Re: RDP over the internet

[Ansgar Wiechers <bugtraq () planetcobalt net>]

On 2012-03-19 Dan Lynch wrote:
> > > > New vulnerabilities will be discovered every now and then. Duh. The
> > > > question is: do they get fixed in a timely manner?
> > >
> > > The fact is that "open port" is a potential attack vector because a
> > > vulnerability may be discovered in the application.
> >
> > I'm sorry to have to break this to you, but as long as you're using
> > TCP/IP you need an open port if you want to be able to establish a
> > connection.
>
> But it's clear that *any* open port represents additional risk. If
> that open port is not required for the function of the system (as
> terminal services/RDP generally is not), it's an unnecessary risk
> (however convenient it might be). And that risk is compounded if that
> port is running by necessity with system level permissions, and
> offering up a login screen that people use with their admin
> credentials. Also, terminal services is dependent on the loading of
> yet another service: RPC.
>
> For these reasons, I don't believe the concern expressed over exposing
> RDP to the internet is "a massive generalisation". I think that
> concern is clearly justified.

Indeed. And I didn't write anything about "massive generalisation". I
did, however, want to point out that one newly discovered vulnerability
is no proof whatsoever for a claim about unpatched vulnerabilities.

> RDP is not of the same risk level as, say NTP.

I'd argue that the complexity of VPN (or SSH) services is closer to RDP
than to NTP, though. ;)

> And if, when we point out that risk, CEOs then see security officers
> as "the enemy", it's because the security folks have failed to (1)
> account for the value in the convenience offered by things like RDP,
> (2) reasonably evaluate that value against the risk, and (3) consider
> what actions, configurations and technologies are available to
> mitigate the risk.

No argument there. And FTR: personally I do prefer using RDP through
encrypted tunnels, even though RDP itself is an encrypted protocol.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------