If you are concerned about such, I would implement IPsec on the internal network or, for a WAN connection, connect to a VPN server first, preferably via L2TP, and then use RDP through the VPN tunnel. If you use IPsec on the LAN, a Security Association using ESP encryption can be created between the two computers before RDP is used. In a domain, only domain computers could use IPsec with the default Kerberos authentication for computer authentication, and if further security is required you could use computer certificates, tightly control which computers can request them, and assign your IPsec policies at the OU level, moving the computers you want to use IPsec into the corresponding OUs. IPsec policies can be configured to use only specific ports/protocols/subnets/IP addresses.
--- Steve
> Released May 28 was an unofficial security advisory entitled "Remote Desktop Protocol, the Good the Bad and the Ugly" by Massimiliano Montoro. This has me very concerned about my setup. Is this a valid issue?? I've found no advisories from Microsoft or any other security site, except that the nefarious tool Cain and Abel v2.7 contains this capability. Please someone address this concern for me.
>
> I'm being careful in this posting not to use any keywords a search engine may index.
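Steve's LAN recommendation above (an ESP security association between the two hosts, computer authentication by Kerberos or machine certificate, and a policy filtered to the RDP port) expressed as an added example, not commands from the thread: it uses the NetSecurity PowerShell cmdlets of Windows 8 / Server 2012 and later, which postdate this thread's netsh ipsec and MMC-snap-in era, and the subnet, server address and CA name are constructed placeholders.

```powershell
# Added example (not from the thread): require ESP-protected IPsec for RDP
# between an admin subnet and a terminal server. In a domain this policy
# would be deployed through Group Policy to an OU, as Steve describes,
# rather than typed on each host. Run in an elevated PowerShell session.
$AdminSubnet = '10.0.10.0/24'   # constructed: where the RDP clients live
$RdpServer   = '10.0.20.5'      # constructed: the terminal server

# Phase 1 (main mode) authentication. Computer Kerberos is the domain default;
# a machine certificate from a controlled CA is the stronger alternative and is
# listed first so it is preferred when both sides hold one. CA name is a placeholder.
$cert = New-NetIPsecAuthProposal -Machine -Cert -Authority 'CN=Example Corp Root CA' -AuthorityType Root
$kerb = New-NetIPsecAuthProposal -Machine -Kerberos
$p1   = New-NetIPsecPhase1AuthSet -DisplayName 'RDP-Computer-Auth' -Proposal $cert, $kerb

# Phase 2 (quick mode): ESP with encryption, not AH, so the RDP session
# contents are confidential on the wire and not merely integrity-protected.
$esp = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption AES256
$qm  = New-NetIPsecQuickModeCryptoSet -DisplayName 'RDP-ESP-AES256' -Proposal $esp

# Connection security rule scoped to TCP/3389 between the two address ranges only.
# Require/Require means clear-text RDP is refused in both directions, so a host
# that cannot authenticate as a domain computer never gets to the RDP listener.
New-NetIPsecRule -DisplayName 'Require IPsec for RDP' `
    -Protocol TCP -LocalPort 3389 `
    -LocalAddress $RdpServer -RemoteAddress $AdminSubnet `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1.Name -QuickModeCryptoSet $qm.Name `
    -Mode Transport -Profile Domain

# Verification after a client connects: an SA pair should exist for the
# two endpoints. No quick-mode SA means the traffic is not being protected.
Get-NetIPsecMainModeSA  | Format-Table LocalEndpoint, RemoteEndpoint
Get-NetIPsecQuickModeSA | Format-Table LocalEndpoint, RemoteEndpoint
```

The matching rule must be present on the client side as well, with the address parameters mirrored, or the Require setting simply blocks the connection.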
I am with Steve in replying that, if you feel your environment is of sufficient value that there actually is a risk someone would consider mounting a man-in-the-middle compromise of your network communications, then you should look at use of an IPsec hard security association, in one or another form, and then use RDP within this.

The underlying problem here is that RD is intended to allow ad-hoc type connections, such as with consumer stand-alones. When there is no third party involved and there is no pre-shared secret, then it is fundamentally unavoidable that the types of mutual verification this author indicates as the most desirable are not infallibly possible.

--
Roger Abell
Microsoft MVP (Windows Security)
"JerryTheGreat" <JerryTheGr...@discussions.microsoft.com> wrote in message
> Released May 28 was an unofficial security advisory entitled "Remote Desktop Protocol, the Good the Bad and the Ugly" by Massimiliano Montoro. This has me very concerned about my setup. Is this a valid issue?? I've found no advisories from Microsoft or any other security site, except that the nefarious tool Cain and Abel v2.7 contains this capability. Please someone address this concern for me.
>
> I'm being careful in this posting not to use any keywords a search engine may index.
What I really want to know here is this: How significant a concern is this? If the ability to perform the act is integrated into freely available software, should I be concerned? In my setup, I am logging in across the Internet, so IPsec is out, unless I set up a VPN. Mitigating the risk is that I use IP, not DNS, to connect to the server, which should make a MOTM extremely difficult to perform without detection.
"Roger Abell" wrote:
> I am with Steve in replying that, if you feel your environment is of sufficient value that there actually is a risk someone would consider mounting a man-in-the-middle compromise of your network communications, then you should look at use of an IPsec hard security association, in one or another form, and then use RDP within this.
>
> The underlying problem here is that RD is intended to allow ad-hoc type connections, such as with consumer stand-alones. When there is no third party involved and there is no pre-shared secret, then it is fundamentally unavoidable that the types of mutual verification this author indicates as the most desirable are not infallibly possible.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
>
> > Released May 28 was an unofficial security advisory entitled "Remote Desktop Protocol, the Good the Bad and the Ugly" by Massimiliano Montoro. This has me very concerned about my setup. Is this a valid issue?? I've found no advisories from Microsoft or any other security site, except that the nefarious tool Cain and Abel v2.7 contains this capability. Please someone address this concern for me.
> >
> > I'm being careful in this posting not to use any keywords a search engine may index.
Not using DNS does much to reduce the ability to mount a MITM attack, but even with DNS, doing so is not at all a trivial effort (except in some reduced-complexity situations).

Using the Internet does not in and of itself mean that one cannot use IPsec. In fact, IPsec was invented _for_ the Internet.

Personally, I would not worry about it, especially as the leverage point most easily used to effect the injection (DNS) is not a factor in your case. Even if you were using DNS name resolution, the effort needed in the open network would imply that you had been identified as a high-value target.

--
Roger Abell
Microsoft MVP (Windows Security)
"JerryTheGreat" <JerryTheGr...@discussions.microsoft.com> wrote in message
> What I really want to know here is this: How significant a concern is this? If the ability to perform the act is integrated into freely available software, should I be concerned? In my setup, I am logging in across the Internet, so IPsec is out, unless I set up a VPN. Mitigating the risk is that I use IP, not DNS, to connect to the server, which should make a MOTM extremely difficult to perform without detection.
>
> Thanks.
>
> JTG
>
> "Roger Abell" wrote:
> > I am with Steve in replying that, if you feel your environment is of sufficient value that there actually is a risk someone would consider mounting a man-in-the-middle compromise of your network communications, then you should look at use of an IPsec hard security association, in one or another form, and then use RDP within this.
> >
> > The underlying problem here is that RD is intended to allow ad-hoc type connections, such as with consumer stand-alones. When there is no third party involved and there is no pre-shared secret, then it is fundamentally unavoidable that the types of mutual verification this author indicates as the most desirable are not infallibly possible.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> >
> > > Released May 28 was an unofficial security advisory entitled "Remote Desktop Protocol, the Good the Bad and the Ugly" by Massimiliano Montoro. This has me very concerned about my setup. Is this a valid issue?? I've found no advisories from Microsoft or any other security site, except that the nefarious tool Cain and Abel v2.7 contains this capability. Please someone address this concern for me.
> > >
> > > I'm being careful in this posting not to use any keywords a search engine may index.
I would not lose sleep if I were you. I still use TS across the Internet and don't worry about it. Since you are using an IP, the threat is almost nonexistent, as a user cannot simply reconfigure their public IP to spoof you into connecting like they can a LAN IP, due to the way the Internet is routed. Then always look at the worst-case scenario as part of managing your risk. What would be the consequences if someone read your data? If it meant that people would die or be harmed, or that customers' credit card numbers could be obtained, then you must use an L2TP VPN connection to mitigate the risk, but my guess is that is not the case, as hopefully you would already be doing such.
--- Steve
"JerryTheGreat" <JerryTheGr...@discussions.microsoft.com> wrote in message
> What I really want to know here is this: How significant a concern is this? If the ability to perform the act is integrated into freely available software, should I be concerned? In my setup, I am logging in across the Internet, so IPsec is out, unless I set up a VPN. Mitigating the risk is that I use IP, not DNS, to connect to the server, which should make a MOTM extremely difficult to perform without detection.
>
> Thanks.
>
> JTG
>
> "Roger Abell" wrote:
>> I am with Steve in replying that, if you feel your environment is of sufficient value that there actually is a risk someone would consider mounting a man-in-the-middle compromise of your network communications, then you should look at use of an IPsec hard security association, in one or another form, and then use RDP within this.
>>
>> The underlying problem here is that RD is intended to allow ad-hoc type connections, such as with consumer stand-alones. When there is no third party involved and there is no pre-shared secret, then it is fundamentally unavoidable that the types of mutual verification this author indicates as the most desirable are not infallibly possible.
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Security)
>>
>> > Released May 28 was an unofficial security advisory entitled "Remote Desktop Protocol, the Good the Bad and the Ugly" by Massimiliano Montoro. This has me very concerned about my setup. Is this a valid issue?? I've found no advisories from Microsoft or any other security site, except that the nefarious tool Cain and Abel v2.7 contains this capability. Please someone address this concern for me.
>> >
>> > I'm being careful in this posting not to use any keywords a search engine may index.
"Steven L Umbach" wrote:
> I would not lose sleep if I were you. I still use TS across the Internet and don't worry about it. Since you are using an IP, the threat is almost nonexistent, as a user cannot simply reconfigure their public IP to spoof you into connecting like they can a LAN IP, due to the way the Internet is routed. Then always look at the worst-case scenario as part of managing your risk. What would be the consequences if someone read your data? If it meant that people would die or be harmed, or that customers' credit card numbers could be obtained, then you must use an L2TP VPN connection to mitigate the risk, but my guess is that is not the case, as hopefully you would already be doing such.
> --- Steve
>
> "JerryTheGreat" <JerryTheGr...@discussions.microsoft.com> wrote in message
> news:F74D73A1-CC31-4A0C-B854-31ADD2912793@microsoft.com...
> > What I really want to know here is this: How significant a concern is this? If the ability to perform the act is integrated into freely available software, should I be concerned? In my setup, I am logging in across the Internet, so IPsec is out, unless I set up a VPN. Mitigating the risk is that I use IP, not DNS, to connect to the server, which should make a MOTM extremely difficult to perform without detection.
> >
> > Thanks.
> >
> > JTG
> >
> > "Roger Abell" wrote:
> >> I am with Steve in replying that, if you feel your environment is of sufficient value that there actually is a risk someone would consider mounting a man-in-the-middle compromise of your network communications, then you should look at use of an IPsec hard security association, in one or another form, and then use RDP within this.
> >>
> >> The underlying problem here is that RD is intended to allow ad-hoc type connections, such as with consumer stand-alones. When there is no third party involved and there is no pre-shared secret, then it is fundamentally unavoidable that the types of mutual verification this author indicates as the most desirable are not infallibly possible.
> >>
> >> --
> >> Roger Abell
> >> Microsoft MVP (Windows Security)
> >>
> >> > Released May 28 was an unofficial security advisory entitled "Remote Desktop Protocol, the Good the Bad and the Ugly" by Massimiliano Montoro. This has me very concerned about my setup. Is this a valid issue?? I've found no advisories from Microsoft or any other security site, except that the nefarious tool Cain and Abel v2.7 contains this capability. Please someone address this concern for me.
> >> >
> >> > I'm being careful in this posting not to use any keywords a search engine may index.
When doing anything over the Internet, you inherently trust all the connecting networks. You are assuming that none of the ISPs or broadband networks have been or could be compromised. If you have a high degree of concern for the information you are sending over the Internet, then take the recommendations above and use tunneling to protect it. If it is really, really important, then make sure you don't use just usernames and passwords for the tunnel, but use certificates or some other means to validate the identity of both sides.