Security Basics mailing list archives

RE: Remote Web Workplace security


From: "Dana Epp" <dana () vulscan com>
Date: Thu, 9 Mar 2006 13:50:09 -0800

So apply two factor authentication to auth against the inbound
connection before prompted for the RWW login session. That's exactly
what we do.

We use Cryptocard tokens against a Sonicwall TZ170 in front of the SBS
machine. The firewall communicates with the authentication server on the
SBS box via RADIUS, authorizing RWW, Sharepoint and TS/RDP only after
authing the incoming user. Even if the incoming machine had hostile code
capturing the credentials it is USELESS to them in a follow up session
since the OTP (one time password) is dead. They can't even touch the
Active Directory as the firewall won't let them in.

RWW has other benefits over traditional VPN. First off, you aren't
providing a layer 3 connection to the network. Everything is proxied
through RWW. You have a PASSIVE connection to Outlook Web Access, and
require secondary auth to the corporate intranet, if you need it. And
you don't have to configure ANY software to use it. No VPN client setup
required at all.

RWW is one of the hidden golden gems Microsoft has... And it's only
available in Small Business Server. For mobile users it is a much safer
connection than worrying about VPN issues.


Regards,
Dana Epp 
[Microsoft Security MVP]
http://silverstr.ufies.org/blog/
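The gate Dana describes (firewall authenticates the inbound user via RADIUS with a one-time password, and only then proxies RWW/SharePoint/RDP, so a keylogged OTP is dead in any follow-up session) can be modelled in a few dozen lines. The following is an added example, not code from the thread or from any Cryptocard, SonicWall or Microsoft product; it assumes an event-counter token in the style of HOTP (RFC 4226) as a stand-in for the real token, the user name `alice`, a constructed secret, and documentation-range IP addresses. The RADIUS transport itself is omitted; the point shown is the replay behaviour.

```python
import hmac
import hashlib
import struct

# Assumption (not from the thread): the token is an HOTP event-counter token
# (RFC 4226). The real Cryptocard/RADIUS wire details are not on the page.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpGateway:
    """Models the firewall/RADIUS gate in front of the SBS box: a source address
    may reach the proxied services only after a fresh OTP has been accepted."""

    SERVICES = {"rww", "sharepoint", "rdp"}   # what the gate proxies; nothing else

    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead
        self.users = {}      # username -> {"secret": bytes, "counter": int}
        self.sessions = {}   # source_ip -> username with an authorized session
        self.log = []        # constructed audit trail, one line per decision

    def enroll(self, username: str, secret: bytes) -> None:
        self.users[username] = {"secret": secret, "counter": 0}

    def authenticate(self, username: str, otp: str, source_ip: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            self.log.append(f"DENY unknown user {username!r} from {source_ip}")
            return False
        # Only counters at or beyond the stored one are candidates. Any code a
        # keylogger captured earlier lies below the counter and can never match.
        for c in range(rec["counter"], rec["counter"] + self.look_ahead):
            if hmac.compare_digest(hotp(rec["secret"], c), otp):
                rec["counter"] = c + 1     # burn this code and every earlier one
                self.sessions[source_ip] = username
                self.log.append(f"ALLOW {username} from {source_ip} (counter {c})")
                return True
        self.log.append(f"DENY {username} from {source_ip}: stale or wrong OTP")
        return False

    def is_allowed(self, source_ip: str, service: str) -> bool:
        """Firewall policy: proxied service AND an authenticated session."""
        return service in self.SERVICES and source_ip in self.sessions

    def logout(self, source_ip: str) -> None:
        self.sessions.pop(source_ip, None)


def demo() -> dict:
    """Walk through the scenario from the post and return the decisions made."""
    gw = OtpGateway()
    secret = b"12345678901234567890"   # RFC 4226 test secret, constructed sample
    gw.enroll("alice", secret)

    # Legitimate login from a kiosk; hostile code on the kiosk records the OTP.
    first_otp = hotp(secret, 0)
    first_ok = gw.authenticate("alice", first_otp, "198.51.100.10")
    rww_ok = gw.is_allowed("198.51.100.10", "rww")
    ad_ok = gw.is_allowed("198.51.100.10", "ldap")   # not proxied: stays blocked

    # The captured credentials are replayed later from another address.
    replay_ok = gw.authenticate("alice", first_otp, "203.0.113.7")
    replay_reaches_rww = gw.is_allowed("203.0.113.7", "rww")

    # Alice's next token press (counter 1) still works normally.
    second_ok = gw.authenticate("alice", hotp(secret, 1), "198.51.100.10")

    return {
        "first_ok": first_ok, "rww_ok": rww_ok, "ad_ok": ad_ok,
        "replay_ok": replay_ok, "replay_reaches_rww": replay_reaches_rww,
        "second_ok": second_ok, "log": gw.log,
    }


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

The design point is the counter: once a code is accepted, the stored counter moves past it, so the same code never validates again regardless of who presents it. The remaining window is between capture and the legitimate user's own first use; an event-counter gate cannot tell those apart, which is why the audit log records the source address of every ALLOW so an unexpected origin can be spotted after the fact.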

-----Original Message-----
From: Paul Halliday [mailto:paul.halliday () gmail com] 
Sent: Thursday, March 09, 2006 3:42 AM
To: ROB DIXON
Cc: davidj () comparto com au; security-basics () securityfocus com
Subject: Re: Remote Web Workplace security

My reasoning is that the semantics of the connection method are not as
important as the trust relationship between the connecting host and the
workplace. The pipe to your workplace (regardless of the method that you
use to secure it) is not the weakest link; the connecting party is. From
a due diligence perspective it only makes sense to use a VPN to connect
to your workplace. However, this does not eliminate the more common
threat, which would be a compromised host establishing the connection.

If I rolled something like this out, my last concern would be someone
trying to attack the tunnel itself; this is why we have IDS/IPS. But if
someone makes off with the credentials of the connecting party, or if
the connecting party is no longer in control of their machine, we have
no way to detect or prevent it. Unless you can ensure a trust
relationship between the VPN and all machines that will ever connect to
it, worrying about the details of the connection method is the least of
your worries.

On 3/7/06, ROB DIXON <RDIXON () workforcewv org> wrote:
Hi David,

Without of course illustrating an attack, could you explain your 
comment regarding "I would fire a keylogger onto your machine far
quicker than attempting to MITM your rdp session."?
In other words, which connection method are you stating is more
vulnerable to which attack?

Thanks



Robert L. Dixon,  CSO
CHFI A+
State of West Virginia's
West Virginia Office of Technology
Infrastructure Applications
Netware/GroupWise Administrator
Telephone: (304)-558-5472 ex.4225
Email: rdixon () workforcewv org
"Paul Halliday" <paul.halliday () gmail com>  >>>
On 3 Mar 2006 02:09:31 -0000, davidj () comparto com au 
<davidj () comparto com au> wrote:

My fellow Sys Admin has been pushing the 'Remote Web Workplace' as
the remote connection option to our clients. Where I prefer the Remote
Desktop through VPN whenever possible.

I understand the straight Remote Desktop has RC4 security which is
rather weak. I don't believe this has been improved when using the
'Remote Web Workplace' method? Am I wrong?

I want to make it policy that Remote Desktop connections via a VPN
must always be used before the 'Remote Web Workplace', whenever
possible.
Am I being paranoid?

Yes you are. I would fire a keylogger onto your machine far quicker 
than attempting to MITM your rdp session.


Thanks

Dave J

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------




