Re: Windows Remote Desktop

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2004-01-13 Michael Gale wrote:
> Right now a internal user is complaining about the fact their remote
> desktop connection to their home PC is no longer working.
>
> The justification is that a remote PC out side the network is needed
> for testing.

o_O

> At which point I gladly offered to setup a out side box for testing.
> :)

^_^

> Any ways the question I have is, do you feel that Remote Desktop (into
> WinXP) is a secure enough connection to allow it. I mind you that this
> is supposed to be a  outbound connection only but you never know with
> windows.

RDP does use encryption (RC4), but I wouldn't want to rely on it. What
you could do is: install an ssh daemon on the target machine (e.g. the
Windows port of OpenSSH [1]) and establish the RDP connection through a
ssh tunnel. Make sure the Windows box is well-configured an patched,
otherwise the encrypted connection would be useless, as an attacker
could break into the box and 0wn the RDP server.

[1] http://lexa.mckenna.edu/sshwindows/

Regards
Ansgar Wiechers

---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------