Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: RDP, can it be done safely?
From: "Thor (Hammer of God)" <Thor () hammerofgod com>
Date: Thu, 10 Jun 2010 14:10:58 +0000

To be specific, it actually doesn't require a "client" cert in the strictest sense.  You can configure certificate 
parameters on the server in such a way that certificate trust chains must be honored (close enough) but if you want 
true client authentication based on a certificate, you would have to publish the RDP over RPC/HTTP(s) via something 
like ISA where you can specifically configure a listener to require client authentication certificates to be 
"presented" to the publisher, but that's not really the same thing.

t

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-
bounces () lists grok org uk] On Behalf Of Marsh Ray
Sent: Thursday, June 10, 2010 3:44 AM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] RDP, can it be done safely?

On 6/10/2010 4:44 AM, Larry Seltzer wrote:
All right, I guess you've got a point. I reflexively say VPN at times
like this because the very few reported RDP attacks I've seen have
been MITM attacks of the sort that VPNs effectively block. But a
client certificate/TLS implementation accomplishes the same thing and
all you have to open is the RDP port.

MS Terminal Services Gateway can be set up to require client cert
authentication and comes in over SSL/TLS over port 443 (RPC over HTTPS I
think).

Allowing raw RDP to come in through the firewall is not something I would feel
real good about.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]