RE: Remote Desktop vs VPN on Windows 2003

["Roger A. Grimes" <roger () banneretcs com>]

I know all about it.  I use nmap myself-it's in my latest book.
Interestingly, I've only logged 33 source IP addresses using it's
paranoid mode to scan my machines.  Still, only Rhett found the port. It
wasn't as if I didn't think someone could find the port.  There are only
130K ports and port scanners work fast...it was just a matter of time.
But I collected the statistics I needed for my next talk.  It took over
70,000 different probes just to find the port it was on vs. a worm or
dedicated hacker just going straight to port 3389-one probe.  Do the
math.

I don't need to keep just real people out...99.9% of ALL attacks hitting
Joe corporate America are automated attacks.  

The truth is you will NEVER keep the dedicated hacker out.  I get paid
to hack for my real job. I've NEVER not broken into a site or web site
I've been hired to hack.

But my clients, EVERY ONE of them, have been worm, virus, trojan,
spybot-free because of my basic security recommendations. Corporations
around the world are spending money on fancy IDSs, deep scanning
firewalls, and network access control, while at the same time allowing
their end-users to be logged into their PCs as local admins and not even
coming close to understanding NTFS permissions 101. The best bang for
the buck security isn't some new fancy device or technique, but a better
understanding of the free, basic stuff.

Every one of you who keep saying that security by obscurity is no
security lives in a world where repeating non-sensical mantras makes you
feel warm and fuzzy while your clients and companies keep fighting worm
after worm.

Security by obscurity isn't great security by itself, but it does work
and add value.

BTW, Windows IT Pro will be sponsoring a Hack IIS 6 contest in April,
with prizes.  It will only be secured using Microsoft tools and
Microsoft recommendations. I welcome each of you to participate.  More
than a port scan will be involved.

Roger

************************************************************************
***
*Roger A. Grimes, Banneret Computer Security, Computer Security
Consultant 
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by
O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
************************************************************************
****



-----Original Message-----
From: Anonymous [mailto:pix535 () gmail com] 
Sent: Tuesday, January 18, 2005 3:44 PM
Cc: security-basics () securityfocus com
Subject: Re: Remote Desktop vs VPN on Windows 2003

Greetings,

You are right, but yet this is a false sense of security. It's like the
gate of 3 foot tall. It won't keep real people out.

And for your RDP port, i'm sure you are familiar with nmap -sS -p
1-65535 -T paranoid

It would find it, unless protected by IP's acl.




Roger A. Grimes wrote:
> Security through obscurity is a type of security, and it works...just 
> not in a vacuum...and not alone.
>
> Almost all major Internet worms would have be rendered defenseless by 
> simply changing the port number one port up. 99.9% of hacks are 
> automated using worms, viruses, and malicious scripts.  Almost of of 
> them (9999.99%) only look on the default port.  Fastest worm ever..SQL

> Slammer...only worked on the default SQL port. Code Red...only port
80.
> Spambots look for ports 25 and 80. FTP exploits ONLY look for port 21.

> I could go on and on.
>
> Security by obscurity works, and works well. Come find my RDP port on 
> my domain at banneretcs.com.  Prize (free book) to the first person 
> who finds it. Go.
>
> Roger
>
> **********************************************************************
> **
> ***
> *Roger A. Grimes, Banneret Computer Security, Computer Security 
> Consultant *CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), 
> CEH, CHFI
> *email: roger () banneretcs com
> *cell: 757-615-3355
> *Author of Malicious Mobile Code:  Virus Protection for Windows by 
> O'Reilly *http://www.oreilly.com/catalog/malmobcode
> *Author of Honeypots for Windows (Apress)
> *http://www.apress.com/book/bookDisplay.html?bID=281
> **********************************************************************
> **
> ****
>
>
>
> -----Original Message-----
> From: Paris E. Stone [mailto:pstone () alhurra com]
> Sent: Tuesday, January 18, 2005 10:40 AM
> To: Roger A. Grimes; Jeff Randall; security-basics () securityfocus com
> Subject: RE: Remote Desktop vs VPN on Windows 2003
>
> "Security through Obscurity" i.e. put it on a different port, is not 
> security at all.
>
> Rdesktop on the internet, is generally a bad idea, no matter what port

> it runs on.
>
>
> Put a firewall in front of it if possible, if not, run a software 
> firewall and then add openvpn.
>
> www.openvpn.net is free, and will allow IPSEC connectivity that you 
> can use to access the machine, then you get MSTSC(remote desktop) 
> access over the tunnel.
>
> -----Original Message-----
> From: Roger A. Grimes [mailto:roger () banneretcs com]
> Sent: Friday, January 14, 2005 5:16 PM
> To: Jeff Randall; security-basics () securityfocus com
> Subject: RE: Remote Desktop vs VPN on Windows 2003
>
> I can think of NO reason not to use Remote Desktop.  Remote Desktop is

> fast and secure.  Everything is encrypted past the logon name. To get 
> additional security assurance, change the default TCP port from 3389 
> to something randomly high...like 58645 (which you can do with a 
> regedit on the server...just google it).  Then add the new port number

> to your server address...like www.example.com:58645.
>
> Roger
>
> **********************************************************************
> **
> ***
> *Roger A. Grimes, Banneret Computer Security, Computer Security 
> Consultant *CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), 
> CEH, CHFI
> *email: roger () banneretcs com
> *cell: 757-615-3355
> *Author of Malicious Mobile Code:  Virus Protection for Windows by 
> O'Reilly *http://www.oreilly.com/catalog/malmobcode
> *Author of Honeypots for Windows (Apress)
> *http://www.apress.com/book/bookDisplay.html?bID=281
> **********************************************************************
> **
> ****
>
>
>
> -----Original Message-----
> From: Jeff Randall [mailto:Jeff.Randall () ksg-llc net]
> Sent: Thursday, January 13, 2005 3:23 PM
> To: security-basics () securityfocus com
> Subject: Remote Desktop vs VPN on Windows 2003
>
> I have setup a web server running win2k3 and was curious about 
> remotely accessing it with an XP box.  Only one requirement, it has to
be FREE.
> =20
>
> Here is what I have setup and as of now working but I would like in 
> the end to only run one.
>
> 1.    RRAS using PPTP.  It's not a DC so I use local accounts.
> 2.    VNC.  TiteVNC to be specific.
> 3.    Remote Desktop - went into the admin tools and set the
> encryption level to high.
>
> Please no crazy setups like upgrade to DC and run IAS for Radius or 
> running IPSEC tunnels, just would like peoples thoughts on the 
> security level of each of these programs and what they feel are the
most secure.
> If you can get specific about encryption, keys, key lengths, that 
> would be great.  Thanks