TS Client - How Secure?

Archived from groups: microsoft.public.windowsnt.terminalserver.client

Question, How secure is the TS client (Remote Desktop Connection from
WinXP)? Can you make it reasonably secure? I have run sessions through
VPNs but I am wondering if that is necessary?

Any info would be appreciated.

Cheers
  1.

    RDP is encrypted with 128-bit bi-directional RC4 Encryption by
    default (and if the client supports 128-bit).
    If your Terminal Server is behind a firewall and you have a strong
    password policy, there's no reason for VPN from a security point of
    view. And if you don't have full control over the other end of the
    VPN tunnel (a home PC), then I would say VPN is less secure.

    _________________________________________________________
    Vera Noest
    MCSE,CCEA, Microsoft MVP - Terminal Server
    http://hem.fyristorg.com/vera/IT
    *----------- Please reply in newsgroup -------------*

    "Un1c0rn" <un1c0rn(S p_am Ki_ll_er)@yahoo.com> wrote on 09 jul
    2005:

    > Question, How secure is the TS client (Remote Desktop Connection
    > from WinXP)? Can you make it reasonably secure? I have run
    > sessions through VPNs but I am wondering if that is necessary?
    >
    > Any info would be appreciated.
    >
    > Cheers
  2.

    In article <Xns9690A9DE963B5veranoesthemutforsse@207.46.248.16>,
    Vera.Noest@remove-this.hem.utfors.se says...
    > RDP is encrypted with 128-bit bi-directional RC4 Encryption by
    > default (and if the client supports 128-bit).
    > If your Terminal Server is behind a firewall and you have a strong
    > password policy, there's no reason for VPN from a security point of
    > view. And if you don't have full control over the other end of the
    > VPN tunnel (a home PC), then I would say VPN is less secure.

    Sure there is - if you "Trust" that there are no exploits in the MS TS
    service then you are correct, you don't need a VPN.

    On the other hand, I don't trust the OS to be exploit free and always
    put our servers behind a Firewall Appliance at the border and one that
    is not set up to authenticate with the domain - so that domain accounts
    with weak passwords can't get users past the firewall.

    Our solution is to ALWAYS set up a firewall appliance, users VPN into the
    appliance, rule per user to restrict the VPN user to a specific set of
    IP/Port combinations inside the lan, and then they still have to
    authenticate with the domain/network. This type of mind-set has kept our
    clients uncompromised for as long as they have been using public facing
    services.

    --
    spam999free@rrohio.com
    remove 999 in order to email me
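
The per-user VPN rule set described in the reply above, modelled as an added example (not code from any poster in this thread). The account names, addresses and the `Rule` structure are assumptions made for illustration; the point is default deny per VPN user plus an audit for rules that cover more than a single host.

```python
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    user: str   # VPN account defined on the appliance, not a domain account
    dest: str   # internal destination in CIDR form
    port: int   # TCP port


# Constructed sample policy; every name and address here is illustrative.
RULES = [
    Rule("alice-vpn", "10.0.5.20/32", 3389),  # one terminal server, RDP only
    Rule("bob-vpn", "10.0.5.21/32", 3389),
    Rule("bob-vpn", "10.0.0.0/8", 445),       # deliberately too broad
]


def is_allowed(rules, user, dest_ip, port):
    """Default deny: permit only when a rule for this user matches dest and port."""
    ip = ipaddress.ip_address(dest_ip)
    return any(
        r.user == user and r.port == port and ip in ipaddress.ip_network(r.dest)
        for r in rules
    )


def broad_rules(rules, max_hosts=1):
    """Return rules whose destination covers more than max_hosts addresses."""
    return [
        r for r in rules
        if ipaddress.ip_network(r.dest).num_addresses > max_hosts
    ]


if __name__ == "__main__":
    # Constructed connection attempts arriving through the VPN.
    attempts = [
        ("alice-vpn", "10.0.5.20", 3389),  # matches alice's single rule
        ("alice-vpn", "10.0.5.21", 3389),  # another user's server
        ("carol-vpn", "10.0.5.20", 3389),  # no rules for this account
    ]
    for user, ip, port in attempts:
        verdict = "ALLOW" if is_allowed(RULES, user, ip, port) else "DENY"
        print(f"{verdict} {user} -> {ip}:{port}")
    for r in broad_rules(RULES):
        print(f"REVIEW {r.user}: {r.dest} port {r.port} spans many hosts")
```

A permitted connection here only reaches the listening service; the domain logon the reply mentions still happens afterwards.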
  3.

    Leythos <void@nowhere.lan> wrote on 12 jul 2005:

    > In article <Xns9690A9DE963B5veranoesthemutforsse@207.46.248.16>,
    > Vera.Noest@remove-this.hem.utfors.se says...
    >> RDP is encrypted with 128-bit bi-directional RC4 Encryption by
    >> default (and if the client supports 128-bit).
    >> If your Terminal Server is behind a firewall and you have a
    >> strong password policy, there's no reason for VPN from a
    >> security point of view. And if you don't have full control over
    >> the other end of the VPN tunnel (a home PC), then I would say
    >> VPN is less secure.
    >
    > Sure there is - if you "Trust" that there are no exploits in the
    > MS TS service then you are correct, you don't need a VPN.
    >
    > On the other hand, I don't trust the OS to be exploit free and
    > always put our servers behind a Firewall Appliance at the border
    > and one that is not set up to authenticate with the domain - so
    > that domain accounts with weak passwords can't get users past
    > the firewall.
    >
    > Our solution is to ALWAYS set up a firewall appliance, users VPN
    > into the appliance, rule per user to restrict the VPN user to a
    > specific set of IP/Port combinations inside the lan, and then
    > they still have to authenticate with the domain/network. This
    > type of mind-set has kept our clients uncompromised for as long
    > as they have been using public facing services.

    OK, I understand what you mean, but the funny thing is that to the
    best of my knowledge there have not been any known exploits of TS.

    And of course you need a firewall and strong passwords, we totally
    agree on that.

    But I still think that VPN from a home PC (where the user is local
    Administrator and has an unlimited amount of malware, spyware etc
    running) into your corporate LAN is not the safest of possible
    solutions.

    _________________________________________________________
    Vera Noest
    MCSE,CCEA, Microsoft MVP - Terminal Server
    http://hem.fyristorg.com/vera/IT
    *----------- Please reply in newsgroup -------------*