[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <optid.07772764e8.58DB1B68E62B9F448DF1A276B0886DF11C6D264C@EX2010.hammerofgod.com>
Date: Thu, 10 Jun 2010 03:58:23 +0000
From: "Thor (Hammer of God)" <Thor@...merofgod.com>
To: Larry Seltzer <larry@...ryseltzer.com>, "noloader@...il.com"
<noloader@...il.com>, Daniel Sichel <daniels@...derosatel.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: RDP, can it be done safely?
I request that you start thinking about RDS/TS/RDP as a "direct" technology. Treating access via RDP as something that one must first VPN/RAS into a corpnet first in order to secure properly obscures what one might consider obvious:
If you require me to logon to your network via VPN first before I can subsequently connect to internal RDP resources, one might consider the VPN endpoint as the primary authentication point. As such, one might logically conclude that since access was granted via the VPN, that internal access to RDP resources would be considered "safe." In this model, what is the difference between me authenticating to the VPN endpoint as opposed to me authenticating to an RDP endpoint?
Insofar as the authentication layer is concerned, there really isn't a difference. However, when it comes to a network-level "least privilege" standpoint, I think there are stark differences: The VPN endpoint typically will give the end user full-stack IP access to resources unless otherwise specified. RDP endpoints however only require the specified RDP port to access the host. What happens after a successful connection to the host is up to the admin. In the case of RDP via TSGateway, we find that one can deploy a server at the "connection-level" using client certificates - not only for encryption upon connection, but for validation TO connect in the first place.
To me, that is an important distinction.
VPN endpoint authentication might lead to the propensity for one to consider access to down-range resources as authorized. I don't think you should do that when you consider the capabilities an attacker has given an "open pipe" once authenticated versus an single protocol access to a machine you can tightly control.
I only bring this up because I think one should consider the ramifications of the "VPN first" model before assuming it grants you some inherent security.
t
From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Larry Seltzer
Sent: Wednesday, June 09, 2010 2:20 PM
To: noloader@...il.com; Daniel Sichel
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] RDP, can it be done safely?
See http://technet.microsoft.com/en-us/library/cc782610(WS.10).aspx
If you connect through a VPN it should be as secure as anything else you're going to consider.
From: full-disclosure-bounces@...ts.grok.org.uk<mailto:full-disclosure-bounces@...ts.grok.org.uk> [mailto:full-disclosure-bounces@...ts.grok.org.uk<mailto:full-disclosure-bounces@...ts.grok.org.uk>] On Behalf Of Jeffrey Walton
Sent: Wednesday, June 09, 2010 5:04 PM
To: Daniel Sichel
Cc: full-disclosure@...ts.grok.org.uk<mailto:full-disclosure@...ts.grok.org.uk>
Subject: Re: [Full-disclosure] RDP, can it be done safely?
Hi Dan,
Where are the users located (local LAN or from an untrusted network such as the Internet)?
If I recall correctly, RDP encryption is "turned on" from a GPO setting that applies to the host/server, and not just RDP [or was it strong encryption?] (corrections, please). So you can get a secure RDP connection at the cost of possibly breaking other functionality.
You might find it easier to use another remote access solution.
Jeff
On Wed, Jun 9, 2010 at 4:35 PM, Daniel Sichel <daniels@...derosatel.com<mailto:daniels@...derosatel.com>> wrote:
[cid:image001.gif@...B0814.286A3BD0]
We have a boneheaded group of software developers who even in this day and age eschew the client server model of software for the easier dumber run it from the console school of design. So I have this idiotic Windows accounting application that MUST run on an application server, cannot be run from a client. Rather than have my accounting department log in directly to the physical box, I would like to have them use some flavor of terminal services on my Windows server. My question therefore is, can I turn on RDP safely, without exposing my Windows server to risk of exploitation?
Thanks for any help you can give.
Dan S.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Content of type "text/html" skipped
Download attachment "image001.gif" of type "image/gif" (92 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists