Re: Securing RDP - Is it possible?

From: Parity (pty.errgmail.com)
Date: Tue Apr 14 2009 - 20:14:57 CDT


Two-factor auth does nothing to prevent these attacks. The server can
use 100 different factors to authenticate the client, but if the
client doesn't also authenticate the server, then man-in-the-middle
attacks are still possible.

On Tue, Apr 14, 2009 at 10:25 AM, Ben Little <BLittleskylight.com> wrote:
> You can also use two-factor authentication as a means of helping to
> secure the authentication process.
>
> -----Original Message-----
> From: listbouncesecurityfocus.com [mailto:listbouncesecurityfocus.com]
> On Behalf Of David Glosser
> Sent: Tuesday, April 14, 2009 3:38 AM
> To: Chip Panarchy
> Cc: pen-testsecurityfocus.com
> Subject: Re: Securing RDP - Is it possible?
>
> You can configure better authentication and encryption with RDP (for
> example, http://technet.microsoft.com/en-us/library/cc782610.aspx,
> http://support.microsoft.com/kb/275727)
>
> Also change the RDP listening port to something non-standard. That won't
> prevent someone finding the port but should make it a little harder to
> find.
>
>
>
> On Tue, Apr 14, 2009 at 4:27 AM, Chip Panarchy <forumanarchygmail.com>
> wrote:
>> Hello
>>
>> Is Secure RDP an impossibility?
>>
>> I am now working (WOOT) and they seem to use entirely RDP, almost no VNC...
>>
>> This, by my reckoning would make the network most insecure.
>>
>> Would you agree?
>>
>> Or is it possible to Secure RDP?
>>
>> Thanks in advance for sharing ideas on this matter,
>>
>> Panarchy
>>
>> ------------------------------------------------------------------------
>> This list is sponsored by: InfoSec Institute
>>
>> Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
>> Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified Penetration Tester exams, taught by an expert with years of real pen testing experience.
>>
>> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>> ------------------------------------------------------------------------
>>
>>
>
>
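
The top reply's point, that the client has to authenticate the server no matter how strongly the server authenticates the client, can be checked on the client side. The following is an added example, not part of the original thread: it parses the text of a saved .rdp connection file and reports whether the client will refuse a server it cannot authenticate. The sample file contents, host name and function names are constructed for illustration, and treating a missing setting as its default is an assumption.

```python
# Added example: audit a saved .rdp file for server-authentication settings.
# "authentication level" and "enablecredsspsupport" are documented .rdp
# properties; the sample files below are constructed for illustration.

AUTH_LEVELS = {
    0: "connect without warning if server authentication fails",
    1: "do not connect if server authentication fails",
    2: "warn and let the user decide if server authentication fails",
    3: "no authentication requirement specified",
}

def parse_rdp(text):
    """Parse 'name:type:value' lines (type i = integer, s = string)."""
    settings = {}
    for raw in text.lstrip("\ufeff").splitlines():
        parts = raw.strip().split(":", 2)  # value may itself contain ':'
        if len(parts) != 3:
            continue  # blank or malformed line
        name, kind, value = parts
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue  # integer setting with a non-numeric value
        settings[name.strip().lower()] = value
    return settings

def audit_rdp(text):
    """Return findings; an empty list means the client refuses a server it
    cannot authenticate and CredSSP is left enabled."""
    s = parse_rdp(text)
    findings = []
    level = s.get("authentication level", 3)  # assumption: absent treated as 3
    if level != 1:
        findings.append("authentication level=%s: %s"
                        % (level, AUTH_LEVELS.get(level, "unknown value")))
    if s.get("enablecredsspsupport", 1) == 0:  # assumption: absent treated as 1
        findings.append("enablecredsspsupport=0: CredSSP (NLA) disabled")
    return findings

# Constructed sample files.
WEAK = "full address:s:rdp.example.test\nauthentication level:i:0\nenablecredsspsupport:i:0\n"
STRICT = "full address:s:rdp.example.test\nauthentication level:i:1\nenablecredsspsupport:i:1\n"

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("strict", STRICT)):
        print(label, audit_rdp(sample) or "server authentication enforced")
```

A file that passes this check only shows that the client is configured to reject an unauthenticated server; the certificate the server presents still has to chain to something the client trusts.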
