Firewall Wizards mailing list archives
RE: RDP and security
From: "Dan Harp" <dan () brenius com>
Date: Tue, 6 Jan 2004 10:37:43 -0500
Not sure how this specifically relates to firewalls... However, as stated by MS:

"Every version of RDP uses RSA Security's RC4 cipher, a stream cipher designed to efficiently encrypt small amounts of varying size data. RC4 is designed for secure communications over networks, and is also used in protocols such as SSL, which encrypts traffic to and from secure Web sites. In Windows 2000, administrators can choose to encrypt the data using a 56- or 128-bit key. Encryption is bi-directional except when using the low security setting that only encrypts data from the client to the server (which protects sensitive information such as passwords). The default setting is medium, which uses a 56-bit key to bi-directionally encrypt the data. 128-bit encryption can be enabled after installing the Windows 2000 High Encryption Pack."

As previously stated, the largest flaw is the lack of pre-Windows authentication. For a more secure system, a non-Windows authentication should be first, and then, once authenticated, access to the Terminal Services/Remote Desktop authentication process (connected to Windows authentication) should be granted.

Without writing your own pre-authentication system, or involving a 3rd party, you could limit connections to TCP port 3389 based on allowed IP addresses at your firewall.

Regards,
- Dan
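The source-address restriction Dan suggests, as an added example that is not part of his post or of any Microsoft documentation: a default-deny rule set for TCP/3389 generated from an allow-list, together with a local check that reproduces the firewall's first-match decision so the list can be tested before it is loaded. The CIDRs, the FORWARD chain (a Linux packet filter routing traffic to the Terminal Server) and the function names are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the list post: a default-deny policy for TCP/3389
# (the default RDP listener) keyed on source address, plus a local check that
# mirrors the firewall's first-match decision so the allow-list can be tested
# before it is loaded. The CIDRs are made-up documentation ranges (RFC 5737).
RDP_ALLOWED_SOURCES="203.0.113.0/24 198.51.100.7/32"

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# rdp_check SRC_IP [ALLOWLIST]
# Prints ACCEPT (exit 0) if SRC_IP falls inside any allowed CIDR, else DROP (exit 1).
rdp_check() {
  local src="$1" list="${2:-$RDP_ALLOWED_SOURCES}" cidr net bits mask s
  s=$(ip2int "$src")
  for cidr in $list; do
    case "$cidr" in
      */*) net="${cidr%/*}"; bits="${cidr#*/}" ;;
      *)   net="$cidr";       bits=32 ;;            # bare host address
    esac
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    if [ $(( s & mask )) -eq $(( $(ip2int "$net") & mask )) ]; then
      echo ACCEPT; return 0
    fi
  done
  echo DROP; return 1
}

# rdp_rules [ALLOWLIST]
# Emits iptables commands for a Linux filter in front of the Terminal Server:
# one ACCEPT per allowed source, then an unconditional DROP for everyone else.
# The FORWARD chain is an assumption: it fits a filter that routes to the server.
rdp_rules() {
  local list="${1:-$RDP_ALLOWED_SOURCES}" cidr
  for cidr in $list; do
    echo "iptables -A FORWARD -p tcp --dport 3389 -s $cidr -j ACCEPT"
  done
  echo "iptables -A FORWARD -p tcp --dport 3389 -j DROP"
}

# Demo: print the rules, then try a few source addresses against the policy.
rdp_rules
for ip in 203.0.113.45 198.51.100.7 198.51.100.8; do
  printf '%s -> %s\n' "$ip" "$(rdp_check "$ip")"
done
```

The order of the emitted rules matters: the ACCEPT lines must precede the catch-all DROP, which is why the generator always writes the DROP last. Note that this only narrows who can reach the listener; it is not the pre-Windows authentication Dan describes, and it assumes the server still listens on the default port 3389.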
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of GChen () allianz ca
Sent: January 6, 2004 9:21 AM
To: morty () frakir org
Cc: firewall-wizards () nfr com; firewall-wizards-admin () honor icsalabs com; TSimons () Delphi-Tech com
Subject: RE: [fw-wiz] RDP and security

Windows 2003 Server may have fixed the issue. It supports SSL for Terminal Services over the web.

TSimons () Delphi-Tech com
Sent by: firewall-wizards-admin@honor.icsalabs.com
01/05/2004 08:24 AM
To: morty () frakir org
cc: firewall-wizards () nfr com
Subject: RE: [fw-wiz] RDP and security

In our eyes the biggest design flaw is that there is no authentication prior to the Windows authentication. PCs in a locked office are more secure than a Terminal Server out on the public internet... because you need a key to get into the office.

-----Original Message-----
From: Mordechai T. Abzug [mailto:morty () frakir org]
Sent: Friday, November 21, 2003 12:48 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] RDP and security

Anyone have any strong opinions on the security of RDP (Microsoft's terminal server/remote desktop protocol)? Poking around on the net, I see that they've had at least one design flaw that supposedly hasn't been fixed (i.e. server identification). Any other design problems?

Thanks!
- Morty

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

*******************************
This e-mail and any files transmitted with it are confidential and may be privileged and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error, please notify the sender immediately. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of Allianz Canada. Allianz Canada accepts no liability for any damage caused by the transmission of this e-mail.
Current thread:
- RE: RDP and security TSimons (Jan 06)
- RE: RDP and security Timo Proescholdt (Jan 22)
- <Possible follow-ups>
- RE: RDP and security GChen (Jan 06)
- RE: RDP and security Dan Harp (Jan 22)