Hi,
I saw a message on the UNISOG mailing list about a security
"tool" being developed that would brute force attack terminal
services. I've been using terminal services for remote access to my
servers, so this concerned me. Basically it grinds through, testing
passwords on the administrator account (which apparently cannot be locked
out for too many bad password attempts). Unless you watch your log files
closely, you might never notice.
The web page describing TSgrinder is at
http://www.hammerofgod.com/download.htm
One nice thing about the developer is that he mentions ways to prevent
this tool from working. Two of them are renaming the admin account and
setting the pre-login legal notice.
I had already renamed the admin account on my domain; I think now I will
go through all the workstations and rename those admin accounts
too.
More information on setting the legal notice is at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q101063
I ran the following .reg file on all my systems offering a terminal
services connection:
-------- legal-notice.reg --------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="Important Notice:"
"LegalNoticeText"="No Unauthorized Access Allowed!"
----------------------------------------------------------------------------------------------------------
Hopefully this keeps me at least two steps ahead of the people that have
blank passwords on the admin account. If anyone has further thoughts on
this, please let me know. And this info also applies to the remote
console feature in WinXP Pro.
-jav
* 408 S Kedzie Hall, Michigan State University, E. Lansing, MI 48824
*
* (517) 353-1807 fax (517) 355-7656
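
An added example, not part of the original message: a PowerShell check that can be run on each host to confirm the two mitigations mentioned above, the pre-login legal notice values from legal-notice.reg and a renamed built-in administrator account. It assumes a workstation or member server (local accounts present) and identifies the built-in account by its well-known RID 500; the function name `Test-TsHardening` is hypothetical.

```powershell
# Added example: audit the two mitigations described in the message.
# Test-TsHardening is a hypothetical helper name, not part of any tool.
function Test-TsHardening {
    # Same key that legal-notice.reg writes to.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $winlogon = Get-ItemProperty -Path $key -ErrorAction Stop

    # A missing value comes back as $null; cast so it becomes an empty string.
    $caption = [string]$winlogon.LegalNoticeCaption
    $text    = [string]$winlogon.LegalNoticeText

    # The built-in administrator keeps RID 500 even after it is renamed,
    # so match on the SID instead of the account name.
    # Assumption: LocalAccount=True returns the accounts of interest,
    # which holds on workstations and member servers.
    $admin = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { $_.SID -match '^S-1-5-21-.*-500$' } |
        Select-Object -First 1

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        CaptionSet       = $caption.Trim().Length -gt 0
        TextSet          = $text.Trim().Length -gt 0
        LegalCaption     = $caption
        BuiltinAdminName = if ($admin) { $admin.Name } else { '(not found)' }
        # String comparison with -ne is case-insensitive in PowerShell.
        AdminRenamed     = ($null -ne $admin) -and ($admin.Name -ne 'Administrator')
    }
}

# Report for the local machine; hosts where any of CaptionSet, TextSet
# or AdminRenamed is False still need the change applied.
Test-TsHardening | Format-List
```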