Full Disclosure mailing list archives

Re: RDP, can it be done safely?

From: "Thor (Hammer of God)" <Thor () hammerofgod com>
Date: Thu, 10 Jun 2010 03:58:23 +0000

I request that you start thinking about RDS/TS/RDP as a "direct" technology.  Treating access via RDP as something that 
one must first VPN/RAS into a corpnet first in order to secure properly obscures what one might consider obvious:

If you require me to logon to your network via VPN first before I can subsequently connect to internal RDP resources, 
one might consider the VPN endpoint as the primary authentication point.  As such, one might logically conclude that 
since access was granted via the VPN, that internal access to RDP resources would be considered "safe."  In this model, 
what is the difference between me authenticating to the VPN endpoint as opposed to me authenticating to an RDP endpoint?

Insofar as the authentication layer is concerned, there really isn't a difference.  However, when it comes to a 
network-level "least privilege" standpoint, I think there are stark differences:  The VPN endpoint typically will give 
the end user full-stack IP access to resources unless otherwise specified.  RDP endpoints however only require the 
specified RDP port to access the host.  What happens after a successful connection to the host is up to the admin.   In 
the case of RDP via TSGateway, we find that one can deploy a server at the "connection-level" using client certificates 
- not only for encryption upon connection, but for validation TO connect in the first place.

To me, that is an important distinction.

VPN endpoint authentication might lead to the propensity for one to consider access to down-range resources as 
authorized.  I don't think you should do that when you consider the capabilities an attacker has given an "open pipe" 
once authenticated versus an single protocol access to a machine you can tightly control.

I only bring this up because I think one should consider the ramifications of the "VPN first" model before assuming it 
grants you some inherent security.

t

From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
Larry Seltzer
Sent: Wednesday, June 09, 2010 2:20 PM
To: noloader () gmail com; Daniel Sichel
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] RDP, can it be done safely?

See http://technet.microsoft.com/en-us/library/cc782610(WS.10).aspx

If you connect through a VPN it should be as secure as anything else you're going to consider.

From: full-disclosure-bounces () lists grok org uk<mailto:full-disclosure-bounces () lists grok org uk> 
[mailto:full-disclosure-bounces () lists grok org uk<mailto:full-disclosure-bounces () lists grok org uk>] On Behalf Of 
Jeffrey Walton
Sent: Wednesday, June 09, 2010 5:04 PM
To: Daniel Sichel
Cc: full-disclosure () lists grok org uk<mailto:full-disclosure () lists grok org uk>
Subject: Re: [Full-disclosure] RDP, can it be done safely?

Hi Dan,

Where are the users located (local LAN or from an untrusted network such as the Internet)?

If I recall correctly, RDP encryption is "turned on" from a GPO setting that applies to the host/server, and not just 
RDP [or was it strong encryption?] (corrections, please). So you can get a secure RDP connection at the cost of 
possibly breaking other functionality.
You might find it easier to use another remote access solution.

Jeff

On Wed, Jun 9, 2010 at 4:35 PM, Daniel Sichel <daniels () ponderosatel com<mailto:daniels () ponderosatel com>> wrote:
[cid:image001.gif@01CB0814.286A3BD0]
We have a boneheaded group of software developers who even in this day and age eschew the client server model of 
software for the easier dumber run it from the console school of design. So I have this idiotic Windows accounting 
application that MUST run on an application server, cannot be run from a client.  Rather than have my accounting 
department log in directly to the physical box, I would like to have them use some flavor of terminal services on my 
Windows server. My question therefore is, can I turn on RDP safely, without exposing my Windows server to risk of 
exploitation?
Thanks for any help you can give.
Dan S.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: RDP, can it be done safely?, (continued)
- - - Re: RDP, can it be done safely? Jeffrey Walton (Jun 09)
    - Re: RDP, can it be done safely? Thor (Hammer of God) (Jun 09)
    - Re: RDP, can it be done safely? Larry Seltzer (Jun 09)
    - Re: RDP, can it be done safely? Thor (Hammer of God) (Jun 09)
    - Re: RDP, can it be done safely? Larry Seltzer (Jun 09)
    - Re: RDP, can it be done safely? Benji (Jun 09)
    - Re: RDP, can it be done safely? Larry Seltzer (Jun 09)
    - Re: RDP, can it be done safely? Benji (Jun 09)
    - Re: RDP, can it be done safely? Benji (Jun 09)
  - Re: RDP, can it be done safely? Larry Seltzer (Jun 09)
    - Re: RDP, can it be done safely? Thor (Hammer of God) (Jun 09)
    - Re: RDP, can it be done safely? Larry Seltzer (Jun 10)
    - Re: RDP, can it be done safely? Marsh Ray (Jun 10)
    - Re: RDP, can it be done safely? Thor (Hammer of God) (Jun 10)
    - Re: RDP, can it be done safely? Marsh Ray (Jun 10)
    - Re: RDP, can it be done safely? Thor (Hammer of God) (Jun 10)
    - Re: RDP, can it be done safely? J. Ottosson (Jun 10)
    - Re: RDP, can it be done safely? Jeffrey Walton (Jun 10)
    - Re: RDP, can it be done safely? Thor (Hammer of God) (Jun 10)
- Re: RDP, can it be done safely? Jonathan Leigh (Jun 09)
  - Re: RDP, can it be done safely? Cor Rosielle (Jun 10)

(Thread continues...)