Re: Windows Remote Desktop
From: Jamie Pratt (jamie_at_nucdc.org)
Date: 01/15/04
- Previous message: Shawn Jackson: "RE: Please help with this strangeness"
- In reply to: Nero, Nick: "RE: Windows Remote Desktop"
- Next in thread: David Gillett: "A different question RE: Windows Remote Desktop"
- Reply: David Gillett: "A different question RE: Windows Remote Desktop"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 15 Jan 2004 17:01:14 -0500 To: security-basics@securityfocus.com
not sure if anyone mentioned it already (apologies if so), but you can
also use stunnel for securing RDP links:
Nero, Nick wrote:
> You can use Citrix's http gateway with full SSL which will prevent MITM
> attacks. If you wanted to you, you may be able to use certificate
> authentication for MS RDP. I agree that MS RDP is very secure over
> LANS, but over the net you may want to PPTP/IPSEC the traffic via vpn.
> Another solution is to use WINSSHD
> (http://www.bitvise.com/remote-desktop.html) and tunnel the RDP session
> in SSH. I think this would make an RDP session as close to unbreakable
> as you can get.
>
> I didn't put much work into this response so it is only .01. And even
> that is in pesos.
>
> -----Original Message-----
> From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
> Sent: Thursday, January 15, 2004 4:14 PM
> To: Shawn Jackson; jamesworld@intelligencia.com
> Cc: Michael Gale; security-basics@securityfocus.com
> Subject: RE: Windows Remote Desktop
>
> Shawn,
>
> I still fail to see the difference between Citrix and RDP as far as
> security goes. RDP like Citrix can be configured on the server side.
> As for the MiM attack. Theoretically I can setup an machine and have it
> masquerade as your Citrix server. When you logon to my machine you
> enter your Username and Password. I pass this information on to your
> Citrix server and I have compromised your data. This is possible
> because no authentication is done at the client to ensure your machine
> is authentic. This is true for both the HTTP interface/gateway and the
> ICA client. The same also holds true for the RDP protocol. (Which I
> believe has a lot of Citrix components in it.)
>
> I still don't want end users accessing their home workstation via RDP,
> Citrix, PCAnywhere, VNC or any other protocol. This creates another
> portal into my network for virii and worms.
>
> Denny
>
> -----Original Message-----
> From: Shawn Jackson [mailto:sjackson@horizonusa.com]
> Sent: Thursday, January 15, 2004 3:52 PM
> To: Depp, Dennis M.; jamesworld@intelligencia.com
> Cc: Michael Gale; security-basics@securityfocus.com
> Subject: RE: Windows Remote Desktop
>
>
> Citrix ICA defaults to the setting on the server side, so if you
> configured your server with *some* security then a 'basic default' is
> not the case. Personally I separate raw data (Files, Databases, etc) and
> interactive 'streaming' data. Raw data is a file/component in transit on
> the wire that can be sniffed and recompiled, while streaming data can't
> be recompiled into anything but can be sifted through for information.
>
> Capturing interface information from even an unencrypted RDP
> connection is difficult. Setup three workstations on a hub then setup
> VNC server on 1 and the viewer on the 2nd. From the 3rd workstation use
> SNORT and sniff the traffic between the two. Have another person play
> with the viewer to give you something too look at.
>
> To my understanding Citrix is only at risk of a MiM attack when
> using the HTTP interface/gateway and not the ICA client. If I'm
> incorrect please supply a link to information about this attack. Also I
> don't believe you can use SSL with XP RDP and that's Terminal Services.
>
> Personally I can justify the need of using RDP to my workstation
> at home, but then again I know that system and its security. I setup and
> maintain that network and servers so I can be reasonably sure that my
> connection is clean and my systems are not at risk. Would I personally
> let my users have RDP access to their workstations at home, nope. My
> reasoning for this is that they could be violating the company policy
> (browsing bad sites, playing games, listening to their MP3 collection,
> etc) and we can't see it. Would I let our IT/IS guys, yep. I'm not
> worried about people taking data offsite because everyone has USB drives
> already. I'm also not *too* worried about virii or hackers; it's that it
> just walks too fine a line with our security policy. But then again, if
> them have a business need...
>
> My 2,000,000 cents! :-)
>
> Shawn Jackson
> Systems Administrator
> Horizon USA
> 1190 Trademark Dr #107
> Reno NV 89521
>
> www.horizonusa.com
> Email: sjackson@horizonusa.com
> Phone: (775) 858-2338
> (800) 325-1199 x338
>
>
> -----Original Message-----
> From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
> Sent: Thursday, January 15, 2004 10:29 AM
> To: Shawn Jackson; jamesworld@intelligencia.com
> Cc: Michael Gale; security-basics@securityfocus.com
> Subject: RE: Windows Remote Desktop
>
> Two statements I don't agree with:
>
> 1) "Additionally no actual 'data' is transferred through the RDP
> connection, it's just interface information (mouse movement, button
> clicks, typing) and screen refreshes. Now if you were using the resource
> mapping then data would traverse the RDP connection and would be subject
> to its encryption."
> Data is sent over the wire concerning keystrokes, mouse
> movements and screen refresh data. Obviously this information,
> particularly keystrokes can provide data to a hacker. However all
> information set via RDP is encrypted the default is 56-bit with the
> capacity to use 128-bit RC4. Even when using local resources, the data
> is still encrypted with 128-bit security.
>
> 2) "All in all I think that PCAnywhere and Citrix have
> more secure RDP/VNC like interfaces"
> The default security setting in Citrix is basic (no encryption)
> PCAnywhere maybe better, I'm not sure. Both Citrix and RDP are
> vulnerable to MiM attacks. Citrix does have the capability to use SSL
> but this is comprable to Microsoft's VPN solution.
>
> Denny
>
> -----Original Message-----
> From: Shawn Jackson [mailto:sjackson@horizonusa.com]
> Sent: Wednesday, January 14, 2004 6:36 PM
> To: jamesworld@intelligencia.com
> Cc: Michael Gale; security-basics@securityfocus.com
> Subject: RE: Windows Remote Desktop
>
>
> Well transferring data outside a company is easier then pie
> these days. With everything from encrypted email to USB drives it's hard
> to use that as a sole point 'ban' RDP to offsite resources. Unless
> you're running at high level security i.e. Military, Extremely Sensitive
> Work, National Security the movement of data offsite would be a
> secondary concern.
>
> The RDP encryption is 'in transit' protection and won't protect
> the resources. I personally never use the clipboard sharing,
> drive/printer mapping, etc. Access to those resources should be dictated
> by the company security policy and doesn't follow the 'security' of the
> protocol/connection. Seaming the connection is one-way (From Workstation
> or RDP Host) it hard to open a hole/exploit through an infected RDP host
> and use the RDP interface to your advantage.
>
> Additionally no actual 'data' is transferred through the RDP
> connection, it's just interface information (mouse movement, button
> clicks, typing) and screen refreshes. Now if you were using the resource
> mapping then data would traverse the RDP connection and would be subject
> to its encryption. All in all I think that PCAnywhere and Citrix have
> more secure RDP/VNC like interfaces but RDP is pretty secure by itself.
> Just as James stated, watch the local resource mapping.
>
> Shawn Jackson
> Systems Administrator
> Horizon USA
> 1190 Trademark Dr #107
> Reno NV 89521
>
> www.horizonusa.com
> Email: sjackson@horizonusa.com
> Phone: (775) 858-2338
> (800) 325-1199 x338
>
> -----Original Message-----
> From: jamesworld@intelligencia.com [mailto:jamesworld@intelligencia.com]
>
> Sent: Wednesday, January 14, 2004 3:03 PM
> To: Shawn Jackson
> Cc: Michael Gale; security-basics@securityfocus.com
> Subject: RE: Windows Remote Desktop
>
> Ahh,,
>
>
> but what about the option to connect local resources......
>
> Drives
> Printers
> Serial Ports
> Smart Cards
>
> ....
>
> Talk about the ability to transfer company data out... What is
> protecting
> the actual data, MS RDP encryption which defaults to "medium" security
> by
> default.
>
> Again it comes back to.......What is the company policy? If it doesn't
> cover it, the policy needs to be updated.
>
>
> -James
>
> At 12:14 01/14/2004, Shawn Jackson wrote:
>
>
>> Eh' for 'Testing' I use a remote SSH server off my backbone. I
>>do 'periodically' login to my remote XP workstation and do some work.
>>Because only screen information is transmitted even if that system was
>>hacked or infected with a virus it won't affect my network at work. My
>>XP system doesn't sit directly on the Internet through; it goes through
>>a Debian box running iptables.
>>
>>Shawn Jackson
>>Systems Administrator
>>Horizon USA
>>1190 Trademark Dr #107
>>Reno NV 89521
>>www.horizonusa.com
>>
>>Email: sjackson@horizonusa.com
>>Phone: (775) 858-2338
>> (800) 325-1199 x338
>>
>>-----Original Message-----
>>From: Michael Gale [mailto:michael@bluesuperman.com]
>>Sent: Tuesday, January 13, 2004 8:35 PM
>>To: security-basics@securityfocus.com
>>Subject: Windows Remote Desktop
>>
>>Hello,
>>
>> I have a question, I have locked down a company network
>
> allowing
>
>>only
>>web browsing, SSH and FTP. Nothing else is need and soon SSH and FTP
>>will be gone hopefully once the VPN is final.
>>
>>Right now a internal user is complaining about the fact their remote
>>desktop connection to their home PC is no longer working.
>>
>>The justification is that a remote PC out side the network is needed
>
> for
>
>>testing. At which point I gladly offered to setup a out side box for
>>testing. :)
>>
>>Any ways the question I have is, do you feel that Remote Desktop (into
>>WinXP) is a secure enough connection to allow it. I mind you that this
>>is supposed to be a outbound connection only but you never know with
>>windows.
>>
>>
>>--
>>Hand over the Slackware CD's and back AWAY from the computer, your geek
>>rights have been revoked !!!
>>
>>Michael Gale
>>Slackware user :)
>>Bluesuperman.com
>>
>>-----------------------------------------------------------------------
>
> -
>
>>---
>>Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off
>>any
>>course! All of our class sizes are guaranteed to be 10 students or
>
> less.
>
>>We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion
>>Prevention,
>>and many other technical hands on courses.
>>Visit us at http://www.infosecinstitute.com/securityfocus to get $720
>>off
>>any course!
>>-----------------------------------------------------------------------
>
> -
>
>>----
>>
>>
>>-----------------------------------------------------------------------
>
> ----
>
>>Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off
>
> any
>
>>course! All of our class sizes are guaranteed to be 10 students or
>
> less.
>
>>We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion
>
> Prevention,
>
>>and many other technical hands on courses.
>>Visit us at http://www.infosecinstitute.com/securityfocus to get $720
>
> off
>
>>any course!
>>-----------------------------------------------------------------------
>
> -----
>
>
> ------------------------------------------------------------------------
> ---
> Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off
> any
> course! All of our class sizes are guaranteed to be 10 students or less.
>
> We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion
> Prevention,
> and many other technical hands on courses.
> Visit us at http://www.infosecinstitute.com/securityfocus to get $720
> off
> any course!
> ------------------------------------------------------------------------
> ----
>
>
> ------------------------------------------------------------------------
> ---
> Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off
> any
> course! All of our class sizes are guaranteed to be 10 students or less.
>
> We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion
> Prevention,
> and many other technical hands on courses.
> Visit us at http://www.infosecinstitute.com/securityfocus to get $720
> off
> any course!
> ------------------------------------------------------------------------
> ----
>
>
>
> ------------------------------------------------------------------------
> ---
> Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off
> any
> course! All of our class sizes are guaranteed to be 10 students or less.
>
> We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion
> Prevention,
> and many other technical hands on courses.
> Visit us at http://www.infosecinstitute.com/securityfocus to get $720
> off
> any course!
> ------------------------------------------------------------------------
> ----
>
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
> course! All of our class sizes are guaranteed to be 10 students or less.
> We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
> and many other technical hands on courses.
> Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
> any course!
> ----------------------------------------------------------------------------
>
>
>
---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
course! All of our class sizes are guaranteed to be 10 students or less.
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
and many other technical hands on courses.
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
any course!
----------------------------------------------------------------------------
- Previous message: Shawn Jackson: "RE: Please help with this strangeness"
- In reply to: Nero, Nick: "RE: Windows Remote Desktop"
- Next in thread: David Gillett: "A different question RE: Windows Remote Desktop"
- Reply: David Gillett: "A different question RE: Windows Remote Desktop"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
