[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] RDP, can it be done safely?
- To: "noloader@xxxxxxxxx" <noloader@xxxxxxxxx>
- Subject: Re: [Full-disclosure] RDP, can it be done safely?
- From: "Thor (Hammer of God)" <Thor@xxxxxxxxxxxxxxx>
- Date: Wed, 9 Jun 2010 22:54:57 +0000
When configuring terminal services (actual TS services, not just RD) I try to
plan for a worst-case scenario. As such, I think it pays to consider all users
to be evil, plotting bastards whether they are on the local lan or not.
However, when the users are already on your LAN, and they already have
credentials to access other assets, and/or if they are using the same
credentials to access the RDP resources as they already have, then typically
your threat model would have greater risks outside of the TS boxes themselves.
These types of deployments almost always have technical requirements that drive
your configuration - meaning, sometimes they have to be domain members on the
TS box, sometimes they don't. Then you have the local admin/standard user
issues, and a host of other security problems (no pun intended ;) so without
more details on the application itself, then we'll all be limited in our
recommendations.
t
From: Jeffrey Walton [mailto:noloader@xxxxxxxxx]
Sent: Wednesday, June 09, 2010 3:42 PM
To: Thor (Hammer of God)
Cc: Daniel Sichel; full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] RDP, can it be done safely?
Hi Thor,
> This is not correct.
OK. Thanks. Larry posted a very good link.
> And one should note that this has nothing to do with "local" or
> "remote" users: To be pedantic, *all* RDP sessions are "remote."
Local meaning "on the local LAN". The threat model changes considerably when
users are on the LAN.
Jeff
On Wed, Jun 9, 2010 at 6:33 PM, Thor (Hammer of God)
<Thor@xxxxxxxxxxxxxxx<mailto:Thor@xxxxxxxxxxxxxxx>> wrote:
This is not correct. While the default setting for an RDP connection is
"client-negotiate" that does not mean that you will automatically get a no/low
bit encryption session. And one should note that this has nothing to do with
"local" or "remote" users: To be pedantic, *all* RDP sessions are "remote."
You can easily configure the server to require certificate-based TLS encryption
and have a host of other transport security options.
I'm not sure what you mean by "if the users are remote you might find it easier
to user another remote access solution." That makes no sense to me.
Daniel - If I understand your question, your concern with having standard users
connecting up to and running software on a server machine, correct? This is
typically where most people fall short in application deployment via terminal
services. You should certainly make sure that the users are standard user and
that you've properly ACL'd off the application and data. The model you
describe sounds relatively straight-forward in that the server will be a
dedicated application server (if I understand correctly). When you have high
numbers of users where some are local administrators and they all have home
directories with various access points to shares, etc, there are other, more
complicated methods you must consider when deploying TS.
I've done fair amount of work with RDP, so I'm happy to help if you can give me
some more information.
t
From:
full-disclosure-bounces@xxxxxxxxxxxxxxxxx<mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx>
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx<mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx>]
On Behalf Of Jeffrey Walton
Sent: Wednesday, June 09, 2010 2:19 PM
To: Daniel Sichel
Cc: full-disclosure@xxxxxxxxxxxxxxxxx<mailto:full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] RDP, can it be done safely?
Hi Dainiel,
> You might find it easier to use another remote access solution.
I probably should have elaborated: if users are local, understand that RDP is
probably un-encrypted or weakly encrypted. If the users are remote, you might
find it easier to use another remote access solution.
Jeff
On Wed, Jun 9, 2010 at 5:04 PM, Jeffrey Walton
<noloader@xxxxxxxxx<mailto:noloader@xxxxxxxxx>> wrote:
Hi Dan,
Where are the users located (local LAN or from an untrusted network such as the
Internet)?
If I recall correctly, RDP encryption is "turned on" from a GPO setting that
applies to the host/server, and not just RDP [or was it strong encryption?]
(corrections, please). So you can get a secure RDP connection at the cost of
possibly breaking other functionality.
You might find it easier to use another remote access solution.
Jeff
On Wed, Jun 9, 2010 at 4:35 PM, Daniel Sichel
<daniels@xxxxxxxxxxxxxxxx<mailto:daniels@xxxxxxxxxxxxxxxx>> wrote:
[cid:image001.gif@01CB07EB.BC847F20]
We have a boneheaded group of software developers who even in this day and age
eschew the client server model of software for the easier dumber run it from
the console school of design. So I have this idiotic Windows accounting
application that MUST run on an application server, cannot be run from a
client. Rather than have my accounting department log in directly to the
physical box, I would like to have them use some flavor of terminal services on
my Windows server. My question therefore is, can I turn on RDP safely, without
exposing my Windows server to risk of exploitation?
Thanks for any help you can give.
Dan S.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/