lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 9 Jun 2010 18:58:36 -0400
From: Larry Seltzer <larry@...ryseltzer.com>
To: "Thor (Hammer of God)" <Thor@...merofgod.com>, noloader@...il.com, 
	Daniel Sichel <daniels@...derosatel.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: RDP, can it be done safely?

I might  be able to buy you one beer with the money, but it won’t be
anything good.



*From:* Thor (Hammer of God) [mailto:Thor@...merofgod.com]
*Sent:* Wednesday, June 09, 2010 6:56 PM
*To:* Larry Seltzer; noloader@...il.com; Daniel Sichel
*Cc:* full-disclosure@...ts.grok.org.uk
*Subject:* RE: [Full-disclosure] RDP, can it be done safely?



And you didn’t include me??  I’m HURT!  ;)

t



*From:* Larry Seltzer [mailto:larry@...ryseltzer.com]
*Sent:* Wednesday, June 09, 2010 3:54 PM
*To:* Thor (Hammer of God); noloader@...il.com; Daniel Sichel
*Cc:* full-disclosure@...ts.grok.org.uk
*Subject:* RE: [Full-disclosure] RDP, can it be done safely?



<digression>

10 years ago I wrote a book on Terminal Services for Windows 2000. Believe
it or not, I still get trivial royalties on it, $6.81 for the first quarter
of this year, and the book has been out of print for years.



Someone out there in 2010 is buying a book on Windows 2000, sucking out the
last copies of it left in the channel.

</digression>



*From:* full-disclosure-bounces@...ts.grok.org.uk [mailto:
full-disclosure-bounces@...ts.grok.org.uk] *On Behalf Of *Thor (Hammer of
God)
*Sent:* Wednesday, June 09, 2010 6:33 PM
*To:* noloader@...il.com; Daniel Sichel
*Cc:* full-disclosure@...ts.grok.org.uk
*Subject:* Re: [Full-disclosure] RDP, can it be done safely?



This is not correct.  While the default setting for an RDP connection is
“client-negotiate” that does not mean that you will automatically get a
no/low bit encryption session.   And one should note that this has nothing
to do with “local” or “remote” users:  To be pedantic, **all** RDP sessions
are “remote.”  You can easily configure the server to require
certificate-based TLS encryption and have a host of other transport security
options.



I’m not sure what you mean by “if the users are remote you might find it
easier to user another remote access solution.”  That makes no sense to me.



Daniel – If I understand your question, your concern with having standard
users connecting up to and running software on a server machine, correct?
This is typically where most people fall short in application deployment via
terminal services.   You should certainly make sure that the users are
standard user and that you’ve properly ACL’d off the application and data.
The model you describe sounds relatively straight-forward in that the server
will be a dedicated application server (if I understand correctly).  When
you have high numbers of users where some are local administrators and they
all have home directories with various access points to shares, etc, there
are other, more complicated methods you must consider when deploying TS.



I’ve done fair amount of work with RDP, so I’m happy to help if you can give
me some more information.



t



*From:* full-disclosure-bounces@...ts.grok.org.uk [mailto:
full-disclosure-bounces@...ts.grok.org.uk] *On Behalf Of *Jeffrey Walton
*Sent:* Wednesday, June 09, 2010 2:19 PM
*To:* Daniel Sichel
*Cc:* full-disclosure@...ts.grok.org.uk
*Subject:* Re: [Full-disclosure] RDP, can it be done safely?



Hi Dainiel,



> You might find it easier to use another remote access solution.

I probably should have elaborated: if users are local, understand that RDP
is probably un-encrypted or weakly encrypted. If the users are remote, you
might find it easier to use another remote access solution.

Jeff

On Wed, Jun 9, 2010 at 5:04 PM, Jeffrey Walton <noloader@...il.com> wrote:

Hi Dan,



Where are the users located (local LAN or from an untrusted network such as
the Internet)?



If I recall correctly, RDP encryption is "turned on" from a GPO setting that
applies to the host/server, and not just RDP [or was it strong encryption?]
(corrections, please). So you can get a secure RDP connection at the cost of
possibly breaking other functionality.

You might find it easier to use another remote access solution.


Jeff



On Wed, Jun 9, 2010 at 4:35 PM, Daniel Sichel <daniels@...derosatel.com>
wrote:

   We have a boneheaded group of software developers who even in this day
and age eschew the client server model of software for the easier dumber run
it from the console school of design. So I have this idiotic Windows
accounting application that MUST run on an application server, cannot be run
from a client.  Rather than have my accounting department log in directly to
the physical box, I would like to have them use some flavor of terminal
services on my Windows server. My question therefore is, can I turn on RDP
safely, without exposing my Windows server to risk of exploitation?

Thanks for any help you can give.

Dan S.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Content of type "text/html" skipped

Download attachment "image001.gif" of type "image/gif" (92 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ