ecklesd wrote:
> 
> By the way, Mikael, if you are going to include text from messages 
> written by others on this list, please include ALL pertinent 
> information.

Why? I consistently snip out anything I'm not directly responding to
from all posts.  It increases readability and decreases list volume.

> "Please remember the security implications of allowing such 
>  connections to your pcANYWHERE server."

This time around I _will_ address this by adding a couple of more
direct points of my own:

- Enforce strict password policies for the pcanywhere server.
  Script kiddies _love_ running password crackers against remote
  desktop products to use the boxes as DDoS zombies. [1]

- Consider limiting the source IP spans that you allow to talk
  to the pcanywhere port. It reduces exposure, even though it
  is in no way bulletproof.

- Consider auditing the remote boxes that get to log on to your 
  internal machines, and protecting them with at least a personal
  firewall. (Although this buys you next to nothing against trojans, 
  as many have proven.)

- Consider tunneling the pcanywhere connection through an stunnel
  or SSH tunnel. Assuming your client boxes probably won't have *nix 
  boxes nearby for terminating the stunnel, I'd probably go with the
  SSH tunnel. I've personally found SecureCRT to work great for SSH 
  tunneling from windows boxes, although I'm sure a search in the
  archives would turn up plenty more.

- If pcanywhere supports [2] password caching, it might be a very 
  good idea to force the switch OFF (through regedit scripts) in 
  logon scripts or somesuch that the average joe won't know how 
  to work around. If you're using an SSH tunnel, it might also be
  a good idea to force password caching off in the SSH app as well.

  

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

[1] A recent DDoS episode I experienced involved 50+ boxes, all of
  which had pcANYWHERE or MS Terminal Services running on them,
  cramming a steady 3Mbps stream down our pipe. Too bad our pipe
  was 12 Mbps.

[2] "is plagued with" is probably a better term than "supports"
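The source-range limit and the SSH tunnel from the list above, as an added example that is not part of the original post: a POSIX shell script that emits default-deny iptables rules for pcANYWHERE's ports (TCP 5631 data, UDP 5632 status) and the matching OpenSSH port forward a client would use so the server port never has to be reachable from the internet. Server address, SSH gateway, user name and the allowed CIDR in the usage lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post.
# pcANYWHERE listens on TCP 5631 (data) and UDP 5632 (status/browse).
PCA_TCP=5631
PCA_UDP=5632

# pca_allowlist_rules SERVER_IP CIDR...
# Prints iptables commands, one per line: ACCEPT for each allowed source
# range, then an explicit DROP so anything not listed is denied.
pca_allowlist_rules() {
  server="$1"; shift
  if [ "$#" -eq 0 ]; then
    echo "pca_allowlist_rules: need at least one allowed source range" >&2
    return 1
  fi
  for src in "$@"; do
    echo "iptables -A INPUT -p tcp -s $src -d $server --dport $PCA_TCP -j ACCEPT"
    echo "iptables -A INPUT -p udp -s $src -d $server --dport $PCA_UDP -j ACCEPT"
  done
  # Default deny: these two lines are the whole point of the allowlist.
  echo "iptables -A INPUT -p tcp -d $server --dport $PCA_TCP -j DROP"
  echo "iptables -A INPUT -p udp -d $server --dport $PCA_UDP -j DROP"
}

# pca_tunnel_cmd USER SSH_GATEWAY PCA_HOST
# Prints the OpenSSH command that forwards 127.0.0.1:5631 on the client to
# the pcANYWHERE host through the SSH gateway. The forward is bound to the
# loopback address only, so other machines cannot ride the tunnel.
# Note: SSH port forwarding carries TCP only; UDP 5632 is not tunneled, so
# the client must be pointed directly at 127.0.0.1 rather than browsing.
pca_tunnel_cmd() {
  echo "ssh -N -L 127.0.0.1:$PCA_TCP:$3:$PCA_TCP $1@$2"
}

# Usage with placeholder addresses (constructed, RFC 5737 documentation ranges):
#   pca_allowlist_rules 192.0.2.10 198.51.100.0/24
#   pca_tunnel_cmd alice gw.example.com 192.0.2.10
```

With the firewall rules in place, only the listed ranges (typically the SSH gateway itself) can reach the pcANYWHERE ports, and remote users come in through the tunnel instead.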
-- 
Firewalls mailing list - [ [EMAIL PROTECTED] ]
To unsubscribe: http://www.isc.org/services/public/lists/firewalls.html
