Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Remote connections

from [Matt Ostiguy] Network Security [Permanent Link]
Subject: Re: Remote connections
Date: Fri, 15 Oct 2004 11:25:52 -0400 
On Thu, 14 Oct 2004 23:54:37 -0700, GuidoZ <uberguidoz@gmail.com> wrote:

Why not? I don't know of any current exploit for RDP set to high
encryption, and even if there were any, connections may very well be
shielded by encrypted tunnels.


I'm not aware of any currently either, but as their track record
proves, that's meaningless. It was more of a retorical question and a
snide remark - please excuse it.


Thor@hammerofgod was working on a brute forcer for term serv/RDP
stuff. Haven't checked on it in awhile, but he recommended
implementing a standard login banner to slow it down, and password
lockouts, both of which are very very good ideas in general.

I haven't fully tested tightvnc, but another appeal of RDP/TS (beyond
its speed advantage, provided you connect with 256 color as opposed to
high bit depth) is with proper audit logging set up, you can generate
the following:

10/13/2004 3:23:24 PM 683 8 Success Audit event 2 Security
USERNAMEHERE|DOMAINNAMEHERE|(0x0,0xAAAAAA)|Unknown|CLIENTPCNAMEHERE|a.b.c.d
SERVERNAMEHERE Session disconnected from winstation: User Name:
USERNAMEHERE Domain: DOMAINNAMEHERE Logon ID: (0x0,0xAAAAAA) Session
Name: Unknown Client Name: CLIENTPCNAMEHERE Client Address: a.b.c.d

10/13/2004 4:34:55 PM 682 8 Success Audit event 2 Security
USERNAMEHERE|DOMAINNAMEHERE|(0x0,0xAAAAA)|RDP-Tcp#4|CLIENTPCNAMEHERE|a.b.c.d
SERVERNAMEHERE Session reconnected to winstation: User Name:
USERNAMEHERE Domain: DOMAINNAMEHERE Logon ID: (0x0,0xAAAAA) Session
Name: RDP-Tcp#4 Client Name: CLIENTPCNAMEHERE Client Address: a.b.c.d

That is from win2k, pulled with logparser. Having full audit
functionality in the native logging facilities is nice.

That all said, vnc vs rdp vs whathaveyou - a good starting assumption
is that everything should only be accessible via the vpn, if at all.
If it should be accessible through firewall without vpn, they ought to
be a stunning reason for it.

Matt

---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Interesting thing about ICF and SP2, Moser, Scott
Next by Date:  Re: Interesting thing about ICF and SP2, Matt Ostiguy
Previous by Thread:  Re: Remote connections, GuidoZ
Next by Thread:  Re: Remote connections, Joshua Dale
Indexes:  [Date] [Thread] [Top] [All Lists]