Full Disclosure mailing list archives

Re: RDP, can it be done safely?
From: "Cor Rosielle" <cor () outpost24 com>
Date: Thu, 10 Jun 2010 10:47:25 +0200

And then of course you have established a secure connection. Make sure you
also subjugate your users to only do what they are authorized to do. In an
RDP session far too often a user can gain shell access or can access data
that should be inaccessible.

Regards, Cor

From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Jonathan
Sent: Wednesday, 9 June 2010 23:44
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] RDP, can it be done safely?

"My question therefore is, can I turn on RDP safely, without exposing my
Windows server to risk of exploitation?"
Yes. As long as you set up Terminal Services correctly to only allow clients
that use encrypted RDP clients to log in, it is relatively safe to allow
users RDP access. There is an option that allows people using unsafe,
unencrypted RDP clients to log in for legacy compatibility reasons, but it
would be bad to allow that. Make sure they have strong passwords because
most likely you will see in your logs people brute forcing logins to it
every day if you open it up to the WAN. I have seen multiple brute force
attempts on an SSH box I had set up remotely from my house, and I'm not even
running a business. You can set an account lockout policy for RDP to stop
them from attempting so much:
http://www.mobydisk.com/techres/securing_remote_desktop.html .

Now, you also have to take into account that users' computers at home are probably
not very sanitary, so there is also a risk of their passwords getting
sniffed by keyloggers from malware (especially if these people are so
enthusiastic about using Windows). But as far as I know, over the wire RDP is
an encrypted protocol, so the traffic is safe from being sniffed. If the data
is too sensitive I wouldn't do it myself, but if you're at Joe Schmoe's small
business I'd say go for it.
On Wed, Jun 9, 2010 at 3:35 PM, Daniel Sichel <daniels () ponderosatel com>


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
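The thread recommends three things: refuse legacy unencrypted RDP clients, enforce an account lockout policy, and watch the logs for brute-force attempts. The script below is an added example written for this archive page, not code from either poster; it audits the RDP-Tcp listener values under the Terminal Server registry key (MinEncryptionLevel, SecurityLayer, UserAuthentication, which are real Windows settings), applies the hardened values on request, sets a lockout policy with `net accounts`, and summarises Security event 4625 (failed logon) by source address. The thresholds (5 attempts, 30 minutes) and the 24-hour window are assumptions chosen for illustration.

```powershell
# Added example (not from the list thread). Run in an elevated PowerShell on the
# server that exposes RDP. Functions only report; Set-RdpListenerHardening and
# Set-LogonLockoutPolicy change settings and are called explicitly at the bottom.

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Test-RdpListenerHardening {
    # Returns a list of findings; an empty list means the listener refuses
    # legacy clients the way the thread recommends.
    $p = Get-ItemProperty -Path $RdpTcpKey
    $findings = @()
    # MinEncryptionLevel: 1 Low, 2 Client Compatible, 3 High, 4 FIPS.
    if ($p.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel=$($p.MinEncryptionLevel): low/client-compatible encryption still accepted"
    }
    # SecurityLayer: 0 legacy RDP security, 1 negotiate, 2 TLS required.
    if ($p.SecurityLayer -lt 2) {
        $findings += "SecurityLayer=$($p.SecurityLayer): TLS not required, legacy RDP security negotiable"
    }
    # UserAuthentication: 1 = Network Level Authentication required before a session is created.
    if ($p.UserAuthentication -ne 1) {
        $findings += "UserAuthentication=$($p.UserAuthentication): NLA not required"
    }
    return $findings
}

function Set-RdpListenerHardening {
    # Hardened values: high encryption, TLS security layer, NLA required.
    Set-ItemProperty -Path $RdpTcpKey -Name MinEncryptionLevel -Value 3 -Type DWord
    Set-ItemProperty -Path $RdpTcpKey -Name SecurityLayer      -Value 2 -Type DWord
    Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value 1 -Type DWord
}

function Set-LogonLockoutPolicy {
    # Local account lockout: 5 bad attempts within 30 minutes locks the account
    # for 30 minutes (assumed thresholds; lockoutwindow must not exceed lockoutduration).
    param([int]$Threshold = 5, [int]$Minutes = 30)
    net accounts /lockoutthreshold:$Threshold /lockoutduration:$Minutes /lockoutwindow:$Minutes | Out-Null
}

function Get-FailedLogonSummary {
    # Counts Security event 4625 (an account failed to log on) per source IP in
    # the last $Hours hours. RDP failures show logon type 10, or type 3 when NLA
    # rejects the credentials before a session exists, so both are included.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $type = ($data | Where-Object Name -eq 'LogonType').'#text'
            if ($type -in @('3', '10')) {
                ($data | Where-Object Name -eq 'IpAddress').'#text'
            }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object -First 10 @{ n = 'SourceIp'; e = { $_.Name } }, Count
}

# Audit, then harden and report.
$findings = Test-RdpListenerHardening
if ($findings.Count -eq 0) {
    Write-Host 'RDP-Tcp listener already enforces TLS, high encryption and NLA.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    Set-RdpListenerHardening
    Write-Host 'Hardened values written; they apply to new connections (restart TermService or reboot to be sure).'
}
Set-LogonLockoutPolicy
Write-Host 'Failed logons in the last 24 hours, top sources:'
Get-FailedLogonSummary | Format-Table -AutoSize
```

The registry values are per listener, so a server with additional WinStations needs the same check on each one, and in a domain the lockout policy set here is overridden by the Default Domain Policy. The 4625 summary is the quick way to confirm what the poster describes, daily brute-force attempts against anything reachable from the WAN, and is the number to alert on once the lockout policy is in place.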
