Security Basics mailing list archives

Re: Securing RDP - Is this possible?


From: Security Focus <securityfocus () compucenter org>
Date: Thu, 16 Apr 2009 16:54:01 +0300

Here's a checklist of security improvements (sorted by order of
difficulty and effectiveness).

1) Firewall the RDP service so only authorized IP addresses can connect,
significantly limiting your exposure to a known set of IPs instead of
being open to the world (external access) or to the Intranet (internal
access). The individual or group administering the firewall should be
separate from the system administrators.

2) If for whatever reason 1) is not possible, and you want admins to be
able to RDP from IP addresses that cannot be predetermined, use an
authenticating firewall which will request user credentials first (using
a different set of credentials than those used to log on via RDP is a
necessity) before allowing an incoming request to reach the target RDP
host. This way you can create selective firewall rules that only allow
certain administrators to connect to the RDP service only on certain
hosts, based on their business need to know or need to do. Make sure the
individual or group administering the firewall have no system admin
privileges and vice-versa or this could end up being a self-defeating
measure! It is only after system administrators have authenticated to
the firewall that they would be authorized to establish a TCP connection
to the RDP host, where they would have to authenticate one more time to
the target RDP host using different credentials. No shared credentials
should be used. You need to tie connection attempts, whether successful
or failed, at the firewall and at the host, to real persons.

3) For even stronger security, combine one of the above with tunneling
(via SSH or SSL). In this case, you would authenticate SSH or SSL
connections at the firewall first before allowing incoming connections
through to the SSL or SSH tunnel endpoint.

George Jahchan

-----Original Message-----
From: Ansgar Wiechers <bugtraq () planetcobalt net>
To: security-basics () securityfocus com
Subject: Re: Securing RDP - Is this possible?
Date: Tue, 14 Apr 2009 22:17:56 +0200

On 2009-04-14 Chip Panarchy wrote:
> Is Secure RDP an impossibility?

No.

> I am now working (WOOT) and they seem to use entirely RDP, almost no
> VNC...

So?

> This, by my reckoning would make the network most insecure.

And why exactly might that be?

> Would you agree?

No.

> Or is it possible to Secure RDP?

Yes.

Yes.

RDP already is reasonably secure in itself (a lot more than VNC). If you
want to make it even harder to attack: run the RDP connection through
something like an SSH tunnel or a VPN.

Regards
Ansgar Wiechers
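
Item 2 of the checklist above asks that every connection attempt, successful or failed, at the firewall and at the RDP host be tied to a real person. The Python below is an added example, not part of the original messages, that correlates the two log sources; the event tuples, credential names, owner mappings and the 15-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed mapping of credentials to real persons (assumption: one person per
# credential, and firewall credentials differ from host credentials).
FW_OWNER = {"fw-alice": "Alice", "fw-bob": "Bob"}
HOST_OWNER = {"adm-alice": "Alice", "adm-bob": "Bob"}

# Constructed sample events: (time, credential, source IP, RDP host, succeeded)
FW_EVENTS = [
    ("2009-04-16 09:00:05", "fw-alice", "198.51.100.7", "srv1", True),
    ("2009-04-16 09:10:00", "fw-bob", "203.0.113.9", "srv2", True),
    ("2009-04-16 09:30:00", "fw-bob", "203.0.113.9", "srv1", False),
]
HOST_EVENTS = [
    ("2009-04-16 09:01:10", "adm-alice", "198.51.100.7", "srv1", True),
    ("2009-04-16 09:11:30", "adm-alice", "203.0.113.9", "srv2", False),
    ("2009-04-16 09:31:00", "adm-bob", "203.0.113.9", "srv1", True),
    ("2009-04-16 09:40:00", "Administrator", "198.51.100.7", "srv1", True),
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(fw_events, host_events, window=timedelta(minutes=15)):
    """Return (host_event, finding) for every host RDP attempt, failed or not."""
    results = []
    for when, account, src, host, ok in host_events:
        person = HOST_OWNER.get(account)
        # Successful firewall authentications from the same source to the same
        # host, no more than `window` before the host logon attempt.
        prior = [e for e in fw_events
                 if e[4] and e[2] == src and e[3] == host
                 and timedelta(0) <= ts(when) - ts(e[0]) <= window]
        if person is None:
            finding = "account not tied to a real person"
        elif not prior:
            finding = "no firewall authentication preceded this attempt"
        elif all(FW_OWNER.get(e[1]) != person for e in prior):
            finding = "firewall and host credentials belong to different persons"
        else:
            finding = "ok: attributed to " + person
        results.append(((when, account, src, host, ok), finding))
    return results

if __name__ == "__main__":
    for event, finding in correlate(FW_EVENTS, HOST_EVENTS):
        print(event, "->", finding)
```

Any finding other than "ok" is a host attempt that cannot be attributed through both authentication tiers and is worth review.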

