Hi all,

I've just been playing around with Terminal Server (in remote administration mode) to see if an Internet-exposed Terminal Server is really as vulnerable as it appears. I was more than a little alarmed at the results; but knowing how good NT is at actually logging useful information on its own, I wasn't shocked. If anyone has any information on how to better log (on the Win2k box itself), please let me know.

On attempting to connect to the box with either a legitimate or bogus account, the terminal server would accept up to six password attempts before a forcible disconnection (which is logged in the System log along with the machine name and, I assume, IP address; I tested this from a machine which was on our LAN, but assume it makes little difference on the net). This is not as good as it could be, but at least it disconnected me and logged the attempt.

If I attempted to log in 5 times, bailed out of the connection and checked the logs, *nothing* is reported except in the security logs, *but* it records the failed connection as being from IP address 127.0.0.1 (i.e. the local machine; why? because the login is a local one). I attempted to connect with 5 bad passwords, disconnect and reconnect immediately to try another 5 bad passwords; none of this is logged (with the exception of the security log, where it is listed as pre-authentication failures from 127.0.0.1, i.e. pointless).

What can I say, but roll on TSGrinder (maybe I should just write my own :). MS certainly didn't think too hard about security on this one.

-Dan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
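A defender-side illustration of the logging gap Dan describes, added here and not part of the original post or of any Microsoft tooling: since the Security log attributes every Terminal Server logon failure to 127.0.0.1, the only workable detection keys on the target account and looks for failures chopped into runs that each stop short of the six-attempt disconnect. The record layout and the sample entries are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security-log records (not from the post), as
# (timestamp, event text, account, source). The source of every Terminal
# Server logon failure is 127.0.0.1, as the post observes, so it is useless
# for grouping; the detection keys on the target account instead.
BASE = datetime(2001, 11, 17, 9, 0, 0)
# Three connections of 5, 5 and 3 bad passwords: the guesser bails out
# before the 6th attempt that would force a disconnect, then reconnects.
SAMPLE_LOG = [(BASE + timedelta(seconds=s), "Logon Failure", "administrator", "127.0.0.1")
              for s in (1, 3, 5, 7, 9, 20, 22, 24, 26, 28, 40, 42, 44)]
SAMPLE_LOG += [(BASE + timedelta(seconds=46), "Successful Logon", "administrator", "127.0.0.1"),
               (BASE + timedelta(minutes=3), "Logon Failure", "dan", "127.0.0.1")]  # one typo

def failure_runs(records, gap=timedelta(seconds=10)):
    """Split each account's failures into runs separated by a quiet gap.
    One run approximates one connection's worth of password attempts."""
    runs, last = defaultdict(list), {}
    for ts, event, account, _src in sorted(records):
        if event != "Logon Failure":
            continue
        if account in last and ts - last[account] <= gap:
            runs[account][-1] += 1
        else:
            runs[account].append(1)
        last[account] = ts
    return dict(runs)

def flag_guessing(records, window=timedelta(minutes=5), threshold=10, limit=6):
    """Alert on accounts with >= threshold failures inside any sliding window.
    'evades_limit' is true when every run stayed below the forced-disconnect
    limit (the disconnect-and-reconnect pattern); 'then_success' is true when
    a successful logon followed the burst, which deserves the first look."""
    alerts, runs = {}, failure_runs(records)
    ordered = sorted(records)
    for account, account_runs in runs.items():
        times = [ts for ts, ev, a, _ in ordered if a == account and ev == "Logon Failure"]
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                success = any(a == account and ev == "Successful Logon" and t > ts
                              for t, ev, a, _ in ordered)
                alerts[account] = {"failures": len(times), "runs": account_runs,
                                   "evades_limit": all(r < limit for r in account_runs),
                                   "then_success": success}
                break
    return alerts
```

Running it over the sample flags only the administrator account, with runs of 5, 5 and 3 and a success immediately after the burst; the single typo on the other account stays below the threshold.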
This archive was generated by hypermail 2b30 : Sat Nov 17 2001 - 09:48:51 PST