Re: BEFVP41 -2003 SBS Help Please

From: Jeff Middleton [SBS-MVP] (jeff_at_cfisolutions.com)
Date: 08/18/04


Date: Wed, 18 Aug 2004 07:54:19 -0500

Couple of things to keep in mind about exposed ports, VPN, and security
concerns:

+ 1723 is authentication, it doesn't pass the data stream. Therefore, you
only get to talk to the authentication code. It's a very small amount of code,
not likely to be hacked, rarely has it been mentioned in vulnerabilities
(read: bugs, buffer overruns, etc.). It's not likely to be "busted open".
+ VPN data travels on a GRE port opened only on demand following
authentication, and it's fully encrypted if you follow best practices, and a
point to point link that is hard to fake or intercept as a stream in
real-time.
+ 1723 is an authentication port; if someone authenticates, they get in.
That's the purpose of the port. Therefore, you want to make sure that you
use strong passwords for any account you grant Dial-in/Logon Remote
permissions.
+ With Windows as the authenticator, password guessing on 1723 can be
prevented by policy which disables logon for a period of time after 3 or 10
bad attempts. This can be set differently for Dial-in than for local logon.
+ If you prevent a hacker from having more than a couple of tries, they
can't dictionary attack without triggering Security Audit alerts you can
monitor.
+ As always, web security isn't accomplished by simply locking every port
out that is possible; it requires monitoring the use of any open ports.
Detection and Auditing are not options, they are part of the security
concept.

The biggest risk of VPN exposed ports is that someone will use a much lower
level security breach to gain a username/password combo, then return to try
it on the VPN. For instance, if you don't properly protect your Exchange
server from relay, you can have username guessing performed against it by a
hacker simply attempting to relay mail by authenticating with a username they
know or suspect is good. When the email finally relays, they know they have
found a username/password match. If that same user has VPN rights, then they
have an authcode for the VPN.

The way you prevent that from happening to you is with best practices:

+ Monitor exposed authentication ports and processes, or lock them down.
+ Change passwords frequently on user/pass combos that are exposed to the
public, and high-speed connection authentications (that could be dictionary
attacked). This shortens the time cycle required to guess and breach in a
slow attack method.
+ Beat your users into submission. Do not share passwords or use them in a
casual manner. Don't use your phone number. Don't use one as your secret
word at the bank, the gym, your house alarm, your AOL account, your PC at
work, your VCR... and above all, don't write it down where people can glance
at it and steal it.
+ Monitor exposed authentication methods for inappropriate activity.
+ Did I mention monitoring?

"1723 port Attacked Lino" <1723 port Attacked
Lino@discussions.microsoft.com> wrote in message
news:28F47CA1-1746-4EDD-9CA1-6901DD725892@microsoft.com...
> Mark,
> Is there any way that port 1723 could be attacked from the Internet/public
> network? For example, by using Nmap from a Linux or Windows version, some "bad
> guy" out there could see that PPTP is open, not filtered... I have not tried
> to attack it myself, therefore I'm not confident to implement this method.
> Could you help?
> (As you know, with the Hping2 program there is nothing you can hide: your
> port, or how many interfaces/NICs the server has, if it has a public IP
> address)
> Lino
>
> "MarkC" wrote:
>
> > You are better off using the SBS to manage the vpn sessions for many
> > reasons.
> > MarkC
> >
> > "Lino" <Lino@discussions.microsoft.com> wrote in message
> > news:08794185-41A9-42A2-88AB-8FAFBEAFB6D5@microsoft.com...
> > > Please comment:
> > > Method 1: VPN Internet User --> Linksys VPN --> SBS 2003
> > > Figure: on VPN Box enable PPTP Pass Through and Port Forwarding 1723
> > > to SBS 2003.
> > > Outcome: This method is okay, it works fine. But VPN authentication is
> > > handled by SBS 2003, not the Linksys VPN router itself. In this case I
> > > don't see the effectiveness of this VPN.
> > >
> > > --> Help/Comment: How could I set it up so that the Linksys VPN Box
> > > handles the authentication, as I know it should be IPSec
> > >
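The two failure modes Jeff's post describes, dictionary guessing against the 1723 authentication that the dial-in lockout policy should stop, and a username/password first proven against Exchange relay authentication and then reused on the VPN, written up as an added detection example that is not from this thread. The log format, the sample events and the lockout threshold of 3 are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not real data): "<time> <service> <source_ip> <user> <result>".
# "pptp" is the 1723 authentication on the SBS box, "smtp" is Exchange auth for relay.
SAMPLE_LOG = """\
2004-08-18T07:00:01 pptp 203.0.113.9 alice FAIL
2004-08-18T07:00:02 pptp 203.0.113.9 alice FAIL
2004-08-18T07:00:03 pptp 203.0.113.9 alice FAIL
2004-08-18T07:00:04 pptp 203.0.113.9 alice FAIL
2004-08-18T07:10:00 smtp 198.51.100.7 bob FAIL
2004-08-18T07:10:05 smtp 198.51.100.7 bob OK
2004-08-18T07:15:00 pptp 198.51.100.7 bob OK
2004-08-18T07:20:00 pptp 192.0.2.44 carol FAIL
2004-08-18T07:30:00 pptp 192.0.2.44 carol OK
"""
LOCKOUT_THRESHOLD = 3  # the post's "3 or 10 bad attempts"; 3 is assumed here

def parse(log):
    """Return (timestamp, service, source_ip, user, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, service, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), service, src, user, result))
    return events

def lockout_hits(events, threshold=LOCKOUT_THRESHOLD):
    """Accounts whose consecutive PPTP failures reach the dial-in lockout
    threshold. Returns {user: (source_ip, failures)}; a success resets it."""
    streak, hits = defaultdict(int), {}
    for _, service, src, user, result in events:
        if service != "pptp":
            continue
        if result == "FAIL":
            streak[user] += 1
            if streak[user] >= threshold:
                hits[user] = (src, streak[user])
        else:
            streak[user] = 0
    return hits

def credential_reuse(events):
    """Credentials first proven on SMTP auth and later used to enter the VPN,
    the harvesting path the post warns about. Returns [(user, smtp_ip, vpn_ip)]."""
    smtp_ok, reused = {}, []
    for _, service, src, user, result in events:
        if result != "OK":
            continue
        if service == "smtp":
            smtp_ok.setdefault(user, src)
        elif service == "pptp" and user in smtp_ok:
            reused.append((user, smtp_ok[user], src))
    return reused
```

With the lockout threshold raised to 10, alice's four failures no longer trip it, which is the trade-off the post alludes to between 3 and 10 bad attempts.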