
Re: [Full-disclosure] RDP, can it be done safely?



I request that you start thinking about RDS/TS/RDP as a "direct" technology.  
Treating access via RDP as something that one must first VPN/RAS into a corpnet 
in order to secure properly obscures what one might consider obvious:

If you require me to log on to your network via VPN first before I can 
subsequently connect to internal RDP resources, one might consider the VPN 
endpoint as the primary authentication point.  As such, one might logically 
conclude that since access was granted via the VPN, internal access to RDP 
resources would be considered "safe."  In this model, what is the difference 
between me authenticating to the VPN endpoint as opposed to me authenticating 
to an RDP endpoint?

Insofar as the authentication layer is concerned, there really isn't a 
difference.  However, when it comes to a network-level "least privilege" 
standpoint, I think there are stark differences:  The VPN endpoint typically 
will give the end user full-stack IP access to resources unless otherwise 
specified.  RDP endpoints, however, only require the specified RDP port to access 
the host.  What happens after a successful connection to the host is up to the 
admin.  In the case of RDP via TSGateway, we find that one can deploy a server 
at the "connection-level" using client certificates - not only for encryption 
upon connection, but for validation TO connect in the first place.

To me, that is an important distinction.

VPN endpoint authentication might lead to the propensity for one to consider 
access to down-range resources as authorized.  I don't think you should do that 
when you consider the capabilities an attacker has given an "open pipe" once 
authenticated versus single-protocol access to a machine you can tightly 
control.

I only bring this up because I think one should consider the ramifications of 
the "VPN first" model before assuming it grants you some inherent security.

t
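The thread turns on two host-side controls: the single RDP port is all that is exposed, and the encryption/security layer is set by GPO on the host (as Jeff notes further down). The following PowerShell audit is an added example, not code from the list or from Microsoft; it reads the documented RDP-Tcp listener values that those policies write and reports which of them are still at a weak setting. The function names are my own.

```powershell
# Added example: audit the RDP-Tcp listener values that the GPO policies
# "Require use of specific security layer", "Set client connection encryption
# level" and "Require user authentication for remote connections (NLA)" write.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Test-RdpListenerSettings {
    param(
        [int]$SecurityLayer,       # 0 = legacy RDP security, 1 = Negotiate, 2 = TLS
        [int]$MinEncryptionLevel,  # 1 Low, 2 Client Compatible, 3 High, 4 FIPS
        [int]$UserAuthentication,  # 1 = Network Level Authentication required
        [int]$PortNumber           # 3389 unless the admin changed it
    )
    $findings = @()
    if ($SecurityLayer -lt 2) {
        $findings += "SecurityLayer=$SecurityLayer: TLS not required; set 2 so the server proves its identity before credentials flow"
    }
    if ($MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel=$MinEncryptionLevel: raise to High (3) or FIPS (4)"
    }
    if ($UserAuthentication -ne 1) {
        $findings += "UserAuthentication=$UserAuthentication: NLA off, unauthenticated clients reach the logon screen"
    }
    [pscustomobject]@{
        Port     = $PortNumber
        Hardened = ($findings.Count -eq 0)
        Findings = $findings
    }
}

function Get-RdpHardeningReport {
    # fDenyTSConnections=1 means the listener is off, so there is nothing to audit.
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($deny -eq 1) {
        return [pscustomobject]@{ Port = $null; Hardened = $true; Findings = @('RDP disabled (fDenyTSConnections=1)') }
    }
    $p = Get-ItemProperty -Path $RdpKey   # missing values cast to 0, i.e. the weakest setting
    Test-RdpListenerSettings -SecurityLayer ([int]$p.SecurityLayer) `
        -MinEncryptionLevel ([int]$p.MinEncryptionLevel) `
        -UserAuthentication ([int]$p.UserAuthentication) `
        -PortNumber ([int]$p.PortNumber)
}

# Constructed sample: a listener left at Negotiate / Client Compatible / no NLA.
Test-RdpListenerSettings -SecurityLayer 1 -MinEncryptionLevel 2 -UserAuthentication 0 -PortNumber 3389 | Format-List
# Live check of this host:
Get-RdpHardeningReport | Format-List
```

Run it elevated on the terminal server; the sample call returns three findings, and a correctly policied host returns Hardened = True.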

From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Larry Seltzer
Sent: Wednesday, June 09, 2010 2:20 PM
To: noloader@xxxxxxxxx; Daniel Sichel
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] RDP, can it be done safely?

See http://technet.microsoft.com/en-us/library/cc782610(WS.10).aspx

If you connect through a VPN it should be as secure as anything else you're 
going to consider.

From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Jeffrey Walton
Sent: Wednesday, June 09, 2010 5:04 PM
To: Daniel Sichel
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] RDP, can it be done safely?

Hi Dan,

Where are the users located (local LAN or from an untrusted network such as the 
Internet)?

If I recall correctly, RDP encryption is "turned on" from a GPO setting that 
applies to the host/server, and not just RDP [or was it strong encryption?] 
(corrections, please). So you can get a secure RDP connection at the cost of 
possibly breaking other functionality.
You might find it easier to use another remote access solution.

Jeff

On Wed, Jun 9, 2010 at 4:35 PM, Daniel Sichel 
<daniels@xxxxxxxxxxxxxxxx> wrote:
We have a boneheaded group of software developers who even in this day and age 
eschew the client server model of software for the easier dumber run it from 
the console school of design. So I have this idiotic Windows accounting 
application that MUST run on an application server, cannot be run from a 
client.  Rather than have my accounting department log in directly to the 
physical box, I would like to have them use some flavor of terminal services on 
my Windows server. My question therefore is, can I turn on RDP safely, without 
exposing my Windows server to risk of exploitation?
Thanks for any help you can give.
Dan S.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
