
Re: Remote Desktop MITM Concerns


Steven L Umbach

Jun 10, 2005, 12:41:57 PM6/10/05
If you are concerned about such things, I would implement IPsec on the internal
network or, for a WAN connection, connect to a VPN server first, preferably via
L2TP, and then use RDP through the VPN tunnel. If you use IPsec on the LAN, a
Security Association using ESP encryption can be created between the two
computers before RDP is used. In a domain, only domain computers could use IPsec
with the default Kerberos authentication for computer authentication, and if
further security is required you could use computer certificates and tightly
control which computers can request them, then assign your IPsec policies at the
OU level, moving the computers you want to use IPsec into the corresponding OUs.
IPsec policies can be configured to apply only to specific
ports/protocols/subnets/IP addresses. --- Steve

http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/default.mspx
--- Windows 2003 ipsec center.

"JerryTheGreat" <JerryT...@discussions.microsoft.com> wrote in message
news:F875A484-5C95-44D8...@microsoft.com...
> Hello,
>
> Released May 28 was an unofficial security advisory entitled "Remote Desktop
> Protocol, the Good the Bad and the Ugly" by Massimiliano Montoro. This has
> me very concerned about my setup. Is this a valid issue? I've found no
> advisories from Microsoft or any other security site, except that the
> nefarious tool Cain and Abel v2.7 contains this capability. Please, someone
> address this concern for me.
>
> I'm being careful in this posting not to use any keywords a search engine
> may index.


Roger Abell

Jun 11, 2005, 8:17:31 PM6/11/05
I am with Steve in replying that, if you feel your environment is of sufficient
value that there actually is a risk someone would consider mounting a
man-in-the-middle compromise of your network communications, then you should
look at the use of an IPsec hard security association, in one form or another,
and then use RDP within this.

The underlying problem here is that RD is intended to allow ad-hoc type
connections, such as with consumer stand-alones. When there is no third
party involved and there is no pre-shared secret, then it is fundamentally
unavoidable that the types of mutual verification this author indicates as
the most desirable are not infallibly possible.

--
Roger Abell
Microsoft MVP (Windows Security)

JerryTheGreat

Jun 12, 2005, 2:08:02 PM6/12/05
What I really want to know here is this: how significant a concern is this?
If the ability to perform the act is integrated into freely available
software, should I be concerned? In my setup, I am logging in across the
Internet, so IPsec is out, unless I set up a VPN. Mitigating the risk is that
I use an IP, not DNS, to connect to the server, which should make a MITM
extremely difficult to perform without detection.

Thanks.

JTG

Roger Abell

Jun 12, 2005, 4:11:23 PM6/12/05
Not using DNS does much reduce the ability to mount a MITM attack,
but even with DNS, doing so is not at all a trivial effort (except in
some reduced-complexity situations).

Using the Internet does not in and of itself mean that one cannot
use IPsec. In fact, IPsec was invented _for_ the Internet.

Personally, I would not worry about it, especially as the leverage
point most easily used to effect the injection (DNS) is not a factor
in your case. Even if you were using DNS name resolution, the
effort needed in the open network would imply that you had been
identified as a high-value target.

--
Roger Abell
Microsoft MVP (Windows Security)

"JerryTheGreat" <JerryT...@discussions.microsoft.com> wrote in message
news:F74D73A1-CC31-4A0C...@microsoft.com...

Steven L Umbach

Jun 12, 2005, 11:13:57 PM6/12/05
I would not lose sleep if I were you. I still use TS across the Internet
and don't worry about it. Since you are using an IP, the threat is almost
nonexistent, as a user cannot simply reconfigure their public IP to spoof you
into connecting like they can a LAN IP, due to the way the Internet is
routed. Then always look at the worst-case scenario as part of managing your
risk. What would be the consequences if someone read your data? If it meant
that people would die or be harmed, or that customers' credit card numbers
could be obtained, then you must use an L2TP VPN connection to mitigate the
risk, but my guess is that is not the case, as hopefully you would already be
doing such. --- Steve


"JerryTheGreat" <JerryT...@discussions.microsoft.com> wrote in message
news:F74D73A1-CC31-4A0C...@microsoft.com...

JerryTheGreat

Jun 13, 2005, 12:21:02 AM6/13/05
Thank you both for your well-thought-out input. I appreciate feedback
addressing my concerns.

JTS

mikee.netsec

Jun 13, 2005, 9:09:01 AM6/13/05
I believe that Cain and Abel is a freely available tool that has the
capability to do a MITM with RDP. Here's a link to a good article
about it.

http://www.securiteam.com/windowsntfocus/5EP010KG0G.html

When doing anything over the Internet, you inherently trust all the
connecting networks. You are assuming that none of the ISPs or broadband
networks have been or could be compromised. If you have a
high degree of concern for the information you are sending over the
Internet, then take the recommendations above and use tunneling to
protect it. If it is really, really important, then make sure you don't
use just usernames and passwords for the tunnel, but use certificates
or some other means to validate the identity of both sides.

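The setup Steve describes in the first reply (an ESP Security Association between the two hosts, computer-certificate authentication instead of the default Kerberos, the policy scoped to the RDP port and an internal subnet) and mikee's closing point (validate both sides with certificates, not just passwords) can be expressed as one IPsec rule. The script below is an added example written for this page, not code posted in the thread. It uses the NetSecurity cmdlets of current Windows (Windows 8 / Server 2012 and later), which are the modern equivalent of the Windows Server 2003 IPsec policy snap-in the post refers to; the CA subject, the 10.0.0.0/8 subnet and the display names are placeholders. Run it elevated on both the RDP host and the clients (or deploy it through a GPO linked to the OU holding those computers).

```powershell
# Added example, not from the thread. Require ESP-protected IPsec for RDP (TCP 3389)
# between computers that hold a machine certificate from our own CA.
# CA subject, subnet and display names below are placeholders.

# Phase 1 (main mode) authentication: machine certificates chained to the
# enterprise root CA. A peer that cannot present such a certificate never
# completes the SA, so it never reaches the RDP listener at all.
$certProposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority "CN=Corp Root CA, O=Example, C=US" -AuthorityType Root
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName "RDP machine-cert auth" `
    -Proposal $certProposal

# Phase 2 (quick mode) crypto: ESP with encryption (not AH-only), so the RDP
# payload is confidential as well as integrity-protected.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -ESPHash SHA256 -Encryption AES256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName "RDP ESP AES256-SHA256" `
    -Proposal $qmProposal

# The rule: only TCP 3389, only from the internal subnet, and Require (not
# Request) in both directions so an unprotected RDP connection is dropped
# instead of silently falling back to cleartext negotiation.
New-NetIPsecRule -DisplayName "Require IPsec for RDP" `
    -Protocol TCP -LocalPort 3389 -RemoteAddress 10.0.0.0/8 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1.Name -QuickModeCryptoSet $qmSet.Name

# Check: once a client has connected, an established quick-mode SA covering
# port 3389 should be listed here. If the list is empty while RDP works, the
# rule is not matching and the session is running outside IPsec.
Get-NetIPsecQuickModeSA | Format-List
```

Note that with `Require` on both ends a client without a certificate from that CA simply fails to connect; that is the intended fail-closed behaviour, so issue certificates (and test from one client) before linking the policy to the OU. To place the same rules in a Group Policy object instead of the local store, open the GPO with `Open-NetGPO`, pass the resulting session to each `New-NetIPsec*` cmdlet via `-GPOSession`, and commit with `Save-NetGPO`.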