Re: RDP over the internet



On 19 March 2012 18:52, Ansgar Wiechers <bugtraq@xxxxxxxxxxxxxxxx> wrote:
On 2012-03-19 Dan Lynch wrote:
New vulnerabilities will be discovered every now and then. Duh. The
question is: do they get fixed in a timely manner?

The fact is that "open port" is a potential attack vector because a
vulnerability may be discovered in the application.

I'm sorry to have to break this to you, but as long as you're using
TCP/IP you need an open port if you want to be able to establish a
connection.
But it's clear that *any* open port represents additional risk. If
that open port is not required for the function of the system (as
terminal services/RDP generally is not), it's an unnecessary risk
(however convenient it might be). And that risk is compounded if that
port is running by necessity with system level permissions, and
offering up a login screen that people use with their admin
credentials. Also, terminal services is dependent on the loading of
yet another service: RPC.

This is my point exactly - any port represent an attack vector. This
is not to say that you should not have open ports (you cannot operate
without ports), but rather, you should congnisant of the fact that if
a vulnerability is identified in the listening application, you may be
vulnerabile.

Software restrictions solutions (i.e AppLocker) are not a panacea, but
they CAN protect you to a certain extent. The article from SANS
provide a "good" (not comprehensive) analysis of their limitations:
http://www.sans.org/reading_room/whitepapers/sysadmin/application-whitelisting-panacea-propaganda_33599

Its correct that assuming the RDP service is running in the context of
system and is exploited by malware, you are truly buggered. However
you can mitigate this by employing least privileges. RDP should be
running in the local context (not Domain Admin or System) with the
minimum set of privileges required.

But you cannot stop there, if using Windows, look at DEP for buffer
overflow protection and a reasonable HIPS.

The key is defence in depth and this should be applied for all
externally facing system.

For these reasons, I don't believe the concern expressed over exposing
RDP to the internet is "a massive generalisation". I think that
concern is clearly justified.

Indeed. And I didn't write anything about "massive generalisation". I
did, however, want to point out that one newly discovered vulnerability
is no proof whatsoever for a claim about unpatched vulnerabilities.

RDP is not of the same risk level as, say NTP.

I'd argue that the complexity of VPN (or SSH) services is closer to RDP
than to NTP, though. ;)

And if, when we point out that risk, CEOs then see security officers
as "the enemy", it's because the security folks have failed to (1)
account for the value in the convenience offered by things like RDP,
(2) reasonably evaluate that value against the risk, and (3) consider
what actions, configurations and technologies are available to
mitigate the risk.

No argument there. And FTR: personally I do prefer using RDP through
encrypted tunnels, even though RDP itself is an encrypted protocol.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



Relevant Pages

  • Re: RDP over the internet
    ... The fact is that "open port" is a potential attack vector because a ... But it's clear that *any* open port represents additional risk. ... terminal services/RDP generally is not), ... I'd argue that the complexity of VPN services is closer to RDP ...
    (Security-Basics)
  • RE: RDP over the internet
    ... The fact is that "open port" is a potential attack vector because a ... vulnerability may be discovered in the application. ... Securing Apache Web Server with thawte Digital Certificate ...
    (Security-Basics)
  • [Full-disclosure] Senao SI-680H VoIP Wifi phone undocumented open port
    ... I disclosed today the following vulnerability at the 32nd CSI ... VENDOR NOTIFIED: ... Senao SI-680H VOIP WIFI phone undocumented open port UDP/17185 ...
    (Full-Disclosure)
  • RE: Microsoft RDP Priv. Escalation
    ... this is neither a "vulnerability" in RDP nor have you ... illustrated any "privilege escalation." ... Make sure you secure the host. ...
    (Pen-Test)
  • Re: [Full-disclosure] Possible RDP vulnerability
    ... I think I possible may have found a vulnerability with using RDP / Terminal ... execute upon logging on even though the user isn’t allowed to execute the ... Hosted and sponsored by Secunia - http://secunia.com/ ...
    (Full-Disclosure)