Remote Desktop security flaw !


A Heads-up: Remote desktop may have a leak

ZoneAlarm popped up with a notification yesterday, saying it detected a new VPN.
I immediately shut down my internet connection, and started looking.
The system log mentioned this:

Event Type: Information
Event Source: RemoteAccess
Event Category: None
Event ID: 20158
Date: 22-5-2004
Time: 14:57:1
User: N/A
Computer: SCORCHER
Description:
The user adsl.48241@hccnetbasis successfully established a connection to Internet using the device VPN6-1.

This scared the pants off of me, because I have set it such that nobody should be able to remotely connect to my desktop (control panel - system - remote tab - second check-box is empty)

Soo...tentative conclusion is that regardless of this setting, the remote desktop service on my pc does allow access to my pc.

I'm running XP-pro, and run the windows updater client on a daily basis (ie I'm "current")

Kind regards
Leo
 
Remote Desktop ain't VPN.....have you run a scan with updated antivirus
software to check for trojans? Do you ever use VPN to connect to this
computer from the outside (as in, do you recall setting up your computer to
allow inbound connections via VPN?) What's open inbound in ZA and how long
have you been using it? Did you ever connect 'bareback' to the Internet? Are
you on a network that perhaps has unprotected PCs?
 
Thanks for picking this up, LanWench

Please find answers to your questions in-line, below

----- Lanwench [MVP - Exchange] wrote: ----

Remote Desktop ain't VPN....

Leo says: Agreed, but I can only go with both the ZoneAlarm popup, AND the content of the system log message I pasted

have you run a scan with updated antivirus software to check for trojans?

Leo Says: Yes I have (Vexira, up to date), as well as Spybot S&D. Nothing found

Do you ever use VPN to connect to this computer from the outside (as in, do you recall setting up your computer to
allow inbound connections via VPN?)
Leo Says: Nope. I do use remote desktop to connect to a PC that I remotely manage. In this context, my PC is the client, not the server.

What's open inbound in ZA and how long have you been using it?
Leo Says: Been using ZA a couple of years. Regularly run ShieldsUp (www.grc.com) on all service ports. I'm rated "stealth"
I do have open ports above 1024 to allow for gaming on zone.com

Did you ever connect 'bareback' to the Internet?
Leo Says: No, never (perish the thought :))

Are you on a network that perhaps has unprotected PCs?
Leo Says: My PC is the gate to the family network. It is this machine that runs ICS. All connected PCs have ZA and Vexira running.
My Internet connection is ADSL, using a PPTP VPN dial-in into the ISP.
 
Leo said:
Thanks for picking this up, LanWench.

No worries!
Please find answers to your questions in-line, below.

----- Lanwench [MVP - Exchange] wrote: -----

Remote Desktop ain't VPN.....

Leo says: Agreed, but I can only go with both the ZoneAlarm popup,
AND the content of the system log message I pasted.

I forget exactly what to check for in the network applet as I never use
VPN/RRAS on Windows but I suspect you can see whether it's enabled in there?
have you run a scan with updated antivirus software to check for
trojans?

Leo Says: Yes I have (Vexira, up to date), as well as Spybot S&D.
Nothing found.

Try a second opinion for viruses at http://housecall.antivirus.com just for
fun.
Do you ever use VPN to connect to this computer from the outside (as
in, do you recall setting up your computer to allow inbound
connections via VPN?) Leo Says: Nope. I do use remote desktop to
connect to a pc that I remotely manage. In this context, my pc is the
client, not the server.

OK, so that won't be it anyway - and as I said, remote desktop is not VPN.
What's open inbound in ZA and how long have you been using it?
Leo Says: Been using ZA a couple of years. Regularly run ShieldsUp
(www.grc.com) on all service ports. I'm rated "stealth". I do have
open ports above 1024 to allow for gaming on zone.com.

Hmm - wondering whether that's a possible culprit.
Did you ever connect 'bareback' to the Internet?
Leo Says: No, never (perish the thought :))

You're a wise, wise man.
 
I do have open ports above 1024 to allow for gaming on zone.com.
Well, in order to connect to a running process on any machine, it has to run as a listener to a specific port.
So in order for someone to start a remote desktop session, the remote desktop server needs to listen to any of the ports listed in KB article Q240429, as those are used when playing on the zone.

In effect, I have not opened any ports manually, just allowing Combat Flight Simulator, and the zone-client to run as a server toward the Internet.

Summing up:
I believe I'm doing what I can to run a secure environment.
I was on the zone, playing CFS at the time.
Gameplay stalled, ZA prompted a message about the discovery of a VPN. I disallowed ZA to provide access.
Windows log showed a successful connection to my remote desktop server.

My concern is:
Remote desktop should not run as a server until I tell it to.
ZA might be flawed, as I don't believe Remote Desktop Server looks at any of the ports mentioned in KB Q240429 (correct me if I'm wrong pls).

Probable causes:
Network side of things:
Either Remote desktop listens to a port that is generic in nature (like upnp port 5000)
Or ZA has failed. (scary)

Application side of things:
Remote desktop answers requests by clients even though it is told not to (according to the log message that is).

LanWench, do you know which port the RD service would be listening at?

Leo
 
Leo said:
Well, in order to connect to a running process on any machine, it has
to run as a listener to a specific port. So in order for someone to
start a remote desktop session, the remote desktop server needs to
listen to any of the ports listed in KB article Q240429, as those are
used when playing on the zone.

In effect, I have not opened any ports manually, just allowing Combat
Flight Simulator, and the zone-client to run as a server toward the
Internet .

Summing up:
I believe I'm doing what I can to run a secure environment.
I was on the zone, playing CFS at the time
Gameplay stalled, ZA prompted a message about the discovery of a VPN.
I disallowed ZA to provide access. Windows log showed a successful
connection to my remote desktop server.

My concern is:
Remote desktop should not run as a server until I tell it to.
ZA might be flawed, as I don't believe Remote Desktop Server looks at
any of the ports mentioned in KB Q240429 (correct me if I'm wrong
pls).

Probable causes:
Network side of things:
Either Remote desktop listens to a port that is generic in nature
(like upnp port 5000) Or ZA has failed. (scary)

But what you're seeing isn't a remote desktop connection at all - it's an
inbound VPN connection. That's why I suggested looking into your network
properties to see if RRAS was enabled.....

Application side of things:
Remote desktop answers requests by clients even though it is told not
to (according to the log message that is).

LanWench, do you know which port the RD service would be listening at?

Again, if RD is not even enabled it isn't listening (but it's 3389 by
default).
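A way to verify the two points Lanwench makes, as an added example that is not part of the original thread and not code from either poster: it reads the Terminal Server registry value behind the Remote tab check-box, reads the configured RDP port instead of assuming 3389, looks for an actual TCP listener on that port in netstat output, and reports whether the Routing and Remote Access (RRAS) service that would accept an inbound VPN connection is running. The registry paths and the service names TermService and RemoteAccess are the standard Windows ones; the netstat line layout ("TCP local remote LISTENING pid") is assumed. A 2004-era XP box would not have PowerShell installed, so this is the check you would run on such a machine today.

```powershell
# Added example, not from the original thread. Answers "is Remote Desktop really
# listening, on which port, and is inbound RRAS/VPN enabled?" from the command line.
# Assumptions: standard Terminal Server registry keys, standard service names
# (TermService, RemoteAccess), and the usual "netstat -ano" line layout.

function Get-RdpExposure {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 is what the unchecked "Allow users to connect remotely
    # to this computer" box writes; 0 means the box is ticked.
    $denyValue  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($denyValue -eq 0)

    # The RDP listening port is configurable; read it rather than assuming 3389.
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    # A TCP socket in LISTENING state on that port is the only thing that makes the
    # machine an RDP server, regardless of what the UI says. Record who owns it.
    $listeners = @()
    foreach ($line in (netstat -ano)) {
        if ($line -match "^\s*TCP\s+(\S+):$port\s+\S+\s+LISTENING\s+(\d+)\s*$") {
            $ownerPid  = [int]$Matches[2]
            $localAddr = $Matches[1]
            $owner     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $ownerName = '<unknown>'
            if ($owner) { $ownerName = $owner.ProcessName }
            $listeners += New-Object PSObject -Property @{
                LocalAddress = $localAddr
                ProcessId    = $ownerPid
                ProcessName  = $ownerName
            }
        }
    }

    # Service state for Terminal Services (RDP) and Routing and Remote Access
    # (the component that would accept an inbound PPTP/VPN connection).
    $termSvc = Get-Service -Name TermService  -ErrorAction SilentlyContinue
    $rrasSvc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $termStatus = 'not installed'
    $rrasStatus = 'not installed'
    if ($termSvc) { $termStatus = $termSvc.Status }
    if ($rrasSvc) { $rrasStatus = $rrasSvc.Status }

    New-Object PSObject -Property @{
        RdpEnabledInUI    = $rdpEnabled
        RdpPort           = $port
        RdpListeners      = $listeners
        TermServiceStatus = $termStatus
        RrasServiceStatus = $rrasStatus
    }
}

$state = Get-RdpExposure
$state | Format-List

# The two findings worth acting on: a listener that the UI says should not exist,
# and an RRAS service that would make inbound VPN connections possible.
if ($state.RdpListeners.Count -gt 0 -and -not $state.RdpEnabledInUI) {
    Write-Warning "Something is listening on TCP $($state.RdpPort) although Remote Desktop is disabled in the UI - check the owning process."
}
if ($state.RrasServiceStatus -eq 'Running') {
    Write-Warning "Routing and Remote Access is running: this machine can accept inbound VPN connections."
}
```

Run it from an elevated PowerShell prompt so netstat can report the owning process IDs. A RemoteAccess event like the one pasted in this thread is written when a dial-up or VPN connectoid on this machine connects out; it says nothing about RDP, and the listener check above is how you confirm that separately.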
 
Oww...sometimes, I'd like to install a service pack in my old "Brain Mk-1"...

Event Type: Information
Event Source: RemoteAccess
Event Category: None
Event ID: 20158
Date: 21-5-2004
Time: 18:49:57
User: N/A
Computer: SCORCHER
Description:
The user adsl.48241@hccnetbasis successfully established a connection to Internet using the device VPN6-1.

That's the message in the log....

Guess who adsl.48241@hccnetbasis is.....
.....me.....

What I've been looking at is the PPTP VPN setup towards my ISP all along..

Gawd, that makes me feel stupid... I apologize Lanwench

Retreating to Siberia in shame..

Leo
 
Leo said:
Oww...sometimes, I'd like to install a service pack in my old "Brain
Mk-1"....

Event Type: Information
Event Source: RemoteAccess
Event Category: None
Event ID: 20158
Date: 21-5-2004
Time: 18:49:57
User: N/A
Computer: SCORCHER
Description:
The user adsl.48241@hccnetbasis successfully established a connection
to Internet using the device VPN6-1.

That's the message in the log.....

Guess who adsl.48241@hccnetbasis is......
....me......

What I've been looking at is the PPTP VPN setup towards my ISP all
along...

Gawd, that makes me feel stupid... I apologize Lanwench !

Retreating to Siberia in shame...

LOL .... Happens to us all; no worries!
The jury will please disregard the previous testimony.
 