Full Disclosure mailing list archives
Re: RDP, can it be done safely?
From: Larry Seltzer <larry () larryseltzer com>
Date: Thu, 10 Jun 2010 05:44:27 -0400
All right, I guess you've got a point. I reflexively say VPN at times like this because the very few reported RDP attacks I've seen have been MITM attacks of the sort that VPNs effectively block. But a client certificate/TLS implementation accomplishes the same thing and all you have to open is the RDP port.

On Wed, Jun 9, 2010 at 11:58 PM, Thor (Hammer of God) <Thor () hammerofgod com> wrote:
I request that you start thinking about RDS/TS/RDP as a “direct” technology. Treating access via RDP as something that one must first VPN/RAS into a corpnet first in order to secure properly obscures what one might consider obvious: If you require me to logon to your network via VPN first before I can subsequently connect to internal RDP resources, one might consider the VPN endpoint as the primary authentication point. As such, one might logically conclude that since access was granted via the VPN, that internal access to RDP resources would be considered “safe.” In this model, what is the difference between me authenticating to the VPN endpoint as opposed to me authenticating to an RDP endpoint? Insofar as the authentication layer is concerned, there really isn’t a difference.

However, when it comes to a network-level “least privilege” standpoint, I think there are stark differences: The VPN endpoint typically will give the end user full-stack IP access to resources unless otherwise specified. RDP endpoints however only require the specified RDP port to access the host. What happens after a successful connection to the host is up to the admin. In the case of RDP via TSGateway, we find that one can deploy a server at the “connection-level” using client certificates – not only for encryption upon connection, but for validation TO connect in the first place. To me, that is an important distinction. VPN endpoint authentication might lead to the propensity for one to consider access to down-range resources as authorized. I don’t think you should do that when you consider the capabilities an attacker has given an “open pipe” once authenticated versus a single protocol access to a machine you can tightly control. I only bring this up because I think one should consider the ramifications of the “VPN first” model before assuming it grants you some inherent security.
*From:* full-disclosure-bounces () lists grok org uk [mailto: full-disclosure-bounces () lists grok org uk] *On Behalf Of* Larry Seltzer
*Sent:* Wednesday, June 09, 2010 2:20 PM
*To:* noloader () gmail com; Daniel Sichel
*Cc:* full-disclosure () lists grok org uk
*Subject:* Re: [Full-disclosure] RDP, can it be done safely?

See http://technet.microsoft.com/en-us/library/cc782610(WS.10).aspx

If you connect through a VPN it should be as secure as anything else you’re going to consider.

*From:* full-disclosure-bounces () lists grok org uk [mailto: full-disclosure-bounces () lists grok org uk] *On Behalf Of* Jeffrey Walton
*Sent:* Wednesday, June 09, 2010 5:04 PM
*To:* Daniel Sichel
*Cc:* full-disclosure () lists grok org uk
*Subject:* Re: [Full-disclosure] RDP, can it be done safely?

Hi Dan,

Where are the users located (local LAN or from an untrusted network such as the Internet)? If I recall correctly, RDP encryption is "turned on" from a GPO setting that applies to the host/server, and not just RDP [or was it strong encryption?] (corrections, please). So you can get a secure RDP connection at the cost of possibly breaking other functionality. You might find it easier to use another remote access solution.

Jeff

On Wed, Jun 9, 2010 at 4:35 PM, Daniel Sichel <daniels () ponderosatel com> wrote:

We have a boneheaded group of software developers who even in this day and age eschew the client server model of software for the easier dumber run it from the console school of design. So I have this idiotic Windows accounting application that MUST run on an application server, cannot be run from a client. Rather than have my accounting department log in directly to the physical box, I would like to have them use some flavor of terminal services on my Windows server. My question therefore is, can I turn on RDP safely, without exposing my Windows server to risk of exploitation? Thanks for any help you can give.

Dan S.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
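The "direct RDP" posture Thor describes (TLS on the listener, authentication before a session exists, and only the RDP port reachable, and only from a controlled source) can be audited and enforced on the host itself. The script below is an added example, not code from anyone in the thread; it assumes the default RDP-Tcp listener, and the gateway address and rule name are placeholders.

```powershell
# Added example (not from the thread). Audits the RDP-Tcp listener and applies
# the hardening a directly exposed RDP host should have: TLS security layer,
# Network Level Authentication, high encryption, and TCP/3389 admitted only
# from one known gateway instead of the full-stack reach a VPN grants.
# Assumptions: default listener name; gateway IP and rule name are placeholders.

$Listener       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$GatewayAddress = '203.0.113.10'          # placeholder: TS Gateway or jump host
$RuleName       = 'RDP-From-Gateway-Only' # placeholder rule name

function Get-RdpTransportPosture {
    # Reads the listener values that decide how a connection is secured.
    $cfg = Get-ItemProperty -Path $Listener
    [pscustomobject]@{
        # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS required
        TlsRequired    = ($cfg.SecurityLayer -eq 2)
        # UserAuthentication: 1 = NLA, the user authenticates before a session is built
        NlaRequired    = ($cfg.UserAuthentication -eq 1)
        # MinEncryptionLevel: 3 = High (128-bit), 4 = FIPS compliant
        HighEncryption = ($cfg.MinEncryptionLevel -ge 3)
    }
}

function Set-RdpTransportHardening {
    # Remediates all three findings; new sessions pick the values up without a reboot.
    Set-ItemProperty -Path $Listener -Name SecurityLayer      -Value 2 -Type DWord
    Set-ItemProperty -Path $Listener -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $Listener -Name MinEncryptionLevel -Value 3 -Type DWord
}

function Set-RdpSourceRestriction {
    # Disables the built-in any-source "Remote Desktop" rules and replaces them
    # with a single allow rule scoped to the gateway: one port, one peer.
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=no | Out-Null
    netsh advfirewall firewall delete rule name=$RuleName | Out-Null
    netsh advfirewall firewall add rule name=$RuleName dir=in action=allow `
        protocol=TCP localport=3389 remoteip=$GatewayAddress | Out-Null
}

# Report first, then fix only what the audit found wanting.
$posture = Get-RdpTransportPosture
$posture | Format-List
if (-not ($posture.TlsRequired -and $posture.NlaRequired -and $posture.HighEncryption)) {
    Set-RdpTransportHardening
}
Set-RdpSourceRestriction
```

Run it elevated on the terminal server; re-running `Get-RdpTransportPosture` afterwards should show all three values true, and `netsh advfirewall firewall show rule name=RDP-From-Gateway-Only` should list only the gateway as RemoteIP.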