Ben I agree with you about where the weakness lies. Let me say its forums like this where we gain the most benefit from those that have vast experience and we are able to flesh out these issues. It's a privilege to be a part of this group.
I understand the encryption part of things. Encryption is just part of the whole picture, you don't paint a picture without the paint, and that's all it is. One color of the picture. I was just making a case for the use of a ssl website vs rdp in terms of public exposure. Same exposure, same encryption, same problems, but we still do it for the business need. Remember who we are talking about, SMB space, until a SMB solution that does not drive a 10 person or under network over 10k for these "add-ons" it's simply not going to happen. They want bang for the buck, and they surely won't sit down in a sales pitch and let you scare them to death as to the why you have to do it. Some will, but most surely do not. The end point side is absolutely valid and where I personally feel where 80% of most problems are going to be in the near future, if not already. Problem is that this has the same effect whether you are dealing with this, a managed VPN, PPTP, IPSEC, whatever the transport is. Then typically you have HUGE holes open between networks instead of bringing it down to just one attack surface. Like you pointed out Ben there is no real 100%, but depending on the policies in place, (near non existent in SMB's, nor will they pay for it initially), budget available (hahah, SMB's hardly ever spent budget dollars just because they may lose it the next year like Corps do) we work to provide them a relatively secure, cost effective, and value adds to their business. As we earn trust and understanding these concepts are easier for them to digest since we already have a relationship in place, but it ALWAYS comes down to dollars, never a budget, what is leaving my wallet as a result of what you are saying, and how is it going to put money back in to replace it or prevent against more leaving. Arguably the last point is where I stand my ground, but sometimes it's not enough. They are just different waters we navigate in the same big ocean. Greg -----Original Message----- From: Ben Scott [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 01, 2008 5:34 PM To: NT System Admin Issues Subject: Re: Public TS - opinions? On Tue, Apr 1, 2008 at 5:09 PM, <[EMAIL PROTECTED]> wrote: > Correct me if I am wrong, but isn't RDP 128 bit encrypted ... Gah. Encryption isn't like horsepower. Comparing key sizes doesn't tell you how secure something is. And you can't make something secure just by sprinkling a little cryptology on it. In particular, the size of the session key doesn't matter when there's no host authentication at all, and user authentication is done via a password that's probably got about 10 to 20 bits of entropy if you're lucky. And is probably the user's last name if you're not. Google "man in the middle attack" for just one scenario. But even then, I'd be a lot more worried about the end-points. Most compromises have come from the end-points, not the transport. We're talking about allowing connections from unknown, untrusted, arbitrary clients. Most of which probably already have some kind of malware on them. Keystroke loggers would be especially scary. And can the secondary channels that RDP uses for things like remote printing act as a conduit for malware to the server? > 6. Token, 3rd party authentication Aren't two-factor authentication products also rather expensive? Certainly more-so than, say, OpenVPN, or even the IPsec stuff built-in to Windows, no? That said, the rest of your recommendations are certainly good; I just think that's not where the weaknesses lie. -- Ben ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~ ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
