This plugin tests that the terminal service is vulnerable to the MiM
attack (by checking the rsa key is fixed) but does not test that the
password is weak. So we can't add that to the plugin output because
it is not linked with the test.


Nicolas

Well, I think the goal is to point out vulnerabilities with the service.
As you point out, it may be possible for someone to bruteforce accounts
through terminal services. However, this isn't really a vulnerability.
The results of Nessus do you make you aware that TS is reachable by the
scanner. Your lock out policy, account passwords, and any other number of
things can come into play. That's not what Nessus wants to inform you of.
Otherwise you'd get a lecture for any service that accepts credentials
(SSH, mySQL, Oracle, Web Admin directories, htaccess protected folder,
ftp, etc.).

The scanner is pointing out that the server is suceptible to a MITM attack
that can let an attacker grab all your traffic destined to TS server and
read as it RC4 wasn't applied. The link in the report should be there and
point to http://www.oxid.it/downloads/rdp-gbu.pdf. This does a pretty
good job of explaining the vulnerability and the risks.

Alternatively, if you are looking to protect yourself better. You can
setup firewall ACLs or use IPSec (with ACLs if you want). There's a
number of things you can do to minimize the risk..to include eliminating
it by terming off TS. ;)

Hope that helps.

Steven
securityzone.org