
Security Basics mailing list archives
RE: Remote Desktop vs VPN on Windows 2003
From: "Frank Hamersley" <terabite () bigpond com>
Date: Thu, 20 Jan 2005 13:35:43 +1100
-----Original Message-----
From: Roger A. Grimes [mailto:roger () banneretcs com]
Sent: Wednesday, 19 January 2005 2:25 PM
To: Danny Puckett; security-basics () securityfocus com
Subject: RE: Remote Desktop vs VPN on Windows 2003

I've demonstrated that unless the worm or the hacker was extremely lucky, I've changed the possible number of ports it would have to scan from 1 to 65k or 130k (if you can include UDP and TCP). I've increased its work load by an incredible factor.
False - Not very incredible at all in these days of GHz, botnets and DSL etc.
If Slammer had to scan 130,000 ports on every machine it touched instead of 1, it would have taken just a bit longer than nine minutes to infect the Internet.
True - it would take longer but it would still have happened.
If Bank of America would have changed their default SQL port to anything else, they would have never been touched by Slammer, suffered the embarrassment, and had executives asking for accountability. One port change and the victims would have been heroes in their boss' eyes.
False - IMO had Slammer been propagating at a lower rate it is reasonable to assume it would have taken much longer to draw attention to itself. The risk posed by slow insidious attacks when defenders are always facing off the most urgent threat worries me most (OK I admit extreme paranoid tendencies). The practical value of this concern is clearly evidenced in the long standing military doctrine to consider diversionary attacks when trying to achieve a difficult objective.
Custom code would have to add...what???...:1435 (five characters) to prevent every SQL scanning worm in existence. In two years of running honeypots I've NEVER had a SQL scanning worm try any port but the defaults.
True - but that is a simple examination of history and is not a safe inference for future worm behaviour.
Tell me again, how would my suggestion of changing the default ports weaken security in any way?
Apologies in advance if this next para seems like a personal attack. It is not, although it does infer and discuss motive. The real risk associated with statements like this goes to the issue of context. Normally ppl complain that their comments are "taken out of context" when they try to deflect an attack based on previous public statements they have made. Less usual in this case, you are prepared to debate this point devoid of further context (ie. such as complementary techniques, although at some times they have arisen in the thread). This perhaps is a failure borne out of a personal need to conduct a passionate defence of this specific technique and trying to avoid obfuscation or confusion arising in the minds of impressionable readers. The dangers here are (a) that the simpleton reader will accept your argument as confirming that this is the only technique required (almost too silly to be believed but nonetheless probable), (b) that the average reader will place undue weight on the technique and place less emphasis on other better defensive measures (especially if resource allocation is constrained as is so often the case in SMEs), and finally (c) the elite reader will be distracted from directly addressing the incessant tide of problems, by needing to repeatedly debate the issue with members of (a) and (b) when trying to get "management" to focus on their perceived risks. I'm sure that BoA prior to the Slammer infestation had at least one heretic in the IT team who claimed that the measures in place at the time were manifestly inadequate. "I told you so" from that quarter is worth squat in recovering the bank's reputation.
What is frustrating is how "expert" after "expert" keeps telling people that security through obscurity doesn't work, when clearly it does have its place in any defense-in-depth system. Anyone saying different is not thinking outside the box.
What I find "frustrating" is a "real expert" relying so simply on historic events to support an argument without actually trying to predict the likely future situation. Many years ago I forecast the evolution of hacking from its original simple and overt "wreckage" mentality (eg BSOD or DOS and DDOS) attacks (which were sometimes used to extort $) to the more insidious covert phishing and ownership threats we are currently facing. Personally I am more worried about someone covertly phreaking my bank account than facing an OS reinstall because some script kiddie wiped the MBR. Just like DOS evolved to low bandwidth DDOS I feel the next evolution (in fact I think it's already here but don't have much first hand evidence) will be phishers who skim small and "reasonable" amounts from bank accounts with much larger balances in the hope that the transactions will slip past the owner for several statement periods before they twig to the problem. Early birds certainly catch the worms, but a sharp tug just breaks off the tail whereas a gentle and inexorable application of pressure often gets the whole worm! The next probable evolution of this trend is what I call "uneconomic" theft - where the amounts stolen are below the pain barrier for the financial institution and they simply reinstate the customer's funds (and wear it in the P&L) rather than spend more $ on staff to investigate than is likely to be recovered by prosecution. We consumers end up paying in the end - just like credit card interest rates cover default and fraudulent activity in that sector. There are always more boxes to get out of ("Babushka" or as an emigre colleague insists "Matryoshka" wise). I don't claim by any stretch to have got to the last one yet so I won't claim even "expert" status!

*** Now for an examination of the technique itself ***

At an earlier time I considered port shifting as a reasonable part of a defence in depth strategy. However I have moved to a perhaps more "sophisticated" view recently as evidenced in some part by arguments tendered above. I now believe the technique is now (if not very soon to be) completely outdated especially when the trade off in "security vs usability" is factored. IMO resourcing the move (or repeated moving) of ports whilst not onerous is fairly pointless when trying to approach "world's best practice" status. There are other tools and techniques (none of which is perfect in isolation) that would deliver better "bang for buck".

You only have to look into nature for successful strategies that reinforce this view. When swimming the crystal clear waters off Vanuatu the most highly obvious fish is also one of the most dangerous. I am referring to the Lion Fish which swims around at a very leisurely pace as if it owns the place. Of course it has defence in depth - (1) the venom, (2) the elongated fins to increase its exclusion zone, and (3) the stunning colour scheme! Only idiots worthy of a Darwin award go anywhere near these cuties! NB the Stonefish (also seen in the same locale and also nasty) is camouflaged but not for security reasons - it is hunting its prey using stealth!

Hence my current practice is to use standard ports and a minimal footprint with many layers of defence, none of which is simple obscurity. I am very happy for SSH to advertise itself (and even its version) on tcp/22 to any scanners so they either look for softer targets or at worst waste their time (and a bit of my log space). My paranoia keeps me on the lookout for exploit reports and I tend as a rule to patch early and often even though my natural tendency is to be a slow adopter to avoid the bleeding edge.

Cheers, Frank.
B.Sc.(Zool)

-----Original Message-----
From: Danny Puckett [mailto:dpuckett () comresource com]
Sent: Tuesday, January 18, 2005 3:54 PM
To: security-basics () securityfocus com
Subject: RE: Remote Desktop vs VPN on Windows 2003

You assume that the only things you need to worry about are automatic worms and scripts that attack default ports. This is all well and good but what do you do if you are singled out by a determined attacker. If someone takes the time to closely scan all of your ports they WILL find the service you think you have hidden so well. You are much better off using default ports protected by proven controls like SSH and IPSEC. I would hate to tell my manager "Sorry boss, I thought I hid that pretty good."

Danny Puckett
CISSP, MCSE:Security, Security+, CNA

-----Original Message-----
From: Roger A. Grimes [mailto:roger () banneretcs com]
Sent: Tuesday, January 18, 2005 1:53 PM
To: Paris E. Stone; Jeff Randall; security-basics () securityfocus com
Subject: RE: Remote Desktop vs VPN on Windows 2003

Security through obscurity is a type of security, and it works...just not in a vacuum...and not alone. Almost all major Internet worms would have been rendered defenseless by simply changing the port number one port up. 99.9% of hacks are automated using worms, viruses, and malicious scripts. Almost all of them (9999.99%) only look on the default port. Fastest worm ever..SQL Slammer...only worked on the default SQL port. Code Red...only port 80. Spambots look for ports 25 and 80. FTP exploits ONLY look for port 21. I could go on and on. Security by obscurity works, and works well. Come find my RDP port on my domain at banneretcs.com. Prize (free book) to the first person who finds it. Go.

Roger

*************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
*************************************************************************

-----Original Message-----
From: Paris E. Stone [mailto:pstone () alhurra com]
Sent: Tuesday, January 18, 2005 10:40 AM
To: Roger A. Grimes; Jeff Randall; security-basics () securityfocus com
Subject: RE: Remote Desktop vs VPN on Windows 2003

"Security through Obscurity" i.e. put it on a different port, is not security at all. Rdesktop on the internet is generally a bad idea, no matter what port it runs on. Put a firewall in front of it if possible; if not, run a software firewall and then add openvpn. www.openvpn.net is free, and will allow IPSEC connectivity that you can use to access the machine, then you get MSTSC (remote desktop) access over the tunnel.

-----Original Message-----
From: Roger A. Grimes [mailto:roger () banneretcs com]
Sent: Friday, January 14, 2005 5:16 PM
To: Jeff Randall; security-basics () securityfocus com
Subject: RE: Remote Desktop vs VPN on Windows 2003

I can think of NO reason not to use Remote Desktop. Remote Desktop is fast and secure. Everything is encrypted past the logon name. To get additional security assurance, change the default TCP port from 3389 to something randomly high...like 58645 (which you can do with a regedit on the server...just google it). Then add the new port number to your server address...like www.example.com:58645.

Roger

*************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
*************************************************************************

-----Original Message-----
From: Jeff Randall [mailto:Jeff.Randall () ksg-llc net]
Sent: Thursday, January 13, 2005 3:23 PM
To: security-basics () securityfocus com
Subject: Remote Desktop vs VPN on Windows 2003

I have setup a web server running win2k3 and was curious about remotely accessing it with an XP box. Only one requirement, it has to be FREE.

Here is what I have setup and as of now working but I would like in the end to only run one.

1. RRAS using PPTP. It's not a DC so I use local accounts.
2. VNC. TightVNC to be specific.
3. Remote Desktop - went into the admin tools and set the encryption level to high.

Please no crazy setups like upgrade to DC and run IAS for Radius or running IPSEC tunnels, just would like people's thoughts on the security level of each of these programs and what they feel are the most secure. If you can get specific about encryption, keys, key lengths, that would be great.

Thanks
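The two attacker profiles argued over in this thread, the worm that only knocks on one default port across many hosts and the determined attacker who walks every port on one host, leave distinguishable footprints in a firewall's denied-connection log, which is where a defender gets value regardless of which port a service sits on. The script below is an added illustration and is not code from any participant in the thread; the log line format, the time window and thresholds, and the IP addresses are all constructed for the example.

```python
"""Classify sources in a (constructed) firewall deny log as a vertical port
scan, a default-port sweep across hosts, or noise.

Added example, not from the mailing-list thread. The log format
"<ISO timestamp> DENY <src_ip> -> <dst_ip>:<dst_port>" and the thresholds
below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)


def parse_line(line):
    """Parse one assumed-format log line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
    }


def classify_sources(lines, window=timedelta(minutes=5),
                     sweep_ports=50, worm_hosts=5):
    """Return {src_ip: label} with label one of:
       'vertical-scan'      many distinct ports on a single host inside the window
                            (the targeted attacker who will find a moved service)
       'default-port-sweep' one port hit across many hosts (worm-like behaviour)
       'noise'              neither threshold reached
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append(ev)

    labels = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        label = "noise"
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until all events fit in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for e in evs[start:end + 1]:
                ports_per_host[e["dst"]].add(e["port"])
                hosts_per_port[e["port"]].add(e["dst"])
            if any(len(p) >= sweep_ports for p in ports_per_host.values()):
                label = "vertical-scan"   # strongest signal, stop looking
                break
            if any(len(h) >= worm_hosts for h in hosts_per_port.values()):
                label = "default-port-sweep"
        labels[src] = label
    return labels


def sample_log():
    """Constructed log lines using documentation-range addresses."""
    base = datetime(2005, 1, 19, 10, 0, 0)
    lines = []
    # One source walks 60 consecutive ports on one host within a minute.
    for i in range(60):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} DENY 198.51.100.7 -> 192.0.2.10:{3380 + i}")
    # Another source hits tcp/1434 on eight different hosts.
    for i in range(8):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} DENY 203.0.113.9 -> 192.0.2.{10 + i}:1434")
    # A single stray connection attempt.
    lines.append(f"{base.isoformat()} DENY 192.0.2.200 -> 192.0.2.10:3389")
    return lines


if __name__ == "__main__":
    for src, label in sorted(classify_sources(sample_log()).items()):
        print(f"{src:15} {label}")
```

The vertical scan is the case that matters for the "move the port" argument: the source that touches 60 ports on one host reaches a relocated service just as surely as the default one, and the only thing the port change bought was a slightly longer log. The cross-host single-port pattern is what a worm leaves behind, and it is the pattern a port change does defeat; the thresholds are deliberately coarse and would need tuning to a real network's baseline.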
Current thread:
- RE: non-default ports (Was: Remote Desktop vs VPN on Windows 2003), (continued)
- RE: non-default ports (Was: Remote Desktop vs VPN on Windows 2003) Alexander Klimov (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Paris E. Stone (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Paris E. Stone (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Paris E. Stone (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Paris E. Stone (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- Re: Remote Desktop vs VPN on Windows 2003 Ansgar -59cobalt- Wiechers (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Frank Hamersley (Jan 20)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Paris E. Stone (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Paris E. Stone (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Frank Hamersley (Jan 20)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- Re: Remote Desktop vs VPN on Windows 2003 Ansgar -59cobalt- Wiechers (Jan 19)
- Re: Remote Desktop vs VPN on Windows 2003 Michael Gale (Jan 20)
(Thread continues...)