Ralph, I am not sure if this is the "creative" method you were thinking of .. but facts, facts, and more facts would be my choice. You have a broad area to cover. Do you convince them that none of their material should face the internet ?.. as in no firewall [ my assumption of no firewall .. . if the TS enabled servers are directly facing net.] Thus the exposed TS material is just one of the risks they are allowing. or Do you show detailed recorded examples of TS exploitation ? Which leads me to .. is there documentation of TS material being exploited and how ? I do not know about that so I searched google a bit, jumped to securityfocus, searched their vulnerabilities database, under microsoft it showed 2 TSAC activeX issues .. which I am not qualified to comment on. links below. Microsoft TSAC ActiveX Control http://online.securityfocus.com/bid/5952 http://online.securityfocus.com/bid/5554 At the link below, quick glance, there seems to be much info regarding terminal services functionality. http://www.ntsecurity.net/Articles/Index.cfm?TopicID=800 and so on. Of course .. If you are skilled enough and can get the approval to try .. exploit it yourself. Setup a prove-able test .. get somewhere secure .. modify a agreed upon parameter / setting. How could they argue with that ? [ I do not know if or how to if it is possible. I am just offering logical "proof" options. ] You may find the terminal services [ with version control, current patches, etc] ok. Then the facts do not support your warnings, right? Even so there seems to be enough evidence of other risks, almost to the point of common sense, not to have servers / services / clients exposed directly to the net. A inventory of what they have running facing the net and a list of exploits against those services/OS's/clients .. with some cost liability numbers should be sobering. That said .. it may not sway them .. here at the university .. the only device , as far as I know, they have purchased is a packetteer used to throttle back the dorms from file sharing outboud congestion. Politics and money are a big part of these decisions. At least you can give them hard data to add to the mix. regards, /don On 10 Jan 2003 at 10:09, Ralph Los wrote: > Hello all, > > I've got a pretty good client of mine who absolutely refuses to heed my > warnings about keeping Terminal Services open to the world. They rely on > Windows passwords and figure that's strong enough for all their servers > (management). Now I'm given the task of auditing their > security/infrastructure and would like to come up some creative ways to > back up my point about MS TS open to the Internet being a bad idea. > > Any thoughts or input is appreciated. > > Ralph _____________________________________________ Don Voss vossat_private Sr. Programmer Analyst Geography & Planning Department The University at Albany, SUNY Albany, NY, 12222-0100 Jazz music: an intensified feeling of nonchalance. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Sat Jan 11 2003 - 16:34:39 PST