Security Basics mailing list archives
RE: Remote Desktop vs VPN on Windows 2003
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Mon, 17 Jan 2005 20:00:35 -0500
I don't think RC4, by itself, is weak...it's specific implementations of RC4 (like in WEP). Yes, RDP did have an RC4 vulnerability in 2002, but it was patched. SSH had an RC4 vulnerability just a few months before RDP did (in 2001). Both are patched now.

SSH seems to get hacked at least once a year. SSL gets hacked at least once a year. VNC frequently gets hacked and has worms galore looking for its ports.

RDP is free (for W2K and above), the remote client can be nearly anything (especially with the RDP ActiveX control), it's encrypted, fast, has kick butt Edit-Copy, Edit-Paste features, remote printing (not so hot), drive mapping, etc. RDP is arguably running on more Windows enterprise servers than any alternative but SSH (and maybe PC Anywhere), and it has not had a public exploit demonstrated since 2002.

I'd say it is a strong candidate for consideration.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
***************************************************************************

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: Monday, January 17, 2005 12:52 PM
To: security-basics () securityfocus com
Subject: Re: Remote Desktop vs VPN on Windows 2003

On 2005-01-14 Roger A. Grimes wrote:
> I can think of NO reason not to use Remote Desktop. Remote Desktop is
> fast and secure.

Fast: yes. But secure? AFAIK terminal services use RC4 for encryption, which has been known to be weak for quite a few years now. Better set up an SSH server and establish the RDP session through an SSH tunnel. That's easy to set up, easy to use and secure as well.

> Everything is encrypted past the logon name. To get additional security
> assurance, change the default TCP port from 3389 to something randomly
> high...like 58645 (which you can do with a regedit on the server...just
> google it). Then add the new port number to your server
> address...like www.example.com:58645.

Switching ports is just adding obscurity, not security.

Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety deserve
neither liberty nor safety, and will lose both."
--Benjamin Franklin
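The tunnel Ansgar suggests, combined with the non-default RDP port from Roger's message, as an added example that is not part of the thread. Everything in it is constructed: the host names (bastion.example.com), the ports, the RUN_TUNNEL switch and the helper function names are the script's own assumptions, and the registry change that moves the RDP listener off 3389 is left out; the script only consumes the resulting port number.

```shell
#!/bin/sh
# Added example (not from the thread): forward a local port over SSH to an RDP
# listener, so the RDP session rides inside the SSH tunnel instead of crossing
# the Internet on its own. Host names and ports are constructed placeholders.
#
# Usage: RUN_TUNNEL=1 sh rdp_over_ssh.sh
#        then point the RDP client at 127.0.0.1:13389

SSH_HOST="bastion.example.com"   # hypothetical SSH server exposed to the outside
RDP_HOST="127.0.0.1"             # RDP target as seen from the SSH server itself
RDP_PORT="58645"                 # non-default RDP port (the thread's example value)
LOCAL_PORT="13389"               # local end of the tunnel on the client machine

# valid_port PORT: succeed only for an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# rdp_tunnel_cmd LOCAL_PORT SSH_HOST RDP_HOST RDP_PORT: print the ssh command.
#   -N                           no remote shell, port forwarding only
#   -o ExitOnForwardFailure=yes  exit instead of silently connecting without
#                                the forward when LOCAL_PORT is already in use
#   -L 127.0.0.1:L:H:P           bind L on the loopback interface only, so other
#                                machines on the client's LAN cannot ride the tunnel
rdp_tunnel_cmd() {
    valid_port "$1" || { echo "bad local port: $1" >&2; return 1; }
    valid_port "$4" || { echo "bad RDP port: $4" >&2; return 1; }
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
        "$1" "$3" "$4" "$2"
}

# Start the tunnel only when asked, so the functions can be sourced on their own.
if [ "${RUN_TUNNEL:-0}" = 1 ]; then
    cmd=$(rdp_tunnel_cmd "$LOCAL_PORT" "$SSH_HOST" "$RDP_HOST" "$RDP_PORT") || exit 1
    echo "starting: $cmd"
    $cmd &
    TUNNEL_PID=$!
    # Give ssh a few seconds to authenticate and bind the local port.
    sleep 3
    kill -0 "$TUNNEL_PID" 2>/dev/null || { echo "tunnel did not come up" >&2; exit 1; }
    echo "tunnel up: connect the RDP client to 127.0.0.1:$LOCAL_PORT"
    wait "$TUNNEL_PID"
fi
```

With this in place the server needs only its SSH port reachable from outside; the RDP port, default or not, can stay filtered at the perimeter, which is what makes the port change a convenience rather than a control.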
Current thread:
- Remote Desktop vs VPN on Windows 2003 Jeff Randall (Jan 14)
- Re: Remote Desktop vs VPN on Windows 2003 Michael Gale (Jan 17)
- <Possible follow-ups>
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 17)
- Re: Remote Desktop vs VPN on Windows 2003 Ansgar -59cobalt- Wiechers (Jan 17)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- Re: Remote Desktop vs VPN on Windows 2003 Ansgar -59cobalt- Wiechers (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Roger A. Grimes (Jan 19)
- Re: Remote Desktop vs VPN on Windows 2003 Anonymous (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 John McGuire (Jan 19)
- Re: Remote Desktop vs VPN on Windows 2003 shrek-m () gmx de (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 David Gillett (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Paris E. Stone (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Rhett Grant (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Paris E. Stone (Jan 19)
- RE: Remote Desktop vs VPN on Windows 2003 Danny Puckett (Jan 19)
(Thread continues...)