On Jan 25, 2005, at 2:38 PM, Curt Purdy wrote:
Daniel Sichel wrote: <snip>Naturally I don't like this answer because of horror stories I have heard about Terminal server. They claim there are no unfixed vulnerabilities to Terminal Server on Windows Server 2000 Service Pack 4.
The problem with terminal server is not any vulnerablities that can be
exploited, but the fact that administrator can be bruteforced (6 attempts
followed by reconnect) and that it is screaming its existence on port 3889.
If you use it, definitely change the port in the registry.
Of course, one of the very first things you should do on a Windows box is rename the administrator account, so this kind of blind brute-forcing is not possible.
Also, the problem you describe can be exacerbated in that administrator can be brute-forced without creating a log entry, by attempting 5 logons and disconnecting before Windows disconnects and logs after the sixth failure. This was covered in a talk at Black Hat 2003, when Ryan Russell and Tim Mullens released TSGrinder. I don't know if they continued work on it.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
