Geekzone: technology news, blogs, forums
637 posts

Ultimate Geek
+1 received by user: 2

Trusted

  Reply # 513712 29-Aug-2011 22:28

Regs: the RDP protocol itself has not, to my knowledge, had any breaches that have enabled anyone to gain access without a valid username/password.

http://www.microsoft.com/technet/security/bulletin/ms11-065.mspx

There are others, too.
Regs: You can use two-factor authentication with smartcard + username & password with RDP which is built into Windows. You also have the ability to install 3rd party two-factor auth products onto the 'server'(*) such as RSA SecurID, a USB Key solution, or an SMS-based one-time-code.

(*) some two-factor solutions also work on XP/Vista/7 as well as on the win server platform.

Yes, you can do all of that. Or you can use a VPN which gives you all of that, mitigates from exploiting the RDP protocol itself (although the VPN is of course exploitable, but now you must exploit both the VPN and the RDP to compromise the system). And a VPN is more versatile over time than RDP.

Security is about layers...

Infrastructure Geek
4056 posts

Uber Geek
+1 received by user: 195

Trusted
Microsoft NZ
Subscriber

  Reply # 513738 29-Aug-2011 23:47

PenultimateHop:
Regs: the RDP protocol itself has not, to my knowledge, had any breaches that have enabled anyone to gain access without a valid username/password.
http://www.microsoft.com/technet/security/bulletin/ms11-065.mspx
There are others, too.


Denial of service, sure, I remember this one. But have there been any instances where a protocol exploit has resulted in a breach of the network hosting the RDP service? I don't recall any.

Security is about layers...


Yep - fair point.

There are a lot of VPNs out there that use single factor auth, are open for all protocols and destination IPs, and accessible by poor username/password combinations. When compared with a direct RDP session to a terminal server (which would typically be locked down for regular users) I'd say that the RDP would be the more 'secure' of the two.




Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs


726 posts

Ultimate Geek
+1 received by user: 6


  Reply # 513739 29-Aug-2011 23:50

there are programs out there easy to use that scan ip ranges for RDP. poeple really need to change the passwords to something more hardder and so easy.




               The Biggest and the Best.

1074 posts

Uber Geek
+1 received by user: 65


  Reply # 513955 30-Aug-2011 15:12

PenultimateHop:
Security is about layers...


Agreed too.

I say the below from an enterprise support level.

Nearly every security measure has one weakness, your users.

Users are simple creatures who want things to work nice and easy. However they are also uninformed when it comes to security (not all but most).
It is the role of the systems administrator to enforce strong password policies across the network and educate users of the risks involved with weak passwords. If you let the users have a password of 1234 or password, then in my mind you (as the administrator) are just as much to blame as the user.

VPNs are great, however they can cause administrative overheads that the user/client may not want to pay for.

RDP (as mentioned above) has proven hard to break/exploit if at all.

We have seen the attacks already on some of our servers, and they come from a range of IPs. By default we do not open our file servers or the file servers of our clients to the internet via RDP. We use our own LogMeIn or Kaseya to get connection to each server.

1074 posts

Uber Geek
+1 received by user: 65


  Reply # 513959 30-Aug-2011 15:15

cws82us: there are programs out there easy to use that scan ip ranges for RDP. poeple really need to change the passwords to something more hardder and so easy.


Your post made my brain cry

Did you mean to say:

"There are programs out there, that are easy to use, that scan IP ranges for RDP. People really need to change their passwords to more complex ones and it is so easy to do"

51 posts

Master Geek


  Reply # 513987 30-Aug-2011 16:09

gjm: Is this spreading any other way apart from having to have 3389 open on the internet?



We have had a small remote site with a number of PCs infected, where none of the PCs have any method of being accessed remotely via RDP (and none of the PCs had any of the passwords in the list used). VPN access is available but firewall logs record the last VPN access as being a number of months ago.

To top it off the NOD32 antivirus still doesn't detect the MONDO worm and we are having to resort to Microsoft Security Essentials to detect and clean it up. I used to give NOD32 a 10/10 rating but the lack of a signature update over 36 hours after MS have released an update is really affecting my confidence in the product.

8025 posts

Uber Geek
+1 received by user: 387

Trusted
Subscriber

  Reply # 514000 30-Aug-2011 17:13

PenultimateHop: 

Yes, you can do all of that. Or you can use a VPN which gives you all of that, mitigates from exploiting the RDP protocol itself (although the VPN is of course exploitable, but now you must exploit both the VPN and the RDP to compromise the system). And a VPN is more versatile over time than RDP.

Security is about layers...


Yes +1 
