Open Source and information security mailing list archives
 
Message-ID: <4C10F6EF.4040807@extendedsubset.com>
Date: Thu, 10 Jun 2010 09:30:07 -0500
From: Marsh Ray <marsh@...endedsubset.com>
To: "Thor (Hammer of God)" <Thor@...merofgod.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: RDP, can it be done safely?

On 6/10/2010 9:10 AM, Thor (Hammer of God) wrote:
> To be specific, it actually doesn't require a "client" cert in the
> strictest sense.

But I thought it could be configured to require a client cert?

> You can configure certificate parameters on the
> server in such a way that certificate trust chains must be honored
> (close enough)

I don't get your meaning here. What cert chains would the server be
validating if not client certs? The server's own?

Or are you saying it's still the client's option to not present a client
cert?

> but if you want true client authentication based on a
> certificate, you would have to publish the RDP over RPC/HTTP(s) via
> something like ISA where you can specifically configure a listener to
> require client authentication certificates to be "presented" to the
> publisher, but that's not really the same thing.

I kind of thought we had it configured something like that (but I
haven't gotten in too deep yet).

http://technet.microsoft.com/en-us/library/cc731264%28WS.10%29.aspx

Thanks for the heads-up, I'll definitely look at this more closely as I
have some projects at work which involve MSTS and TSG.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
