TS Client - How Secure?

Anonymous
July 10, 2005 5:15:23 AM

Archived from groups: microsoft.public.windowsnt.terminalserver.client (More info?)

Question, How secure is the TS client (Remote Desktop Connection from
WinXP)? Can you make it reasonably secure? I have run sessions through
VPNs but I am wondering if that is necessary?

Any info would be appreciated.

Cheers

Anonymous
July 11, 2005 11:41:56 AM

RDP is encrypted with 128-bit bi-directional RC4 Encryption by
default (and if the client supports 128-bit).
If your Terminal Server is behind a firewall and you have a strong
password policy, there's no reason for VPN from a security point of
view. And if you don't have full control over the other end of the
VPN tunnel (a home PC), then I would say VPN is less secure.

_________________________________________________________
Vera Noest
MCSE,CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
*----------- Please reply in newsgroup -------------*

"Un1c0rn" <un1c0rn(S p_am Ki_ll_er)@yahoo.com> wrote on 09 jul
2005:

> Question, How secure is the TS client (Remote Desktop Connection
> from WinXP)? Can you make it reasonably secure? I have run
> sessions through VPNs but I am wondering if that is necessary?
>
> Any info would be appreciated.
>
> Cheers

Anonymous
July 12, 2005 5:44:20 PM

In article <Xns9690A9DE963B5veranoesthemutforsse@207.46.248.16>,
Vera.Noest@remove-this.hem.utfors.se says...
> RDP is encrypted with 128-bit bi-directional RC4 Encryption by
> default (and if the client supports 128-bit).
> If your Terminal Server is behind a firewall and you have a strong
> password policy, there's no reason for VPN from a security point of
> view. And if you don't have full control over the other end of the
> VPN tunnel (a home PC), then I would say VPN is less secure.

Sure there is - if you "Trust" that there are no exploits in the MS TS
service then you are correct, you don't need a VPN.

On the other hand, I don't trust the OS to be exploit free and always
put our servers behind a Firewall Appliance at the border and one that
is not set up to authenticate with the domain - so that domain accounts
with weak passwords can't get users past the firewall.

Our solution is to ALWAYS set up a firewall appliance, users VPN into the
appliance, rule per user to restrict the VPN user to a specific set of
IP/Port combinations inside the lan, and then they still have to
authenticate with the domain/network. This type of mind-set has kept our
clients uncompromised for as long as they have been using public facing
services.

--
spam999free@rrohio.com
remove 999 in order to email me

Anonymous
July 12, 2005 5:44:21 PM

Leythos <void@nowhere.lan> wrote on 12 jul 2005:

> In article <Xns9690A9DE963B5veranoesthemutforsse@207.46.248.16>,
> Vera.Noest@remove-this.hem.utfors.se says...
>> RDP is encrypted with 128-bit bi-directional RC4 Encryption by
>> default (and if the client supports 128-bit).
>> If your Terminal Server is behind a firewall and you have a
>> strong password policy, there's no reason for VPN from a
>> security point of view. And if you don't have full control over
>> the other end of the VPN tunnel (a home PC), then I would say
>> VPN is less secure.
>
> Sure there is - if you "Trust" that there are no exploits in the
> MS TS service then you are correct, you don't need a VPN.
>
> On the other hand, I don't trust the OS to be exploit free and
> always put our servers behind a Firewall Appliance at the border
> and one that is not set up to authenticate with the domain - so
> that domain accounts with weak passwords can't get users past
> the firewall.
>
> Our solution is to ALWAYS set up a firewall appliance, users VPN
> into the appliance, rule per user to restrict the VPN user to a
> specific set of IP/Port combinations inside the lan, and then
> they still have to authenticate with the domain/network. This
> type of mind-set has kept our clients uncompromised for as long
> as they have been using public facing services.

OK, I understand what you mean, but the funny thing is that to the
best of my knowledge there have not been any known exploits of TS.

And of course you need a firewall and strong passwords, we totally
agree on that.

But I still think that VPN from a home PC (where the user is local
Administrator and has an unlimited amount of malware, spyware etc
running) into your corporate LAN is not the safest of possible
solutions.

_________________________________________________________
Vera Noest
MCSE,CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
*----------- Please reply in newsgroup -------------*
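
An added example, not part of the original thread: a small model of the per-user IP/port rules described above, compared with a VPN that has no per-user rules, to show how much of the LAN a connecting home PC can reach in each case. All addresses, user names, rules and the service inventory are constructed for illustration; 3389 is the default RDP port.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data: addresses, user names and rules are hypothetical.
LAN = ip_network("10.0.0.0/24")
TERMINAL_SERVER = ip_address("10.0.0.20")

# Per-user allowlist on the VPN appliance: user -> set of (dest IP, dest port).
VPN_RULES = {
    "alice": {(TERMINAL_SERVER, 3389)},
    "bob": {(TERMINAL_SERVER, 3389), (ip_address("10.0.0.30"), 443)},
}

# Constructed inventory of listening services inside the LAN.
LAN_SERVICES = [
    ("10.0.0.10", 445),   # file server
    ("10.0.0.10", 135),
    ("10.0.0.20", 3389),  # terminal server
    ("10.0.0.20", 445),
    ("10.0.0.30", 443),   # intranet web
    ("10.0.0.40", 1433),  # database
]


def allowed(user, dst, port, rules=VPN_RULES):
    """Default deny: a flow passes only if the user has an exact IP/port rule."""
    return (ip_address(dst), port) in rules.get(user, set())


def reachable(user, services, rules=VPN_RULES):
    """Return the LAN services this VPN user can reach through the appliance."""
    return sorted((ip, port) for ip, port in services
                  if allowed(user, ip, port, rules))


def flat_vpn_reachable(services):
    """A VPN with no per-user rules: every service in the LAN is reachable."""
    return sorted(s for s in services if ip_address(s[0]) in LAN)


if __name__ == "__main__":
    print("flat VPN:", len(flat_vpn_reachable(LAN_SERVICES)), "services exposed")
    for user in ("alice", "bob", "mallory"):
        # mallory has no rule set, so nothing is reachable for that account.
        print(user, "->", reachable(user, LAN_SERVICES))
```

The rules only limit what a VPN user can reach at the network layer; logging on to the terminal server still requires domain authentication, as the thread notes.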