Open-AudIT


All times are UTC + 10 hours




Posted: Thu Aug 03, 2006 10:03 pm
Moderator
Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Added detection for Remote Desktop and Terminal Servers.

Should also pick up thin clients like Wyse boxes that run RDP (using the nmap script) but I haven't checked this.

Also added a launcher to allow us to connect from the browser. (This throws back a suitable pre-configured RDP link when we click on the TRUE next to the server we want).

Also updated the admin_config page to switch on and off this feature and Mark's Detect XP without anti-virus.

Grab it from the CSV trunk if you want to try it out.

P.S. Switch the features on in Admin > Config otherwise you won't see them obviously!


Posted: Fri Aug 04, 2006 12:50 am
Contributor
Joined: Thu Jul 13, 2006 7:54 am
Posts: 156
Can we add this to system_summary page as well?


Posted: Fri Aug 04, 2006 2:51 am
Moderator
Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
imacs wrote:
Can we add this to system_summary page as well?


Update from the CSV and the image on the summary page of any Windows box is now clickable. Click it and it will attempt to RDP to it. :? A bit crude because I should check if RDP is running, but since I was working on this anyway I thought I'd share it with you.


Posted: Fri Aug 04, 2006 3:01 am
Yes, it is VERY crude. Might I say that it is detecting every single windows xp machine as running remote desktop? I think that is ridiculous. I specifically mentioned a part of WMI where we could check on the remote desktop information, specifically licensing. Remote desktop for windows XP is a complete joke, as only one user can be logged in at a time, so we should not be detecting it, as it gives the admin nothing to gain. I only want to detect terminal servers, not xp machines with the service running (despite the fact that even though it might be running, it might not even be accepting connections!). I don't think this should be a standard feature of OA......... This definitely needs some work, and I would prefer that the work gets completed before getting checked in, especially because I do not want anyone having trouble with features that might not be done.


Posted: Fri Aug 04, 2006 3:14 am
Contributor
Joined: Thu Jul 13, 2006 7:54 am
Posts: 156
Mike why so bitter??

Take a smoke or coffee break :-p


Posted: Fri Aug 04, 2006 5:20 am
Hmm, smoking is bad for you, so I think I'll skip that! 8) Basically, I don't see terminal servers as something to list on the main page. I mean, it's not critical, you think? The point of that main page is to quickly give you a list of what might be a problem on your network. If anyone is running WinXP, their terminal service is next to useless, so there's no point in tracking it. I'm not sure if power users can even enable it? The only time a terminal server is useful, is on a windows server box. And you should already know what's going on there. Hence, I don't think we *really* need an option to have it on the main page. My thoughts were to add it to the computer menu, similar to how the IIS settings are. Comments?


Posted: Fri Aug 04, 2006 5:36 am
Contributor
Joined: Thu Jul 13, 2006 7:54 am
Posts: 156
I missed the main page part ;-)

It's a nice feature to have at the click of a button... Main page viewing...ehhh not needed but you have the option if you want it


Posted: Fri Aug 04, 2006 5:43 am
And, I also want to make sure we're not creating a security vulnerability by storing rdp files on the server, which I think is happening (haven't looked too hard).


Posted: Fri Aug 04, 2006 5:39 pm
Moderator
Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
mikeyrb wrote:
Hmm, smoking is bad for you, so I think I'll skip that! 8) Basically, I don't see terminal servers as something to list on the main page. I mean, it's not critical, you think? The point of that main page is to quickly give you a list of what might be a problem on your network. If anyone is running WinXP, their terminal service is next to useless, so there's no point in tracking it. I'm not sure if power users can even enable it? The only time a terminal server is useful, is on a windows server box. And you should already know what's going on there. Hence, I don't think we *really* need an option to have it on the main page. My thoughts were to add it to the computer menu, similar to how the IIS settings are. Comments?


Well, it is optional, you can switch it off on the config page. As to storing rdp files on the server, they don't say anything you couldn't work out for yourself. They don't for example have a password, you need to enter that yourself.

I should really put this stuff in a development branch, but we don't have one yet.

Perhaps we should continue this debate on the Devs forum. :lol:


Last edited by A_Hull on Fri Aug 04, 2006 5:52 pm, edited 1 time in total.

Posted: Fri Aug 04, 2006 5:41 pm
Moderator
Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
mikeyrb wrote:
Yes, it is VERY crude. Might I say that it is detecting every single windows xp machine as running remote desktop?


The original idea was to highlight machines which might pose a security risk because they were running RDP, in the same way that we detect web servers, ftp and terminal servers.

So even if you think you only have VNC running, this will check to see if you are deluding yourself. The link to connect was just added so I could tell if RDP really was running.

It has proved useful in another sense because I can now connect to boxes simply by looking them up in OA without having to go back to windows.

The main page tab should only show those that OA has detected as running RDP (check the code and you will see this is the case), could it be that all of your XP boxes ARE running RDP, in which case telling you this is a good thing!

The link on the system_summary page however is not YET checking to see if the box is running RDP, however if you click the link and can't connect... it isn't. If there are any objections I'll remove it from the trunk. No problems.

As I say this should be in the developer branch, and is entirely optional, so if you don't need/like it, just switch it off.


Posted: Fri Aug 04, 2006 11:24 pm
Wrong! :lol: Terminal services on the XP laptop sitting next to me is started, but that doesn't mean you can connect to it. Even with Terminal Services started, XP needs a few entries in the registry before it allows connections. Terminal services is even set to manual, but was started because of two dependents: Fast User Switching Compatibility and Infrared Monitor. Of course, many machines might not have this started, because user switching is disabled on a domain, so it's useless. Why is Infrared Monitor dependent on TS? I have no freaking clue! My point is, though, that terminal services on an xp machine is pretty useless. Only in a beta release did they allow you to have two users connected at once. So, if you connect to an XP machine with RDP, you are forced to lock the other person's session. They cannot unlock it until you disconnect. If you would still like to detect it, I would suggest looking up the necessary registry keys, and checking those to see if connections are enabled. Then you will know if TS is really enabled!


Posted: Sat Aug 05, 2006 12:39 am
Moderator
Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
mikeyrb wrote:
Wrong! :lol: Terminal services on the XP laptop sitting next to me is started, but that doesn't mean you can connect to it. Even with Terminal Services started, XP needs a few entries in the registry before it allows connections. Terminal services is even set to manual, but was started because of two dependents: Fast User Switching Compatibility and Infrared Monitor. Of course, many machines might not have this started, because user switching is disabled on a domain, so it's useless. Why is Infrared Monitor dependent on TS? I have no freaking clue! My point is, though, that terminal services on an xp machine is pretty useless. Only in a beta release did they allow you to have two users connected at once. So, if you connect to an XP machine with RDP, you are forced to lock the other person's session. They cannot unlock it until you disconnect. If you would still like to detect it, I would suggest looking up the necessary registry keys, and checking those to see if connections are enabled. Then you will know if TS is really enabled!


Checking the registry key will tell you it's enabled, but will it tell you if it's getting through the firewall?! I don't know. Perhaps I also need to check if I can open the port. Mind you the same issue exists for most Windows Services including FTP, IIS/Apache etc since we may well have a situation where it seems to be running but ain't making it through the firewall. (Checking to see if we can open the port, while very easy from php, obviously depends on the system being ON when we load up the page, so even this is not flawless).

The original idea was simply to see if it was available, and therefore potentially a security risk, the click link then lets us see if it really, genuinely is running and servicing requests, although having the service enabled but not accepting connections is in itself a potential security risk. There is a simple logic to all of this. Hackers don't always play by the rules, best have it disabled if you are not using it...assuming Mr Gates will let you of course.


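The three signals debated in this thread (service state, the registry switch, and whether the port actually answers) combined into one classification, as an added example that is not part of the original posts or Open-AudIT's own code. It assumes the audit has already collected the service state (in `Win32_Service.State` wording) and the Windows `fDenyTSConnections` value; the function names, labels and sample hosts are hypothetical.

```python
import socket

# Windows switch that gates inbound RDP (0 = connections allowed):
# HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
RDP_PORT = 3389  # default RDP listener port


def port_open(host, port=RDP_PORT, timeout=2.0):
    """True if a TCP connection to host:port succeeds from the audit server."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_rdp(service_state, deny_ts_connections, reachable):
    """Combine the three signals into one label.

    service_state       -- audited state of the Terminal Services service
    deny_ts_connections -- audited fDenyTSConnections value, None if unknown
    reachable           -- port_open() result, or None if the host was not
                           probed (for example, it was off at page load)
    """
    if reachable:
        return "exposed"  # something answers on the RDP port right now
    if deny_ts_connections == 0:
        # Allowed in the registry but not confirmed from here: firewall,
        # host powered off, or a non-default port. Still worth flagging.
        return "enabled-unreachable" if reachable is False else "enabled-unverified"
    if service_state == "Running":
        # Started (perhaps only as a dependency); no evidence it accepts logons.
        return "service-only"
    return "disabled"


# Constructed sample audit rows: (name, service state, registry value, probe).
SAMPLE = [
    ("xp-laptop", "Running", 1, False),
    ("ts-server", "Running", 0, True),
    ("xp-desk", "Running", 0, False),
    ("xp-off", "Stopped", 0, None),
]


def summarize(rows=SAMPLE):
    """Map each host name to its RDP exposure label."""
    return {name: classify_rdp(state, deny, probe) for name, state, deny, probe in rows}
```
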