RE: Securing RDP - Is it possible?

["Craig S. Wright" <craig.wright () Information-Defense com>]

Changing the default port adds obscurity and not security. 

Next, SSL will help with TLS fully enabled - this is client side
certificates, but these are rarely used.

Otherwise, SSL is just a dark tunnel, it helps stop sniffing, but not the
attacks. In fact, it makes it more difficult to determine that you are being
attacked in the first place.

...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Leung, Kevin King Ting
Sent: Tuesday, 14 April 2009 7:31 PM
To: Chip Panarchy; pen-test () securityfocus com
Subject: RE: Securing RDP - Is it possible?

Securing RDP: 

1) Change the default PORT 3389 for RDP session
http://support.microsoft.com/kb/306759


2)Applying SSL encryption for RDP session
http://thelazyadmin.com/blogs/thelazyadmin/archive/2007/01/26/Configure-
RDP-over-SSL-with-SelfSSL.aspx


Regards
Kevin



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Chip Panarchy
Sent: Tuesday, April 14, 2009 4:28 PM
To: pen-test () securityfocus com
Subject: Securing RDP - Is it possible?

Hello

Is Secure RDP an impossibility?

I am now working (WOOT) and they seem to use entirely RDP, almost no
VNC...

This, by my reckoning would make the network most insecure.

Would you agree?

Or is it possible to Secure RDP?

Thanks in advance for sharing ideas on this matter,

Panarchy

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec
Institute's Ethical Hacking class. 
Totally hands-on course with evening Capture The Flag (CTF) exercises,
Certified Ethical Hacker and Certified Penetration Tester exams, taught
by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec
Institute's Ethical Hacking class. 
Totally hands-on course with evening Capture The Flag (CTF) exercises,
Certified Ethical Hacker and Certified Penetration Tester exams, taught by
an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class. 
Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------