RE: Remote Desktop vs VPN on Windows 2003
From: Roger A. Grimes (roger_at_banneretcs.com)
Date: 01/19/05
- Previous message: Roger A. Grimes: "RE: Remote Desktop vs VPN on Windows 2003"
- Maybe in reply to: Jeff Randall: "Remote Desktop vs VPN on Windows 2003"
- Next in thread: Ansgar -59cobalt- Wiechers: "Re: Remote Desktop vs VPN on Windows 2003"
- Reply: Ansgar -59cobalt- Wiechers: "Re: Remote Desktop vs VPN on Windows 2003"
Date: Tue, 18 Jan 2005 22:02:03 -0500
To: "Paris E. Stone" <pstone@alhurra.com>, "Ansgar -59cobalt- Wiechers" <bugtraq@planetcobalt.net>, <security-basics@securityfocus.com>
I appreciate what you are both saying...but security is always a
trade-off of security vs. usability.
RDP does not have a known vulnerability against it...you mention
RC4...but again...until I hear that RDP is exploitable again, it's a
great tool for me to use. If I'm running a NASA server or something top
secret, I might need a more secure tool...but I'm pretty sure I'm not
going to be running SSH either.
If I need high security, I can also require the use of a smart card to
use RDP.
Also, if my background is strong Windows and weak on Unix and
Unix-ported tools...why not stay with a secure Windows tool?
I love using open source and Unix-ported tools...but if the Windows tool
can do the same or better job, why not use the free tools in the system?
-----Original Message-----
From: Paris E. Stone [mailto:pstone@alhurra.com]
Sent: Tuesday, January 18, 2005 3:30 PM
To: Ansgar -59cobalt- Wiechers; security-basics@securityfocus.com
Subject: RE: Remote Desktop vs VPN on Windows 2003
As was my original post, avoid naked RDP on the internet at all costs.
Secure it with other means.
-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq@planetcobalt.net]
Sent: Tuesday, January 18, 2005 9:01 AM
To: security-basics@securityfocus.com
Subject: Re: Remote Desktop vs VPN on Windows 2003
On 2005-01-17 Roger A. Grimes wrote:
> I don't think RC4, by itself is weak...it's specific implementations
> of RC4 (like in WEP).
No. It's an algorithm problem, not an implementation problem.
> Yes, RDP did have an RC4 vulnerability in 2002, but it was patched.
> SSH had an RC4 vulnerability just a few months before RDP did (in
> 2001). Both are patched now.
The "patch" for SSH was to completely remove RC4 support. I don't think
RDP was patched the same way (but I would welcome anyone to prove me
wrong here).
> SSH seems to get hacked at least once a year.
True. But that's because of implementation problems, not because of
problems with the underlying encryption algorithms. Implementation
problems can be (more or less) easily patched.
[...]
> RDP is free (for W2K and above),
Well, it's not really free, but I think I know what you mean.
> remote client can be nearly anything (especially with RDP ActiveX
> control),
Requiring IE which one usually wants to avoid.
> it's encrypted,
Using a weak algorithm.
> fast, has kick *** Edit-Copy, Edit-Paste features, remote printing
> (not so hot), drive mapping, etc.
True.
> RDP is arguably running on more Windows enterprise servers than any
> alternative but SSH (and maybe PC Anywhere), and it has not had a
> public exploit demonstrated since 2002. I'd say it is a strong
> candidate for consideration.
Please re-read my post. I was not suggesting to avoid RDP, but to tunnel
RDP connections through e.g. SSH, which can be easily done. That way you
have RDP *and* strong encryption.
Regards
Ansgar Wiechers
-- "Those who would give up liberty for a little temporary safety deserve neither liberty nor safety, and will lose both." --Benjamin Franklin