Security Basics mailing list archives
Re: Securing RDP - Is this possible?
From: Security Focus <securityfocus () compucenter org>
Date: Thu, 16 Apr 2009 16:54:01 +0300
Here's a checklist of security improvements (sorted by order of difficulty and effectiveness).

1) Firewall the RDP service so only authorized IP addresses can connect, significantly limiting your exposure to a known set of IPs instead of being open to the world (external access) or to the Intranet (internal access). The individual or group administering the firewall should be separate from the system administrators.

2) If for whatever reason 1) is not possible, and you want admins to be able to RDP from IP addresses that cannot be predetermined, use an authenticating firewall which will request user credentials first (using a different set of credentials than those used to log on via RDP is a necessity) before allowing an incoming request to reach the target RDP host. This way you can create selective firewall rules that only allow certain administrators to connect to the RDP service only on certain hosts, based on their business need to know or need to do. Make sure the individual or group administering the firewall have no system admin privileges and vice-versa or this could end up being a self-defeating measure! It is only after system administrators have authenticated to the firewall that they would be authorized to establish a TCP connection to the RDP host, where they would have to authenticate one more time to the target RDP host using different credentials. No shared credentials should be used. You need to tie connection attempts whether successful or failed at the firewall and at the host to real persons.

3) For even stronger security, combine one of the above with tunneling (via SSH or SSL). In this case, you would authenticate SSH or SSL connections at the firewall first before allowing incoming connections through to the SSL or SSH tunnel endpoint.

George Jahchan

-----Original Message-----
From: Ansgar Wiechers <bugtraq () planetcobalt net>
To: security-basics () securityfocus com
Subject: Re: Securing RDP - Is this possible?
Date: Tue, 14 Apr 2009 22:17:56 +0200

On 2009-04-14 Chip Panarchy wrote:
> Is Secure RDP an impossibility?

No.

> I am now working (WOOT) and they seem to use entirely RDP, almost no VNC...

So?

> This, by my reckoning would make the network most insecure.

And why exactly might that be?

> Would you agree?

No.

> Or is it possible to Secure RDP?

Yes. RDP already is reasonably secure in itself (a lot more than VNC). If you want to make it even harder to attack: run the RDP connection through something like an SSH tunnel or a VPN.

Regards
Ansgar Wiechers
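
The checklist in the message above asks that connection attempts at the firewall and at the host, successful or failed, be tied to real persons. The following Python sketch is an added example, not part of the original thread, that correlates the two logs to do so; the log layout, the account names and the 15-minute window are assumptions, and all sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed identity map (hypothetical accounts): person -> (firewall account, RDP host account).
PEOPLE = {
    "alice": ("fw-alice", "adm-alice"),
    "bob": ("fw-bob", "adm-bob"),
}

# Constructed sample logs; the field layout is an assumption, not a product format.
FW_AUTH = [  # (time, firewall account, source IP, target host, succeeded)
    ("2009-04-16 09:00:05", "fw-alice", "198.51.100.7", "srv01", True),
    ("2009-04-16 09:30:00", "fw-bob", "203.0.113.9", "srv02", True),
    ("2009-04-16 10:00:00", "fw-bob", "203.0.113.9", "srv01", False),
]
RDP_LOGON = [  # (time, host account, source IP, host, succeeded)
    ("2009-04-16 09:01:10", "adm-alice", "198.51.100.7", "srv01", True),
    ("2009-04-16 09:31:00", "adm-alice", "203.0.113.9", "srv02", True),
    ("2009-04-16 10:01:00", "adm-bob", "203.0.113.9", "srv01", False),
    ("2009-04-16 11:00:00", "adm-bob", "192.0.2.44", "srv02", True),
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(fw_auth, rdp_logon, people, window=timedelta(minutes=15)):
    """Attribute each RDP logon attempt to the person who authenticated at the firewall."""
    fw_owner = {fw: p for p, (fw, _) in people.items()}
    host_owner = {host: p for p, (_, host) in people.items()}
    report = []
    for when, account, src, host, ok in rdp_logon:
        t = ts(when)
        # Successful firewall authentications for the same source and target, shortly before.
        prior = [f for f in fw_auth
                 if f[4] and f[2] == src and f[3] == host
                 and timedelta(0) <= t - ts(f[0]) <= window]
        if not prior:
            verdict, person = "NO_FIREWALL_AUTH", None
        else:
            latest = max(prior, key=lambda f: ts(f[0]))
            person = fw_owner.get(latest[1])
            verdict = "OK" if person and person == host_owner.get(account) else "IDENTITY_MISMATCH"
        report.append((when, host, account, person, "success" if ok else "failure", verdict))
    return report

if __name__ == "__main__":
    for row in correlate(FW_AUTH, RDP_LOGON, PEOPLE):
        print(row)
```

A `NO_FIREWALL_AUTH` row means the host saw an RDP attempt that no successful firewall authentication explains, and `IDENTITY_MISMATCH` means the host account used belongs to someone other than the person who authenticated at the firewall.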