In 2011 I spent a little time working on improvements [1] in Nmap’s LDAP code. At some point during the work I stumbled across a way to work around Active Directory’s requirement for a secure connection when creating users via LDAP. This may be useful when testing an Active Directory environment where your only access is over LDAP without TLS support. I’d meant to write this up at the time but didn’t. I recently had to recreate the process so I thought I’d create a blog post as a form of documentation.
Category: TLS
Hardening Microsoft Remote Desktop Services (RDS)
As systems administrators we are often tasked with implementing countermeasures to mitigate risks that we can’t completely address. The intent of this post is to cover methods of reducing the risk presented by having Remote Desktop Services (formerly Terminal Services) available on the network.
The risks that I will cover are:
- Man in the Middle attacks
- Sniffing / Traffic capture
- Brute Force Attacks
- Information Disclosure
This post was updated 2019.05.28 to fix broken links, add commentary for Windows 2016 and Windows 2019, and add instructions for enabling CredSSP for WinXP as a client since the Microsoft link is dead.
Challenges for 2015
I think that for the rest of this year and early next year we are going to see quite a few challenges that will cause shifts in our platforms and user computing base. Some of these, such as the end of support for Windows XP and Server 2003, we have seen coming for quite a while and knew we had a deadline. Others were more along the lines of ‘yeah, that’s bad and we will fix it some day’. Over the last two years these slow-burning ‘some day’ issues have been fully ignited due to the Snowden releases and several SSL/TLS vulnerabilities turning the theoretical risk into practical and operational problems.
I don’t plan on going into too much detail here but what I want to do is to provide a list of some challenges that I think many of us will be facing over the next 12 months or so.
Challenges for 2015: End of support for Windows XP
If you provide support for an organization or an external customer user base then you are likely still having to support machines running Windows XP. Microsoft mainstream support for Windows XP ended on April 14, 2009 and extended support ended on April 8, 2014 [1]. This presented an immediate impact in that you could no longer contact Microsoft for support, paid or otherwise. The long term impacts will compound over time as security and operational needs require that we implement technologies that Windows XP does not support.
Unfortunately, so long as the OS is still working today it can be difficult to convince management and customers to upgrade. The intent of this post is to help make a business case for upgrading to a newer operating system by highlighting some of the challenges that XP users and those that support them will experience in 2015 and early 2016.
Using Nmap to find x509 (SSL/TLS) certificates that have SHA-1 and MD5 based signatures
A couple of months ago there was quite a bit of press about Google and Mozilla becoming more aggressive about how they handle x509 (SSL/TLS) certificates that have SHA-1 based signatures. The background for this is linked in the references section at the end of this post. In short, the SHA-1 cryptographic hash algorithm is considered too weak to be safely used as part of the public web PKI.
The impact for site operators and network security teams is that over the next two years browser users will begin to see warnings that indicate that a site is secure but with errors when it uses a SHA-1 certificate that expires after January 1, 2016. Sites will be flagged as insecure if the SHA-1 certificate expires after January 1, 2017. This is something that requires action now as certificates are generally bought or generated with at least a one year life but in many cases organizations are using 2, 3, or 5 year certificates.