Security Basics mailing list archives

RE: Remote Desktop vs VPN on Windows 2003


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Wed, 19 Jan 2005 17:46:55 -0500

RDP's been around since Microsoft bought the Terminal Server technology
from Citrix...was that 1997 or 1998...product was code-named Hydra then.
They made RDP because they didn't get ICA from Citrix.

Odds are that if RDP had an active hack, it would be publicly known.
I'm quite familiar with the bug reporting to MS and you can report bugs
without abiding to any EULA.  It's your choice.  It's not as if they can
stop you from sending an email to secure () microsoft com and reporting on
the bug any way you want.  Many people report the bug to Bugtraq, not
MS.  

How many bugs exist in SSH that you don't know of?  It's an unanswerable
question on both sides.

-----Original Message-----
From: Michael Gale [mailto:michael.gale () bluesuperman com] 
Sent: Wednesday, January 19, 2005 5:26 PM
To: Roger A. Grimes; security-basics () securityfocus com
Subject: Re: Remote Desktop vs VPN on Windows 2003

Hello,

        Think of it like this ... the number of hacks vs the number of
connections available.

SSH is widely used on the Internet because it allows a secure
connection, where in Microsoft documents does it say "RDP is safe and
there are no concerns about using it over the Internet natively".

Plus there has been more than one RDP vulnerability, I have read on-line
at a few security sites where they have stated that they have reported
security vulnerabilities to Microsoft and Microsoft refused to accept
them.

So how many RDP bugs / issues get reported and turned down ?

Also Microsoft has that stupid agreement EULA, if you report a
vulnerability to Microsoft the bug can not be made public until a fix
has been released or until Microsoft has been given ample time to
release a patch.

How many bugs exist in RDP that you don't know of ??

You can not compare current RDP release to years SSH releases ... that
is like saying XP is more secure than your first ever release of Linux.
Compare current versions and releases.

Michael.


Roger A. Grimes wrote:
SSH multiple hacks...RDP one in 2002.  How is RDP the worse tool?  I 
keep waiting for facts?

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: Wednesday, January 19, 2005 12:05 PM
To: security-basics () securityfocus com
Subject: Re: Remote Desktop vs VPN on Windows 2003

On 2005-01-18 Roger A. Grimes wrote:

but if the Windows tool can do the same or better job, why not use the
free tools in the system?


Because it can't.

Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety deserve
neither liberty nor safety, and will lose both."
--Benjamin Franklin

