Security Basics mailing list archives
Re: Accessing corporate servers through the web..
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Sun, 16 Nov 2003 13:37:42 +0100
On 2003-11-14 Ronish Mehta wrote:
> What are the security implications of allowing a server to be accessed from the Web using:
> (a) Telnet (on a Linux machine): (password is sent in clear text, may be captured by a potential hacker, any other risks?)

Isn't that bad enough? Anyway: Not only authentication is unencrypted, but the content as well. You can configure the telnet service to use NTLM authentication, but that will affect only authentication and will prevent you from logging in with non-MS telnet apps (AFAIK).

> (b) FTP (default FTP service on a Linux machine)

Cleartext passwords. Unless you need anonymous FTP I suggest you rather switch to SFTP.

> (c) Terminal Services (win 2K server)

Weak encryption, but a lot better than telnet. Citrix MetaFrame is even better, but also more expensive.

> (d) VNC (win 2K server)

Most VNC servers I know of don't support encryption (there may be others), so you are again transferring unencrypted data through the net. And I fail to see why one would want to use VNC on a Windows 2000 server.

You can work around the problems of weak or no encryption by using VPNs or encrypted tunnels and the like, but that may not be feasible in any case.

What are you trying to accomplish, if I might ask?

Regards
Ansgar Wiechers
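
Added example, not part of the original post: a small audit that flags the four services discussed in this thread when they listen on a non-loopback address, since a listener bound only to loopback can be reached solely through a VPN or encrypted tunnel ending on the host. The socket listing is constructed sample data in the layout of `ss -tln`; the port numbers are the standard defaults and the VNC range 5900-5909 is an assumption.

```python
import ipaddress

# Services from the thread and the concern the reply raises for each.
# Port numbers are the standard defaults (VNC display N listens on 5900+N).
RISKY = {
    21: ("ftp", "cleartext passwords; prefer SFTP"),
    23: ("telnet", "login and session content unencrypted"),
    3389: ("terminal-services", "weak encryption; tunnel or VPN it"),
}
RISKY.update({p: ("vnc", "usually no encryption; tunnel or VPN it")
              for p in range(5900, 5910)})

# Constructed sample in the layout printed by `ss -tln` (not real output).
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      32     0.0.0.0:21         0.0.0.0:*
LISTEN 0      128    [::]:23            [::]:*
LISTEN 0      5      127.0.0.1:5900     0.0.0.0:*
LISTEN 0      5      192.0.2.10:5901    0.0.0.0:*
"""

def is_loopback(host):
    """True only for addresses reachable from the machine itself."""
    host = host.strip("[]").split("%")[0]    # drop IPv6 brackets / scope id
    if host == "*":                          # wildcard: every interface
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                         # unparseable: treat as exposed

def audit(listing):
    """Return (port, service, note) for risky listeners not bound to loopback."""
    findings = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                         # header or non-listening socket
        host, _, port = fields[3].rpartition(":")
        if port.isdigit() and int(port) in RISKY and not is_loopback(host):
            findings.append((int(port), *RISKY[int(port)]))
    return sorted(findings)

if __name__ == "__main__":
    for port, service, note in audit(SAMPLE):
        print(f"{port}/tcp {service}: {note}")
```

In the sample, the VNC listener on 127.0.0.1:5900 is not reported because it is only reachable through a tunnel, while the one on 192.0.2.10:5901 is.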