Renaming the administrator account, has always been an important security
step to take with all NT/2000 Systems. This should always be done, no
matter if you have an exposure or not.
Please don't think that by renaming the administrator account and putting a
legal banner up you are protected from this attack. The current version
can't handle the legal banner, but another will be out soon. Filtering RDP
is an excellent idea as Doug Luxom has suggested. RDP in itself is a very
insecure protocol and has been the target of many attacks. Disabling RDP
would be advisable in all cases unless you truly need it.
When you are implementing your RDP filter you should also be filtering
several other ports such as Windows File & Print Sharing, SQL Server, FTP,
Web, etc. There is no reason that workstations should be able to be
communicated with from the outside world on those ports. (Remember to allow
the workstations to communicate to servers on those ports though)
-tim
----
Timothy D. First, MCSE, CNA [log in to unmask]
Information Technologist II (517) 353-4420 x335
Administrative Information Services Fax: (517) 355-5176
Michigan State University
-----Original Message-----
From: John Valenti [mailto:[log in to unmask]]
Sent: Tuesday, June 04, 2002 12:22 PM
To: [log in to unmask]
Subject: W2k Terminal services protection
hi,
I saw a message on the UNISOG mailing list about a security "tool" being
developed that would brute force attack terminal services. I've been using
terminal services for remote access to my servers, so this concerned me.
Basically it grinds through, testing passwords on the administrator account
(which apparently canned be locked out for too many bad password attempts).
Unless you watch your log files closely, you might never notice.
The web page describing TSgrinder is at
http://www.hammerofgod.com/download.htm
One nice thing about the developer is that he mentions ways to prevent this
tool from working. Two of them are renaming the admin account and setting
the pre-login legal notice.
I had already renamed the admin account on my domain, I think now I will go
through all the workstations and rename those admin accounts too.
More information on setting the legal notice is at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q101063
I ran the following .reg file on all my systems offering a terminal services
connection:
-------- legal-notice.reg --------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="Important Notice:"
"LegalNoticeText"="No Unauthorized Access Allowed!"
----------------------------------------------------------------------------
------------------------------
Hopefully this keeps me at least two steps ahead of the people that have
blank passwords on the admin account. If anyone has further thoughts on
this, please let me know. And this info also applies to the remote console
feature in WinXP Pro.
-jav
* John Valenti Systems Analyst, Labor & Industrial Relations *
* 408 S Kedzie Hall, Michigan State University, E. Lansing, MI 48824 *
* (517) 353-1807 fax (517) 355-7656 [log in to unmask] *
|
