Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: RDP, can it be done safely?
From: Larry Seltzer <larry () larryseltzer com>
Date: Thu, 10 Jun 2010 05:44:27 -0400

All right, I guess you've got a point. I reflexively say VPN at times like
this because the very few reported RDP attacks I've seen have been MITM
attacks of the sort that VPNs effectively block. But a client
certificate/TLS implementation accomplishes the same thing and all you have
to open is the RDP port.

On Wed, Jun 9, 2010 at 11:58 PM, Thor (Hammer of God)
<Thor () hammerofgod com>wrote:

I request that you start thinking about RDS/TS/RDP as a “direct”
technology.  Treating access via RDP as something that one must first
VPN/RAS into a corpnet first in order to secure properly obscures what one
might consider obvious:



If you require me to logon to your network via VPN first before I can
subsequently connect to internal RDP resources, one might consider the VPN
endpoint as the primary authentication point.  As such, one might logically
conclude that since access was granted via the VPN, that internal access to
RDP resources would be considered “safe.”  In this model, what is the
difference between me authenticating to the VPN endpoint as opposed to me
authenticating to an RDP endpoint?



Insofar as the authentication layer is concerned, there really isn’t a
difference.  However, when it comes to a network-level “least privilege”
standpoint, I think there are stark differences:  The VPN endpoint typically
will give the end user full-stack IP access to resources unless otherwise
specified.  RDP endpoints however only require the specified RDP port to
access the host.  What happens after a successful connection to the host is
up to the admin.   In the case of RDP via TSGateway, we find that one can
deploy a server at the “connection-level” using client certificates – not
only for encryption upon connection, but for validation TO connect in the
first place.



To me, that is an important distinction.



VPN endpoint authentication might lead to the propensity for one to
consider access to down-range resources as authorized.  I don’t think you
should do that when you consider the capabilities an attacker has given an
“open pipe” once authenticated versus an single protocol access to a machine
you can tightly control.



I only bring this up because I think one should consider the ramifications
of the “VPN first” model before assuming it grants you some inherent
security.



t



*From:* full-disclosure-bounces () lists grok org uk [mailto:
full-disclosure-bounces () lists grok org uk] *On Behalf Of *Larry Seltzer
*Sent:* Wednesday, June 09, 2010 2:20 PM
*To:* noloader () gmail com; Daniel Sichel

*Cc:* full-disclosure () lists grok org uk
*Subject:* Re: [Full-disclosure] RDP, can it be done safely?



See http://technet.microsoft.com/en-us/library/cc782610(WS.10).aspx



If you connect through a VPN it should be as secure as anything else you’re
going to consider.



*From:* full-disclosure-bounces () lists grok org uk [mailto:
full-disclosure-bounces () lists grok org uk] *On Behalf Of *Jeffrey Walton
*Sent:* Wednesday, June 09, 2010 5:04 PM
*To:* Daniel Sichel
*Cc:* full-disclosure () lists grok org uk
*Subject:* Re: [Full-disclosure] RDP, can it be done safely?



Hi Dan,



Where are the users located (local LAN or from an untrusted network such as
the Internet)?



If I recall correctly, RDP encryption is "turned on" from a GPO setting
that applies to the host/server, and not just RDP [or was it strong
encryption?] (corrections, please). So you can get a secure RDP connection
at the cost of possibly breaking other functionality.

You might find it easier to use another remote access solution.


Jeff



On Wed, Jun 9, 2010 at 4:35 PM, Daniel Sichel <daniels () ponderosatel com>
wrote:

We have a boneheaded group of software developers who even in this day and
age eschew the client server model of software for the easier dumber run it
from the console school of design. So I have this idiotic Windows accounting
application that MUST run on an application server, cannot be run from a
client.  Rather than have my accounting department log in directly to the
physical box, I would like to have them use some flavor of terminal services
on my Windows server. My question therefore is, can I turn on RDP safely,
without exposing my Windows server to risk of exploitation?

Thanks for any help you can give.

Dan S.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]