The data sent over the network doesn't seem to depend on the security level you have configured on your Terminal Server: the data is sent before the encrypted phase begins (before the session key negotiation).

You can see in clear text the client name and the server license ID root (52310-005-2479922-00001 instead of 52310-005-2479922-04749, for example), but also the server domain, the server name and the server IP address after the "ncacn_np:" named pipe keyword:

ncacn_np:194.41.26.111

You can also observe some data that look like a public key exchange.

For more information about the exchanged data, you can try to get the Microsoft RDP specification document. This document isn't public and I don't have it yet: see
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/rdpspec.asp

Or you can look at the rdesktop source code:
http://www.rdesktop.org

___________________________________________
Patrick Chambet - MCP
IT Security Consulting
EdelWeb - ON-X Consulting Group
http://www.edelweb.fr - http://www.on-x.com

----- Original Message -----
From: "Pybus, David" <DPybus@colt-telecom.com>

What security level have you set the terminal server to, as if it is set to low it will be sending back a lot more than just its machine name unencrypted?

Normally you wouldn't expose Terminal Services to the net, so exposing things like a machine name is no worse than in the NetBIOS situation you mentioned.

More importantly, when exposing a TS machine to the net, by default you give anyone who can connect the opportunity to brute force the local administrator account. This has to be prevented by configuring Terminal Services not to allow the local admin account to log on and using other accounts instead, which can be configured to lock after three failed attempts, or whatever else your policy dictates.

Also, something I have never seen anything about anywhere is how Terminal Services implements its key generation/exchange. As there is no indication that any type of asymmetric authentication occurs, it seems reasonable to assume that Terminal Services is also probably vulnerable to man-in-the-middle attacks.

Food for thought,
David Pybus
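As an added example, not part of either message in this thread: a small Python parser for the per-block user data an RDP client sends in its MCS Connect Initial PDU, which is where the client host name Patrick saw in clear text travels. The block layout follows Microsoft's MS-RDPBCGR specification, which was published years after this thread (at the time, as Patrick notes, the RDP spec was not public). The sample bytes are constructed, not captured; the host name "WKS-ALICE" and the build number are placeholders. Running this over a real capture assumes you have already stripped the TPKT, X.224, MCS and GCC wrapping, which this example does not implement.

```python
import struct

# TS_UD_HEADER block type codes for client-to-server user data.
# Names and layout follow MS-RDPBCGR 2.2.1.3 (published after this thread).
CS_CORE = 0xC001      # TS_UD_CS_CORE: version, screen size, client host name, ...
CS_SECURITY = 0xC002  # TS_UD_CS_SEC: encryption methods the client is willing to use
CS_NET = 0xC003       # TS_UD_CS_NET: requested virtual channels

RDP_VERSIONS = {0x00080001: "RDP 4.0", 0x00080004: "RDP 5.0 or later"}

ENCRYPTION_METHODS = {
    0x00000001: "40-bit RC4",
    0x00000002: "128-bit RC4",
    0x00000008: "56-bit RC4",
    0x00000010: "FIPS 140-1",
}


def parse_user_data_blocks(data: bytes) -> dict:
    """Split a GCC user-data payload into {block_type: body}.

    Each block starts with a TS_UD_HEADER: uint16 type, uint16 length
    (the length covers the 4-byte header). All integers are little-endian.
    """
    blocks = {}
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError(f"truncated block header at offset {off}")
        btype, blen = struct.unpack_from("<HH", data, off)
        if blen < 4 or off + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        blocks[btype] = data[off + 4:off + blen]
        off += blen
    return blocks


def parse_client_core(body: bytes) -> dict:
    """Decode the leading fixed fields of TS_UD_CS_CORE, including clientName."""
    if len(body) < 52:
        raise ValueError("client core data too short")
    version, width, height, _color_depth, _sas, layout, build = struct.unpack_from("<IHHHHII", body, 0)
    # clientName: 32 bytes of UTF-16LE, null-terminated, sent before any key exists.
    name = body[20:52].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": RDP_VERSIONS.get(version, f"unknown (0x{version:08x})"),
        "desktop": f"{width}x{height}",
        "client_build": build,
        "keyboard_layout": f"0x{layout:08x}",
        "client_name": name,
    }


def parse_client_security(body: bytes) -> list:
    """Decode TS_UD_CS_SEC: the bitmask of encryption methods the client offers."""
    methods, _ext_methods = struct.unpack_from("<II", body, 0)
    return [label for bit, label in sorted(ENCRYPTION_METHODS.items()) if methods & bit]


def summarize_connect_user_data(data: bytes) -> dict:
    """Everything returned here is readable by anyone on the path: no key has been agreed yet."""
    blocks = parse_user_data_blocks(data)
    out = {"blocks": sorted(f"0x{t:04x}" for t in blocks)}
    if CS_CORE in blocks:
        out.update(parse_client_core(blocks[CS_CORE]))
    if CS_SECURITY in blocks:
        out["encryption_methods"] = parse_client_security(blocks[CS_SECURITY])
    return out


# --- constructed sample (not a capture): roughly what a Windows 2000-era client sends ---
def build_sample_user_data(client_name: str) -> bytes:
    name = client_name.encode("utf-16-le")[:30].ljust(32, b"\x00")
    # version, desktopWidth, desktopHeight, colorDepth (8bpp), SASSequence, keyboardLayout (US), clientBuild
    core = struct.pack("<IHHHHII", 0x00080004, 1024, 768, 0xCA01, 0xAA03, 0x00000409, 2195)
    core += name
    core += struct.pack("<III", 4, 0, 12) + b"\x00" * 64  # keyboardType/SubType/FunctionKey, imeFileName
    core_block = struct.pack("<HH", CS_CORE, 4 + len(core)) + core
    sec_block = struct.pack("<HHII", CS_SECURITY, 12, 0x00000003, 0)  # offers 40-bit and 128-bit
    return core_block + sec_block


SAMPLE_USER_DATA = build_sample_user_data("WKS-ALICE")  # hypothetical host name

if __name__ == "__main__":
    for key, value in summarize_connect_user_data(SAMPLE_USER_DATA).items():
        print(f"{key}: {value}")
```

The point of the parser is not the field values themselves but where they sit: the client host name and the client's offered cipher strengths are plain bytes in the connection setup, so whatever encryption level the server is configured for, this part of the exchange is visible to a passive observer, which matches what Patrick saw on the wire.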
This archive was generated by hypermail 2b30 : Sat Jan 19 2002 - 11:08:49 PST