Security Basics mailing list archives
Re: RDP over the internet
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Mon, 19 Mar 2012 19:52:28 +0100
On 2012-03-19 Dan Lynch wrote:
New vulnerabilities will be discovered every now and then. Duh. The question is: do they get fixed in a timely manner?The fact is that "open port" is a potential attack vector because a vulnerability may be discovered in the application.I'm sorry to have to break this to you, but as long as you're using TCP/IP you need an open port if you want to be able to establish a connection.But it's clear that *any* open port represents additional risk. If that open port is not required for the function of the system (as terminal services/RDP generally is not), it's an unnecessary risk (however convenient it might be). And that risk is compounded if that port is running by necessity with system level permissions, and offering up a login screen that people use with their admin credentials. Also, terminal services is dependent on the loading of yet another service: RPC. For these reasons, I don't believe the concern expressed over exposing RDP to the internet is "a massive generalisation". I think that concern is clearly justified.
Indeed. And I didn't write anything about "massive generalisation". I did, however, want to point out that one newly discovered vulnerability is no proof whatsoever for a claim about unpatched vulnerabilities.
RDP is not of the same risk level as, say NTP.
I'd argue that the complexity of VPN (or SSH) services is closer to RDP than to NTP, though. ;)
And if, when we point out that risk, CEOs then see security officers as "the enemy", it's because the security folks have failed to (1) account for the value in the convenience offered by things like RDP, (2) reasonably evaluate that value against the risk, and (3) consider what actions, configurations and technologies are available to mitigate the risk.
No argument there. And FTR: personally I do prefer using RDP through encrypted tunnels, even though RDP itself is an encrypted protocol. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Re: RDP over the internet, (continued)
- Re: RDP over the internet Thugzclub (Mar 15)
- Re: RDP over the internet Banyan He (Mar 16)
- Re: RDP over the internet Melissa Augustine (Mar 16)
- RE: RDP over the internet Dave Wray (Mar 16)
- Re: RDP over the internet synja (Mar 17)
- Re: RDP over the internet David J2 (Mar 17)
- Re: RDP over the internet Thugzclub (Mar 15)
- Re: RDP over the internet Ansgar Wiechers (Mar 16)
- Re: RDP over the internet Thugzclub (Mar 19)
- Re: RDP over the internet Ansgar Wiechers (Mar 19)
- RE: RDP over the internet Dan Lynch (Mar 19)
- Re: RDP over the internet Ansgar Wiechers (Mar 19)
- Re: RDP over the internet Thugzclub Thugzclub (Mar 21)
- Re: RDP over the internet Thugzclub (Mar 19)
- Message not available
- Re: RDP over the internet Ansgar Wiechers (Mar 19)