Re: Securing RDP - Is it possible?

[Parity <pty.err () gmail com>]

Two-factor auth does nothing to prevent these attacks.  The server can
use 100 different factors to authenticate the client, but if the
client doesn't also authenticate the server, then man-in-the-middle
attacks are still possible.

On Tue, Apr 14, 2009 at 10:25 AM, Ben Little <BLittle () skylight com> wrote:
> You can also use two-factor authentication as a means of helping to
> secure the authentication process.
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of David Glosser
> Sent: Tuesday, April 14, 2009 3:38 AM
> To: Chip Panarchy
> Cc: pen-test () securityfocus com
> Subject: Re: Securing RDP - Is it possible?
>
> You can configure better  authentication and  encryption with RDP (for
> example, http://technet.microsoft.com/en-us/library/cc782610.aspx,
> http://support.microsoft.com/kb/275727)
>
> Also change the RDP listening port to something non-standard. That won't
> prevent someone finding the port but should make it a little harder to
> find.
>
>
>
> On Tue, Apr 14, 2009 at 4:27 AM, Chip Panarchy <forumanarchy () gmail com>
> wrote:
> > Hello
> >
> > Is Secure RDP an impossibility?
> >
> > I am now working (WOOT) and they seem to use entirely RDP, almost no
> VNC...
> > This, by my reckoning would make the network most insecure.
> >
> > Would you agree?
> >
> > Or is it possible to Secure RDP?
> >
> > Thanks in advance for sharing ideas on this matter,
> >
> > Panarchy
> >
> > ----------------------------------------------------------------------
> > -- This list is sponsored by: InfoSec Institute
> >
> > Learn all of the latest penetration testing techniques in InfoSec
> Institute's Ethical Hacking class.
> > Totally hands-on course with evening Capture The Flag (CTF) exercises,
> Certified Ethical Hacker and Certified Penetration Tester exams, taught
> by an expert with years of real pen testing experience.
> > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > ----------------------------------------------------------------------
> > --
>
> ------------------------------------------------------------------------
> This list is sponsored by: InfoSec Institute
>
> Learn all of the latest penetration testing techniques in InfoSec
> Institute's Ethical Hacking class.
> Totally hands-on course with evening Capture The Flag (CTF) exercises,
> Certified Ethical Hacker and Certified Penetration Tester exams, taught
> by an expert with years of real pen testing experience.
>
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: InfoSec Institute
>
> Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
> Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
> Penetration Tester exams, taught by an expert with years of real pen testing experience.
>
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------