And to follow up on that, you can use FIPS-compliant encryption in Win2K3. :-)
Laura
From: "Ken Remley" <ken.remley@jfshea.com>
Date: 2004/10/15 Fri PM 06:42:51 EDT
To: "Matt Ostiguy" <ostiguy@gmail.com>, <focus-ms@securityfocus.com>
Subject: RE: Remote connections
Just as a follow up. If you are using ICA which is encrypted with two piece
authentication like RSA that works as well. Then you don't have the VPN
Tunnel overhead!
-----Original Message-----
From: Matt Ostiguy [mailto:ostiguy@gmail.com]
Sent: Friday, October 15, 2004 8:26 AM
To: focus-ms@securityfocus.com
Subject: Re: Remote connections
On Thu, 14 Oct 2004 23:54:37 -0700, GuidoZ <uberguidoz@gmail.com> wrote:
Why not? I don't know of any current exploit for RDP set to high
encryption, and even if there were any, connections may very well be
shielded by encrypted tunnels.
I'm not aware of any currently either, but as their track record
proves, that's meaningless. It was more of a retorical question and a
snide remark - please excuse it.
Thor@hammerofgod was working on a brute forcer for term serv/RDP
stuff. Haven't checked on it in awhile, but he recommended
implementing a standard login banner to slow it down, and password
lockouts, both of which are very very good ideas in general.
I haven't fully tested tightvnc, but another appeal of RDP/TS (beyond
its speed advantage, provided you connect with 256 color as opposed to
high bit depth) is with proper audit logging set up, you can generate
the following:
10/13/2004 3:23:24 PM 683 8 Success Audit event 2 Security
USERNAMEHERE|DOMAINNAMEHERE|(0x0,0xAAAAAA)|Unknown|CLIENTPCNAMEHERE|a.b.c.d
SERVERNAMEHERE Session disconnected from winstation: User Name:
USERNAMEHERE Domain: DOMAINNAMEHERE Logon ID: (0x0,0xAAAAAA) Session
Name: Unknown Client Name: CLIENTPCNAMEHERE Client Address: a.b.c.d
10/13/2004 4:34:55 PM 682 8 Success Audit event 2 Security
USERNAMEHERE|DOMAINNAMEHERE|(0x0,0xAAAAA)|RDP-Tcp#4|CLIENTPCNAMEHERE|a.b.c.d
SERVERNAMEHERE Session reconnected to winstation: User Name:
USERNAMEHERE Domain: DOMAINNAMEHERE Logon ID: (0x0,0xAAAAA) Session
Name: RDP-Tcp#4 Client Name: CLIENTPCNAMEHERE Client Address: a.b.c.d
That is from win2k, pulled with logparser. Having full audit
functionality in the native logging facilities is nice.
That all said, vnc vs rdp vs whathaveyou - a good starting assumption
is that everything should only be accessible via the vpn, if at all.
If it should be accessible through firewall without vpn, they ought to
be a stunning reason for it.
Matt
---------------------------------------------------------------------------
---------------------------------------------------------------------------
The information contained in this e-mail message is confidential and may be
legally privileged and is intended only for the use of the individual or
entity named above. If you are not an intended recipient or if you have
received this message in error, you are hereby notified that any
dissemination, distribution or copy of this e-mail is strictly prohibited. If
you have received this e-mail in error, please immediately notify us by
return e-mail or telephone if the sender's phone number is listed above, then
promptly and permanently delete this message. Thank you for your cooperation
and consideration.
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
