Full Disclosure mailing list archives
Re: RDP, can it be done safely?
From: "Thor (Hammer of God)" <Thor () hammerofgod com>
Date: Thu, 10 Jun 2010 14:10:58 +0000
To be specific, it actually doesn't require a "client" cert in the strictest sense. You can configure certificate parameters on the server in such a way that certificate trust chains must be honored (close enough) but if you want true client authentication based on a certificate, you would have to publish the RDP over RPC/HTTP(s) via something like ISA where you can specifically configure a listener to require client authentication certificates to be "presented" to the publisher, but that's not really the same thing.

t
-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Marsh Ray
Sent: Thursday, June 10, 2010 3:44 AM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] RDP, can it be done safely?

On 6/10/2010 4:44 AM, Larry Seltzer wrote:
> All right, I guess you've got a point. I reflexively say VPN at times like this because the very few reported RDP attacks I've seen have been MITM attacks of the sort that VPNs effectively block. But a client certificate/TLS implementation accomplishes the same thing and all you have to open is the RDP port.

MS Terminal Services Gateway can be set up to require client cert authentication and comes in over SSL/TLS over port 443 (RPC over HTTPS I think).

Allowing raw RDP to come in through the firewall is not something I would feel real good about.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
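The thread turns on what the RDP listener itself can be made to enforce (TLS with an honoured trust chain, Network Level Authentication) versus what only a gateway such as TS Gateway or ISA can add (true client-certificate authentication). The following PowerShell audit is an added example written for this page, not code from any poster or from Microsoft; it reads the real WMI class `Win32_TSGeneralSetting` in the `root\cimv2\terminalservices` namespace to report how the host's `RDP-Tcp` listener is configured and which certificate it presents. It assumes a Windows host with Remote Desktop enabled and an elevated PowerShell session; the function name `Test-RdpListenerConfig` and the "finding" wording are this example's own.

```powershell
# Added example, not from the thread: audit the local RDP listener's
# transport security and the certificate it presents to clients.
# Win32_TSGeneralSetting (root\cimv2\terminalservices) is a real WMI class;
# the property meanings below are Microsoft's documented values.
#   SecurityLayer: 0 = legacy RDP security, 1 = Negotiate, 2 = TLS required
#   UserAuthenticationRequired: 1 = Network Level Authentication required
#   SSLCertificateSHA1Hash: thumbprint of the listener's server certificate
function Test-RdpListenerConfig {
    [CmdletBinding()]
    param(
        # Listener to inspect; RDP-Tcp is the default listener name on Windows.
        [string]$TerminalName = 'RDP-Tcp'
    )

    $setting = Get-CimInstance -Namespace 'root\cimv2\terminalservices' `
                               -ClassName 'Win32_TSGeneralSetting' `
                               -Filter "TerminalName='$TerminalName'"
    if (-not $setting) {
        throw "No RDP listener named '$TerminalName' was found."
    }

    $layerName = switch ($setting.SecurityLayer) {
        0 { 'RDP Security Layer (legacy)' }
        1 { 'Negotiate' }
        2 { 'TLS' }
        default { "unknown ($($setting.SecurityLayer))" }
    }

    # Resolve the bound certificate from the machine's personal store so we
    # can tell whether clients are being shown a self-signed certificate
    # (which gives them no trust chain to validate against).
    $thumbprint = $setting.SSLCertificateSHA1Hash
    $cert = $null
    if ($thumbprint) {
        $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
                Where-Object { $_.Thumbprint -eq $thumbprint }
    }
    $selfSigned = $null
    if ($cert) { $selfSigned = ($cert.Subject -eq $cert.Issuer) }

    # Findings follow the thread's own advice: require TLS, require NLA,
    # and present a certificate that chains to something clients trust.
    $findings = @()
    if ($setting.SecurityLayer -ne 2) {
        $findings += "SecurityLayer is '$layerName'; set it to TLS (2) so " +
                     "the legacy RDP security layer can never be negotiated."
    }
    if ($setting.UserAuthenticationRequired -ne 1) {
        $findings += 'Network Level Authentication is not required.'
    }
    if (-not $cert) {
        $findings += 'Listener certificate not found in LocalMachine\My.'
    } elseif ($selfSigned) {
        $findings += 'Listener presents a self-signed certificate; clients ' +
                     'cannot validate a trust chain, which leaves them open ' +
                     'to the MITM scenario discussed in the thread.'
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        $findings += "Listener certificate expired on $($cert.NotAfter)."
    }

    [pscustomobject]@{
        TerminalName      = $setting.TerminalName
        SecurityLayer     = $layerName
        NlaRequired       = ($setting.UserAuthenticationRequired -eq 1)
        CertThumbprint    = $thumbprint
        CertSubject       = if ($cert) { $cert.Subject } else { $null }
        CertIssuer        = if ($cert) { $cert.Issuer }  else { $null }
        CertSelfSigned    = $selfSigned
        CertExpires       = if ($cert) { $cert.NotAfter } else { $null }
        Findings          = $findings
    }
}

# Usage: run elevated on the RDP host and review the Findings list.
Test-RdpListenerConfig | Format-List
```

The object this returns is deliberately the same shape whether or not a certificate is found, so it can be collected from many hosts and compared. Note that even with every finding cleared, the listener still only authenticates the server to the client and the user by password or Kerberos over NLA; as Thor points out above, requiring a client certificate is something the gateway in front of RDP enforces, not the listener itself.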