If you want to get silly you could always use certificates with RDP, but
why the hassle. 

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505

-----Original Message-----
From: Ben Scott [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2008 5:34 PM
To: NT System Admin Issues
Subject: Re: Public TS - opinions?

On Tue, Apr 1, 2008 at 5:09 PM,  <[EMAIL PROTECTED]> wrote:
> Correct me if I am wrong, but isn't RDP 128 bit encrypted ...

  Gah.  Encryption isn't like horsepower.  Comparing key sizes doesn't
tell you how secure something is.  And you can't make something secure
just by sprinkling a little cryptology on it.

  In particular, the size of the session key doesn't matter when
there's no host authentication at all, and user authentication is done
via a password that's probably got about 10 to 20 bits of entropy if
you're lucky.  And is probably the user's last name if you're not.
Google "man in the middle attack" for just one scenario.

  But even then, I'd be a lot more worried about the end-points.  Most
compromises have come from the end-points, not the transport.  We're
talking about allowing connections from unknown, untrusted, arbitrary
clients.  Most of which probably already have some kind of malware on
them.  Keystroke loggers would be especially scary.  And can the
secondary channels that RDP uses for things like remote printing act
as a conduit for malware to the server?

> 6.       Token, 3rd party authentication

  Aren't two-factor authentication products also rather expensive?
Certainly more so than, say, OpenVPN, or even the IPsec stuff built into
Windows, no?

  That said, the rest of your recommendations are certainly good; I
just think that's not where the weaknesses lie.

-- Ben
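An added example, not from either poster: the point Ben makes about "no host authentication at all" is exactly what Ed's "certificates with RDP" addresses, so below is a PowerShell audit script that checks, and optionally enforces, the RDP-Tcp listener settings that give the host a verifiable identity (TLS security layer, Network Level Authentication, high encryption level) and binds a CA-issued certificate to the listener. It assumes a Windows Server 2008 or later host, an elevated shell, and the standard RDP-Tcp registry key and `Win32_TSGeneralSetting` WMI class; the thumbprint is a placeholder you replace with one from your own CA.

```powershell
# Added example (not from the thread): audit, and optionally enforce, the
# RDP-Tcp listener settings that let a client verify the server it talks to.
# Assumes Windows Server 2008 or later and an elevated PowerShell session.

$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Desired values for the listener:
#   SecurityLayer      2 = TLS: the server presents a certificate the client can check,
#                          which is what blocks the man-in-the-middle scenario
#   UserAuthentication 1 = Network Level Authentication before a session is created
#   MinEncryptionLevel 3 = High (128-bit); use 4 for FIPS-compliant algorithms only
$Desired = @{
    SecurityLayer      = 2
    UserAuthentication = 1
    MinEncryptionLevel = 3
}

function Get-RdpListenerSettings {
    # Reads the three values straight from the listener key
    $props = Get-ItemProperty -Path $ListenerKey
    [pscustomobject]@{
        SecurityLayer      = $props.SecurityLayer
        UserAuthentication = $props.UserAuthentication
        MinEncryptionLevel = $props.MinEncryptionLevel
    }
}

function Test-RdpListenerSettings {
    # Returns $true when every value matches $Desired; with -Enforce it also fixes drift
    param([switch]$Enforce)
    $current   = Get-RdpListenerSettings
    $compliant = $true
    foreach ($name in $Desired.Keys) {
        $have = $current.$name
        $want = $Desired[$name]
        if ($have -ne $want) {
            $compliant = $false
            Write-Warning ("{0}: found {1}, expected {2}" -f $name, $have, $want)
            if ($Enforce) {
                Set-ItemProperty -Path $ListenerKey -Name $name -Value $want -Type DWord
            }
        }
        else {
            Write-Output ("{0}: OK ({1})" -f $name, $have)
        }
    }
    return $compliant
}

function Set-RdpListenerCertificate {
    # Binds a certificate from LocalMachine\My to the RDP-Tcp listener so the
    # TLS security layer presents it instead of a self-signed one.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; the listener cannot use it"
    }
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                        -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'"
    Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null
    Write-Output ("Listener now presents {0} (expires {1})" -f $cert.Subject, $cert.NotAfter)
}

# Usage: audit first, then enforce and bind a certificate issued by your own CA.
$ok = Test-RdpListenerSettings
if (-not $ok) { Test-RdpListenerSettings -Enforce | Out-Null }
# Set-RdpListenerCertificate -Thumbprint 'REPLACE_WITH_THUMBPRINT_FROM_YOUR_CA'
```

The registry values apply to new connections; restarting the TermService service is the safe way to be sure they are in force. The certificate only helps if clients trust the issuing CA and refuse to connect on a name mismatch, so pair this with a client-side policy that does not let users click through certificate warnings. None of this touches Ben's second point: the client endpoint is still untrusted, and TLS does nothing about a keystroke logger on the far side.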

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!    ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~
