Re: RDP, can it be done safely?

["Thor (Hammer of God)" <Thor () hammerofgod com>]

This is not correct.  While the default setting for an RDP connection is "client-negotiate" that does not mean that you 
will automatically get a no/low bit encryption session.   And one should note that this has nothing to do with "local" 
or "remote" users:  To be pedantic, *all* RDP sessions are "remote."  You can easily configure the server to require 
certificate-based TLS encryption and have a host of other transport security options.

I'm not sure what you mean by "if the users are remote you might find it easier to user another remote access 
solution."  That makes no sense to me.

Daniel - If I understand your question, your concern with having standard users connecting up to and running software 
on a server machine, correct?   This is typically where most people fall short in application deployment via terminal 
services.   You should certainly make sure that the users are standard user and that you've properly ACL'd off the 
application and data.  The model you describe sounds relatively straight-forward in that the server will be a dedicated 
application server (if I understand correctly).  When you have high numbers of users where some are local 
administrators and they all have home directories with various access points to shares, etc, there are other, more 
complicated methods you must consider when deploying TS.

I've done fair amount of work with RDP, so I'm happy to help if you can give me some more information.

t

From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
Jeffrey Walton
Sent: Wednesday, June 09, 2010 2:19 PM
To: Daniel Sichel
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] RDP, can it be done safely?

Hi Dainiel,

> You might find it easier to use another remote access solution.
I probably should have elaborated: if users are local, understand that RDP is probably un-encrypted or weakly 
encrypted. If the users are remote, you might find it easier to use another remote access solution.
Jeff
On Wed, Jun 9, 2010 at 5:04 PM, Jeffrey Walton <noloader () gmail com<mailto:noloader () gmail com>> wrote:
Hi Dan,

Where are the users located (local LAN or from an untrusted network such as the Internet)?

If I recall correctly, RDP encryption is "turned on" from a GPO setting that applies to the host/server, and not just 
RDP [or was it strong encryption?] (corrections, please). So you can get a secure RDP connection at the cost of 
possibly breaking other functionality.
You might find it easier to use another remote access solution.

Jeff

On Wed, Jun 9, 2010 at 4:35 PM, Daniel Sichel <daniels () ponderosatel com<mailto:daniels () ponderosatel com>> wrote:
[cid:image001.gif@01CB07E8.2F1FA040]
We have a boneheaded group of software developers who even in this day and age eschew the client server model of 
software for the easier dumber run it from the console school of design. So I have this idiotic Windows accounting 
application that MUST run on an application server, cannot be run from a client.  Rather than have my accounting 
department log in directly to the physical box, I would like to have them use some flavor of terminal services on my 
Windows server. My question therefore is, can I turn on RDP safely, without exposing my Windows server to risk of 
exploitation?
Thanks for any help you can give.
Dan S.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/