RE: Remote connections

From: Ken Remley (ken.remley_at_jfshea.com)
Date: 10/16/04

  • Next message: Thor: "Re: Interesting thing about ICF and SP2"
    To: "Matt Ostiguy" <ostiguy@gmail.com>, <focus-ms@securityfocus.com>
    Date: Fri, 15 Oct 2004 15:42:51 -0700
    
    

    Just as a follow up. If you are using ICA which is encrypted with two piece
    authentication like RSA that works as well. Then you don't have the VPN
    Tunnel overhead!

    -----Original Message-----
    From: Matt Ostiguy [mailto:ostiguy@gmail.com]
    Sent: Friday, October 15, 2004 8:26 AM
    To: focus-ms@securityfocus.com
    Subject: Re: Remote connections

    On Thu, 14 Oct 2004 23:54:37 -0700, GuidoZ <uberguidoz@gmail.com> wrote:
    > > Why not? I don't know of any current exploit for RDP set to high
    > > encryption, and even if there were any, connections may very well be
    > > shielded by encrypted tunnels.
    >
    > I'm not aware of any currently either, but as their track record
    > proves, that's meaningless. It was more of a retorical question and a
    > snide remark - please excuse it.

    Thor@hammerofgod was working on a brute forcer for term serv/RDP
    stuff. Haven't checked on it in awhile, but he recommended
    implementing a standard login banner to slow it down, and password
    lockouts, both of which are very very good ideas in general.

    I haven't fully tested tightvnc, but another appeal of RDP/TS (beyond
    its speed advantage, provided you connect with 256 color as opposed to
    high bit depth) is with proper audit logging set up, you can generate
    the following:

    10/13/2004 3:23:24 PM 683 8 Success Audit event 2 Security
    USERNAMEHERE|DOMAINNAMEHERE|(0x0,0xAAAAAA)|Unknown|CLIENTPCNAMEHERE|a.b.c.d
    SERVERNAMEHERE Session disconnected from winstation: User Name:
    USERNAMEHERE Domain: DOMAINNAMEHERE Logon ID: (0x0,0xAAAAAA) Session
    Name: Unknown Client Name: CLIENTPCNAMEHERE Client Address: a.b.c.d

    10/13/2004 4:34:55 PM 682 8 Success Audit event 2 Security
    USERNAMEHERE|DOMAINNAMEHERE|(0x0,0xAAAAA)|RDP-Tcp#4|CLIENTPCNAMEHERE|a.b.c.d
    SERVERNAMEHERE Session reconnected to winstation: User Name:
    USERNAMEHERE Domain: DOMAINNAMEHERE Logon ID: (0x0,0xAAAAA) Session
    Name: RDP-Tcp#4 Client Name: CLIENTPCNAMEHERE Client Address: a.b.c.d

    That is from win2k, pulled with logparser. Having full audit
    functionality in the native logging facilities is nice.

    That all said, vnc vs rdp vs whathaveyou - a good starting assumption
    is that everything should only be accessible via the vpn, if at all.
    If it should be accessible through firewall without vpn, they ought to
    be a stunning reason for it.

    Matt

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
      
      
      
     
    The information contained in this e-mail message is confidential and may be legally privileged and is intended only for the use of the individual or entity named above. If you are not an intended recipient or if you have received this message in error, you are hereby notified that any dissemination, distribution or copy of this e-mail is strictly prohibited. If you have received this e-mail in error, please immediately notify us by return e-mail or telephone if the sender's phone number is listed above, then promptly and permanently delete this message. Thank you for your cooperation and consideration.
     
      
     

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------


  • Next message: Thor: "Re: Interesting thing about ICF and SP2"

    Relevant Pages

    • Re: Remote connections
      ... >> encryption, and even if there were any, connections may very well be ... SERVERNAMEHERE Session disconnected from winstation: User Name: ... USERNAMEHERE Domain: DOMAINNAMEHERE Logon ID: Session ... Name: Unknown Client Name: CLIENTPCNAMEHERE Client Address: a.b.c.d ...
      (Focus-Microsoft)
    • RE: Cannot decrypt files encrypted using Crypto API on a different
      ... previous message which uses the recipien't public key.) ... KEK (key encryption key) to protect the session key. ... embedded into your client app and server code). ... but what is the point to encrypt the data if ANYBODY can decrypt it (since ...
      (microsoft.public.platformsdk.security)
    • Re: username and Password sent as clear text strings
      ... encryption of the traffic. ... SSL is used. ... client, it would seem like too much hassle for a low possibility hack. ... This is how all web applications on the planet work today by design. ...
      (Pen-Test)
    • Re: Can extra processing threads help in this case?
      ... A Webserver rented to the client at the client's site. ... there is NO way to protect the contents of the ... challenge-response encryption systems, are actually ... Explain how encrypted data transfer ...
      (microsoft.public.vc.mfc)
    • Re: username and Password sent as clear text strings
      ... encryption of the traffic. ... SSL is used. ... client, it would seem like too much hassle for a low possibility hack. ... This is how all web applications on the planet work today by design. ...
      (Pen-Test)