Re: RWW Restrictions

From: Therion (therion_at_outlook.com)
Date: 01/28/05


Date: Fri, 28 Jan 2005 09:41:47 -0600

Susan et al,

Before I begin, a bit of background: I am fairly new to the concept of
Windows server security as my previous experience is Unix. Don't get me
wrong, I have deployed many Windows servers over the years but the
environments I have deployed in were Corporate Unix shops where all external
facing equipment was Unix. Even in the Exchange situations I always
deployed it internally (until recently) and used Sendmail based gateways. So
it would be an accurate statement to say I have grown in this business with
the idea that Windows is inherently insecure, but that is changing... I am
now heavily focused on the SMB market with Server 2003 products being the
primary solutions.

Now that the resume is out of the way, I would like to get a better
understanding of the security issue brought out here. The debate here
unfortunately turned into arguing the primary "cause" for Larry's incident.
As Susan and others have pointed out, the password was the weakest link. I
will not argue that opinion. However I find myself both embarrassed and
concerned in light of what this has made me realize. The fact that the
administrator account cannot be prevented from logging in from these
external tools is, to say the least, disconcerting, but even worse is that I
am trying to learn how to disable this and coming up empty handed.

I understand the practice of renaming the default admin accounts and the
complexity it adds to potential compromise. A routine both Unix and Windows
admins should practice when feasible. I further understand the passphrase
versus password debates and the importance of strengthening them being
paramount. This may be a simple issue of what school of security you come
from, but I still am finding it hard to understand why this account cannot
easily be removed from accessing external tools like RWW. If this were a
capability, I know I would sleep better at night.

The probability of brute-forcing a box with a 10+ strong password is
unlikely; however, it IS doable. The factor that I consider on this path is
how long it would take. I have heard the arguments of how long it takes to
brute-force various length passwords with current computers. But I
have to say that has little weight with me as I have "witnessed" the use of
distributed processing for this purpose. So the question now takes a new
twist, what services can an attacker get the most cycles with? SMTP Auth
would be my gamble but form requests are right up there. With the average
SBS deployment, this could be done over a weekend and easily go unnoticed.

Now that I have rambled enough, let me be direct in my questions:

1) Am I crazy to be so concerned about the administrator account being
accessible externally?
2) Should I just create monitoring scripts to assess this type of thing in the
logs? I would love to hear from others who may be doing this.
3) Or am I totally off track and need to re-program my brain... I suspect I
will get a few of these. :-)

P.S. I am very excited and impressed with MS's security efforts as of late,
so I am not bashing MS, rather trying to comprehend what I am dealing with.

"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
news:%23oN3v2cAFHA.2568@TK2MSFTNGP10.phx.gbl...
> SuperGumby [SBS MVP] wrote:
>> RWW Administrator Console.
>>
>> Each machine on the network appears with a list of users allowed to
>> log onto that machine and whether they are allowed to log on locally,
>> remotely or both.
>>
>> In my dreams.
>
> That would be swell, but I'm not sure I'm going to waste a perfectly good
> dream on it. I have lottery winnings I'm very busy imagining. :)
>
>>
>> "Lanwench [MVP - Exchange]"
>> <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in
>> message news:uE2HMBaAFHA.3940@TK2MSFTNGP09.phx.gbl...
>>> Les Connor [SBS Community Member - SBS MVP] wrote:
>>>> You can disallow access to all the things you listed, by user. (but
>>>> not all in one place, it takes some poking). But you can't hide the
>>>> links in such a granular manner, at present.
>>>>
>>>> This is an excellent candidate for extending a wizard, but then we'd
>>>> get more whining from the anti-wizard folks ;-0.
>>>
>>> I'd rather have clearly labeled checkboxes in ADUC.
>>>
>>> <whines, gets smacked and sent to room for a time-out>
>>>
>>>
>>>>
>>>>
>>>> "Larry K" <tech@pcmavericks.com> wrote in message
>>>> news:%23mXSWcXAFHA.3824@TK2MSFTNGP10.phx.gbl...
>>>>> 'Cut off your nose to spite your face'
>>>>> The (non) features I want are to be able to allow or disallow users
>>>>> access to OWA, Application Server and/or Connect to my computer in
>>>>> RWW without the
>>>>> all or none mentality. Thanks to all who chimed in.
>>>>>
>>>>> Larry K
>>>>>
>>>>>
>>>>> "Les Connor [SBS Community Member - SBS MVP]"
>>>>> <les.connor@DEL.cfive.ca> wrote in message
>>>>> news:#vK3kWWAFHA.3016@tk2msftngp13.phx.gbl...
>>>>>> Might still be too big a hammer for the tack he is on ;-).
>>>>>>
>>>>>> Removing the 'connect to my computer' link for some users only
>>>>>> isn't an unreasonable request, I can see where it could be useful.
>>>>>> I don't think it
>>>>>> causes any harm, as the ability to log onto a workstation, and by
>>>>>> whom, can be controlled at the workstation. But some pesky users
>>>>>> are going to push all the buttons and click all the links they are
>>>>>> provided with. Perhaps in a future update or version.....
>>>>>>
>>>>>> --
>>>>>> Les Connor [SBS Community Member - SBS MVP]
>>>>>> -----------------------------------------------------------
>>>>>> SBS Rocks !
>
>
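On question 2 above (monitoring scripts over the logs), here is an added example that is not from this thread: a sliding-window counter of failed logons per account and source, run over a constructed, simplified CSV export of Security events. The column layout (timestamp,event_id,account,logon_type,source) is an assumption for the example; event IDs 529/4625 and logon types 3 (network) and 10 (remote interactive) are the real Windows values.

```python
"""Failed-logon burst detector (added example; assumed simplified log layout).

Each line of the constructed export is
    timestamp,event_id,account,logon_type,source
Event 529 (Windows 2003) / 4625 (later versions) is a logon failure; logon
types 3 and 10 are what attempts via RWW, OWA or SMTP AUTH show up as.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON_IDS = {529, 4625}
WATCHED_ACCOUNTS = {"administrator"}  # built-in admin gets a lower threshold

# Constructed sample: a password-guessing burst against Administrator from
# one external address, then one ordinary typo by a user who then succeeds.
SAMPLE_LOG = """\
2005-01-28 02:10:05,529,Administrator,3,203.0.113.5
2005-01-28 02:10:07,529,Administrator,3,203.0.113.5
2005-01-28 02:10:09,529,Administrator,3,203.0.113.5
2005-01-28 02:10:12,529,Administrator,3,203.0.113.5
2005-01-28 09:41:00,529,jsmith,10,192.168.16.20
2005-01-28 09:41:30,528,jsmith,10,192.168.16.20
"""

def parse(lines):
    """Yield (timestamp, event_id, account, logon_type, source) per line."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, eid, acct, ltype, src = raw.split(",")
        yield (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid),
               acct.lower(), int(ltype), src)

def detect_bursts(lines, threshold=5, watched_threshold=3,
                  window=timedelta(minutes=10)):
    """One alert per (account, source) whose failures reach the threshold
    inside any window-long span; watched accounts use the lower threshold."""
    recent = defaultdict(deque)  # (account, source) -> failure timestamps
    alerts, alerted = [], set()
    for ts, eid, acct, ltype, src in parse(lines):
        if eid not in FAILED_LOGON_IDS:
            continue
        key = (acct, src)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        limit = watched_threshold if acct in WATCHED_ACCOUNTS else threshold
        if len(q) >= limit and key not in alerted:
            alerted.add(key)
            alerts.append({"account": acct, "source": src, "logon_type": ltype,
                           "failures": len(q), "first": q[0], "last": ts})
    return alerts
```

Feeding the real export in place of SAMPLE_LOG (and widening WATCHED_ACCOUNTS to the renamed admin account) turns this into the weekend-watch the question describes.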