Security Basics mailing list archives

RE: Remote Desktop vs VPN on Windows 2003


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Tue, 18 Jan 2005 22:25:23 -0500

Very true.  But 99.999% of the probes and attacks are automated. I run 8
honeypots and they and my firewall logs tell me what my greatest risk is,
and it isn't Johnny-uber hacker.  That's one of the biggest problems with
the security world, 90% of the security defense classes are built to defend
against the dedicated hacker and we wonder why viruses and worms keep
breaking into our networks year-after-year.

I've demonstrated that unless the worm or the hacker was extremely lucky,
I've changed the possible number of ports it would have to scan from 1 to
65k or 130k (if you can include UDP and TCP). I've increased its workload
by an incredible factor. If Slammer had to scan 130,000 ports on every
machine it touched instead of 1, it would have taken just a bit longer than nine
minutes to infect the Internet. If Bank of America would have changed their
default SQL port to anything else, they would have never been touched by
Slammer, suffered the embarrassment, and had executives asking for
accountability.  One port change and the victims would have been heroes in
their boss' eyes.  Custom code would have to add...what???...:1435 (five
characters) to prevent every SQL scanning worm in existence.  In two years
of running honeypots I've NEVER had a SQL scanning worm try any port but the
defaults.

Tell me again, how would my suggestion of changing the default ports
weaken security in any way?

What is frustrating is how "expert" after "expert" keeps telling people that
security through obscurity doesn't work, when clearly it does have its place
in any defense-in-depth system.  Anyone saying different is not thinking
outside the box.

-----Original Message-----
From: Danny Puckett [mailto:dpuckett () comresource com] 
Sent: Tuesday, January 18, 2005 3:54 PM
To: security-basics () securityfocus com
Subject: RE: Remote Desktop vs VPN on Windows 2003

You assume that the only things you need to worry about are automatic worms
and scripts that attack default ports.  This is all well and good, but what do
you do if you are singled out by a determined attacker?  If someone takes
the time to closely scan all of your ports they WILL find the service you
think you have hidden so well.  You are much better off using default ports
protected by proven controls like SSH and IPSEC.  I would hate to tell my
manager "Sorry boss, I thought I hid that pretty good."

Danny Puckett
CISSP, MCSE:Security, Security+, CNA

-----Original Message-----
From: Roger A. Grimes [mailto:roger () banneretcs com]
Sent: Tuesday, January 18, 2005 1:53 PM
To: Paris E. Stone; Jeff Randall; security-basics () securityfocus com
Subject: RE: Remote Desktop vs VPN on Windows 2003

Security through obscurity is a type of security, and it works...just 
not in a vacuum...and not alone.

Almost all major Internet worms would have been rendered defenseless by 
simply changing the port number one port up. 99.9% of hacks are 
automated using worms, viruses, and malicious scripts.  Almost all of 
them (9999.99%) only look on the default port.  Fastest worm ever..SQL 
Slammer...only worked on the default SQL port. Code Red...only port 80.
Spambots look for ports 25 and 80. FTP exploits ONLY look for port 21. 
I could go on and on.

Security by obscurity works, and works well. Come find my RDP port on 
my domain at banneretcs.com.  Prize (free book) to the first person 
who finds it. Go.

Roger

**********************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
**********************************************************************



-----Original Message-----
From: Paris E. Stone [mailto:pstone () alhurra com]
Sent: Tuesday, January 18, 2005 10:40 AM
To: Roger A. Grimes; Jeff Randall; security-basics () securityfocus com
Subject: RE: Remote Desktop vs VPN on Windows 2003

"Security through Obscurity" i.e. put it on a different port, is not 
security at all.

Rdesktop on the internet is generally a bad idea, no matter what port 
it runs on.


Put a firewall in front of it if possible, if not, run a software 
firewall and then add openvpn.

www.openvpn.net is free, and will allow IPSEC connectivity that you 
can use to access the machine, then you get MSTSC (remote desktop) 
access over the tunnel.

-----Original Message-----
From: Roger A. Grimes [mailto:roger () banneretcs com]
Sent: Friday, January 14, 2005 5:16 PM
To: Jeff Randall; security-basics () securityfocus com
Subject: RE: Remote Desktop vs VPN on Windows 2003

I can think of NO reason not to use Remote Desktop.  Remote Desktop is 
fast and secure.  Everything is encrypted past the logon name. To get 
additional security assurance, change the default TCP port from 3389 
to something randomly high...like 58645 (which you can do with a 
regedit on the server...just google it).  Then add the new port number 
to your server address...like www.example.com:58645.

Roger


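As an added example (not code from the thread or from any poster), this is the PowerShell equivalent of the regedit change Roger describes, paired with the host firewall rule a practitioner would want alongside it. It assumes a current Windows Server with the NetSecurity and NetTCPIP modules (Windows 2003 has neither; there the change was a manual registry edit plus netsh), an elevated session, and 203.0.113.0/24 as a placeholder for the admin network allowed to reach the new port.

```powershell
# Added example, not from the thread. Moves the RDP listener off TCP/3389 and
# scopes the firewall rule for the new port to an admin source range.
# Assumes Windows Server 2012+ (New-NetFirewallRule, Get-NetTCPConnection),
# run elevated. 203.0.113.0/24 is a placeholder (RFC 5737 documentation range).

param(
    [ValidateRange(1024, 65535)]
    [int] $NewPort = 58645,                           # the port suggested in the thread
    [string[]] $AllowedRemote = @('203.0.113.0/24')   # placeholder: your admin network
)

# Documented location of the RDP-Tcp listener port (a REG_DWORD).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Refuse to collide with something already listening on the chosen port.
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "TCP/$NewPort is already in use on this host; pick another port."
}

$old = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord
Write-Host "RDP listener moved from TCP/$old to TCP/$NewPort (effective after service restart)."

# The built-in 'Remote Desktop' rule group only covers 3389, so add a rule for
# the new port, limited to the admin source range instead of Any.
New-NetFirewallRule -DisplayName "RDP (custom port $NewPort)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -RemoteAddress $AllowedRemote -Action Allow -Profile Any | Out-Null

# Close the default 3389 rules so the old port is not left reachable.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# Restart the listener and confirm the move before dropping your current session.
Restart-Service -Name TermService -Force
Get-NetTCPConnection -State Listen -LocalPort $NewPort |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Clients then connect with mstsc /v:host:58645 as Roger describes; the source-address scope on the rule is what still holds when the port alone is found by a full scan.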

-----Original Message-----
From: Jeff Randall [mailto:Jeff.Randall () ksg-llc net]
Sent: Thursday, January 13, 2005 3:23 PM
To: security-basics () securityfocus com
Subject: Remote Desktop vs VPN on Windows 2003

I have set up a web server running win2k3 and was curious about 
remotely accessing it with an XP box.  Only one requirement, it has to be
FREE.

Here is what I have set up and as of now working but I would like in 
the end to only run one.

1.    RRAS using PPTP.  It's not a DC so I use local accounts.
2.    VNC.  TightVNC to be specific.
3.    Remote Desktop - went into the admin tools and set the
encryption level to high.

Please no crazy setups like upgrade to DC and run IAS for Radius or 
running IPSEC tunnels, just would like people's thoughts on the 
security level of each of these programs and what they feel are the most
secure.
If you can get specific about encryption, keys, key lengths, that 
would be great.  Thanks

