>         I've got a pretty good client of mine who absolutely refuses to heed
> my warnings about keeping Terminal Services open to the world.  They rely on
> Windows passwords and figure that's strong enough for all their servers
> (management).  Now I'm given the task of auditing their
> security/infrastructure and would like to come up some creative ways to back
> up my point about MS TS open to the Internet being a bad idea.
>
> Any thoughts or input is appreciated.

Just like anything else, if configured poorly, they can get nailed-

However, if they set the encryption level to High, they'll get a 128 bit 
encrypted session...  Of course they should rename the administrator 
account and use strong passwords to thwart BF attacks, and changing the 
default listening port from 3389 to something else helps as well.  If 
possible, the firewall/router should include approved external IP ranges 
that can hit that port, but you obviously can't always to that.   Logon 
banners can help too...

If they take a few simple measures to secure it, terminal services can 
provide a great remote management tool while minimizing the security issues 
associated with it...

hth

T



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPh8EnohsmyD15h5gEQL+FgCeKADeiaeakhhgcMb6kXsNls1ZfXQAoPcv
E0EoKmBGgsoQSI0AepeiPAVd
=7peA
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/