Date: Wed, 9 Jun 2010 16:43:37 -0500
From: Jonathan Leigh <dantevios@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: RDP, can it be done safely?

"My question therefore is, can I turn on RDP safely, without exposing my
Windows server to risk of exploitation?"

Yes. As long as you set up Terminal Services correctly to only allow clients
that use encrypted RDP to log in, it is relatively safe to allow users RDP
access. There is an option that allows people using unsafe, unencrypted RDP
clients to log in for legacy compatibility reasons, but it would be bad to
allow that. Make sure they have strong passwords, because most likely you will
see in your logs people brute-forcing logins to it every day if you open it up
to the WAN. I have seen multiple brute-force attempts on an SSH box I had set
up remotely from my house, and I'm not even running a business. You can set an
account lockout policy for RDP to stop them from attempting so much:
http://www.mobydisk.com/techres/securing_remote_desktop.html

Now, you also have to take into account that users' computers at home are
probably not very sanitary, so there is also a risk of their passwords getting
sniffed by keyloggers from malware (especially if these people are so
enthusiastic about using Windows). But as far as I know, over the wire RDP is
an encrypted protocol, so the traffic is safe from being sniffed. If the data
is too sensitive I wouldn't do it myself, but if you're at Joe Schmoe's small
business I'd say go for it.

On Wed, Jun 9, 2010 at 3:35 PM, Daniel Sichel <daniels@...derosatel.com> wrote:

> We have a boneheaded group of software developers who even in this day and
> age eschew the client-server model of software for the easier, dumber
> run-it-from-the-console school of design. So I have this idiotic Windows
> accounting application that MUST run on an application server and cannot be
> run from a client. Rather than have my accounting department log in directly
> to the physical box, I would like to have them use some flavor of terminal
> services on my Windows server. My question therefore is, can I turn on RDP
> safely, without exposing my Windows server to risk of exploitation?
>
> Thanks for any help you can give.
>
> Dan S.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



-- 
Thank you,
Jon Leigh

==========================================================
Email: Dantevios@...il.com
Website: http://www.dantevios.com
Facebook: http://www.facebook.com/dantevios
Gtalk: Dantevios@...il.com
ICQ: 577683269
AIM: Dantevios
MSN: Dantevios@...mail.com
Yahoo: Dantevios@...oo.com
Skype User: Dantevios
Skype #: 662-524-3653
==========================================================
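An added example, not part of Jon Leigh's post or of any tool it links to: a PowerShell script that checks the three RDP-Tcp listener settings behind the "only encrypted clients" advice (security layer, minimum encryption level, Network Level Authentication), shows and optionally sets a local account lockout policy, narrows the inbound 3389 firewall rule, and counts the failed logons (Security event ID 4625) the post says you will see once the port faces the WAN. It assumes Windows Server 2008 R2 or later with PowerShell 2.0+ and an elevated prompt; the target values in $Desired, the lockout numbers, the firewall rule name and the 203.0.113.0/24 source range are this example's assumptions and should be adjusted to the site.

```powershell
# Added example (not from the original post): audit, and with -Apply enforce,
# the RDP hardening the reply above recommends. Run as Administrator.
# Registry paths, value names and their meanings are Microsoft's; the target
# values, lockout numbers and IP range below are assumptions for illustration.
param([switch]$Apply)   # without -Apply the script only reports

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Listener settings. The "legacy compatibility" option the post warns about is
# MinEncryptionLevel = 2 (Client Compatible) with SecurityLayer = 0 (RDP security
# layer): an old client may then negotiate a weakly encrypted session.
$Desired = @{
    SecurityLayer      = 2   # 0 = RDP security layer, 1 = Negotiate, 2 = TLS (SSL) required
    MinEncryptionLevel = 3   # 1 = Low, 2 = Client Compatible, 3 = High (128-bit), 4 = FIPS
    UserAuthentication = 1   # 1 = require Network Level Authentication before a session exists
}

$current = Get-ItemProperty -Path $rdpKey
foreach ($name in $Desired.Keys) {
    $have = $current.$name          # $null if the value has never been set
    $want = $Desired[$name]
    if ($have -eq $want) {
        Write-Host ('OK    {0,-20} = {1}' -f $name, $have)
        continue
    }
    Write-Host ('WEAK  {0,-20} = {1}  (want {2})' -f $name, $have, $want)
    if ($Apply) {
        Set-ItemProperty -Path $rdpKey -Name $name -Value $want -Type DWord
    }
}

# Account lockout policy (local SAM). On a domain member the domain GPO wins,
# so set it in Group Policy there; 'net accounts' still shows the effective values.
Write-Host "`nLockout policy:"
net accounts | Select-String 'Lockout'
if ($Apply) {
    # Assumed values: 5 bad attempts within 30 minutes lock the account for 30 minutes.
    net accounts /lockoutthreshold:5 /lockoutwindow:30 /lockoutduration:30
}

# Prefer not to expose 3389 to the whole WAN: scope the built-in inbound rule to
# the office/VPN range. "Remote Desktop (TCP-In)" is the Server 2008 R2 rule name
# (newer releases name it differently); 203.0.113.0/24 is a placeholder range.
if ($Apply) {
    netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=203.0.113.0/24
}

# What the post says you will see in the logs: failed logons (event 4625) in the
# last 24 hours, grouped by source address. Logon Type 10 is RemoteInteractive;
# NLA failures show as Logon Type 3 because no session was created yet.
# Parsing the message text assumes an English-language event description.
$since  = (Get-Date).AddHours(-24)
$failed = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} `
            -ErrorAction SilentlyContinue)
Write-Host ("`n{0} failed logons since {1}" -f $failed.Count, $since)
$failed |
    ForEach-Object { if ($_.Message -match 'Source Network Address:\s+(\S+)') { $Matches[1] } } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object -First 5 Count, Name |
    Format-Table -AutoSize
```

Run it once without -Apply to see which listener values the box currently has (a fresh install typically reports SecurityLayer = 1 and MinEncryptionLevel = 2, i.e. the legacy-compatible defaults), then with -Apply; the 4625 summary is the quickest way to confirm that the lockout policy and the narrowed firewall rule are actually cutting the brute-force noise the post describes.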


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
