  • RDP Connections without VPN's

    OK, this practice is probably fairly frowned upon... but.

    Why is it so commonplace to set up a VPN before connecting to a TS server or even your home pc with Remote desktop enabled?

    What is the problem with me just connecting from the client directly to a WAN IP which has 3389 forwarded to the TS or remote desktop PC without using a VPN first? Maybe I am missing some things.

    If the argument is that the packets are protected in a VPN: they are encrypted by default anyway.

    http://z.about.com/d/bizsecurity/1/0/7/-/-/-/RDP8.JPG

    If the argument is MITM attacks, how easy is this over the WAN in the hope of getting the right target with administrator credentials at just the right time? Wouldn't it just be easier to hack a client side you know connects to the target you are after, hypothetically? Or port scan the WAN IPs of the router/s on the perimeter of the network you are after? They still have to guess passwords that way.

    If the argument is that a VPN means you don't have to open 3389 on the destination router: you don't anyway, you can get around this a multitude of other ways, including designating a different port to come in on & turning it around to 3389 once it's inside the perimeter. Or even continue it onto the server with the different port & change the port RDP is using on the server in the registry.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

    You can also limit the connections to your TS server on the firewall (ISA, router or even Windows firewall) to certain IP addresses.

    If the argument is that VPNs give that added bit of security: maybe, but so does putting a sign on your house saying "beware of dog" when you don't have a dog. We all know how completely unprotected many of our clients leave their home PCs; a keylogger pretty much defeats the purpose of the VPN. It wouldn't matter if you had a 20 character alphanumeric password, the keylogger is just as happy with that. Only smart cards & certificates can defeat this.

    I can't see that even the new 2008 TS gateway resolves this if the client side is compromised.

    So can someone shed some light on my VPN for RDP bashing & let me know why it is good?

    M
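The listener port, the security layer and the firewall scoping this post talks about can all be checked from one script. This is an added example, not from the thread, written in PowerShell against the registry key quoted above plus the NetSecurity cmdlets; it assumes Windows 8 / Server 2012 or later and an elevated prompt, and the `$rdpKey` variable and function names are mine.

```powershell
# Added example (not from the thread): audit the RDP-Tcp listener settings and the
# Windows Firewall scope of the built-in Remote Desktop rules.
# Assumes Windows 8 / Server 2012+ (NetSecurity module) and an elevated prompt.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListenerFindings {
    param([string]$KeyPath = $rdpKey)
    $p = Get-ItemProperty -Path $KeyPath
    $findings = @()

    # PortNumber: a non-default port is obscurity only; note it, do not count it as a control.
    if ($p.PortNumber -ne 3389) {
        $findings += "PortNumber=$($p.PortNumber): non-default port hides nothing from a scanner; keep the other controls."
    }
    # SecurityLayer: 0 = legacy RDP security (no server identity check), 1 = negotiate, 2 = TLS required.
    if ($p.SecurityLayer -lt 2) {
        $findings += "SecurityLayer=$($p.SecurityLayer): TLS not required, legacy RDP security allows server impersonation; set to 2."
    }
    # UserAuthentication: 1 = Network Level Authentication required before a session is created.
    if ($p.UserAuthentication -ne 1) {
        $findings += "UserAuthentication=$($p.UserAuthentication): NLA not required; set to 1."
    }
    # MinEncryptionLevel: 1 = low, 2 = client compatible, 3 = high (128-bit), 4 = FIPS.
    if ($p.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel=$($p.MinEncryptionLevel): weak encryption permitted; set to 3 or 4."
    }
    return $findings
}

function Get-RdpFirewallScopeFindings {
    # An enabled inbound Remote Desktop rule scoped to 'Any' accepts the whole internet once the
    # port is forwarded; the post's suggestion is to restrict it to known source addresses.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound
    $findings = @()
    foreach ($rule in $rules) {
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains 'Any') {
            $findings += "$($rule.DisplayName): RemoteAddress scope is Any; restrict it to the source IPs that should reach this host."
        }
    }
    return $findings
}

$all = @(Get-RdpListenerFindings) + @(Get-RdpFirewallScopeFindings)
if ($all.Count -eq 0) { 'No findings.' } else { $all }
```

To act on the firewall finding, `Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress <ip list>` narrows the scope; a changed PortNumber only takes effect after the Remote Desktop Services service restarts.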

  • #2
    Re: RDP Connections without VPN's

    Interestingly, I just set up a simple port forward for a home office to use remote desktop. The two biggest reasons to me to use VPN before establishing an RDP connection are:
    1. VPNs allow access to the entire internal network. On top of the general benefits of having remote access to a network, you can RDP to more than just one computer. Port forwarding means that WAN port 3389 can only be forwarded to one computer at a time. Sure, you can make 3390, 3391, 3392 etc. point to other computers as needed, but that's a huge headache on a network with more than just a few computers that need to be accessed.
    2. Security. Yes, RDP is encrypted, but it's not bullet-proof. I'm much more comfortable with IPSec or TLS as an encryption method. For some, however, that might not be an issue.



    If the argument is that the packets are protected in a VPN: they are encrypted by default anyway.
    True, but RDP has known security flaws and for some industries, 128 bit RC4 might not be enough. Here's an article on some Terminal Services security flaws circa 2005.


    If the argument is MITM attacks, how easy is this over the WAN in the hope of getting the right target with administrator credentials at just the right time?
    "Easy" is determined by the [email protected] ski11z of the haxor that is targeting you. A zombified home PC that port scans your address probably isn't going to do anything. A script kiddy probably wouldn't be able to orchestrate a MITM attack nor would they be likely to find you that interesting. However, if you're the SysAdmin for a chemical fabrication plant, combustion laboratory, or major college you would want to worry. Of course, the IT department for those types of facilities would more than likely have the $$'s for a serious ASA (or CheckPoint device if Dumber worked there ).



    If the argument is that a VPN means you don't have to open 3389 on the destination router: you don't anyway, you can get around this a multitude of other ways, including designating a different port to come in on & turning it around to 3389 once it's inside the perimeter. Or even continue it onto the server with the different port & change the port RDP is using on the server in the registry.
    Yes, but it's unmanageable past just a few servers. It's a veritable nightmare if you have regular users who need remote desktop. Not to mention, simply changing port numbers is "security through obscurity". I haven't looked deeply into the matter, but it may be possible for Terminal Services to be fingerprinted for a remote attacker to discover which port is for RDP connections. Then there's the topic of fuzzing. Someone somewhere may throw the right garbage at TS to get it to choke and do something... regrettable. Of course, I'm rather paranoid so this may not bother you, but it makes me check under the bed before I go to sleep at night.

    Oh and BTW, if you use Terminals 1.7 on Windows or KRDC on linux, you don't have to hack around in the registry to change RDP ports on the client. Yay!



    You can also limit the connections to your TS server on the firewall (ISA, router or even Windows firewall) to certain IP addresses.
    I'm not aware of "a multitude of different ways" to get around this limitation, but we're back to the topic of being difficult to manage. Scenario: I'm 400 miles away in a different city visiting friends. I get a text message from Nagios saying that a critical server fell over and can't get up. I try to RDP into a server (Oh wait, which external port do I use to get into which internal server... I can't remember... was it 29543 for the file server or 53892? No, wait! It was 45293... I think. Argh!), but then realize that I restricted IPs to only my home IP address. Grrr! So, being the geek that I am, I VNC over SSH into my home computer. From there I RDP into the server at work (assuming I can remember which external port goes to which internal server... and then of course edit the registry correctly... unless I'm using Terminals or KRDC) only to find that my ISP renewed my home IP address and my RDP connection is refused.



    If the argument is that VPNs give that added bit of security: maybe, but so does putting a sign on your house saying "beware of dog" when you don't have a dog. We all know how completely unprotected many of our clients leave their home PCs; a keylogger pretty much defeats the purpose of the VPN.
    It may seem funny to lock the front door but leave the back door wide open, however I think this is a 'baby out with the bath water' scenario. I wouldn't forgo major security components just because someone might let a keylogger on their computer. I just had to worry about a Trojan threat on one of my small business networks. That didn't tempt me to publish the network's administrator passwords on a black-hat forum. I'm beginning to think that you have SOHO clients in mind rather than SMBs. In that case, maybe a VPN is overkill, but still... it's a good idea and rather cheap for more benefits than just secure RDP.

    At the end of all of this, you could also use SSH to establish a more secure tunnel than RDP does, yet without worrying about a VPN. But in the end, an SSH tunnel is just as easy/hard to set up as a VPN these days but doesn't have the same breadth of use as a VPN... so just set up a VPN and be done with it.
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



    • #3
      Re: RDP Connections without VPN's

      Thanks for your input Nonapeptide.

      The two biggest reasons to me to use VPN before establishing a RDP connection are: VPNs allow access to the entire internal network.
      I would have thought that was a reason against a VPN. At least if it was, say, a client connecting from their home PC without using a VPN, you are directing them to only one server. Once the client is logged on, you can create additional RDP connections to other servers from that first one if need be. If a hacker, or even someone's teenage son (like I have busted before) with their parents' details that are left on a piece of paper at home, starts up the VPN, then as you say, they have access to the entire internal network. At least TS Gateway overcomes that somewhat by creating a secure point to point connection & granting more granular access.


      Port forwarding means that WAN port 3389 can only be forwarded to one computer at a time. Sure, you can make 3390, 3391, 3392 etc. point to other computers as needed, but that's a huge headache on a network with more than just a few computers that need to be accessed.
      You can create access from inside the initial connection to other servers. Either way, you have to sign on each time, whether doing it through a VPN to multiple other servers or through an initial RDP connection then onto other RDP connections. Either that or create a remote desktop web connection page that has multiple connections on it. Those 2 scenarios would be more for clients. For an administrator logging on & needing access to multiple servers, you simply use "remote desktops" or "royal TS" or some such thing.

      http://www.hostmysite.com/support/vp...estartsql1.gif

      http://i.d.com.com/i/dl/media/dlimag...831_large.jpeg

      That way you don't need to remember multiple port numbers.

      Security. Yes, RDP is encrypted, but it's not bullet-proof. I'm much more comfortable with IPSec or TLS
      If the client side is compromised, how does that help?

      and for some industries, 128 bit RC4 might not be enough
      Absolutely. Couldn't agree more. Banking sector, legal, finance, accounting, medical, military & on it goes all need super security. Although the recent hacks on the Pentagon, CIA & US Navy show those measures were either too lax or someone dropped the ball. But when we are talking about SMBs like, say, Bob's Tyre Mart who employs 160 people, they not only can't be bothered with super security, they can't afford it or it's not necessary. Of course you are going to have strong AD passwords, account policies, firewalls, auditing & all the small cheap stuff, but really, businesses like this are not high on the target list.


      if you're the SysAdmin for a chemical fabrication plant, combustion laboratory, or major college you would want to worry. Of course, the IT department for those types of facilities would more than likely have the $$'s for a serious ASA
      I agree.

      Oh and BTW, if you use Terminals 1.7 on Windows or KRDC on linux, you don't have to hack around in the registry to change RDP ports on the client. Yay!
      Sweet sweet linux, please take over the computer world. We are all waiting.


      I get a text message from Nagios saying that a critical server fell over and can't get up. I try to RDP into a server (Oh wait, which external port do I use to get into which internal server... I can't remember... was it 29543 for the file server or 53892? No, wait! It was
      Like I was saying above, you log onto one terminal & use remote desktops feature to manage many servers.


      I'm beginning to think that you have SOHO clients in mind rather than SMBs. In that case, maybe a VPN is overkill, but still... it's a good idea and rather cheap for more benefits than just secure RDP.
      I am currently in a position with a company that predominantly hosts their servers in data centres. They/we host servers for clients anywhere from 10 to 400 users in size. I've started with them recently & they don't use VPNs for RDP.

      Of the last 2 places I worked, 1 DID use VPNs & the other didn't. So I was curious as to what other techs out there had to say about the practice, having now seen & heard these different points of view in the few places I've worked.



      • #4
        Re: RDP Connections without VPN's

        Originally posted by mobius2011
        I would have thought that was a reason against a VPN. At least if it was, say, a client connecting from their home PC without using a VPN, you are directing them to only one server. Once the client is logged on, you can create additional RDP connections to other servers from that first one if need be. If a hacker, or even someone's teenage son (like I have busted before) with their parents' details that are left on a piece of paper at home, starts up the VPN, then as you say, they have access to the entire internal network. At least TS Gateway overcomes that somewhat by creating a secure point to point connection & granting more granular access.
        True. Very true. That was part of a scenario that I had to take into account whilst doing gobs of research on mobile security on one of the larger places that I work(ed) at. NAP (or NAC if you're a Cisco person) comes in handy, but that's a lot of administrative overhead for "Dan's Bait and Tackle Shop". "Bobs Tyre Mart" on the other hand might just be getting to the size to be capable of implementing such a thing, especially if they have a significant pool of remote users.

        Those types of problems (infected home PCs, leaked credentials, etc.) don't seem to me to be quite enough to do away with VPNs... but they are good supporting points for TS/Citrix. Those issues are really supposed to be handled by other procedures and policies. E.g. "You must only access the network with a company supplied laptop, or a device that has an approved antivirus/malware application that is up to date, all access will be logged, report suspected credential leaks immediately, blah, blah, blah..."

        The question is: Is it cheaper and easier to maintain a TS-style solution or just put in a VPN with some security policies and user education.


        Originally posted by mobius2011
        You can create access from inside the initial connection to other servers. Either way, you have to sign on each time, whether doing it through a VPN to multiple other servers or through an initial RDP connection then onto other RDP connections.
        True, but I've never liked playing "sock-puppets". My personal dislike of sock-puppets isn't really a rational reason to not do it I suppose. However, explaining this process to users is already making me break out in hives.

        Originally posted by mobius2011
        Either that or create remote desktop web connection page that has multiple connections on it. [...] For an administrator logging on & needing access to multiple servers, you simply use "remote desktops" or "royal TS" or some such thing.
        Multiple TSweb connections and a "royal TS" are both things that I'm unaware of. I'll have to look deeper into those things.


        Originally posted by mobius2011
        If the client side is compromised, how does that help?
        It... umm... helps the badware to thrash the network... so... ummm... yeah.



        Originally posted by mobius2011
        But when we are talking about SMBs like, say, Bob's Tyre Mart who employs 160 people, they not only can't be bothered with super security, they can't afford it or it's not necessary.
        FreeBSD + OpenVPN = Done!
        Even simpler: IPCop with it's plethora of plug-ins.



        Originally posted by mobius2011
        Sweet sweet linux, please take over the computer world. We are all waiting.
        Yep! And it would be even better if there were some super-cool, hi-tech and even frivolous things for linux. Like if I could print. Or use my laptop's trackpad. Or get a decent VPN client to work consistently. Or connect to a wireless network (yeah, I know... that's the wireless card manufacturer's fault for not opening up to help the development of drivers). /me glances at his Fedora 9 Dell Dimension sitting next to him

        At least NVidia makes drivers for my video card. I can't use my mouse, VPN into work or print... but at least I can play SuperTuxKart in SUSE 11 at 50 FPS!!!



        Originally posted by mobius2011
        I am currently in a position with a company that predominantly hosts their servers in data centres. They/we host servers for clients anywhere from 10 to 400 users in size. I've started with them recently & they don't use VPNs for RDP.

        Of the last 2 places I worked, 1 DID use VPNs & the other didn't. So I was curious as to what other techs out there had to say about the practice, having now seen & heard these different points of view in the few places I've worked.
        So the place you work for offers rackspace and server support for other SMBs so that they don't have to deal with it? Okay, sounds interesting. I suppose an RDP-only workplace could be a workable solution, but getting local apps on mobile computers to work remotely can only be done via VPNs. I was mostly thinking about those mobile users that 1) Use applications that need backend DB servers that are in the server room, 2) Need access to various intranet based tools, and 3) Use their network drives to store their files (like we tell them over, and over, and over, and over to do). Yeah, TS and Citrix can work, but I think bandwidth might be an issue at that point (for both users and the business site). Also, I don't like to make users entirely dependent on a network connection. At least if the VPN isn't working or the network connection is down some apps can be used locally and their changes stored and synced back up when they connect to the network.

        All in all, you present interesting points that I need to consider. Personally, I'd only feel comfortable relying only on RDP if I first had an SSH tunnel set up. Ah well. Good discussion!
        Wesley David



        • #5
          Re: RDP Connections without VPN's

          "Dan's Bait and Tackle Shop".
          Aaahahah. Yeah I could imagine the "network" there.

          The question is: Is it cheaper and easier to maintain a TS-style solution or just put in a VPN with some security policies and user education.
          The first place I worked in used VPNs religiously & I considered that the norm. Then I went to the next job & they didn't use them for WAN based RDP connections. It didn't compute & I argued & was finally told to shut up & support their SOE. After a while I began to come around to their way of thinking & figured, what's the big deal? In 2 years I never saw any problems resulting from this practice. So my arguments lacked evidence.

          Personally, I don't think it's that hard to add just a standard Microsoft VPN to the procedure.


          Multiple TSweb connections and a "royal TS" are both things that I'm unaware of
          The first is just the Windows remote desktop web connection page.

          http://microsoft.apress.com/images/a...0812_01_14.jpg

          But the HTML is edited so that more than the one default connection appears on the one page. It's more for clients' benefit.

          The second is more for the administrator & expands on the already existing Microsoft Desktops found in administrative tools.

          http://code4ward.net/cs2/

          That way I can log on to one central PC & access network monitoring & be able to access any of a hundred servers with a double click of the mouse. My account is highly secured in comparison with clients'. Except for some accountancy & legal clients where we go all out on security.

          Yep! And it would be even better if there were some super-cool, hi-tech and even frivolous things for linux. Like if I could print.
          Lol, well yeah, it's a bit of a challenge sometimes, but look at its market share in just the last couple of years. It's still unfriendly IMO to basic end users, even with the likes of Ubuntu & openSUSE, but I feel it's only about 2 years away until basic end users can easily move from a Windows or Mac environment with all the GUI familiarities. With products like Wine for Linux & many other goodies we can't be too far away.

          It has certainly penetrated the Sys admin/ engineer world. Many jobs are now advertised for Linux gurus & server admins.

          So the place you work for offers rackspace and server support for other SMBs so that they don't have to deal with it?
          Yes, it's a data centre which looks very similar to this:

          http://pythonology.org/images/final/...center-web.jpg

          About 80% of our clients are stored there, so we can manage them all more easily. It is more secure, & protected by a massive UPS & diesel generator if need be. If there is a hardware issue it's only a few steps away, & uptime is increased that way. The remaining 20% are small 10-30 user sites where the servers are stored at their premises.

          I suppose a RDP-only workplace could be a workable solution, but getting local apps on mobile computers to work remotely can only be done via VPNs. I was mostly
          Most of our clients use thin clients (Wyse or HP) in their offices so there are no local apps. There may be one dedicated multimedia PC which may have local apps & local needs. The mobile users RDP in & use the apps on the servers. Yes, there is a VPN between us & their site, but it is only for printing, due to the various IPs using the same ports. The RDP connections don't go over a VPN.

          but I think bandwidth might be an issue at that point
          Yes, you have to throw bucketloads of bandwidth at it.

          At least if the VPN isn't working or the network connection is down some apps can be used locally and their changes stored and synced back up when they connect to the network.
          Yes, that's the one big advantage client server has over TS models. If the internet goes down, not one person can do any work in my above TS environment. It doesn't happen often, but when it does, it sux. Also refresh rates & graphics are crap on TS over WAN compared to client server.



          • #6
            Re: RDP Connections without VPN's

            Originally posted by mobius2011
            The first place I worked in used VPNs religiously & I considered that the norm. Then I went to the next job & they didn't use them for WAN based RDP connections. It didn't compute & I argued & was finally told to shut up & support their SOE. After a while I began to come around to their way of thinking & figured, what's the big deal? In 2 years I never saw any problems resulting from this practice. So my arguments lacked evidence.
            I am a compulsive VPN implementor. I just recently had my perspective shifted though. A user needed to work from home with a CRM application and I was spinning my wheels trying to figure out how to get the CRM app installed on a laptop, get the database connections set up, etc.. Someone else said to me "Just use remote desktop from the user's home PC to the office PC." After I finished smacking my forehead, I instructed the user on how to use remote desktop. Of course, I still used the VPN to make the connection first... I can't break old habits that fast.



            Originally posted by mobius2011
            The first is just the Windows remote desktop web connection page.

            http://microsoft.apress.com/images/a...0812_01_14.jpg

            But the HTML is edited so that more than the one default connection appears on the one page. It's more for clients' benefit.
            I knew about the web connection for TS, but never considered placing more than one client on the same web page. Interesting possibility.

            Originally posted by mobius2011
            The second is more for the administrator & expands on the already existing Microsoft Desktops found in administrative tools.
            Okay, so it's a third-party app that aggregates your RDP connections. I'm just starting to use Terminals 1.7 for that actually. It has RDP and VNC connection capabilities as well as a host of your standard network tools (ping, tracert, whois, etc.) and supposedly it can save VPN connections and start them automatically when you try to RDP/VNC to specific servers. (There I go with the VPN again...).


            Originally posted by mobius2011
            I feel its only about 2 years away until basic end users can easily move from a Windows or Mac environment with all the gui familiarities.
            "This year is gonna be the Year of Linux! No really!!"

            --Linux Community, circa 1997



            Originally posted by mobius2011
            Yes, there is a VPN between us & their site, but it is only for printing, due to the various IPs using the same ports. The RDP connections don't go over a VPN.
            How do you make sure that the RDP connections don't go over the VPN? Do the tunnel endpoints have some kind of split horizon tunneling setting or traffic ACL that forces certain traffic over the VPN and other traffic onto the interwebs?


            I still want to set up an SSH tunnel before I do away with my VPN though. =)
            Wesley David



            • #7
              Re: RDP Connections without VPN's

              I think Windows TS Gateway is going to give VPNs a run for their money. VPNs will still be in the market, but for small SMBs TS Gateway rocks!!!

              TS Gateway gives home users the ability to RDC onto any (or specific) workstations in the office by specifying a TS Gateway that sits in your DMZ and translates RDC connections from external addresses to your internal network.

              http://technet.microsoft.com/en-us/l.../cc731264.aspx

              Michael
              Michael Armstrong
              www.m80arm.co.uk
              MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

              ** Remember to give credit where credit is due and leave reputation points where appropriate **



              • #8
                Re: RDP Connections without VPN's

                I'm just starting to use Terminals 1.7 for that actually


                I had never heard of it until you posted the link. Since then I have downloaded it & installed it on our main server & we are in the process of replacing Royal TS with Terminals 1.7. Gotta say, what a fantastic program, it's got everything we were ever after. Just trying to work out some of the features, but other than that, very happy with it, thanks.

                "This year is gonna be the Year of Linux! No really!!"

                --Linux Community, circa 1997


                Most of our techs have over the past year or so been installing as many open source (Windows versions) apps as we can to get people used to them so the transition to a full Linux OS won't be so daunting. They are already using OpenOffice, Foxit PDF, Bullzip PDF writer, open source media players, photo editing & email clients. Once Linux OSes get to the point of being more basic end user friendly, many of these users would already have been using the programs that come pre-packaged.

                How do you make sure that the RDP connections don't go over the VPN?


                Either configure the client to point to the WAN IP address of the router where the target server is, OR configure the router on the client side to send ANY 3389 traffic to a particular IP address, which you specify in the router settings as the WAN port of the router housing the target TS. NAT takes care of the rest. Going back the other way requires a VPN though, as there is often more than one printer & port forwarding isn't as practical.

                VPNs will still be in the market, but for small SMBs TS Gateway rocks!!!


                Yeah, I implemented it at work & no one was interested. "Oh, you need certificates? You need to set up RAPs & CAPs? How is that easier?" they say.

                As we know, "ease of use & cheaper" nearly always wins out over "better quality & more secure" when left to the end user.



                • #9
                  Re: RDP Connections without VPN's

                  How do you make sure that the RDP connections don't go over the VPN?
                  Sorry, I just re-read your question & understood it differently. We use 2 to 3 lines typically.

                  Line & router 1 (unless it's a dual WAN port router): Internet, email & print traffic, VPN/IPsec

                  Line 2 & router 2: RDP traffic

                  Line 3: VOIP.



                  • #10
                    Re: RDP Connections without VPN's

                    Originally posted by mobius2011
                    I had never heard of it until you posted the link. Since then I have downloaded it & installed it on our main server & we are in the process of replacing Royal TS with Terminals 1.7. Gotta say, what a fantastic program, it's got everything we were ever after. Just trying to work out some of the features, but other than that, very happy with it, thanks
                    Terminals does have some UI quirks that take some getting used to. All in all I'm impressed though. I like the ability to have HTTP connections saved. For example, for one of my workplaces I have a folder of favorite connections that include RDP connections to strategic computers as well as a HTTP connection to the LAN and WAN sides of their router. I'll also be using the VMRC connection here shortly as I set up some virtualization using MS's Virtual Server 2005. Very sharp!

                    In your experience, is it that much better than Royal TS? I would have thought that you'd stick with what you already paid for.
                    Wesley David



                    • #11
                      Re: RDP Connections without VPN's

                      This is quite interesting to read, although I don't say it's good or bad.
                      Personal flavour: allow incoming VPN and allow only RDP from the VPN network to the RDP server.

                      http://www.msterminalservices.org/ar...ironments.html
                      http://www.ethicalhacker.net/content/view/105/24/

                      http://www.oxid.it/downloads/rdp-gbu.pdf

                      ...During extensive investigation of the Remote Desktop Protocol (RDP), the protocol used to connect to
                      Windows Terminal Services, we have found that although the information sent over the network is encrypted,
                      there is no verification of the identity of the server when setting up the encryption keys for the session. This
                      means RDP is vulnerable to Man In The Middle attacks (from here on referred to as MITM attacks).
                      But oh well, there are quite a lot who are publishing their .rdp files:
                      http://www.google.nl/search?hl=nl&q=...pe%3Ardp&meta=
                      Last edited by Dumber; 5th September 2008, 21:38.
                      Marcel
                      Technical Consultant
                      Netherlands
                      http://www.phetios.com
                      http://blog.nessus.nl

                      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                      "No matter how secure, there is always the human factor."

                      "Enjoy life today, tomorrow may never come."
                      "If you're going through hell, keep going. ~Winston Churchill"
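As an added example (not from this thread or any of its posters), here is a small Python triage script for an .rdp file picked up from a search like the one above. It relies on the plain `name:type:value` layout of .rdp files and on the documented `authentication level` client setting (0 = connect without warning when the server cannot be authenticated, 1 = refuse to connect, 2 = warn), which is exactly the knob that decides whether the MITM described in the oxid.it paper is simply accepted. The sample file, hostname and saved-password blob are constructed for the example.

```python
"""Triage a found .rdp file for settings that make a published RDP endpoint
risky. Added example, not from the thread; the sample file below is constructed."""
import re

# .rdp files are plain text, one "name:type:value" per line, where type is
# i (integer), s (string) or b (binary blob). mstsc saves them as UTF-16 LE.


def load_rdp(data: bytes) -> str:
    """Decode raw .rdp bytes: UTF-16 with BOM from mstsc, otherwise UTF-8."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def parse_rdp(text: str) -> dict:
    """Parse name:type:value lines into a dict; integers converted, junk lines skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            continue
        name, kind, value = parts
        if kind == "i" and value.lstrip("-").isdigit():
            settings[name.lower()] = int(value)
        else:
            settings[name.lower()] = value
    return settings


# Matches "Administrator" on its own or with a DOMAIN\ prefix.
BUILTIN_ADMIN = re.compile(r"(^|\\)administrator$", re.IGNORECASE)


def triage(settings: dict) -> list:
    """Return human-readable findings, most serious first."""
    findings = []
    user = settings.get("username", "")
    if isinstance(user, str) and BUILTIN_ADMIN.search(user):
        findings.append(f"built-in admin account preset: {user}")
    level = settings.get("authentication level")
    if level == 0:
        findings.append("authentication level:i:0 -> connects even when the server "
                        "cannot be authenticated, so a MITM is not refused")
    elif level is None:
        findings.append("authentication level not set -> the client default decides "
                        "whether server identity is checked")
    if "password 51" in settings:
        findings.append("saved password blob present (DPAPI-protected, so only "
                        "usable on the user/machine that saved it)")
    if settings.get("prompt for credentials") == 0 and user:
        findings.append("prompt for credentials:i:0 with a preset username -> "
                        "one-click logon attempt for anyone who opens the file")
    addr = settings.get("full address")
    if addr:
        findings.append(f"target advertised: {addr}")
    return findings


# Constructed sample; no real host or credential.
SAMPLE_RDP = (
    "screen mode id:i:2\n"
    "full address:s:rdp.example.com:3389\n"
    "username:s:CORP\\Administrator\n"
    "authentication level:i:0\n"
    "prompt for credentials:i:0\n"
    "password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB\n"
)
SAMPLE_BYTES = b"\xff\xfe" + SAMPLE_RDP.encode("utf-16-le")

if __name__ == "__main__":
    for finding in triage(parse_rdp(load_rdp(SAMPLE_BYTES))):
        print("-", finding)
```

Run it against a real file with `triage(parse_rdp(load_rdp(open("test.RDP", "rb").read())))`. A file with `authentication level:i:1` and no preset username comes back with only the "target advertised" line, which is the difference between a published endpoint and a published logon.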



                      • #12
                        Re: RDP Connections without VPN's

                        Yeah, that TS article, Brute Force Hacking In Terminal Server Environments, is pretty interesting & covers some of the stuff we have discussed here, & yes, for any malicious hacker the administrator account is going to be your holy grail.

                        I remember trying Grinder out when auditing our sites a while back & found I kept locking accounts out, so I must have been doing something wrong. I will have another go.

                        Between that & LC4 I was at least able to do some basic audit.

                        I'm glad to say the company I'm in & the few others I've been in adhere to all of the points covered in that article.

                        Rename administrator account & strong password policy.
                        All non-administrator accounts are locked down so they don't have access to:

                        C:\
                        Run
                        Command prompt
                        Registry
                        Tools
                        Network Places
                        Control panel
                        Non-admins are prohibited from installing software & drivers.
                        Password complexity requirements (although many still get around this by using basic leet, e.g. sch00l, [email protected]$, [email protected] etc.)

                        Auditing is enabled for all drives for success/failure for logons & move/delete files & change privileges.

                        But that MITM article tends to rely on LAN-based MITM attacks. Theoretically it's all possible, but as I mentioned earlier I don't believe businesses, SOHOs & SMBs are as much of a target. For example, software & intrusion logs at the places I have worked show far fewer attacks via port scanning & failed logins compared to my home computer. I open 3389 & 21 on my home router & my software firewall is sending me alerts within a day.......mostly from China.

                        Also I believe when it comes to banking details or account details of importance, most businesses keep passwords on paper locked away in either a safe or filing cabinet onsite. Whereas Mums & Dads out there (I know best!!) keep their passwords on their PCs or don't have anti-spyware or AV.

                        Plus phishing, Nigerian scams, keylogging etc. all make money more easily from Mum & Dad's PC than attempting businesses that in many cases either block your IP after a few attempts, block you when port scanning or can trace you for prosecution purposes, which businesses are more than happy to outlay cash for.

                        as well as a HTTP connection to the LAN and WAN sides of their router.
                        Yes! I have various shortcuts on my desktop for this purpose & it will be nice to have it all centralised. Plus access to various nodes with web interfaces. Printers, Scanners, WAps, PABX, Cameras etc.


                        In your experience, is it that much better than Royal TS? I would have thought that you'd stick with what you already paid for.
                        I rate M$ Remote Desktops around a 5 compared to manually connecting to sessions individually. I rate Royal TS about an 8. I rate Terminals 1.7 about an 11.2. The packet capture just rocks too.

                        Royal TS is free, so its no loss to give it the fling. We were actually looking at getting one of our coders to create a console to do about half of what Terminals 1.7 does, so it was very timely.
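The "basic leet" problem above (sch00l passing the complexity rule) is worth showing in code. As an added example, not from the thread or any of its posters, here is a Python password filter that first applies the Windows-style "3 of 4 character classes, no account name inside the password" rule and then undoes common leet substitutions before checking the result against a wordlist. The minimum length of 8 and the tiny wordlist are assumptions for the example; a real filter would load a full dictionary or breach list.

```python
"""Password filter that catches the 'basic leet' trick: a password that passes
the 3-of-4 character-class rule but is just sch00l or P@ssw0rd in disguise.
Added example, not from the thread; the wordlist is constructed."""
import re

# Common leet substitutions, undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

# Tiny constructed wordlist (assumption); load a real dictionary in practice.
WORDLIST = {"password", "school", "summer", "welcome", "letmein", "admin", "troubadour"}


def meets_windows_complexity(pw: str, username: str = "") -> bool:
    """Approximates the Windows 'Password must meet complexity requirements' rule:
    at least 3 of 4 character classes and no account name (3+ chars) inside the
    password. Minimum length is a separate policy; 8 is assumed here."""
    classes = sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    name_hit = len(username) >= 3 and username.lower() in pw.lower()
    return len(pw) >= 8 and classes >= 3 and not name_hit


def deleet(pw: str) -> str:
    """Undo leet substitutions and keep only letters, e.g. 'Sch00l#1' -> 'schooli'."""
    return re.sub(r"[^a-z]", "", pw.translate(LEET).lower())


def weak_base_word(pw: str, wordlist=WORDLIST):
    """Return the dictionary word hiding in pw after de-leeting, or None."""
    letters = deleet(pw)
    for word in sorted(wordlist, key=len, reverse=True):  # longest match first
        if len(word) >= 4 and word in letters:
            return word
    return None


def check_password(pw: str, username: str = "", wordlist=WORDLIST) -> str:
    """Verdict string: the complexity rule alone lets leet words through,
    the de-leet dictionary check is what rejects them."""
    if not meets_windows_complexity(pw, username):
        return "rejected: fails complexity policy"
    word = weak_base_word(pw, wordlist)
    if word:
        return f"rejected: leet variant of '{word}'"
    return "accepted"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "Sch00l#1", "summer", "Wn7$kq!2Lm", "Adm1n!2008"]:
        print(f"{candidate:12} {check_password(candidate, username='admin')}")
```

Note that `P@ssw0rd!` and `Sch00l#1` both satisfy the complexity rule on their own; only the de-leet step rejects them, which is the gap the post is describing.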



                        • #13
                          Re: RDP Connections without VPN's

                          But oh well, there quite a lot who is publishing the .rdp file
                          http://www.google.nl/search?hl=nl&q=...pe%3Ardp&meta=
                          Hahah! Yeah, it kind of illustrates the point I guess that when so many business RDP portals (without VPNs) are advertised like that, it makes a smaller profile for all the smaller SOHOs & SMBs out there.

                          After all, the big money or information is in publicly listed companies, who can provide potential hackers with information much more beneficial than a possible 1 in 1000 chance of finding a password & account details for a bank from an SMB which might have a $10k a day payment limit. The bank is then able to trace the account of the payee & prosecute.

                          It would be much more beneficial to get into a publicly listed company's private files & find out if that billion $$ merger/acquisition/write-down was going to go ahead. Then buy or sell a few thousand shares based on that info. No one is the wiser. Except for those massive trades you hear about in the news that seem to happen a day before a big announcement.
                          Last edited by mobius2011; 6th September 2008, 09:29. Reason: lost my seat on the train of thought



                          • #14
                            Re: RDP Connections without VPN's

                            But oh well, there quite a lot who is publishing the .rdp file
                            http://www.google.nl/search?hl=nl&q=...pe%3Ardp&meta=
                            Dumber, this one out of that list for example is asking for trouble.

                            Administrator account & TAX = Trouble

                            http://checkpluspr.com/Documents/test.RDP



                            • #15
                              Re: RDP Connections without VPN's

                              Originally posted by mobius2011
                              Dumber, this one out of that list for example is asking for trouble.

                              Administrator account & TAX = Trouble

                              http://checkpluspr.com/Documents/test.RDP
                              LOL, it's a domain controller, I was able to connect to it, and it reveals that it has a domain account named ADMINISTRATOR as the last logged on user account.

                              Wonder if it's a honey pot? This is too funny.
                              VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
                              boche.net - VMware Virtualization Evangelist
                              My advice has no warranties. Follow at your own risk.

