All right, I guess you've got a point. I reflexively say VPN at times like this because the very few reported RDP attacks I've seen have been MITM attacks of the sort that VPNs effectively block. But a client certificate/TLS implementation accomplishes the same thing and all you have to open is the RDP port.
On Wed, Jun 9, 2010 at 11:58 PM, Thor (Hammer of God) <[email protected]> wrote:
> I request that you start thinking about RDS/TS/RDP as a “direct” technology. Treating access via RDP as something that one must first VPN/RAS into a corpnet in order to secure properly obscures what one might consider obvious:
>
> If you require me to logon to your network via VPN first before I can subsequently connect to internal RDP resources, one might consider the VPN endpoint as the primary authentication point. As such, one might logically conclude that since access was granted via the VPN, that internal access to RDP resources would be considered “safe.” In this model, what is the difference between me authenticating to the VPN endpoint as opposed to me authenticating to an RDP endpoint?
>
> Insofar as the authentication layer is concerned, there really isn’t a difference. However, when it comes to a network-level “least privilege” standpoint, I think there are stark differences: The VPN endpoint typically will give the end user full-stack IP access to resources unless otherwise specified. RDP endpoints however only require the specified RDP port to access the host. What happens after a successful connection to the host is up to the admin. In the case of RDP via TSGateway, we find that one can deploy a server at the “connection-level” using client certificates – not only for encryption upon connection, but for validation TO connect in the first place.
>
> To me, that is an important distinction.
>
> VPN endpoint authentication might lead to the propensity for one to consider access to down-range resources as authorized. I don’t think you should do that when you consider the capabilities an attacker has given an “open pipe” once authenticated versus a single protocol access to a machine you can tightly control.
>
> I only bring this up because I think one should consider the ramifications of the “VPN first” model before assuming it grants you some inherent security.
>
> t
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Larry Seltzer
> *Sent:* Wednesday, June 09, 2010 2:20 PM
> *To:* [email protected]; Daniel Sichel
> *Cc:* [email protected]
> *Subject:* Re: [Full-disclosure] RDP, can it be done safely?
>
> See http://technet.microsoft.com/en-us/library/cc782610(WS.10).aspx
>
> If you connect through a VPN it should be as secure as anything else you’re going to consider.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Jeffrey Walton
> *Sent:* Wednesday, June 09, 2010 5:04 PM
> *To:* Daniel Sichel
> *Cc:* [email protected]
> *Subject:* Re: [Full-disclosure] RDP, can it be done safely?
>
> Hi Dan,
>
> Where are the users located (local LAN or from an untrusted network such as the Internet)?
>
> If I recall correctly, RDP encryption is "turned on" from a GPO setting that applies to the host/server, and not just RDP [or was it strong encryption?] (corrections, please). So you can get a secure RDP connection at the cost of possibly breaking other functionality.
>
> You might find it easier to use another remote access solution.
>
> Jeff
>
> On Wed, Jun 9, 2010 at 4:35 PM, Daniel Sichel <[email protected]> wrote:
>
> We have a boneheaded group of software developers who even in this day and age eschew the client server model of software for the easier dumber run it from the console school of design. So I have this idiotic Windows accounting application that MUST run on an application server, cannot be run from a client. Rather than have my accounting department log in directly to the physical box, I would like to have them use some flavor of terminal services on my Windows server.
>
> My question therefore is, can I turn on RDP safely, without exposing my Windows server to risk of exploitation?
>
> Thanks for any help you can give.
>
> Dan S.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
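As an added example (not posted by anyone in the thread), the following PowerShell audits the three per-listener settings the discussion keeps circling back to when it asks whether RDP can be exposed "directly": TLS as the security layer, Network Level Authentication, and the minimum encryption level. It assumes the default listener is named RDP-Tcp, that the shell is elevated, and that no domain GPO overrides these registry values (in a domain the same settings live under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security and should be set there instead).

```powershell
# Added example: audit, and optionally enforce, the RDP-Tcp listener settings
# that decide whether a directly exposed RDP port negotiates legacy RDP
# security or TLS, and whether clients authenticate before a session exists.
# Assumptions: default listener name RDP-Tcp, elevated shell, no GPO override.
$TsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$Listener = "$TsRoot\WinStations\RDP-Tcp"

function Get-RdpSecurityPosture {
    $ts  = Get-ItemProperty -Path $TsRoot
    $cfg = Get-ItemProperty -Path $Listener
    $findings = @()

    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    if ($ts.fDenyTSConnections -eq 1) {
        return [pscustomobject]@{ Enabled = $false; Findings = @() }
    }
    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS required.
    # Below 2 a client can still end up on RDP security, which is the
    # man-in-the-middle exposure the thread refers to.
    if ($cfg.SecurityLayer -lt 2) {
        $findings += "SecurityLayer=$($cfg.SecurityLayer): TLS is not required on the listener"
    }
    # UserAuthentication: 1 = NLA, the client must authenticate before the
    # server creates a session (and shows a logon screen) for it.
    if ($cfg.UserAuthentication -ne 1) {
        $findings += 'UserAuthentication=0: Network Level Authentication is off'
    }
    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS.
    if ($cfg.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel=$($cfg.MinEncryptionLevel): below High (128-bit)"
    }
    [pscustomobject]@{ Enabled = $true; Findings = $findings }
}

function Set-RdpHardening {
    # Enforce TLS, NLA and High encryption on the listener. New values apply
    # to new connections; restart TermService if an existing session must
    # pick them up.
    Set-ItemProperty -Path $Listener -Name SecurityLayer      -Value 2 -Type DWord
    Set-ItemProperty -Path $Listener -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $Listener -Name MinEncryptionLevel -Value 3 -Type DWord
}

$posture = Get-RdpSecurityPosture
if (-not $posture.Enabled) { 'Remote Desktop is disabled; nothing exposed to audit.' }
elseif ($posture.Findings.Count -eq 0) { 'RDP-Tcp: TLS, NLA and High encryption are enforced.' }
else { $posture.Findings | ForEach-Object { "WEAK: $_" } }
```

Run `Set-RdpHardening` only after reviewing the findings, since enforcing NLA locks out clients that cannot do CredSSP (an old mstsc or some third-party clients).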
