mailing list archives
Re: RDP, can it be done safely?
From: "Thor (Hammer of God)" <Thor () hammerofgod com>
Date: Thu, 10 Jun 2010 15:55:51 +0000
Hey Jeffery - sorry for the top post reply... What I was saying (in response to Larry) is that the "require a VPN to
connect first" doesn't necessarily buy you anything from a security perspective as opposed to directly publishing
terminal services. What I meant to say (though I didn't really say it well last night) was that if you connect to
the VPN with the same credentials that you would then connect to the TS box once connected to the VPN, that you really
haven't bought yourself anything - you may as well just directly connect to the RDP server. While this could be done
via 3389 directly (or any port for that matter) I personally would use TSG over 443. But I don't necessarily require
VPN first. I personally haven't VPNd into my own network for many years now. I just RDP directly to my resources.
My "full stack" comment meant to point out that if you set up a VPN for the purposes of getting to an RDP resource
internally, that that could actually be less secure than a "direct" connection to rdp since you are only allowing the
one port into your network from the client as opposed to that client having a full pipe to the rest of the network.
That point, however, gets lost in the reality of "well, you are on the remote desktop of a box on the network so what's
the difference" but I still think it is a valid point.
Hopefully that comes across better than my message last night - I was knee deep in a lot of stuff last night and my
email was not all that clear. ;)
From: Jeffrey Walton [mailto:noloader () gmail com]
Sent: Thursday, June 10, 2010 7:21 AM
To: Thor (Hammer of God)
Cc: Larry Seltzer; Daniel Sichel; full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] RDP, can it be done safely?
I only bring this up because I think one should consider the
ramifications of the "VPN first" model before assuming it grants you
some inherent security.
My experience in the enterprise and the work-at-home crowd has been:
(1) VPN into corpnet
(2) Land at a TS (users) or JumpBox (Admins)
I've read your reply a few times, so please forgive my ignorance: What are you claiming? (1) There are technologies
other than VPN? (2) Don't use VPN? (3) Use Windows Firewall and IP filtering? (4) Use RDP over HTTPS for single sign
on? Again, my apologies.
However, when it comes to a network-level "least privilege"
standpoint, I think there are stark differences: The VPN endpoint
typically will give the end user full-stack IP acces
to resources unless otherwise specified.
In this respect, how is VPN any different than a user walking in to the office, punching in, and signing on at the
computer in their cube?
For the Admin, its allow VPN to TS or jumpbox. Then network security applies. Or am I missing something in your
RDP endpoints however only require the specified RDP port to access the host.
This is kind of Apples and Oranges.... The vpn GIVES acces to TCP/IP, while rdp REQUIRES that 3389 be open on the host.
Perhaps I misread you.
On Wed, Jun 9, 2010 at 11:58 PM, Thor (Hammer of God) <Thor () hammerofgod com> wrote:
I request that you start thinking about RDS/TS/RDP as a "direct" technology. Treating access via RDP as something
that one must first VPN/RAS into a corpnet first in order to secure properly obscures what one might consider obvious:
If you require me to logon to your network via VPN first before I can subsequently connect to internal RDP resources,
one might consider the VPN endpoint as the primary authentication point. As such, one might logically conclude that
since access was granted via the VPN, that internal access to RDP resources would be considered "safe." In this
model, what is the difference between me authenticating to the VPN endpoint as opposed to me authenticating to an RDP
Insofar as the authentication layer is concerned, there really isn't a difference. However, when it comes to a
network-level "least privilege" standpoint, I think there are stark differences: The VPN endpoint typically will
give the end user full-stack IP access to resources unless otherwise specified. RDP endpoints however only require
the specified RDP port to access the host. What happens after a successful connection to the host is up to the
admin. In the case of RDP via TSGateway, we find that one can deploy a server at the "connection-level" using
client certificates - not only for encryption upon connection, but for validation TO connect in the first place.
To me, that is an important distinction.
VPN endpoint authentication might lead to the propensity for one to consider access to down-range resources as
authorized. I don't think you should do that when you consider the capabilities an attacker has given an "open pipe"
once authenticated versus an single protocol access to a machine you can tightly control.
I only bring this up because I think one should consider the ramifications of the "VPN first" model before assuming
it grants you some inherent security.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
Re: RDP, can it be done safely? Jonathan Leigh (Jun 09)
Re: RDP, can it be done safely? musnt live (Jun 11)
- Re: RDP, can it be done safely?, (continued)
- Re: RDP, can it be done safely? Jeffrey Walton (Jun 10)
- Re: RDP, can it be done safely? Thor (Hammer of God) (Jun 10)