Why does Terminal Services show up as a medium risk?

Terminal Services is considered 'medium risk' by us. I'll explain the rationale and then follow up with an explanation of how to indicate to the system that you are not concerned about this perceived 'risk' and have it removed from the reports and the score.

We consider this a medium risk for the following reasons:

  • This should not be available on external IPs, and medium risks on external-facing IPs are issues to be fixed. However, it's perfectly acceptable to have it on internal IPs (if the policy of the organization is to allow it), and this is in line with the fact that medium risks are acceptable for internal IPs (high risks are not, though).

  • Medium risks, especially on internal IPs, are not necessarily critical vulnerabilities that need to be fixed; they are issues we want you to acknowledge. If they were critical they would be high risk. If they were negligible they would be low. Terminal Services is neither: it's not a critical issue, but it is certainly something we want you to look at and say: "Yes, I realize I have Terminal Services, and yes, it is OK."

  • One other reason Terminal Services is medium risk is that guessing a valid username and password (possibly using another vulnerability present) gives complete control over the system, as if you were sitting next to it. Unlike file sharing and other logins, Terminal Services gives full and unrestricted control, remotely. Again, we realize you know all this, but we want to highlight it and have you give it one more thought: can it be filtered to allow only certain IPs to access it? Is the username/password on it tight enough? etc.
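One way to act on the "can it be filtered to allow only certain IPs" question above is to scope the host's own firewall rule for the Remote Desktop port. The snippet below is an added example, not part of this article and not a feature of the scanning product: it assumes an elevated PowerShell session on a Windows host with the NetSecurity module (Windows 8 / Server 2012 and later), that RDP listens on its default port 3389, and that the management subnet shown is a placeholder you replace with your own.

```powershell
# Added example: restrict inbound RDP (TCP 3389) on a Windows host to a management subnet.
# Assumptions: elevated PowerShell session; the subnet below is a placeholder, not from the
# article; the host uses the default RDP port 3389.

$ManagementSubnet = '10.0.5.0/24'   # placeholder management subnet, replace with your own

# 1. Confirm the host is actually listening on the RDP port (nothing to scope if it is not).
$listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
if (-not $listening) {
    Write-Output 'TCP 3389 is not listening; no Terminal Services exposure on this host.'
    return
}

# 2. Disable the built-in "Remote Desktop" rule group, which allows any remote address once
#    RDP is enabled, so that the only inbound path is the scoped rule created below.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 3. Create (or update) an explicit allow rule limited to the management subnet.
#    Only the Domain and Private profiles are included, so RDP stays closed on Public networks.
$ruleName = 'RDP - management subnet only'
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $ManagementSubnet -Enabled True
} else {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $ManagementSubnet -Action Allow -Profile Domain,Private | Out-Null
}

# 4. Verify: list every enabled inbound allow rule that covers TCP 3389 together with its
#    remote-address scope. Any row showing "Any" is still an unfiltered path.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

The verification step is the part worth keeping around: after the scanner flags Terminal Services on a host, running it tells you whether the finding is an unfiltered listener or one already limited to an allowed range, which is exactly the judgement the 'ignore' workflow below asks you to make and document.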

Following the rationale above, you may find medium risk vulnerabilities that you will want to 'ignore', that is, you have understood the issue at hand and feel it does not apply to your organization. That is perfectly acceptable and in fact is a natural next step: we don't expect you to fix all medium risks; we just want to let you know they are there. To have the system 'ignore' that issue:

  • Go to the portal, visit the 'vulnerabilities summary' page ("Vulnerabilities" tab) and click through to the vulnerabilities list for this server or network.

  • Click the checkbox next to the vulnerabilities you want to ignore and scroll down the page to where it says "Mass Ticket creation".

  • Change the state to 'ignore', and optionally document why you decided to ignore this vulnerability (recommended).

  • Click on 'create' and tickets will be created for the vulnerabilities selected, all in 'ignore' state.

The vulnerability will no longer appear in the report and summary, and will not affect the score. If in the future you would like to 'unignore' these issues or to search for them specifically (for example, to see the list of machines that have Terminal Services), you can explicitly search for this issue.

Just to summarize, we don't categorize this as a false positive: the issue is real and is there, but you can correctly say it is irrelevant to your network and 'ignore' it.
