Security Basics mailing list archives
RE: Remote Desktop vs VPN on Windows 2003
From: "Paris E. Stone" <pstone () alhurra com>
Date: Tue, 18 Jan 2005 15:30:19 -0500
As was my original post, avoid naked RDP on the internet at all costs. Secure it with other means.

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: Tuesday, January 18, 2005 9:01 AM
To: security-basics () securityfocus com
Subject: Re: Remote Desktop vs VPN on Windows 2003

On 2005-01-17 Roger A. Grimes wrote:
> I don't think RC4, by itself is weak...it's specific implementations of RC4 (like in WEP).

No. It's an algorithm problem, not an implementation problem.

> Yes, RDP did have an RC4 vulnerability in 2002, but it was patched. SSH had an RC4 vulnerability just a few months before RDP did (in 2001). Both are patched now.

The "patch" for SSH was to completely remove RC4 support. I don't think RDP was patched the same way (but I would welcome anyone to prove me wrong here).

> SSH seems to get hacked at least once a year.

True. But that's because of implementation problems, not because of problems with the underlying encryption algorithms. Implementation problems can be (more or less) easily patched. [...]

> RDP is free (for W2K and above),

Well, it's not really free, but I think I know what you mean.

> remote client can be nearly anything (especially with RDP ActiveX control),

Requiring IE which one usually wants to avoid.

> it's encrypted,

Using a weak algorithm.

> fast, has kick butt Edit-Copy, Edit-Paste features, remote printing (not so hot), drive mapping, etc.

True.

> RDP is arguably running on more Windows enterprise servers than any alternative but SSH (and maybe PC Anywhere), and it has not had a public exploit demonstrated since 2002. I'd say it is a strong candidate for consideration.

Please re-read my post. I was not suggesting to avoid RDP, but to tunnel RDP connections through e.g. SSH, which can be easily done. That way you have RDP *and* strong encryption.

Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety deserve neither liberty nor safety, and will lose both." --Benjamin Franklin