
Remote Desktop MITM Concerns

Posted by JerryTheGreat on June 10, 2005, 8:45 am
Hello,

Released May 28 was an unofficial security advisory entitled "Remote Desktop
Protocol, the Good the Bad and the Ugly" By Massimiliano Montoro. This has
me very concerned about my setup. Is this a valid issue?? I've found no
advisories from Microsoft or any other security site, except that the
nefarious tool Cain and Abel v2.7 contains this capability. Please someone
address this concern for me.

I'm being careful in this posting not to use any keywords a search engine
may index.


Posted by Steven L Umbach on June 10, 2005, 11:41 am
If you are concerned about such I would implement IPsec on the internal
network or for a WAN connection connect to a VPN server, preferably via
L2TP, first and then use RDP through the VPN tunnel. If you use IPsec on the
LAN a Security Association using ESP encryption can be created between the
two computers before the RDP would be used. In a domain only domain
computers could use IPsec with the default Kerberos authentication for
computer authentication and if further security is required you could use
computer certificates and tightly control which computers can request them
and assign your IPsec policies at the OU level moving the computers you want
to use IPsec into the corresponding OUs. IPsec policies can be configured
to use only specific ports/protocols/subnets/IP addresses.

--- Steve

http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/default.mspx

--- Windows 2003 ipsec center.

> Hello,
>
> Released May 28 was an unofficial security advisory entitled "Remote Desktop
> Protocol, the Good the Bad and the Ugly" By Massimiliano Montoro. This has
> me very concerned about my setup. Is this a valid issue?? I've found no
> advisories from Microsoft or any other security site, except that the
> nefarious tool Cain and Abel v2.7 contains this capability. Please someone
> address this concern for me.
>
> I'm being careful in this posting not to use any keywords a search engine
> may index.




Posted by Roger Abell on June 11, 2005, 5:17 pm
I am with Steve in replying that, if you feel your environment of sufficient
value that there actually is a risk someone would consider mounting a
man-in-the-middle compromise of your network communications, then you should
look at use of an IPsec hard security association, in one or another form,
and then use RDP within this.

The underlying problem here is that RD is intended to allow ad-hoc type
connections, such as with consumer stand-alones. When there is no third
party involved and there is no pre-shared secret, then it is fundamentally
unavoidable that the types of mutual verification this author indicates as
the most desirable are not infallibly possible.

--
Roger Abell
Microsoft MVP (Windows Security)

> Hello,
>
> Released May 28 was an unofficial security advisory entitled "Remote Desktop
> Protocol, the Good the Bad and the Ugly" By Massimiliano Montoro. This has
> me very concerned about my setup. Is this a valid issue?? I've found no
> advisories from Microsoft or any other security site, except that the
> nefarious tool Cain and Abel v2.7 contains this capability. Please someone
> address this concern for me.
>
> I'm being careful in this posting not to use any keywords a search engine
> may index.
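
The IPsec approach described in the two replies above, sketched as a Windows Server 2003 `netsh ipsec static` script. This is an added example, not part of any poster's message: the policy, filter list, filter action and rule names are hypothetical, and `soft=no` is one reading of the "hard" security association Roger mentions.

```bat
@echo off
rem Added example (not from the thread). All names below are hypothetical
rem labels. Run from the server's local console, not over an RDP session.

set POLICY=Require-ESP-for-RDP
set FLIST=Inbound-RDP
set FACTION=Require-ESP

rem 1. Policy container, created unassigned so nothing changes yet.
netsh ipsec static add policy name="%POLICY%" description="ESP required for RDP" assign=no

rem 2. Filter: any host <-> this machine on TCP 3389 only, so the policy
rem    is limited to the RDP port and leaves other traffic untouched.
netsh ipsec static add filterlist name="%FLIST%"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

rem 3. Filter action: negotiate ESP with 3DES encryption and SHA1 integrity.
rem    inpass=no : do not accept unsecured inbound packets
rem    soft=no   : never fall back to unsecured communication
netsh ipsec static add filteraction name="%FACTION%" action=negotiate inpass=no soft=no qmpfs=no qmsecmethods="ESP[3DES,SHA1]"

rem 4. Rule tying filter and action together. kerberos=yes uses the domain's
rem    default Kerberos computer authentication, so only domain members can
rem    complete the negotiation.
netsh ipsec static add rule name="RDP-needs-ESP" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" kerberos=yes

rem 5. Review the result, then assign the policy to make it active.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=yes
```

Connecting clients need an assigned policy that can answer the negotiation, for example the built-in "Client (Respond Only)" policy. Once the server policy is assigned, a client without one can no longer reach TCP 3389.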




Posted by JerryTheGreat on June 12, 2005, 11:08 am
What I really want to know here is this: How significant a concern is this?
If the ability to perform the act is integrated into freely available
software should I be concerned? In my setup, I am logging in across the
Internet, so IPSec is out, unless I set up a vpn. Mitigating the risk is that
I use IP, not DNS to connect to the server, which should make a MOTM
extremely difficult to perform without detection.

Thanks.

JTG

"Roger Abell" wrote:

> I am with Steve in replying that, if you feel your environment of sufficient
> value that there actually is a risk someone would consider mounting a
> man-in-the-middle compromise of your network communications, then you should
> look at use of an IPsec hard security association, in one or another form,
> and then use RDP within this.
>
> The underlying problem here is that RD is intended to allow ad-hoc type
> connections, such as with consumer stand-alones. When there is no third
> party involved and there is no pre-shared secret, then it is fundamentally
> unavoidable that the types of mutual verification this author indicates as
> the most desirable are not infallibly possible.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
>
> > Hello,
> >
> > Released May 28 was an unofficial security advisory entitled "Remote Desktop
> > Protocol, the Good the Bad and the Ugly" By Massimiliano Montoro. This has
> > me very concerned about my setup. Is this a valid issue?? I've found no
> > advisories from Microsoft or any other security site, except that the
> > nefarious tool Cain and Abel v2.7 contains this capability. Please someone
> > address this concern for me.
> >
> > I'm being careful in this posting not to use any keywords a search engine
> > may index.


Posted by Roger Abell on June 12, 2005, 1:11 pm
Not using DNS does much reduce the ability to mount a mitm attack,
but even with DNS doing so is not at all a trivial effort (except in
some reduced complexity situations).

Using the internet does not in and of itself mean that one cannot
use IPsec. In fact, IPsec was invented _for_ the internet.

Personally, I would not worry about it, especially as the leverage
point most easily used to effect the injection (DNS) is not a factor
in your case. Even if you were using DNS name resolutions, the
effort needed in the open network would imply that you
had been identified as a high value target.

--
Roger Abell
Microsoft MVP (Windows Security)

> What I really want to know here is this: How significant a concern is this?
> If the ability to perform the act is integrated into freely available
> software should I be concerned? In my setup, I am logging in across the
> Internet, so IPSec is out, unless I set up a vpn. Mitigating the risk is that
> I use IP, not DNS to connect to the server, which should make a MOTM
> extremely difficult to perform without detection.
>
> Thanks.
>
> JTG
>
> "Roger Abell" wrote:
>
> > I am with Steve in replying that, if you feel your environment of sufficient
> > value that there actually is a risk someone would consider mounting a
> > man-in-the-middle compromise of your network communications, then you should
> > look at use of an IPsec hard security association, in one or another form,
> > and then use RDP within this.
> >
> > The underlying problem here is that RD is intended to allow ad-hoc type
> > connections, such as with consumer stand-alones. When there is no third
> > party involved and there is no pre-shared secret, then it is fundamentally
> > unavoidable that the types of mutual verification this author indicates as
> > the most desirable are not infallibly possible.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> >
> > > Hello,
> > >
> > > Released May 28 was an unofficial security advisory entitled "Remote Desktop
> > > Protocol, the Good the Bad and the Ugly" By Massimiliano Montoro. This has
> > > me very concerned about my setup. Is this a valid issue?? I've found no
> > > advisories from Microsoft or any other security site, except that the
> > > nefarious tool Cain and Abel v2.7 contains this capability. Please someone
> > > address this concern for me.
> > >
> > > I'm being careful in this posting not to use any keywords a search engine
> > > may index.



