Remember that RDP, without significant, purposeful curtailing, can redirect all kinds of things including drives, printers and the clipboard. Not that anyone here would ever redirect a drive over an RDP session, of course, but it could create another opportunity for malware propagation beyond the obvious ones of password compromise, etc.
<aside> When I first rolled out remote desktop gateway, and gave some of our users access to their work PCs without our old Cisco VPN, I was astounded by the number of questions similar to "Why can't I print at home?", "Why can't I copy and paste from work to home?", etc. </aside>

On Tue, Feb 28, 2012 at 9:16 PM, Ben Scott <[email protected]> wrote:
> On Tue, Feb 28, 2012 at 8:59 PM, Richard Stovall <[email protected]> wrote:
> >>> One other thing that I've been mulling over along with the other
> >>> credentials is a set of VMs on which to run them. Want to manage
> >>> AD/DNS/WINS/CA? RDP into this Win7 VM with the correct tools on it.
> >
> > If the machine you're using to launch the RDP sessions is compromised,
> > what's the point? If you trust that machine, why not just run the tools
> > directly from it?
>
> That's one of the things I'm mulling.
>
> I think ultimately it depends on what threat(s) we're defending
> against. If the concern is related to malware (esp. trojan horses,
> etc. acquired during web browsing or other day-to-day) this may help
> limit propagation. Malware that captures keystrokes and also provides
> some way to invoke RDP for the attacker could still hijack the
> operator's privileges, but that's a much harder problem for the
> attacker. This would also funnel attacks in to a relatively small
> channel (RDP) which could be more closely policed by the good guys.
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
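
Added example, not part of the original thread: a PowerShell check of the Group Policy registry values that switch off RDP device redirection on the machine being connected to, such as the admin VM discussed above. The function name `Get-RdpRedirectionPolicy` is hypothetical; the registry value names are the standard Terminal Services policy values, where 1 means the channel is disabled.

```powershell
# Report which RDP redirection channels are blocked by policy on this host.
# Run on the session host (the machine users RDP into), not on the client.
function Get-RdpRedirectionPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # Policy value name -> channel it disables when set to 1.
    $checks = [ordered]@{
        fDisableCdm      = 'Drive redirection'
        fDisableClip     = 'Clipboard redirection'
        fDisableCpm      = 'Printer redirection'
        fDisableLPT      = 'LPT port redirection'
        fDisableCcm      = 'COM port redirection'
        fDisablePNPRedir = 'Plug and Play device redirection'
    }

    # The key is absent when no Terminal Services policy has been applied.
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    foreach ($name in $checks.Keys) {
        $value = if ($policy) { $policy.$name } else { $null }
        [pscustomobject]@{
            Channel     = $checks[$name]
            PolicyValue = $name
            Setting     = if ($null -eq $value) { 'not configured' } else { $value }
            Blocked     = ($value -eq 1)
        }
    }
}

$report = Get-RdpRedirectionPolicy
$report | Format-Table -AutoSize

# List the channels that policy does not block, so drift is easy to spot.
$open = $report | Where-Object { -not $_.Blocked }
if ($open) {
    Write-Warning ("Not blocked by policy: " + ($open.Channel -join ', '))
}
```

A channel reported as not blocked may still be restricted elsewhere (for example in the listener or RD Gateway settings), so treat the output as a policy check rather than proof that redirection works.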
