Not sure how this specifically relates to firewalls...
However, as stated by MS: "every version of RDP uses RSA Security’s RC4
cipher, a stream cipher designed to efficiently encrypt small amounts of
varying size data. RC4 is designed for secure communications over networks,
and is also used in protocols such as SSL, which encrypts traffic to and
from secure Web sites.
In Windows 2000, administrators can choose to encrypt the data using a 56-
or 128-bit key. Encryption is bi-directional except when using the ‘low’
security setting that only encrypts data from the client to the server
(which protects sensitive information such as passwords). The default
setting is “medium” which uses a 56-bit key to bi-directionally encrypt the
data. 128-bit encryption can be enabled after installing the Windows 2000
High Encryption Pack."
As previously stated, the largest flaw is the lack of pre-Windows
authentication. For a more secure system, a non-Windows authentication
should be first, and then once authenticated, access to the Terminal
Services/Remote Desktop authentication process (connected to Windows
authentication) should be granted.
Without writing your own pre-authentication system, or involving a 3rd
party, you could limit connections to TCP port 3389 based on allowed IP
addresses at your firewall.
Regards,
- Dan
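Dan's closing suggestion, limiting connections to TCP port 3389 by source address at the firewall, carried through as an added example (not code from the original thread). It assumes a Linux packet filter in front of the Terminal Server; the iptables rule syntax is real, but the allow-list networks, the `RDP-DENY:` log prefix and the sample connection attempts are constructed for the example.

```python
import ipaddress

RDP_PORT = 3389

# Constructed allow-list of management networks (hypothetical values, not from
# the thread). Only these sources may reach the Terminal Server on TCP 3389.
ALLOWED_SOURCES = ["192.0.2.0/24", "198.51.100.7"]


def build_iptables_rules(allowed=ALLOWED_SOURCES, port=RDP_PORT):
    """Render the allow-list as iptables INPUT rules.

    One ACCEPT per allowed network, then a LOG and a DROP for everything else
    hitting the RDP port, so refused connection attempts leave a trace.
    """
    rules = []
    for net in allowed:
        network = ipaddress.ip_network(net, strict=False)  # "a.b.c.d" becomes a /32
        rules.append(
            f"iptables -A INPUT -p tcp --dport {port} -s {network} -j ACCEPT"
        )
    rules.append(
        f'iptables -A INPUT -p tcp --dport {port} -j LOG --log-prefix "RDP-DENY: "'
    )
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


def filter_packet(src_ip, dst_port, allowed=ALLOWED_SOURCES, port=RDP_PORT):
    """Evaluate one inbound TCP SYN against the same policy; first match wins.

    Returns "ACCEPT" or "DROP" for traffic to the RDP port and "PASS" for
    any other port, which this rule set does not decide.
    """
    if dst_port != port:
        return "PASS"
    src = ipaddress.ip_address(src_ip)
    for net in allowed:
        if src in ipaddress.ip_network(net, strict=False):
            return "ACCEPT"
    return "DROP"


def audit_connection_log(entries, **policy):
    """Apply the policy to (src_ip, dst_port) pairs and return the sources
    that would have been dropped, e.g. for reviewing who is probing 3389."""
    return [src for src, port in entries
            if filter_packet(src, port, **policy) == "DROP"]


if __name__ == "__main__":
    print("\n".join(build_iptables_rules()))
    # Constructed sample of inbound SYNs as a firewall might have logged them
    sample = [("192.0.2.55", 3389), ("203.0.113.9", 3389), ("203.0.113.9", 443)]
    print("dropped:", audit_connection_log(sample))
```

The `filter_packet` function models the rule set's first-match behaviour so the policy can be checked offline before the rules are loaded. Note that source filtering is a network control, not the pre-Windows authentication Dan asks for: anything arriving from an allowed address (a shared NAT, a compromised host on the management network) still reaches the Windows logon directly.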
> -----Original Message-----
> From: firewall-wizards-admin_at_honor.icsalabs.com
> [mailto:firewall-wizards-admin_at_honor.icsalabs.com] On Behalf
> Of GChen_at_allianz.ca
> Sent: January 6, 2004 9:21 AM
> To: morty_at_frakir.org
> Cc: firewall-wizards_at_nfr.com;
> firewall-wizards-admin_at_honor.icsalabs.com; TSimons_at_Delphi-Tech.com
> Subject: RE: [fw-wiz] RDP and security
>
> Windows 2003 Server may have fixed the issue. It supports SSL for
> Terminal Services over the web.
>
> From: TSimons_at_Delphi-Tech.com
> Sent by: firewall-wizards-admin_at_honor.icsalabs.com
> Sent: 01/05/2004 08:24 AM
> To: morty_at_frakir.org
> cc: firewall-wizards_at_nfr.com
> Subject: RE: [fw-wiz] RDP and security
>
> In our eyes the biggest design flaw is that there is no
> authentication prior to the windows authentication. PCs in a
> locked office are more secure than a Terminal Server out on
> the public internet... because you need a key to get into the office.
>
> -----Original Message-----
> From: Mordechai T. Abzug [mailto:morty_at_frakir.org]
> Sent: Friday, November 21, 2003 12:48 AM
> To: firewall-wizards_at_nfr.com
> Subject: [fw-wiz] RDP and security
>
>
>
> Anyone have any strong opinions on the security of RDP
> (Microsoft's terminal server/remote desktop protocol)?
> Poking around on the net, I see that they've had at least one
> design flaw that supposedly hasn't been fixed (i.e. server
> identification). Any other design problems?
>
> Thanks!
>
> - Morty
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards_at_honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Jan 23 2004