To be specific, it actually doesn't require a "client" cert in the strictest sense. You can configure certificate parameters on the server in such a way that certificate trust chains must be honored (close enough) but if you want true client authentication based on a certificate, you would have to publish the RDP over RPC/HTTP(s) via something like ISA where you can specifically configure a listener to require client authentication certificates to be "presented" to the publisher, but that's not really the same thing.
t >-----Original Message----- >From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure- >boun...@lists.grok.org.uk] On Behalf Of Marsh Ray >Sent: Thursday, June 10, 2010 3:44 AM >To: full-disclosure@lists.grok.org.uk >Subject: Re: [Full-disclosure] RDP, can it be done safely? > >On 6/10/2010 4:44 AM, Larry Seltzer wrote: >> All right, I guess you've got a point. I reflexively say VPN at times >> like this because the very few reported RDP attacks I've seen have >> been MITM attacks of the sort that VPNs effectively block. But a >> client certificate/TLS implementation accomplishes the same thing and >> all you have to open is the RDP port. > >MS Terminal Services Gateway can be set up to require client cert >authentication and comes in over SSL/TLS over port 443 (RPC over HTTPS I >think). > >Allowing raw RDP to come in through the firewall is not something I would feel >real good about. > >- Marsh > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/