From: Jim Harrison (SPG) (jmharrmicrosoft.com)
Date: Wed Oct 10 2001 - 10:53:12 CDT

    Well put Thor,

            I'd also add that you should apply the TS patch to prevent DoS
    through that vector:
    http://www.microsoft.com/technet/security/bulletin/MS01-040.asp

    (Hi2u2, Thor! Wanna discuss the ISA ramifications of this solution?
    ;-))

    * Jim Harrison
    MCP(2K), A+, Network+
    Services Platform Group
    *(425) 705-7275

    -----Original Message-----
    From: ThorHammerofGod.com [mailto:ThorHammerofGod.com]
    Sent: Wednesday, October 10, 2001 07:21
    To: Mwardroseglen.com
    Cc: Jim Harrison (SPG); cscraggworkgroup.net;
    florian.duerrdimensionx.ch; FOCUS-MSSECURITYFOCUS.COM
    Subject: Re: TSAC (Terminal Services Advanced [?] Client)

    Go to the Terminal Services Configuration tool, in the Connections node,
    and display the properties for the RDP-Tcp connection. There you can
    set the encryption level.

    TS listens on TCP 3389. That is all you have to open/close to
    enable/disable access. You can change the default listen port to
    something else (see Q187623) if you would like, but you then have to
    change all the client connectors as well. Note that the TSWeb ActiveX
    control only uses 3389 as previously noted in this thread, and can't be
    changed, though I am working on a hack for that.

    If you put TS live on the net, do a couple of things... Rename the
    administrator account to mitigate BF attacks, put a logon banner (helps
    for now, but not for long!) and close everything else. If you know that
    only certain clients will connect, you should only allow 3389 from those
    guys. And audit!

    (Hey Jim!!)

    ----- Original Message -----
    From: "Michael Ward" <Mwardroseglen.com>
    To: "Jim Harrison (SPG)" <jmharrmicrosoft.com>; "Christopher Scragg"
    <cscraggworkgroup.net>; <florian.duerrdimensionx.ch>;
    <ThorHammerofGod.com>; <focus-mssecurityfocus.com>
    Sent: Wednesday, October 10, 2001 6:52 AM
    Subject: RE: TSAC (Terminal Services Advanced [?] Client)

    How do you configure it to use encryption? What ports should be closed
    to make sure that the Term. Serv cannot be accessed from the outside
    world?

    Thanks,

    Mike

    -----Original Message-----
    From: Jim Harrison (SPG) [mailto:jmharrmicrosoft.com]
    Sent: Tuesday, October 09, 2001 5:16 PM
    To: Christopher Scragg; florian.duerrdimensionx.ch;
    ThorHammerofGod.com; focus-mssecurityfocus.com
    Subject: RE: TSAC (Terminal Services Advanced [?] Client)

    It's really not all that alarming, unless you let them operate with
    default settings. TS can be configured to use 128-bit encryption,
    providing all the data obfuscation you could want.

    * Jim Harrison
    MCP(2K), A+, Network+
    Services Platform Group
    *(425) 705-7275

    -----Original Message-----
    From: Christopher Scragg [mailto:cscraggworkgroup.net]
    Sent: Tuesday, October 09, 2001 12:29
    To: florian.duerrdimensionx.ch; ThorHammerofGod.com;
    focus-mssecurityfocus.com
    Subject: RE: TSAC (Terminal Services Advanced [?] Client)

    Let's help Florian for a moment, shall we? The mere fact that a
    responsible organization would even allow Terminal Connections of any
    type through a firewall - be it Citrix or Windows TS without the use of
    a VPN is alarming.

    Secondly, think outside the box for a moment, Florian. The use for
    "multiple server windows" is for connectivity to multiple servers, not
    multiple instances of the same session - that would be pointless.

    For what it is worth, there is a Pre SP3 patch for Win2k <hold my
    breath> available for the memory leaks you speak of. For your
    convenience, I have provided a link to the patch:

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-040.asp

    Christopher Scragg
    Chief Technology Officer
    Business Information Group
    865.777.1382 x222 Local
    888.875.4704 x222 Toll Free
    865.777.1579 Direct
    www.workgroup.net

    :-----Original Message-----
    :From: Florian Duerr [mailto:florian.duerrdimensionx.ch]
    :Sent: Sunday, October 07, 2001 7:14 PM
    :To: ThorHammerofGod.com; focus-mssecurityfocus.com
    :Subject: TSAC (Terminal Services Advanced [?] Client)
    :
    :
    :Hi folks

    :- Memory leaks on the Server after about 100 connects and disconnects,
    : about 15 MB RAM were just gone ;( .... Do you see the DoS
    :possibilities?
    : I said "connects", NOT logins!
    :- Multiple Windows are nonsense, since most servers allow anyway
    : only two connections (cause of Remote Admin-Mode) *g*
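
Added example, not part of the thread: a small firewall-log audit for the two checks in Thor's reply (allow 3389 only from known clients, and audit), which also flags the repeated-connect pattern Florian describes. The log format, the addresses, the name `audit_rdp` and the default threshold of 100 are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed (constructed) firewall log format, not tied to any product:
#   <date> <time> <ALLOW|DENY> TCP <src_ip>:<port> -> <dst_ip>:<port>
LINE_RE = re.compile(r"^\S+ \S+ (ALLOW|DENY) TCP (\S+):\d+ -> \S+:(\d+)$")
RDP_PORT = 3389  # default Terminal Services listen port, per the thread


def audit_rdp(lines, allowed_networks, connect_threshold=100):
    """Return (unexpected, noisy) for allowed connections to TCP 3389.

    unexpected: sorted source IPs outside the allowlist that were let through.
    noisy: {source IP: count} for sources with >= connect_threshold connects,
           the repeated-connect pattern the thread links to the memory leak.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    counts, unexpected = Counter(), set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format
        action, src, dport = m.groups()
        if action != "ALLOW" or int(dport) != RDP_PORT:
            continue
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed source address
        counts[src] += 1
        if not any(src_ip in net for net in nets):
            unexpected.add(src)
    noisy = {ip: n for ip, n in counts.items() if n >= connect_threshold}
    return sorted(unexpected), noisy


# Constructed sample log using documentation address ranges.
SAMPLE = (
    ["2001-10-10 07:21:03 ALLOW TCP 198.51.100.20:1045 -> 192.0.2.10:3389"]
    + ["2001-10-10 07:22:%02d ALLOW TCP 203.0.113.7:%d -> 192.0.2.10:3389"
       % (i % 60, 2000 + i) for i in range(120)]
    + ["2001-10-10 07:30:00 DENY TCP 203.0.113.99:3100 -> 192.0.2.10:3389",
       "2001-10-10 07:31:00 ALLOW TCP 203.0.113.7:3200 -> 192.0.2.10:80"]
)

if __name__ == "__main__":
    print(audit_rdp(SAMPLE, ["198.51.100.0/24"]))
```

An entry in `unexpected` means the firewall rule for 3389 is broader than the intended client list; an entry in `noisy` is a source worth correlating with logon events, since the thread's concern is connects that never become logins.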