Re: Remote connections
From: Matt Ostiguy (ostiguy_at_gmail.com)
Date: 10/15/04
- Previous message: Moser, Scott: "RE: Interesting thing about ICF and SP2"
- In reply to: GuidoZ: "Re: Remote connections"
- Next in thread: Laura Robinson: "Re: Re: Remote connections"
- Maybe reply: Laura Robinson: "Re: Re: Remote connections"
- Maybe reply: Erick Waldchen: "RE: Re: Remote connections"
- Maybe reply: Kevin E. Casey: "RE: Re: Remote connections"
- Maybe reply: Adam Vaxvick: "RE: Re: Remote connections"
- Maybe reply: Conlan Adams: "RE: Re: Remote connections"
- Maybe reply: Jordan Wiseman: "RE: Re: Remote connections"
- Maybe reply: Jim Harrison (ISA): "RE: Re: Remote connections"
Date: Fri, 15 Oct 2004 11:25:52 -0400 To: focus-ms@securityfocus.com
On Thu, 14 Oct 2004 23:54:37 -0700, GuidoZ <uberguidoz@gmail.com> wrote:
> > Why not? I don't know of any current exploit for RDP set to high
> > encryption, and even if there were any, connections may very well be
> > shielded by encrypted tunnels.
>
> I'm not aware of any currently either, but as their track record
> proves, that's meaningless. It was more of a rhetorical question and a
> snide remark - please excuse it.
Thor@hammerofgod was working on a brute forcer for term serv/RDP
stuff. Haven't checked on it in awhile, but he recommended
implementing a standard login banner to slow it down, and password
lockouts, both of which are very very good ideas in general.
I haven't fully tested tightvnc, but another appeal of RDP/TS (beyond
its speed advantage, provided you connect with 256 color as opposed to
high bit depth) is with proper audit logging set up, you can generate
the following:

10/13/2004 3:23:24 PM 683 8 Success Audit event 2 Security
USERNAMEHERE|DOMAINNAMEHERE|(0x0,0xAAAAAA)|Unknown|CLIENTPCNAMEHERE|a.b.c.d
SERVERNAMEHERE Session disconnected from winstation: User Name:
USERNAMEHERE Domain: DOMAINNAMEHERE Logon ID: (0x0,0xAAAAAA) Session
Name: Unknown Client Name: CLIENTPCNAMEHERE Client Address: a.b.c.d

10/13/2004 4:34:55 PM 682 8 Success Audit event 2 Security
USERNAMEHERE|DOMAINNAMEHERE|(0x0,0xAAAAA)|RDP-Tcp#4|CLIENTPCNAMEHERE|a.b.c.d
SERVERNAMEHERE Session reconnected to winstation: User Name:
USERNAMEHERE Domain: DOMAINNAMEHERE Logon ID: (0x0,0xAAAAA) Session
Name: RDP-Tcp#4 Client Name: CLIENTPCNAMEHERE Client Address: a.b.c.d

That is from win2k, pulled with logparser. Having full audit
functionality in the native logging facilities is nice.
That all said, vnc vs rdp vs whathaveyou - a good starting assumption
is that everything should only be accessible via the vpn, if at all.
If it should be accessible through the firewall without vpn, there ought to
be a stunning reason for it.
Matt
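
Added example, not part of the original message: a Python sketch that parses 682/683 session records in the layout quoted above and flags client addresses outside the VPN, plus reconnects from a new address. The VPN pool, the one-record-per-line layout, the sample records and all function names are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime

VPN_POOL = ipaddress.ip_network("10.8.0.0/24")  # assumption: your VPN address pool
EVENTS = {"682": "reconnect", "683": "disconnect"}
RECORD = re.compile(r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<id>68[23]) \d+ "
                    r"Success Audit event \d+ Security (?P<strings>\S+) (?P<server>\S+)")

# Constructed records in the layout quoted in the message, one per line (not real logs).
SAMPLE = """\
10/13/2004 3:23:24 PM 683 8 Success Audit event 2 Security alice|CORP|(0x0,0x1A2B3C)|Unknown|ALICE-LT|10.8.0.23 TS01 Session disconnected from winstation
10/13/2004 4:34:55 PM 682 8 Success Audit event 2 Security alice|CORP|(0x0,0x1A2B3C)|RDP-Tcp#4|ALICE-LT|10.8.0.23 TS01 Session reconnected to winstation
10/13/2004 9:05:40 PM 682 8 Success Audit event 2 Security alice|CORP|(0x0,0x1A2B3C)|RDP-Tcp#7|KIOSK-9|203.0.113.50 TS01 Session reconnected to winstation
10/13/2004 9:06:00 PM 528 8 Success Audit event 2 Security not-a-session-record TS01
"""

def parse(text):
    """Return one dict per 682/683 record; skip lines that do not fit the layout."""
    rows = []
    for line in text.splitlines():
        m = RECORD.match(line)
        fields = m["strings"].split("|") if m else []
        if len(fields) != 6:
            continue
        user, domain, _logon_id, session, client, addr = fields
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            ip = None  # unparseable address: keep the row and treat it as suspicious
        rows.append({"time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                     "action": EVENTS[m["id"]], "user": f"{domain}\\{user}",
                     "session": session, "client": client, "ip": ip})
    return rows

def outside_vpn(rows, pool=VPN_POOL):
    """Session events whose client address is not in the VPN pool."""
    return [r for r in rows if r["ip"] is None or r["ip"] not in pool]

def address_changes(rows):
    """Reconnects from a different address than the same user's previous event."""
    last, hits = {}, []
    for r in sorted(rows, key=lambda r: r["time"]):
        if r["action"] == "reconnect" and last.get(r["user"], r["ip"]) != r["ip"]:
            hits.append(r)
        last[r["user"]] = r["ip"]
    return hits

if __name__ == "__main__":
    print([(r["user"], r["client"], str(r["ip"])) for r in address_changes(parse(SAMPLE))])
```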