Firewall Wizards mailing list archives

RE: RDP and security


From: "Dan Harp" <dan () brenius com>
Date: Tue, 6 Jan 2004 10:37:43 -0500

Not sure how this specifically relates to firewalls...

However, as stated by MS: "every version of RDP uses RSA Security’s RC4
cipher, a stream cipher designed to efficiently encrypt small amounts of
varying size data. RC4 is designed for secure communications over networks,
and is also used in protocols such as SSL, which encrypts traffic to and
from secure Web sites.

In Windows 2000, administrators can choose to encrypt the data using a 56-
or 128-bit key. Encryption is bi-directional except when using the ‘low’
security setting that only encrypts data from the client to the server
(which protects sensitive information such as passwords). The default
setting is “medium” which uses a 56-bit key to bi-directionally encrypt the
data. 128-bit encryption can be enabled after installing the Windows 2000
High Encryption Pack."

As previously stated, the largest flaw is the lack of pre-Windows
authentication. For a more secure system, a non-Windows authentication
should be first, and then once authenticated, access to the Terminal
Services/Remote Desktop authentication process (connected to Windows
authentication) should be granted.

Without writing your own pre-authentication system, or involving a 3rd
party, you could limit connections to TCP port 3389 based on allowed IP
addresses at your firewall.

Regards,


- Dan
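One way to put Dan's closing suggestion into practice, as an added example that is not code from the thread: a decision function that mirrors a first-match firewall evaluating inbound TCP/3389 against an allowlist, a generator for the equivalent iptables rules (explicit accepts, then a logged default drop), and a scan of dropped attempts in firewall log lines. The networks, addresses and log lines are constructed for the example.

```python
import ipaddress
import re

RDP_PORT = 3389

# Constructed allowlist for the example (documentation ranges, not real hosts).
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),   # hypothetical branch office
    ipaddress.ip_network("198.51.100.7/32"),  # hypothetical admin VPN egress
]

def rdp_verdict(src_ip, dst_port, proto="tcp", allowed=ALLOWED_SOURCES):
    """First-match evaluation: ACCEPT for allowlisted sources, DROP for
    anyone else reaching TCP/3389, NOT_RDP for traffic the rule ignores."""
    if proto != "tcp" or dst_port != RDP_PORT:
        return "NOT_RDP"
    addr = ipaddress.ip_address(src_ip)
    return "ACCEPT" if any(addr in net for net in allowed) else "DROP"

def iptables_rules(allowed=ALLOWED_SOURCES, chain="INPUT"):
    """Equivalent iptables commands: explicit accepts, then a logged default drop."""
    rules = [f"iptables -A {chain} -p tcp --dport {RDP_PORT} -s {net} -j ACCEPT"
             for net in allowed]
    rules.append(f"iptables -A {chain} -p tcp --dport {RDP_PORT} -j LOG --log-prefix 'RDP-DENIED: '")
    rules.append(f"iptables -A {chain} -p tcp --dport {RDP_PORT} -j DROP")
    return rules

# Constructed log lines in the shape iptables' LOG target emits (fields trimmed).
SAMPLE_LOG = """\
Jan  6 10:37:43 fw kernel: RDP-DENIED: IN=eth0 SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=3389
Jan  6 10:37:44 fw kernel: RDP-DENIED: IN=eth0 SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=51235 DPT=3389
Jan  6 10:38:01 fw kernel: IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=3389
Jan  6 10:38:05 fw kernel: IN=eth0 SRC=192.0.2.44 DST=10.0.0.5 PROTO=UDP SPT=5000 DPT=53
"""
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")

def denied_sources(log_text):
    """Count TCP/3389 attempts per source that the allowlist rejects; repeated
    hits from one address are the unauthenticated knocking the thread worries about."""
    counts = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and rdp_verdict(m["src"], int(m["dpt"]), m["proto"].lower()) == "DROP":
            counts[m["src"]] = counts.get(m["src"], 0) + 1
    return counts

if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    print(denied_sources(SAMPLE_LOG))
```

The allowlist only narrows who can reach the Windows logon prompt; it does not add the pre-Windows authentication step the message argues for.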


-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com 
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
Of GChen () allianz ca
Sent: January 6, 2004 9:21 AM
To: morty () frakir org
Cc: firewall-wizards () nfr com; 
firewall-wizards-admin () honor icsalabs com; TSimons () Delphi-Tech com
Subject: RE: [fw-wiz] RDP and security




Windows 2003 Server may have fixed the issue. It supports SSL for 
Terminal Services over the web.


From: TSimons () Delphi-Tech com
Sent by: firewall-wizards-admin@honor.icsalabs.com
To: morty () frakir org
cc: firewall-wizards () nfr com
Subject: RE: [fw-wiz] RDP and security
Date: 01/05/2004 08:24 AM


In our eyes the biggest design flaw is that there is no 
authentication prior to the Windows authentication.  PCs in a 
locked office are more secure than a Terminal Server out on 
the public internet... because you need a key to get into the office.

-----Original Message-----
From: Mordechai T. Abzug [mailto:morty () frakir org]
Sent: Friday, November 21, 2003 12:48 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] RDP and security



Anyone have any strong opinions on the security of RDP 
(Microsoft's terminal server/remote desktop protocol)?  
Poking around on the net, I see that they've had at least one 
design flaw that supposedly hasn't been fixed (i.e. server 
identification).  Any other design problems?

Thanks!

- Morty
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards




                      *******************************

This e-mail and any files transmitted with it are 
confidential and may be privileged and are intended solely 
for the use of the individual or entity to whom they are 
addressed.  If you have received this e-mail in error, please 
notify the sender immediately.  Please note that any views or 
opinions presented in this e-mail are solely those of the 
author and do not necessarily represent those of Allianz 
Canada.  Allianz Canada accepts no liability for any damage 
caused by the transmission of this e-mail.





