[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <optid.4777a5a9a6.58DB1B68E62B9F448DF1A276B0886DF11C6D279F@EX2010.hammerofgod.com>
Date: Thu, 10 Jun 2010 15:38:23 +0000
From: "Thor (Hammer of God)" <Thor@...merofgod.com>
To: Marsh Ray <marsh@...endedsubset.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: RDP, can it be done safely?
So, with TSG things are a bit different. You don't have to have a client cert, but in order to connect to TSG you have to have the MSFT 6.1+ RDP client. As such, the client can test the server's cert and see if you (the client) trusts it. If not, you can't connect.
This differs from a "direct" RDP connection where you have a self-signed or private cert configured on the server in that the server has no means of enforcing a trust chain - It just requires the use of the cert on the server side -- the client gets to make the choice of whether to trust the server or not.
The TSG configuration lets you use self-signed certs (or "private" CA certs), and thus prevent people from connecting if they are not in the trust chain. But it's not based on a "client cert."
The only exception to this I know of is the current beta of the iTap iPhone RDP client. It will let you connect to the TSG server without regard to cert trust. And that's the real distinction here - unless you are using a CLIENT that will enforce a trust, the server-side certificate issuer won't matter. It's always up to the client to trust the server. The server can't say "you must trust me" because the client can always just say "OK, I do" even if it really doesn't.
The only way to require an actual client cert (where it "presents" as in your example) is to use something like ISA to publish the SSL connection to the server - but that will only work with TSWeb services, not the actual TSG services (which I didn't properly explain in my first email - not enough coffee ;).
Make sense?
t
-----Original Message-----
From: Marsh Ray [mailto:marsh@...endedsubset.com]
Sent: Thursday, June 10, 2010 7:30 AM
To: Thor (Hammer of God)
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] RDP, can it be done safely?
On 6/10/2010 9:10 AM, Thor (Hammer of God) wrote:
> To be specific, it actually doesn't require a "client" cert in the
> strictest sense.
But I thought it could be configured to require a client cert?
> You can configure certificate parameters on the server in such a way
> that certificate trust chains must be honored (close enough)
I don't get your meaning here. What cert chains would the server be validating if not client certs? The server's own?
Or are you saying it's still the client's option to not present a client cert?
> but if you want true client authentication based on a certificate, you
> would have to publish the RDP over RPC/HTTP(s) via something like ISA
> where you can specifically configure a listener to require client
> authentication certificates to be "presented" to the publisher, but
> that's not really the same thing.
I kind of thought we had it configured something like that (but I haven't gotten in too deep yet).
http://technet.microsoft.com/en-us/library/cc731264%28WS.10%29.aspx
Thanks for the heads-up, I'll definitely look at this more closely as I have some projects at work which involve MSTS and TSG.
- Marsh
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists