RE: Remote Desktop vs VPN on Windows 2003

["Roger A. Grimes" <roger () banneretcs com>]

I appreciate what you are both saying...but security is always a trade
off of security vs. usability.

RDP does not have a known vulnerability against it...you mention
RC4...but again...until I hear that RDP is exploitable again, it's a
great tool for me to use.  If I'm running a NASA server or something top
secret, I might need a more secure tool...but I'm pretty sure I'm not
going to be running SSH either.

If I need high security, I can also require the use of a smart card to
use RDP.

Also, if my background is strong Windows and weak on Unix and
Unix-ported tools...why not stay with secure Windows tool?

I love using open source and Unix-ported tools...but if the Windows tool
can do the same or better job, why not use the free tools in the system?

-----Original Message-----
From: Paris E. Stone [mailto:pstone () alhurra com] 
Sent: Tuesday, January 18, 2005 3:30 PM
To: Ansgar -59cobalt- Wiechers; security-basics () securityfocus com
Subject: RE: Remote Desktop vs VPN on Windows 2003

As was my original post, avoid naked RDP on the internet at all costs.

Secure it with other means.

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: Tuesday, January 18, 2005 9:01 AM
To: security-basics () securityfocus com
Subject: Re: Remote Desktop vs VPN on Windows 2003

On 2005-01-17 Roger A. Grimes wrote:
> I don't think RC4, by itself is weak...it's specific implementations 
> of RC4 (like in WEP).

No. It's an algorithm problem, not an implementation problem.

> Yes, RDP did have an RC4 vulnerability in 2002, but it was patched.
> SSH had an RC4 vulnerability just a few months before RDP did (in 
> 2001). Both are patched now.

The "patch" for SSH was to completely remove RC4 support. I don't think
RDP was patched the same way (but I would welcome anyone to prove me
wrong here).

> SSH seems to get hacked at least once a year.

True. But that's because of implementation problems, not because of
problems with the underlying encryption algorithms. Implementation
problems can be (more or less) easily patched.

[...]
> RDP is free (for W2K and above),

Well, it's not really free, but I think I know what you mean.

> remote client can be nearly anything (especiallly with RDP ActiveX 
> control),

Requiring IE which one usually wants to avoid.

> its encrypted,

Using a weak algorithm.

> fast, has kick butt Edit-Copy, Edit-Paste features, remote printing 
> (not so hot), drive mapping, etc.

True.

> RDP is arguably running on more Windows enterprise servers than any 
> alternative but SSH (and maybe PC Anywhere), and it has not had a 
> public exploit demonstrated since 2002.  I'd say it is a strong 
> candidate for consideration.

Please re-read my post. I was not suggesting to avoid RDP, but to tunnel
RDP connections through e.g. SSH, which can be easily done. That way you
have RDP *and* strong encryption.

Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety deserve
neither liberty nor safety, and will lose both."
--Benjamin Franklin