  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
1 edit | reply to Anav Re: The most secure way to use Windows Remote Desk
There have been some reports in the past of man-in-the-middle attacks against the native Remote Desktop protocol.
I simply think it's safer to use an SSH tunnel (or VPN if that floats your boat) with a private/public key pair encrypted with a strong pass phrase to safeguard the link. Personally I have more confidence in the integrity of the link that way.
I think it comes down to what you feel comfortable with... -- "When all else fails, read the instructions..." |
|
  Komputerguy
join:2001-03-29 Melbourne, FL
| reply to Flaubert I actually also do the SSH tunneling thing but I went even a step further and also implemented port knocking to turn on and off the SSH server. I've run into one problem, though. I had to resort to using nmap to do the knocking because I had finer control on how the TCP connections were made. For instance, all of the other utilities I used would make multiple connections for each attempt to contact a particular port, which would mess up the knocking sequence. This seemed to work fine for a while, but recently for some reason I am now having a similar problem with nmap, and it also seems like the order that the ports are being contacted on the receiving end is different than on the sending end. I'm giving a pretty reasonable several second delay between knocks, which I think would be more than enough to ensure there is no problem like this, so I'm kind of baffled. I'm now looking for a different utility to do the knocking. Does anyone have any suggestions? --
What can possibly go wrong? |
|
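The two symptoms described in the post above (more than one connection attempt per knock, and knocks arriving out of order) can be seen from the receiving side with a small sequence validator. This is an added example, not code from the thread or from any knocking daemon; the ports, addresses and timeout are constructed, and the sequence is assumed never to repeat a port twice in a row.

```python
# Added example: knock-sequence validation over constructed SYN records.
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)  # hypothetical ports, not from the thread
STEP_TIMEOUT = 10.0                  # seconds allowed between consecutive knocks

@dataclass
class Progress:
    index: int = 0          # knocks matched so far
    last_port: int = 0      # port of the last accepted knock
    last_time: float = 0.0  # arrival time of the last accepted knock

def process(events, sequence=KNOCK_SEQUENCE, collapse_repeats=True):
    """events: (timestamp, src_ip, dst_port) SYN records in arrival order.
    Returns [(timestamp, src_ip)] for every completed sequence."""
    progress, opened = {}, []
    for ts, src, port in events:
        st = progress.setdefault(src, Progress())
        if st.index and ts - st.last_time > STEP_TIMEOUT:
            st.index = 0                      # too slow: start over
        if collapse_repeats and st.index and port == st.last_port:
            continue                          # retransmitted or doubled SYN
        if port == sequence[st.index]:
            st.index += 1
        else:
            st.index = 1 if port == sequence[0] else 0
        st.last_port, st.last_time = port, ts
        if st.index == len(sequence):
            opened.append((ts, src))
            st.index = 0
    return opened

A, B = "203.0.113.5", "198.51.100.9"   # constructed documentation addresses
EVENTS = [                              # constructed sample, sorted by arrival
    (0.0, A, 7000), (0.2, A, 7000),     # A: client connects twice to knock 1
    (1.0, B, 7000),
    (3.0, A, 8000),
    (4.0, B, 9000), (4.1, B, 8000),     # B: knocks 2 and 3 arrive swapped
    (6.0, A, 8000),                     # A: late repeat of knock 2
    (7.0, A, 9000),
]

if __name__ == "__main__":
    print("collapsing repeats:", process(EVENTS))
    print("strict matching:   ", process(EVENTS, collapse_repeats=False))
```

With repeats collapsed, client A is accepted despite the duplicate SYNs; with strict matching the same traffic is rejected, and client B's reordered knocks fail either way.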
 Shootist Premium join:2003-02-10 Decatur, GA
| reply to Anav said by Anav: Let's go back to the original question, no one here seems to use RD by itself. Is it not secure? If that is all one has, what precautions/practices should one exercise?????
I RDC to my home PC from work all the time and don't use any other tunnel. I do use the Z5 firewall rules to block all other IPs except a select few which I know I'll be using to connect with on port 3389. -- Shooter Ready--Stand By BEEP ******** |
|
  AMD Phreak Premium join:2003-12-14 | reply to Komputerguy I have a brother that uses port knocking to access his home network. He had to write a script to perform the sequence as they are only milliseconds apart. |
|
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
| reply to Flaubert Re: The most secure way to use Windows Remote Desktop
I often enable RDP without requiring a tunnel. I have set the password policy (in gpedit.msc) to lock out an account after 3 failed password attempts.
So far, I haven't seen _any_ abuses in the log, but I know that's just a matter of time.
Worst possible thing I expect to happen is a DDOS on my account. But they're not getting in.  -- Robb Topolski -= http://www.funchords.com/ =- Hillsboro, Oregon USA ... Did you wake up grouchy this morning or did you let her sleep in? ... |
|
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| reply to Flaubert Another reason I like using an SSH tunnel is that once the tunnel is connected I can grab files off of my PC without using Remote Desktop. Both Tunnelier and WinSCP, both free, offer that functionality...
»winscp.net/eng/index.php
Also, WebDrive allows mapping of drives through an SSH tunnel.
»www.webdrive.com/index.php?pg=./···ve/index
Unfortunately I have not been able to get it to work yet, but I will...:) -- "When all else fails, read the instructions..." |
|
 Raphion
join:2000-10-14 Samsara
| reply to Flaubert Re: The most secure way to use Windows Remote Desk
Is it possible to change the port used by RDP?
I'm going to want to try RDP from some insecure WiFi soon, as VPN seems way over my head. I plan to do all my online tasks from my home computer over RDP as a lazy man's workaround. I'd feel a bit more secure about it if I could change the port to something obscure so as to keep the hax0rz from trying the door as much.
Second question; how long would be long enough for a purely random mixed case password? |
|
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| Yes, you can change the listening port for RDP. See the section near the end of this page that has information about that...
»theillustratednetwork.mvps.org/R···ing.html
Personally I think you're better off running RDP through a VPN or Secure Shell (SSH) tunnel for added security. For a home user/SOHO user SSH is quite easy to set up and quite a bit safer than using the native RDP data link, IMHO...
»theillustratednetwork.mvps.org/S···SSH.html »theillustratednetwork.mvps.org/S···Key.html -- "When all else fails, read the instructions..." |
|
 Raphion
join:2000-10-14 Samsara
| Well I'm trying CopSSH, but I can't activate my user account. I was able to activate administrator, but not an account that I actually use. It tells me the account does not exist, even though it just listed it. 
The account name in question has a space in it, does the space break this?  |
|
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| said by Raphion: Well I'm trying CopSSH, but I can't activate my user account. I was able to activate administrator, but not an account that I actually use. It tells me the account does not exist, even though it just listed it. The account name in question has a space in it, does the space break this?
That is the problem...
»www.itefix.no/phpws/index.php?mo···MS[]=205 -- "When all else fails, read the instructions..." |
|
 YqE41k24 Premium join:2004-05-02 Tarrytown, NY
| reply to Anav This article describes one vulnerability to Windows Remote Desktop. It sounds real, but an attacker would have to be pretty determined to get anywhere with it.
»www.xatrix.org/article.php?s=1943
I don't think there's any practical problem with using RDP over a clear channel (unless you are worried about targeted corporate espionage...). But taken from a system perspective, why would you want to? A better system design is to use a VPN-capable firewall to protect you from snooping and your inner equipment from the internet. You could use straight RDP, but it's better to have a secure entrée into your LAN through one path instead of opening one-off paths with firewall rules for protocol-specific ports. |
|
 Raphion
join:2000-10-14 Samsara
| reply to SoonerAl Every step stumps me. Now I made accounts without spaces, and tried again, and PuTTY says "Network error: Software caused connection abort". This is why I say VPN or any other tunneling system is way over my head.  |
|
 Raphion
join:2000-10-14 Samsara
| reply to YqE41k24 said by YqE41k24: This article describes one vulnerability to Windows Remote Desktop. It sounds real, but an attacker would have to be pretty determined to get anywhere with it. »www.xatrix.org/article.php?s=1943 I don't think there's any practical problem with using RDP over a clear channel (unless you are worried about targeted corporate espionage...). But taken from a system perspective, why would you want to? A better system design is to use a VPN-capable firewall to protect you from snooping and your inner equipment from the internet. You could use straight RDP, but it's better to have a secure entrée into your LAN through one path instead of opening one-off paths with firewall rules for protocol-specific ports.
I read about a worse exploit that allows total decryption of the whole RDP session. »www.oxid.it/downloads/rdp-gbu.pdf (Sorry it's a PDF) And it's built right into a program called Cain & Abel, so you don't even have to work much at all to use it.
As to why I would like to be able to use something simple like RDP; I really don't have the knowledge to set up or administer any of those VPN firewall things. I've looked at some, and all I get for it is a headache.
I wouldn't leave anything like in service all the time either. I would only open the ports for it at my gateway router when the rare occasion comes that I'll actually need it. |
|
 YqE41k24 Premium join:2004-05-02 Tarrytown, NY
| Thank you for the link. I skimmed through the article and this discussion
»groups.google.com/group/microsof···deddc08e
I don't like the looks of the Cain & Abel program. Anyways... you would have to work to use this RDP attack. You need to position yourself and the environment such that the RDP client initiates a connection to you instead of the real RDP server. That's why in the link above, they say that this exploit is more viable with DNS than without. This isn't the kind of attack you'd run into at a coffee shop or public internet (unless you think the ISP is hosting the attack). This attack is also not specific to the RDP protocol. SSH would have the same vulnerability, for instance, were it not for the fact that each server generates and publishes its own certificate.
Here are some "famous last words". 
"I wouldn't leave anything like in service all the time either."
This is how holes often appear in networks. Somebody opens up a port for a special case, gets distracted, and the port remains open. It would be better, IMHO, to set up a VPN which you can leave active and secure. If you can understand the RDP attacks and open/close ports, you shouldn't have any trouble setting up a VPN these days. |
|
 Raphion
join:2000-10-14 Samsara
1 edit | said by YqE41k24: That's why in the link above, they say that this exploit is more viable with DNS than without. This isn't the kind of attack you'd run into at a coffee shop or public internet (unless you think the ISP is hosting the attack).
Why wouldn't it be easy to run on a coffee shop network? MITM attacks are extremely easy on a WiFi network. All you have to do is ARP poison both the target and the gateway, and then you have every bit of the target's IP traffic running through your machine, and can do whatever you want with it. I've done that on my own network, and it's child's play.
[edit] I suppose a well run network would have guards in place to make MITM less easy, like kicking a client that sends out excessive ARPs. But I wouldn't expect to see anything like that in a small network like a hotel or hotspot, where they dole out private IPs to everyone via a SOHO DSL router. Though it would be a nice idea. |
|
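The kind of guard mentioned in the edit above can be sketched as a passive monitor that watches ARP frames for an IP address moving to a different MAC and for one MAC sending an unusual number of replies. This is an added example, not code from the thread; the frame records, addresses and the rate threshold are constructed assumptions.

```python
# Added example: passive ARP monitoring over constructed frame records.
from collections import defaultdict, deque

RATE_WINDOW = 10.0  # seconds of history kept per MAC
RATE_LIMIT = 5      # replies per MAC per window before flagging (assumed)

def analyse(frames):
    """frames: (timestamp, op, sender_mac, sender_ip), op is 'request' or 'reply'.
    Returns alerts as (timestamp, kind, mac, ip_or_None)."""
    bindings = {}                    # ip -> first MAC seen (trust on first use)
    replies = defaultdict(deque)     # mac -> timestamps of recent replies
    reported = set()                 # (mac, ip) pairs already alerted on
    alerts = []
    for ts, op, mac, ip in frames:
        known = bindings.setdefault(ip, mac)
        if known != mac and (mac, ip) not in reported:
            reported.add((mac, ip))
            alerts.append((ts, "binding-change", mac, ip))
        if op == "reply":
            window = replies[mac]
            window.append(ts)
            while ts - window[0] > RATE_WINDOW:
                window.popleft()
            if len(window) == RATE_LIMIT + 1:   # alert once on crossing
                alerts.append((ts, "reply-flood", mac, None))
    return alerts

# Constructed sample using the documentation MAC range 00:00:5e:00:53:xx.
GATEWAY, CLIENT, ROGUE = ("00:00:5e:00:53:01", "00:00:5e:00:53:50",
                          "00:00:5e:00:53:66")
FRAMES = [
    (0.0, "request", CLIENT, "192.168.1.50"),
    (0.1, "reply", GATEWAY, "192.168.1.1"),
] + [
    (1.0 + i, "reply", ROGUE, ip)               # one MAC claiming both IPs
    for i in range(4) for ip in ("192.168.1.1", "192.168.1.50")
]

if __name__ == "__main__":
    for alert in analyse(FRAMES):
        print(alert)
```

Because bindings are trusted on first sight, the monitor only helps if it starts before any spoofed frames appear; a static entry for the gateway avoids that dependency.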
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| reply to Raphion said by Raphion: Every step stumps me. Now I made accounts without spaces, and tried again, and PuTTY says "Network error: Software caused connection abort". This is why I say VPN or any other tunneling system is way over my head.
I have never seen that error...
Can you post screen shots of how you have PuTTY setup?
Make sure you test locally before you try to do this over the public internet and test with a password before you try to set up and use a key pair. -- "When all else fails, read the instructions..." |
|
 YqE41k24 Premium join:2004-05-02 Tarrytown, NY
| reply to Raphion That's a good point.
»projects.cerias.purdue.edu/secpr···-Related Vulnerabilities »www-128.ibm.com/developerworks/w···=r,p=arp »www-128.ibm.com/developerworks/s···icle=wir
I'm a little puzzled why you can't figure out how to run a VPN, though. |
|
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC
| reply to SoonerAl said by SoonerAl: said by Raphion: and PuTTY says "Network error: Software caused connection abort". I have never seen that error...
Oh, I'm sure you have seen it and don't recognize it because it's actually in text and not in the usual cryptic form. This is the WSAECONNABORTED error, and the 10053 error.
In this case, most likely Winsock sent data over the connection that was not acknowledged before a timeout, so Winsock closed the connection.
Another reason would be because Winsock couldn't open the connection due to some constraint, such as a socket's queue being full. -- Robb Topolski -= funchords.com =- Hillsboro, Oregon USA ~ Keeper of the D-Link FAQ ~ Did you Search? ~ More features, Free! Join BBR! ~ |
|
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| said by funchords: said by SoonerAl: said by Raphion: and PuTTY says "Network error: Software caused connection abort". I have never seen that error... Oh, I'm sure you have seen it and don't recognize it because it's actually in text and not in the usual cryptic form. This is the WSAECONNABORTED error, and the 10053 error.
Well, no I have not seen that error before... -- "When all else fails, read the instructions..." |
|
 Raphion
join:2000-10-14 Samsara
| reply to SoonerAl said by SoonerAl: said by Raphion: Every step stumps me. Now I made accounts without spaces, and tried again, and PuTTY says "Network error: Software caused connection abort". This is why I say VPN or any other tunneling system is way over my head. I have never seen that error... Can you post screen shots of how you have PuTTY setup? Make sure you test locally before you try to do this over the public internet and test with a password before you try to set up and use a key pair.
I followed the link you gave exactly, only skipping the port forwarding because I'll only want to connect to the one machine for now, and replacing the address with my own of course.
I looked at the exchange between the machines using a sniffer, and what I see is: Client sends SYN from port 2145 to Server port 22, Server sends SYN ACK from port 22 to Client port 2145, Client sends ACK from port 2145 to Server port 22, Server sends RST ACK from port 22 to Client port 2145.
And that's all that happens. |
|
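The packet sequence in the last post (SYN, SYN ACK, ACK, then RST from the server) can be reproduced on loopback to see what the client's socket API reports for it. This is an added example, not code from the thread, and it does not diagnose the poster's setup: it only shows that the operating system completes the handshake before the listening program acts, so a reset right after the ACK means the server side dropped an already accepted connection. The function names are made up for the example.

```python
# Added example: handshake completes, then the server side resets.
import socket
import struct
import threading

def reset_after_accept(listener):
    """Accept one connection and abort it without sending any data."""
    conn, _ = listener.accept()   # kernel already did SYN / SYN ACK / ACK
    # SO_LINGER on with a zero timeout makes close() send RST instead of FIN.
    # "ii" is the Linux/BSD layout of struct linger (Windows uses two shorts).
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    conn.close()

def observe_handshake_then_reset():
    """Return (connected, outcome) as seen by the client."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))           # any free loopback port
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=reset_after_accept, args=(listener,))
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.settimeout(5)
    connected, outcome = False, "not-connected"
    try:
        client.connect(("127.0.0.1", port))   # succeeds: handshake is done
        connected = True
        try:
            # An SSH client would wait here for the server's version banner.
            data = client.recv(256)
            outcome = "data" if data else "closed"
        except (ConnectionResetError, ConnectionAbortedError) as exc:
            outcome = type(exc).__name__      # how the RST surfaces
    finally:
        client.close()
        worker.join()
        listener.close()
    return connected, outcome

if __name__ == "__main__":
    print(observe_handshake_then_reset())
```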