Re: [Full-disclosure] RDP, can it be done safely?

On 10 Jun 2010 at 9:30, Marsh Ray wrote:

On 6/10/2010 9:10 AM, Thor (Hammer of God) wrote:
To be specific, it actually doesn't require a "client" cert in the
strictest sense.

But I thought it could be configured to require a client cert?

Some users would probably be content using stunnel (+OpenSSL) as SSL wrapper on
server side and the "-v 3" option in config which I think should force
validation against locally installed certificates.

/J

You can configure certificate parameters on the
server in such a way that certificate trust chains must be honored
(close enough)

I don't get your meaning here. What cert chains would the server be
validating if not client certs? The server's own?

Or are you saying it's still the client's option to not present a client
cert?

but if you want true client authentication based on a
certificate, you would have to publish the RDP over RPC/HTTP(s) via
something like ISA where you can specifically configure a listener to
require client authentication certificates to be "presented" to the
publisher, but that's not really the same thing.

I kind of thought we had it configured something like that (but I
haven't gotten in too deep yet).

http://technet.microsoft.com/en-us/library/cc731264%28WS.10%29.aspx

Thanks for the heads-up, I'll definitely look at this more closely as I
have some projects at work which involve MSTS and TSG.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
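For readers who want to see what the stunnel-based setup discussed in this thread looks like in practice, here is a server-side stunnel configuration as an added example; it is not from any poster in the thread. The certificate paths, the directory name, the listening port 3390 and the service name are assumptions. It wraps the RDP listener and enforces the verification level the thread refers to, so that only clients whose own certificates are installed on the server can complete the TLS handshake.

```ini
; stunnel.conf on the RDP host (added example, not from the thread).
; All paths and ports below are assumed; adjust to your environment.

; Server certificate and key presented to connecting clients.
cert = /etc/stunnel/rdp-server.pem
key = /etc/stunnel/rdp-server.key

; Directory holding the certificate of every authorised client, one PEM per
; client, stored under OpenSSL hash names (run c_rehash on the directory).
CApath = /etc/stunnel/allowed-clients

; Verification levels, from weakest to strongest:
;   verify = 1  only requests a client certificate; a client that sends none
;               is still let through, so it is not client authentication.
;   verify = 2  requires a certificate that chains to a CA found in CApath;
;               any certificate that CA ever issued is accepted.
;   verify = 3  additionally requires the client's own certificate to be
;               present in CApath, so an unexpected leaf from the right CA,
;               or a compromised CA, is not enough on its own.
verify = 3

; Newer stunnel releases spell the same requirement with two keys instead of
; the deprecated numeric level:
;   verifyChain = yes
;   verifyPeer  = yes

; Refuse the legacy protocol versions a 2010-era default would still accept.
options = NO_SSLv2
options = NO_SSLv3

[rdp]
; TLS endpoint exposed to the network.
accept = 0.0.0.0:3390
; Plain RDP, reachable only on loopback.
connect = 127.0.0.1:3389
```

On the client, a matching stunnel instance runs with `client = yes`, its own `cert`/`key`, `accept = 127.0.0.1:3389` and `connect = <rdp-host>:3390`, and the RDP client is pointed at `127.0.0.1`. Two caveats a defender should keep in mind: the wrapper only helps if the host firewall blocks TCP 3389 from anything but loopback, otherwise the unwrapped listener remains reachable; and stunnel authenticates the transport only, it does not map the client certificate to a Windows account, so the RDP logon itself still relies on the usual credentials.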

