Great Circle Associates Firewalls
(July 1997)
 


Subject: Re: another Citrix Winframe query
From: John Whittaker <john @ credo . net>
Date: Tue, 08 Jul 1997 09:13:34 -0700
To: <@inreach . com @ uunet . uu . net>
Cc: firewalls @ greatcircle . com

hi,

we have been involved in an external-only penetration test involving a site
that had implemented winframe.  from the internet we were able to gain
access to all their internal systems through it.  including machines that
were not running ip. 

to secure it we secured the o/s and implemented strong authentication and
encrypted tunnels.

it seems to be a very good product, just not very secure out of the box.
it basically is a multi-user norton pc-anywhere on steroids.  it passes gdi
calls to a  remote client (ICA)(transmitting only screen changes).  this is
basically what microsoft has in mind for their hydra stuff.  so watch out.


primary security risks involved with implementing winframe:

#1	has weak authentication out of the box (multi-use passwords)
#2	has a 'ghost' feature
#3	as far as i know does not encrypt gdi deltas
	(someone could write a player to replay gdi calls)
#4	runs on a modified windowsNT platform 
	(make sure whoever installs it knows how to secure nt)

i hope this is helpful.


regards,

john.


At 08:03 PM 7/7/97 -0700, you wrote:
> I have been waiting for a post regarding Winframe. I have had a few
>clients that have implemented Winframe.
>
> What is Winframe?  Winframe is an X Windows server hosted on a NT Server.
>The idea is to put the power back at the server and save money by avoiding
>upgrading the clients!!!  Of course, the applications are executed at the
>server and if the network performance is good the end user performance is
>also good! 
>
> Beware, the entire technology is based on low bandwidth X windows. I am
>currently in progress of doing a security analysis of Low Bandwidth
>X....But to be truthful I haven't made much progress( I have to work; gets
>in the way )
>
>So I'm with Phil......What are the threats involved with this stuff???
>Is Low Bandwidth X more secure than X windows??? Less secure?? The same??
>
>By-the-way, thus far my recommendations to my clients are as follows:
>
>    If clients and server are on the internal net or a point-to-point
>remote office: Allow
>
>   If server is outside Firewall, hell no, the stuff is just X windows     
>  Drop, reject
>
>
>cheers
>
>John Dias
>
>independent consultant
>
>----------
>> From: Phil Burg <Phil . Burg @ CENTRAL . colesmyer . com . au>
>> To: 'firewalls @ greatcircle . com' <firewalls @ GreatCircle . COM>
>> Subject: another Citrix Winframe query
>> Date: Thursday, July 03, 1997 5:38 PM
>> 
>> G'day all
>> 
>> My apologies if this has been discussed before;  I searched the archives
>> but couldn't find this problem.
>> 
>> Some of my users want to connect, through our firewall, to a third-party
>> winframe server.  The client PCs will be connected to our LAN at the
>> same time as the remote server.  I'm wondering if there's a known
>> exposure
>> in the Winframe client software that would allow the client PCs to be
>> compromised ?
>> 
>> regards
>> Phil
>> --
>> Phil Burg
>> Technical Analyst
>> Information Systems Security
>> Coles Myer Ltd
>> (03) 9483 7613
>> 


-------------------------------------------------------------------------
John Whittaker                                                  CREDO NET
Vice President                  a division of Credo Computer Systems, Inc
-------------------------------------------------------------------------
              Providing your business with turnkey solutions                  
                for doing business in the information age.
-------------------------------------------------------------------------
           22941 Triton Way, Suite 241, Laguna Hills, CA  92653
(888) 88-CREDO                                       http://www.credo.net
                     http://www.zoneoftrust.com
