I agree, rename the Admin account and create a fake Admin account, and put very good logging on it, because any attempts on this account would be attacks.
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Tornio
> Sent: Tuesday, January 25, 2005 3:29 PM
> To: [email protected]
> Subject: Re: [lists] [Full-Disclosure] Terminal Server vulnerabilities
>
> On Jan 25, 2005, at 2:38 PM, Curt Purdy wrote:
>
> > Daniel Sichel wrote:
> > <snip>
> >> Naturally I
> >> don't like this answer because of horror stories I have heard about
> >> Terminal server. They claim there are no unfixed vulnerabilities to
> >> Terminal Server on Windows Server 2000 Service Pack 4.
> >
> > The problem with terminal server is not any vulnerabilities that can be
> > exploited, but the fact that administrator can be bruteforced (6
> > attempts followed by reconnect) and that it is screaming its existence
> > on port 3889.
> > If you use it, definitely change the port in the registry.
>
> Of course, one of the very first things you should do on a
> Windows box is rename the administrator account, so this kind
> of blind brute-forcing is not possible.
>
> Also, the problem you describe can be exacerbated in that
> administrator can be brute-forced without creating a log
> entry, by attempting 5 logons and disconnecting before
> Windows disconnects and logs after the sixth failure. This
> was covered in a talk at Black Hat 2003, when Ryan Russell
> and Tim Mullens released TSGrinder. I don't know if they
> continued work on it.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
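The decoy-account logging suggested in the reply, as an added example that is not part of the original thread: it reports every source that touched the decoy and lists any real accounts that same source logged on to. The four-column export format, the sample rows and the decoy name are constructed assumptions; 529/528 and 4625/4624 are the legacy and current Windows failed/successful logon event IDs.

```python
import csv
import io
from collections import defaultdict

DECOY = "administrator"   # assumption: the decoy keeps the well-known name
FAILED = {"529", "4625"}  # failed logon (legacy / current event IDs)
SUCCESS = {"528", "4624"} # successful logon (legacy / current event IDs)

# Constructed sample export: time, event_id, account, source_ip
SAMPLE = """\
2005-01-25T15:01:02,529,Administrator,192.0.2.10
2005-01-25T15:01:03,529,Administrator,192.0.2.10
2005-01-25T15:02:10,529,jsmith,198.51.100.7
2005-01-25T15:02:30,528,jsmith,198.51.100.7
2005-01-25T15:04:41,529,backup,192.0.2.10
2005-01-25T15:05:00,528,backup,192.0.2.10
"""

def triage(export_text, decoy=DECOY):
    """Return {source_ip: report} for every source that touched the decoy."""
    by_source = defaultdict(list)
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) != 4 or row[1] not in FAILED | SUCCESS:
            continue  # skip blank, malformed or unrelated records
        time, event_id, account, source = row
        by_source[source].append((time, event_id, account.lower()))
    reports = {}
    for source, events in by_source.items():
        decoy_hits = [e for e in events if e[2] == decoy]
        if not decoy_hits:
            continue  # ordinary failures on real accounts are not alerts here
        reports[source] = {
            "first_seen": min(e[0] for e in decoy_hits),
            "decoy_attempts": len(decoy_hits),
            # A success on the decoy means its password was guessed.
            "decoy_compromised": any(e[1] in SUCCESS for e in decoy_hits),
            # Real accounts the same source logged on to: review those sessions.
            "real_accounts_logged_on": sorted(
                {e[2] for e in events if e[1] in SUCCESS and e[2] != decoy}),
        }
    return reports

if __name__ == "__main__":
    for source, report in triage(SAMPLE).items():
        print(source, report)
```

As the quoted message notes, attempts that disconnect before the sixth failure may never be logged, so this check only sees what the host actually records.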
