RE: Securing RDP - Is this possible?

["Scott Race" <scott () jda-networks com>]

If you want more info on securing RDP, see below:

Synopsis :

It may be possible to get access to the remote host. 

Description :

The remote version of Remote Desktop Protocol Server (Terminal
Service) is vulnerable to a man in the middle attack. 

An attacker may exploit this flaw to decrypt communications between
client and server and obtain sensitive information (passwords, ...). 

Solution :

Force the use of SSL as a transport layer for this service.

See also :

http://www.oxid.it/downloads/rdp-gbu.pdf

http://technet.microsoft.com/en-us/library/cc782610.aspx


Scott 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Alexandre Verriere
Sent: Wednesday, April 15, 2009 12:10 AM
To: Chip Panarchy
Cc: security-basics () securityfocus com
Subject: Re: Securing RDP - Is this possible?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

you can secure it using stunnel (ssl tunneling ) for example.


Hope this helps!


Chip Panarchy a écrit :
> Hello
>
> Is Secure RDP an impossibility?
>
> I am now working (WOOT) and they seem to use entirely RDP, almost no VNC...
>
> This, by my reckoning would make the network most insecure.
>
> Would you agree?
>
> Or is it possible to Secure RDP?
>
> Thanks in advance for sharing ideas on this matter,
>
> Panarchy
>
> ------------------------------------------------------------------------
> This list is sponsored by: InfoSec Institute
>
> Find the source of cybercrime! Almost every crime today involves a computer or mobile device. Learn how to become a 
> Computer Forensics Examiner in InfoSec Institute's hands-on Computer Forensics Course. Up to three industry 
> recognized certs available, online computer forensics training available.
>
> http://www.infosecinstitute.com/courses/computer_forensics_training.html
> ------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQEcBAEBAgAGBQJJ5Yg5AAoJEFtprSOdqQjsMngH/1Pa/vQWkucrFermYS+wn+qK
Pd3lrFIkwonYLDTOWwhuSrpuNo5tAM5FApeev8/ryN8kGRmSEg/J0J5IuaNELkfI
AIerpXSSmQtQRcr6mV0YSL2vvVo6ftnuulhG3VZPjuTrXM50xY7Mb/YjzzhApD5P
LJLMl5tyTDkqhzOP2MWbpIlGWaPhnrkhGqL5nKsj9vyXqbtB5XLSfOwlO9OtJuqY
6DnyLNzs7Y8tMUVmWjjr92U3im0CUewVdSrTMPgranhCL4BwQPFp0AIx0ZRZYEs5
+0wGdfcLvWRjnPLjB5p1ob9ImPgAiOlaoMQCZj7Eut4RXaR5KMb9IRHWi5zLHiA=
=ccJm
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Find the source of cybercrime! Almost every crime today involves a computer or mobile device. Learn how to become a 
Computer Forensics Examiner in InfoSec Institute's hands-on Computer Forensics Course. Up to three industry recognized 
certs available, online computer forensics training available.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Find the source of cybercrime! Almost every crime today involves a computer or mobile device. Learn how to become a 
Computer Forensics Examiner in InfoSec Institute's hands-on Computer Forensics Course. Up to three industry recognized 
certs available, online computer forensics training available.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
------------------------------------------------------------------------