Penetration Testing mailing list archives

Re: Fwd: Terminal services and remote programs.


From: Sat Jagat Singh <flyingdervish () yahoo com>
Date: Wed, 30 Apr 2008 07:48:22 -0700 (PDT)

Our team regularly breaks into Terminal Servers through social engineering and phishing techniques.  So, measure #1 to 
protect these: require either ipsec vpn to be able to connect to the box or two factor authentication such as RSA or 
Vasco to get on it.

When I have credentials, I have never yet seen a Terminal Server or Citrix Metaframe server on which I wasn't able to 
gain unauthorized access to programs and escalate that to where I could get to most anything, no matter how tightly 
somebody thought it was locked down.  There are dozens of ways to break out of an application jail in Windows.

1) In the programs you mention, just go to the file open dialog box.  Now you basically have a Windows Explorer 
interface.  You can use this to create shortcuts on your desktop to executables that may be otherwise inaccessible, 
browse the network, delete files and more.

2) The help system for the application is basically an Internet Explorer interface.  This has been widely exploited by 
many people to carry out all kinds of mischief.

3) Application vulnerabilities that permit code execution.

Critical measures to prevent these include:
- install the system on an isolated network if possible, or restricted DMZ otherwise;
- such servers should be either standalone or a member of a Windows domain that is used only for administering the 
Terminal Servers;
- ensure that all of the application patches are installed promptly.

Other security controls are also relevant, including personnel controls such as background checks and user account 
management that includes promptly deleting obsolete accounts.

To answer your other question, if there is a patch-based vulnerability in the application that someone can exploit to 
execute code, it would typically give them the security context of their own user account.  But I think there have been 
at least a few MS Office vulnerabilities that were exploitable to escalate privileges.  It would depend on the nature 
of the vulnerability.  Typically, MS has gotten better over time at limiting the opportunities to carry out exploits 
and the impact of the exploit when it does succeed.  So, it would be worth considering Windows 2008 to deploy such a 
solution.  While it is largely untested in the wild, it should benefit from Microsoft's improved development and 
testing processes under the "security development lifecycle" and "trustworthy computing" regime.


--- On Fri, 4/25/08, Paul Halliday <paul.halliday () gmail com> wrote:

From: Paul Halliday <paul.halliday () gmail com>
Subject: Fwd: Terminal services and remote programs.
To: pen-test () securityfocus com
Date: Friday, April 25, 2008, 4:03 PM
I am just curious if any of you have performed an audit on a setup like this:

In a nutshell, tech services is looking to offer the entire Microsoft Office suite and Adobe Creative suite through 
Terminal services.

My immediate concern is, if there is a vulnerability in the remote apps, what will the context be for the attacker?

Is there anything else I should be looking more closely at?

Thanks.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------