[unisog] Windows Remote Desktop Client

Asadoorian, Paul D Paul_Asadoorian at brown.edu
Tue Apr 1 13:37:03 GMT 2003


Ed,

As others may have stated, it depends.  Depends on what you are trying
to secure, how sensitive the data is, and, well you know where this is
going.......

On the technical side I have always been skeptical of the security of
RDP and MS implementation of it.  An IPSEC VPN provides far better
security, although does raise other issues.  Here are some of the
shortcomings of RDP:

- Unlike a VPN tunnel, you have to expose your servers to the Internet
directly (or at least one server as a jump off point)
- RDP does have previous vulnerabilities, so make sure the machines are
well patched
- Account policies are a must (locked after unsuccessful login attempts,
passwords expiring, etc...)
- You'll find an excellent discussion of RDP here:
http://cert.uni-stuttgart.de/archive/vuln-dev/2002/01/msg00165.html,
Interesting notes include:
	- Suggestion for the inclusion of RDP in the dsniff tool
	- Analysis of the data going across the wire
	- Some data travels in the clear (client name, and server
license root)

We have a Cisco 3030 and plan to rollout more VPN access, and in some
areas we may use RDP, but make sure that everyone is aware of the risks.
As far as the other issues go, we do not allow "split-tunnel", we push
firewall rules to the clients, we do not allow Local LAN access when
connected via the VPN.  If you are truly paranoid you can get a product
from Okena or Sygate which allows you to push more granular rules to the
client, as well as Anti-Virus and host-based IDS.  Any combination of
these will make it very difficult to exploit the VPN tunnel.

Other RDP links:
http://www.rdesktop.org/
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/rdpspec.asp

Paul Asadoorian, GCIA
Brown University
115 Waterman St.
Providence, RI 02912
401.863.7553

PGP Key: http://pauldotcom.com/Paul_Asadoorian.asc
Fingerprint: 42CB D9A8 37C4 2D1C A2FE  927F C946 9174 41DC 7A4F
Web: http://www.pauldotcom.com 
  

-----Original Message-----
From: Ed Gibson [mailto:egibson at uwo.ca] 
Sent: Monday, March 31, 2003 12:01 PM
To: unisog at sans.org
Subject: [unisog] Windows Remote Desktop Client


Hello all...

The influx of Windows XP into our domain has increased the number of
faculty and staff wanting to access their at work desktops from home
via Microsoft RDC.

This of course opens a huge can of worms as far as security is
concerned. How secure is the at home computer? Are proper complex
passwords protecting the access to the RDC desktop? etc.

I have asked our Windows gurus questions about logging, brute force
password attacks, how do we protect administrator privileged accounts?
And am still awaiting their replies.

It occurred to me that we can't be the only institution struggling with
this issue and that a question to Unisog as to how other institutions
are dealing with the issue might be enlightening.

Thanks

Ed Gibson
University of Western Ontario
Network Operations
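
The account lockout policy mentioned in the reply ("locked after unsuccessful login attempts") and the logging and brute-force question in the original message, as an added example that is not part of either post: a simplified Python replay of a threshold/window/duration lockout policy over constructed logon records. The policy values, account names and addresses are assumptions, and the real Windows counter-reset rules differ in detail.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy (not from the thread): 5 failures inside 30 minutes
# lock the account for 30 minutes.
THRESHOLD = 5
WINDOW = timedelta(minutes=30)
LOCK_DURATION = timedelta(minutes=30)

def at(hms):
    """Timestamp helper for the constructed sample day."""
    return datetime.strptime("2003-03-31 " + hms, "%Y-%m-%d %H:%M:%S")

# Constructed records: (time, account, source address, logon succeeded?)
SAMPLE = (
    [(at("02:00:%02d" % (i * 5)), "jsmith", "203.0.113.7", False) for i in range(8)]
    + [(at("02:10:00"), "jsmith", "198.51.100.20", True),   # real user, correct password
       (at("09:00:00"), "mlee", "198.51.100.31", False),    # typo
       (at("09:00:20"), "mlee", "198.51.100.31", False),    # typo
       (at("09:00:45"), "mlee", "198.51.100.31", True)]     # then success
)

def apply_lockout(events):
    """Replay logon events in time order; return (lockouts, blocked_attempts)."""
    failures = defaultdict(deque)   # account -> recent failures as (time, source)
    locked_until = {}               # account -> time the lock expires
    lockouts, blocked = [], 0
    for ts, account, source, ok in sorted(events):
        if locked_until.get(account, ts) > ts:
            blocked += 1            # rejected while locked, even with the right password
            continue
        recent = failures[account]
        if ok:
            recent.clear()          # a good logon resets the failure counter
            continue
        recent.append((ts, source))
        while recent and ts - recent[0][0] > WINDOW:
            recent.popleft()        # forget failures older than the window
        if len(recent) >= THRESHOLD:
            locked_until[account] = ts + LOCK_DURATION
            lockouts.append((account, ts, sorted({s for _, s in recent})))
            recent.clear()
    return lockouts, blocked

if __name__ == "__main__":
    for account, when, sources in apply_lockout(SAMPLE)[0]:
        print("LOCKOUT", account, when, "failures from", ", ".join(sources))
```

In the sample the lock stops the guessing run after five attempts, but it also rejects the legitimate jsmith logon ten minutes later, so each lockout record and its source addresses are worth reviewing rather than only waiting for the lock to expire.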



