Renaming the administrator account has always been an important security
step to take with all NT/2000 systems.  This should always be done, whether
or not you have an exposure.

Please don't think that by renaming the administrator account and putting a
legal banner up you are protected from this attack.  The current version
can't handle the legal banner, but another will be out soon.  Filtering RDP
is an excellent idea as Doug Luxom has suggested. RDP in itself is a very
insecure protocol and has been the target of many attacks.  Disabling RDP
would be advisable in all cases unless you truly need it.

When you are implementing your RDP filter you should also be filtering
several other ports such as Windows File & Print Sharing, SQL Server, FTP,
Web, etc.  There is no reason that workstations should be able to be
communicated with from the outside world on those ports. (Remember to allow
the workstations to communicate to servers on those ports though)

-tim

----
Timothy D. First, MCSE, CNA               [log in to unmask]
Information Technologist II               (517) 353-4420 x335
Administrative Information Services       Fax: (517) 355-5176
Michigan State University

-----Original Message-----
From: John Valenti [mailto:[log in to unmask]]
Sent: Tuesday, June 04, 2002 12:22 PM
To: [log in to unmask]
Subject: W2k Terminal services protection


hi,

I saw a message on the UNISOG mailing list about a security "tool" being
developed that would brute force attack terminal services. I've been using
terminal services for remote access to my servers, so this concerned me.
Basically it grinds through, testing passwords on the administrator account
(which apparently cannot be locked out for too many bad password attempts).
Unless you watch your log files closely, you might never notice.

The web page describing TSgrinder is at
http://www.hammerofgod.com/download.htm
One nice thing about the developer is that he mentions ways to prevent this
tool from working. Two of them are renaming the admin account and setting
the pre-login legal notice.

I had already renamed the admin account on my domain, I think now I will go
through all the workstations and rename those admin accounts too.

More information on setting the legal notice is at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q101063

I ran the following .reg file on all my systems offering a terminal services
connection:
-------- legal-notice.reg --------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="Important Notice:"
"LegalNoticeText"="No Unauthorized Access Allowed!"
----------------------------------------------------------------------------

Hopefully this keeps me at least two steps ahead of the people that have
blank passwords on the admin account. If anyone has further thoughts on
this, please let me know.  And this info also applies to the remote console
feature in WinXP Pro.

-jav


* John Valenti Systems Analyst, Labor & Industrial Relations *
* 408 S Kedzie Hall, Michigan State University, E. Lansing, MI 48824 *
* (517) 353-1807 fax (517) 355-7656 [log in to unmask] *
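Both messages above come back to the same weak spot: a password-guessing run
against the built-in administrator account over Terminal Services never locks
the account, so it only shows up if someone actually reads the Security log.
The following is an added example, not code from either poster, that runs a
simple detector over constructed failed-logon records. It assumes the log has
been exported one event per line in the made-up `EventID=... User=...
Workstation=...` layout shown; the 529 event ID is the NT/2000 "Logon Failure:
unknown user name or bad password" event, and the "canary" idea follows from
the renaming advice in the thread: once the account has been renamed, nobody
legitimate should be trying the old name at all.

```python
"""Spot TSgrinder-style password guessing in exported Security-log records.

Added example for this thread, not the posters' code. The record layout
below is constructed for the example; the only real identifier used is
event ID 529 (NT/2000 logon failure: bad user name or password).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: six failures against 'Administrator' from one host
# in a few seconds (the grinder), then one mistyped password and a successful
# logon from a legitimate user. Not real data.
SAMPLE_LOG = """\
2002-06-04 12:20:01 EventID=529 User=Administrator Workstation=ATTACKER01
2002-06-04 12:20:02 EventID=529 User=Administrator Workstation=ATTACKER01
2002-06-04 12:20:03 EventID=529 User=Administrator Workstation=ATTACKER01
2002-06-04 12:20:04 EventID=529 User=Administrator Workstation=ATTACKER01
2002-06-04 12:20:05 EventID=529 User=Administrator Workstation=ATTACKER01
2002-06-04 12:20:06 EventID=529 User=Administrator Workstation=ATTACKER01
2002-06-04 12:21:30 EventID=529 User=jvalenti Workstation=LIR-WS12
2002-06-04 12:21:41 EventID=528 User=jvalenti Workstation=LIR-WS12
"""

FAILED_LOGON_EVENT_IDS = {529}  # NT/2000: unknown user name or bad password


def parse_line(line):
    """Parse one constructed 'YYYY-MM-DD HH:MM:SS key=value ...' record."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    fields = dict(tok.split("=", 1) for tok in line[20:].split())
    return {
        "ts": ts,
        "event_id": int(fields["EventID"]),
        "user": fields["User"],
        "workstation": fields["Workstation"],
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60),
                      canary_accounts=("Administrator",)):
    """Return alerts as (kind, user, workstation, count) tuples.

    'bruteforce': at least `threshold` failed logons for the same
                  (user, workstation) pair inside a sliding `window`.
    'canary':     any failed logon against a name in `canary_accounts`.
                  Assumption: the built-in account has been renamed, so the
                  old name is only ever tried by attackers or tools.
    Each alert fires once per (user, workstation) pair.
    """
    alerts = []
    recent = defaultdict(deque)   # (user, workstation) -> timestamps in window
    fired = set()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event_id"] not in FAILED_LOGON_EVENT_IDS:
            continue            # successes (528) and other events are ignored
        key = (rec["user"], rec["workstation"])

        if rec["user"] in canary_accounts and ("canary",) + key not in fired:
            fired.add(("canary",) + key)
            alerts.append(("canary", rec["user"], rec["workstation"], 1))

        q = recent[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()         # drop failures that fell out of the window
        if len(q) >= threshold and ("bruteforce",) + key not in fired:
            fired.add(("bruteforce",) + key)
            alerts.append(("bruteforce", rec["user"], rec["workstation"], len(q)))
    return alerts


if __name__ == "__main__":
    for kind, user, host, count in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{kind:10s} user={user} from={host} failures={count}")
```

The single failure from `jvalenti` never reaches the threshold and produces
nothing, while the grinder trips both rules: the canary on its very first
attempt, and the rate rule on the fifth. On a real system the threshold and
window should be tuned against normal help-desk noise, and the same counting
should be keyed on the source address once RDP is filtered to a known set of
management hosts, as suggested in the thread.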