Compatible Support Forums

DS3Circuit

Everything posted by DS3Circuit

  1. During extensive investigation of the Remote Desktop Protocol (RDP), the protocol used to connect to Windows Terminal Services, we (Cendio Systems) have found that although the information sent over the network is encrypted, there is no verification of the identity of the server when setting up the encryption keys for the session. This means RDP is vulnerable to Man In The Middle attacks (from here on referred to as MITM attacks). The attack works as follows:
    1) The client connects to the server; however, by some method (DNS spoofing, ARP poisoning, etc.) we've fooled it into connecting to the MITM instead. The MITM sends the request further to the server.
    2) The server sends its public key and a random salt, in cleartext, again through the MITM. The MITM sends the packet further to the client, but exchanges the public key for another one for which it knows the private part.
    3) The client sends a random salt, encrypted with the server public key, to the MITM.
    4) The MITM decrypts the client's random salt with its private key, encrypts it with the real server's public key and sends it to the server.
    5) The MITM now knows both the server and the client salt, which is enough information to construct the session keys used for further packets sent between the client and the server. All information sent between the parties can now be read in cleartext.
    The vulnerability occurs because the clients by no means try to verify the public key of the server, sent in step 2 above. In other protocols, such as the Secure Shell protocol, most client implementations solve this, for example, by letting the user answer a question whether a specific server key fingerprint is valid. The clients we've seen so far for RDP have no way to preinsert a known server key. There is also no interaction with the user in order to verify a key the first time a connection is made to a new server.
    We have communicated with Microsoft in this matter, and they confirmed 2003-03-19 that the problem does exist in their current implementation. They are currently "investigating the feasibility in adding this functionality". They also point out that they do not claim that RDP has the functionality of providing server authentication. We feel that Microsoft is not taking this seriously enough. We know there are sites using Terminal Services to transfer sensitive data, and we feel that they need to be informed about this vulnerability in order to be able to protect their networks. This is why we publish this information at this moment. We've tested this vulnerability against Windows 2000 Terminal Server, Windows 2000 Advanced Server and the upcoming Windows Server 2003 using both the clients delivered with Windows 2000 and the latest downloadable RDP client from Microsoft. We have reason to believe that the vulnerability exists when running both RDP version 4 and 5, and regardless of terminal server mode. We have developed software that can be used to exploit this vulnerability, but we choose not to release it.
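The exchange in the advisory above, as an added toy model that is not Cendio's code and not the real RDP wire format: textbook RSA with tiny demo primes stands in for the server key, a SHA-256 of the two salts stands in for the session keys, and `client_key_exchange` carries the check the advisory says RDP clients lacked, comparing the fingerprint of the key that arrived with a pinned one (the SSH known-hosts idea) and refusing on mismatch. All names, the prime sizes and the salt bound are assumptions made for the demo.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass

# Toy model of the key exchange the advisory describes. Textbook RSA with tiny
# demo primes stands in for the server key and a SHA-256 of the two salts stands
# in for the session keys; none of this is the real RDP wire format.


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class KeyPair:
    public: PublicKey
    d: int


SALT_BOUND = 3000  # demo-only: keeps every salt below the smallest toy modulus


def make_keypair(p: int, q: int, e: int = 17) -> KeyPair:
    """Textbook RSA from two primes (demo sizes only; e must be coprime to phi)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return KeyPair(PublicKey(n, e), pow(e, -1, phi))


def encrypt(pub: PublicKey, m: int) -> int:
    return pow(m, pub.e, pub.n)


def decrypt(kp: KeyPair, c: int) -> int:
    return pow(c, kp.d, kp.public.n)


def fingerprint(pub: PublicKey) -> str:
    """What an SSH-style known-hosts entry pins: a hash of the public key."""
    return hashlib.sha256(f"{pub.n}:{pub.e}".encode()).hexdigest()


def session_key(server_salt: int, client_salt: int) -> str:
    """Step 5: the two salts are the only secret inputs to the session keys."""
    return hashlib.sha256(f"{server_salt}:{client_salt}".encode()).hexdigest()


def random_salt() -> int:
    return secrets.randbelow(SALT_BOUND - 2) + 2


class KeyMismatch(Exception):
    """Raised when the presented server key does not match the pinned fingerprint."""


def client_key_exchange(pub: PublicKey, server_salt: int,
                        pinned: str | None = None) -> tuple[int, str]:
    """Step 3 on the client: choose a salt and encrypt it to whichever key arrived.

    With `pinned` set, the client first checks the received key's fingerprint
    against the stored one and refuses on mismatch. This is the check the
    advisory says the RDP clients of the time did not perform.
    """
    if pinned is not None and fingerprint(pub) != pinned:
        raise KeyMismatch("server key fingerprint does not match the pinned value")
    client_salt = random_salt()
    return encrypt(pub, client_salt), session_key(server_salt, client_salt)


def run_exchange(server: KeyPair, substitute: KeyPair | None = None,
                 pinned: str | None = None) -> dict[str, str]:
    """Run the exchange end to end.

    Step 2: the server's key and salt go out in cleartext. If `substitute` is
    given, the key the client actually receives is the substitute's (what a
    party on the path would present). Whoever holds the private half of the
    presented key can recover the client's salt and derive the session key.
    """
    real_pub, server_salt = server.public, random_salt()
    presented = substitute.public if substitute is not None else real_pub
    enc_salt, client_side_key = client_key_exchange(presented, server_salt, pinned)
    holder = substitute if substitute is not None else server
    holder_side_key = session_key(server_salt, decrypt(holder, enc_salt))
    return {"client": client_side_key, "key_holder": holder_side_key}


def pinned_client_accepts(server: KeyPair, presented_by: KeyPair | None) -> bool:
    """True if a client that pinned the real server's fingerprint completes the exchange."""
    try:
        run_exchange(server, substitute=presented_by, pinned=fingerprint(server.public))
        return True
    except KeyMismatch:
        return False


if __name__ == "__main__":
    real = make_keypair(61, 53)
    other = make_keypair(101, 113)
    plain = run_exchange(real, substitute=other)
    print("no pinning, substituted key: keys agree ->", plain["client"] == plain["key_holder"])
    print("pinned fingerprint, substituted key: accepted ->", pinned_client_accepts(real, other))
    print("pinned fingerprint, genuine key: accepted ->", pinned_client_accepts(real, None))
```

Without a pin, the client ends up sharing a session key with whoever holds the private half of the key it was handed and has no way to notice; with the real server's fingerprint pinned, the substituted key is refused before any salt is sent. The first-connection case the advisory raises (no stored fingerprint yet) is exactly the case a pin cannot cover, which is why SSH clients ask the user at that point.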
  2. Quote: P.S.=> Isn't there an Administrator's Toolkit full of .msc things called ADMINPAK.MSI that you can download & install that can allegedly repair bogus or broken .msc shortcuts for the MMC console? http://download.microsoft.com/download/c/7/5/c750f1af-8940-44b6-b9eb-d74014e552cd/adminpak.exe Out of curiosity, have you been playing with ACLs and locked yourself out of running these tools? Besides the corrupted files APK, the running of these 2 snap-ins is also your goal, correct? Sorry, just a lot to absorb while on the clock ya know
  3. I am buried under a multi-site / multi-version MS Office migration to 2003 that has taken up much of my time. Without the need of 3rd party products, my superiors wish to track the migration dynamically. History: 1000+ users, Windows 2000 SP4, Active Directory, DFS / GPO software deployment. What I would like is to run a VBS login script that pulls exe version numbers, populates a SQL 2000 database, and then an ASP page pulls the data accordingly. I am stuck at how a VBS script would populate a SQL 2000 database. If anyone has some URLs and/or examples, you would certainly be making my life easier. If you need more information than what I have provided, fire away. Thanks as always. Edit: Alex, I hope you have run into this
  4. Busy is an ...... understatement Beautiful set of code. I am gonna go take it into the lab and pull it apart to see what works for us. If you are ever in my area, I owe you a cold one or two I'll keep ya posted on the outcome.
  5. I'll show my "ruff" vbs code here to get the info I am looking for. Thanks for the delphi examples. Looking at their logic always helps. Now I just need to figure out the code to populate a sql 2000 db. I have created a microsoft data link file (udl) file but this is where I get stuck. Thank you so much for the help so far
    ********************
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Dim RunSQL
    RunSQL = 0   ' set to 1 once the database side is in place
    sOfficeVer = GetOfficeVer()
    WScript.Echo "Version of Office installed (0 equals none): " & sOfficeVer

    If sOfficeVer = "2003" Then
        WScript.Echo "Version of Outlook: " & objFSO.GetFileVersion("C:\Program Files\Microsoft Office\OFFICE11\outlook.exe")
        WScript.Echo "Version of Excel: " & objFSO.GetFileVersion("C:\Program Files\Microsoft Office\OFFICE11\excel.exe")
        WScript.Echo "Version of Word: " & objFSO.GetFileVersion("C:\Program Files\Microsoft Office\OFFICE11\winword.exe")
        WScript.Echo "Version of PowerPoint: " & objFSO.GetFileVersion("C:\Program Files\Microsoft Office\OFFICE11\powerpnt.exe")
    End If
    If sOfficeVer = "2000" Then
        WScript.Echo "Version of Outlook: " & objFSO.GetFileVersion("C:\Program Files\Microsoft Office\OFFICE\outlook.exe")
        WScript.Echo "Version of Excel: " & objFSO.GetFileVersion("C:\Program Files\Microsoft Office\OFFICE\excel.exe")
        WScript.Echo "Version of Word: " & objFSO.GetFileVersion("C:\Program Files\Microsoft Office\OFFICE\winword.exe")
        WScript.Echo "Version of PowerPoint: " & objFSO.GetFileVersion("C:\Program Files\Microsoft Office\OFFICE\powerpnt.exe")
    End If
    If objFSO.FileExists("C:\Program Files\Microsoft Office\OFFICE\frontpg.exe") Then
        WScript.Echo "Version of Frontpage: " & objFSO.GetFileVersion("C:\Program Files\Microsoft Office\OFFICE\frontpg.exe")
    Else
        WScript.Echo "Frontpage 2000 Not Installed."
    End If
    If objFSO.FileExists("C:\Program Files\Microsoft Office\OFFICE11\frontpg.exe") Then
        WScript.Echo "Version of Frontpage: " & objFSO.GetFileVersion("C:\Program Files\Microsoft Office\OFFICE11\frontpg.exe")
    Else
        WScript.Echo "Frontpage 2003 Not Installed."
    End If

    If RunSQL = 1 Then RunSQLInstance sOfficeVer

    ' SQL 2000 Database Var Setup
    Function RunSQLInstance(sVer)
        Dim SQLConnection, SQLCommand
        Set SQLConnection = CreateObject("ADODB.Connection")
        ' SQL Connection String (the .udl file can be used instead: SQLConnection.Open "File Name=dbconnect.udl")
        SQLConnection.Open "Driver={SQL Server};server=(SQLSERVER.MYSITE.edu);database=Office;uid=sa;pwd=anything;"
        Set SQLCommand = CreateObject("ADODB.Command")
        SQLCommand.ActiveConnection = SQLConnection
        SQLCommand.CommandType = 1   ' adCmdText
        ' Table and column names are placeholders; the values travel as parameters, not concatenated into the SQL text
        SQLCommand.CommandText = "INSERT INTO OfficeInventory (Workstation, OfficeVer) VALUES (?, ?)"
        ' CreateParameter(Name, Type, Direction, Size, Value): 200 = adVarChar, 1 = adParamInput
        SQLCommand.Parameters.Append SQLCommand.CreateParameter("Workstation", 200, 1, 64, CreateObject("WScript.Network").ComputerName)
        SQLCommand.Parameters.Append SQLCommand.CreateParameter("OfficeVer", 200, 1, 8, sVer)
        SQLCommand.Execute
        SQLConnection.Close
    End Function

    Function GetOfficeVer()
        sRegPre = "HKLM\SOFTWARE\Microsoft\Office\"
        sRegPost = "\Common\InstallRoot\"
        Select Case True
            Case RegKeyExists(sRegPre & "11.0" & sRegPost)
                GetOfficeVer = "2003"
            Case RegKeyExists(sRegPre & "10.0" & sRegPost)
                GetOfficeVer = "2002"
            Case RegKeyExists(sRegPre & "9.0" & sRegPost)
                GetOfficeVer = "2000"
            Case RegKeyExists(sRegPre & "8.0" & sRegPost)
                GetOfficeVer = "97"
            Case Else
                GetOfficeVer = "0"
        End Select
    End Function

    Function RegKeyExists(sRegKey)
        Set oShell = CreateObject("WScript.Shell")
        RegKeyExists = True
        sRegKey = Trim(sRegKey)
        ' a trailing backslash makes RegRead address the key itself (its default value)
        If Not Right(sRegKey, 1) = "\" Then sRegKey = sRegKey & "\"
        On Error Resume Next
        RegReadReturn = oShell.RegRead(sRegKey)
        If Err Then
            If LCase(Left(Err.Description, 7)) = "invalid" Then
                ' key not found...
                RegKeyExists = False
            End If
            Err.Clear
        End If
        On Error Goto 0
    End Function
    ********************
    EDIT: Damn Smiley Faces [Edited by ds3circuit on 2004-10-21 19:03:25]
  6. moggs if you are in search of resetting your admin password ... use this http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html If you feel that the safe boot option has been corrupted, you can always add switches to your boot.ini to force a safe mode boot using msconfig.exe (under the boot.ini tab) HTH
  7. DS3Circuit

    Windows Or Mac?

    Oh just save the hassle in the end and buy the mac 8) You won't be able to play LAN games like Halo with PCs, but who cares, chicks dig dem lol
  8. DS3Circuit

    Nero Burning ROM 6.3.1.20

    Just a couple of things off the top of my head. 1) Have you tried different types of media? 2) CDRs or CDRWs? 3) Burning at a slower speed? 4) Different software to rule out an aspi.dll compatibility issue? I would also search these forums. http://clone.cd/phpBB/ HTH
  9. DS3Circuit

    IE6 SP1 xml download issue

    Beyond an administrative restriction placed on that file extension, and/or a corrupt association within HKEY_CLASSES_ROOT, my understanding of MSXML is the following: It is based on security zones and settings. The Access data sources across domains setting allows the user three options: Disable, Enable, or Prompt. The following are the four security zones and their defaults for the Access data sources across domains setting: Internet = Disable, Local intranet = Prompt, Trusted = Enable, Restricted = Disable. Also, access is denied if either of the following cross-protocol accesses is attempted (https to http access or http to https access). HTH
  10. DS3Circuit

    Can you UNDO a Ghost Image???

    http://www.ntcompatible.com/thread28751-1.html
  11. DS3Circuit

    XP Logon screen grey

    I am guessing that logonui.exe is crashing. SP2 installed? Are the same accounts logging out causing this grey screen? Event logs? What's the reason for 27 accounts on one machine? It just seems to me to be overkill unless ya got a BIG family
  12. DS3Circuit

    IE homepage keeps being replaced

    www.lavasoftusa.com http://www.safer-networking.org/en/index.html www.javacoolsoftware.com http://www.hijack-this.net/ Run the tools in safe mode.
  13. Correct. Adding those keys to your workstation should suppress that message. This is generally used in optimizing metaframe servers. But hey if it works for you, give it a whirl.
  14. DS3Circuit

    No Boot

    I would suggest using the Repair installation feature of XP so that you won't lose all your settings. You might want to try this if you feel the need to move your data and/or attempt another recovery (if at least to read the event logs) http://www.nu2.nu/pebuilder/ G'luck
  15. DS3Circuit

    Calculating the 'real' size of the registry

    HOW TO: Use the Registry Size Estimator Tool (Dureg.exe) http://support.microsoft.com/?kbid=317382
    With regards to the Registry Size Limit value that can be set under the Performance Tab in Windows 2000, this article should explain that. http://support.microsoft.com/?kbid=124594
    I would run the typical registry cleaner apps to optimize and shrink your current registry (Registry Healer / CCleaner / etc.)
    ---------------------
    On a side note Curley_Boy, if you wish to do some static and dynamic monitoring of your current registry environment, you can:
    1) WinDiff is a Resource Kit utility that compares files and directories before and after changes. You can use WinDiff with Regedt32 or Regedit to compare before and after results from Registry settings. Both Regedt32 and Regedit have ways of dumping the contents of keys or values to text files. In Regedt32, it is done using the Save Subtree As feature. In Regedit, you can use the Export Registry File feature to create a text .reg file. (From the command line, you can also use Regdmp from the Resource Kit, and the Regedit /e option to do basically the same thing as Regedt32 and Regedit.) The process is pretty straightforward. Create a text file dump of the keys you want to monitor before you make a system change, using one of the methods above. Then make your system change. You may be installing a new application or adding a new service. Any change that affects the Registry (which will be most things!) can be tracked in this way. After you make the change, rerun the dump method on the keys of interest and use WinDiff to compare the difference.
    2) WinDiff is great if you want to compare dumps of two Registry trees. However, if you need to compare keys or values in real time against a running system's Registry, you should familiarize yourself with the reg utility's compare option. Reg is the Swiss Army knife of Registry tools. The reg compare option replaces the CompReg utility that was available in NT 4.0's Resource Kit and lets you compare the contents of keys or values on local and remote machines.
    3) Regmon lets you spy on Registry activity that a given process creates. RegMon comprises an executable (regmon.exe) and a kernel-mode filter driver (regsys.sys) that installs by default when you first launch RegMon.
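Points 1) and 2) in the post above are about diffing registry dumps taken before and after a change. As an added example that is not from the post, the Resource Kit or any tool it names, here is a small Python parser for the text that Regedit's Export Registry File / regedit /e writes, plus a before/after comparison in the spirit of WinDiff that reports added, removed and changed values. The two exports are constructed samples; the key and value names in them (ExampleApp, ExampleSvc, the Run entries) are made up for the demo.

```python
from __future__ import annotations

# Constructed sample exports in the "Windows Registry Editor Version 5.00" text
# format; not taken from any real machine. The AFTER dump has a version bump, a
# new Run entry and a new service key, the kind of change one would want to see.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp]
"Version"="1.0"
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\ExampleApp\\update.exe"
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp]
"Version"="1.1"
"Enabled"=dword:00000001
"InstallDir"="C:\\Program Files\\ExampleApp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\ExampleApp\\update.exe"
"Helper"="C:\\Users\\Public\\helper.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
@="ExampleSvc"
"ImagePath"=hex(2):43,00,3a,00,5c,00,73,00,76,00,63,00,2e,00,65,00,78,00,65,00,\
  00,00
"""


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Parse a .reg export into {key path: {value name: raw value text}}.

    Values are kept as the raw text after "=" ("1.0" with quotes, dword:...,
    hex(2):...), which is all a before/after comparison needs. Multi-line hex
    values (a trailing backslash continues the value) are joined back together.
    The default value of a key is stored under the name "@".
    """
    keys: dict[str, dict[str, str]] = {}
    current: str | None = None
    pending: tuple[str, str] | None = None  # (name, partial value) across a continuation
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            name, partial = pending
            partial += line.rstrip("\\").strip()
            if line.endswith("\\"):
                pending = (name, partial)
            else:
                keys[current][name] = partial
                pending = None
            continue
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"value line before any key: {line}")
        if line.startswith("@="):
            name, value = "@", line[2:]
        elif line.startswith('"'):
            end = line.index('"=', 1)
            name, value = line[1:end], line[end + 2:]
        else:
            raise ValueError(f"unrecognised line: {line}")
        if value.endswith("\\"):
            pending = (name, value[:-1].strip())
        else:
            keys[current][name] = value
    return keys


def diff_reg(before: dict[str, dict[str, str]],
             after: dict[str, dict[str, str]]) -> dict[str, list]:
    """Compare two parsed dumps; tuples are (key, name, value) or (key, name, old, new)."""
    report: dict[str, list] = {"new_keys": [], "added": [], "removed": [], "changed": []}
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        if key not in before:
            report["new_keys"].append(key)
        for name in sorted(set(b) | set(a)):
            if name not in b:
                report["added"].append((key, name, a[name]))
            elif name not in a:
                report["removed"].append((key, name, b[name]))
            elif a[name] != b[name]:
                report["changed"].append((key, name, b[name], a[name]))
    return report


if __name__ == "__main__":
    result = diff_reg(parse_reg(BEFORE), parse_reg(AFTER))
    for kind, entries in result.items():
        for entry in entries:
            print(kind, entry)
```

Regedit version 5.00 exports are written as UTF-16 with a byte-order mark, so read the files with that encoding before handing the text to parse_reg. Comparing raw value text keeps the parser short; if you need to see the decoded string behind a hex(2) value, decode the comma-separated bytes as UTF-16LE.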
  16. DS3Circuit

    Thanks for being such a cool dude Philipp

    Well I can most definitely say that my experience with computers does not go back as far as the two of you. It began with a Tandy TRS-80 that then jumped to a NEC 166 Ready 9702 Series PC. I remember messing with PCs in school that were 486 DX running WFW 3.11. What actually pulled me into computers was programming for Zilog processors on the TI-85. I needed a machine to dump the ROMs and the NEC is what did it. Guess you could say I have been doing PCs for about 9 years.
  17. DS3Circuit

    Windows 2K and Speedtouch USB problems

    I would also uninstall and reinstall the latest version of your WinPoet client software.
  18. DS3Circuit

    Wired/Wireless LAN with Dialup Connection

    http://www.wown.com/ I would check to see what mode the access point is running in (bridge or router mode). What model is it? Secondly, why are you using a crossover cable to connect the switch to the access point? Crossover cables are meant for PC to PC or switch to switch. Any chance the access point does DHCP? If so, make it hand out leases, with itself as the gateway. The 2nd NIC on the machine should not have a gateway assigned to it. Since static IPs don't rectify the problem, it's a routing issue. I would check the cable and check the settings on the access point .... provided your ICS is set up correctly on the PC.
  19. DS3Circuit

    what the hell happened to this forum

    Quote: Originally posted by ds3circuit: I had an insane day with the HelpDesk being "slower" than usual. Well, here's one for you - Thank goodness for it being busy, gets you paid! And, a 100 years from now? Who's going to care! (LOL, hope I am right on the latter statement! You never know!) haha, unfortunately I didn't mean slow as in lack of calls. I meant slow as in the field techs forgetting how to build mailboxes, to run ad-aware, to looking at event logs. As if they all rode the lil yellow bus to work that day ;-). I am not poking fun at those who do this as a living. I myself still do it when a "forklift" operation occurs within our IT department. In the end, I suppose I only have myself to blame since I didn't build a bulletproof environment and then fully train those techs to support that environment ........ nah lol 8) Well I am impressed the clutch got his MVP in directory services. I see those guys floating about on the net and their knowledge of said MS products is profound.
  20. If ghost is the desired solution then http://service1.symantec.com/SUPPORT/gho...v=&osv_lvl= Altiris, IIRC, uses Sidgen. And SID maintenance is done the MS way through sysprep, which I should mention is the only supported method.
  21. LOL French roast coffee makes me move fast
  22. Depends on your environment. If you have Active Directory, then use a combo of Sysprep (similar hardware) / Syspart (dissimilar hardware) and RIS. If not, then use a deployment solution such as Ghost, Altiris, LanDesk, etc. Build the image, install the software, test the software, build a default profile, test again, image the master machine, and then deploy.
  23. DS3Circuit

    Remote Install Network Printers HELP!!!!

    5379 » How do I programmatically create a printer and printer port by using the PrinterAdmin tool (Prnadmin.dll) and a Visual Basic script in Microsoft Windows 2000? http://www.jsiinc.com/SUBK/tip5300/rh5379.htm
  24. DS3Circuit

    Disabled Registry Editor question

    Does the shell make a difference? If you can't start the process from START / RUN, does regedit start from CMD.EXE? Have you been playing with local policies on the machine? Can you access your registry with a 3rd party tool? http://www.resplendence.com/reglite Besides running a fully updated AV, I would also run adaware and spybot.
  25. Check to see if your DHCP service is running. If not, try to start the service. If it is a dependency failure, read this article. It is a known issue. DHCP Client Initializes Improperly and Causes an Invalid IP Address http://support.microsoft.com/default.aspx?scid=kb;en-us;812335 HTH