RE: TS/3389 risk on Internet

From: Keith T. Morgan (keith.morgan@terradon.com)
Date: Sat Oct 30 2004 - 16:38:25 EDT


People doing this always makes me itchy. I can't speak for the
encryption of the authentication phase for TS, but we've run into
situation with the administrator named "administrator" and free to
brute-force without fear of lock-out. There are some free (though very
slow) TS brute force tools out there.

We've also run into situations where the user email addresses matched
the account login, and the TS is almost always a domain member. Those
accounts *could* be locked out (and some were, for proof of concept.)

I don't know if it's possible to securely offer TS to the internet. It
very well may be possible. But in almost every instance I've seen it
done oh-so-very-wrong. Our nearly universal recommendation is to tunnel
it over IPSEC.

> -----Original Message-----
> From: net sec [mailto:netsec9@hotmail.com]
> Sent: Tuesday, October 26, 2004 5:19 PM
> To: pen-test@securityfocus.com
> Subject: TS/3389 risk on Internet
>
> I have a peer that insists on allowing public access to his Domain
> controller via TS/tcp 3389 over the internet. I know there are some
> documented cases of 'man-in-the-middle' attacks for this
> service but I was
> hoping someone here could help me plead my case as to why
> this is a bad
> idea. Maybe you all disagree and regurlary allow this
> traffic. It just
> doesn't sit well with me. Does anyone know if the
> login/password is sent in
> clear text for TS authentication?
>
> Thanks in advance for any thoughts,
> Nicole
>
> _________________________________________________________________
> On the road to retirement? Check out MSN Life Events for
> advice on how to
> get there! http://lifeevents.msn.com/category.aspx?cid=Retirement
>
>
> --------------------------------------------------------------
> ----------------
> Internet Security Systems. - Keeping You Ahead of the Threat
>
> When business losses are measured in seconds, Internet
> threats must be stopped before they impact your network. To
> learn how Internet Security Systems keeps organizations ahead
> of the threat with preemptive intrusion prevention, download
> the new whitepaper, Defining the Rules of Preemptive
> Protection, and end your reliance on reactive security technology.
>
> http://www.securityfocus.com/sponsor/ISS_pen-test_041001
> --------------------------------------------------------------
> -----------------
>
**************************************************************************************************
The contents of this email and any attachments are confidential.
It is intended for the named recipient(s) only.
If you have received this email in error please notify the system manager or the
sender immediately and do not disclose the contents to anyone or make copies.

** this message has been scanned for viruses, vandals and malicious content **
**************************************************************************************************



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:08 EDT