[isalist] Re: RDP/TLS [Thread Subject Change]

  • From: "Young, Gerald G" <Gerald.Young@xxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 25 May 2006 16:58:02 -0500

http://www.ISAserver.org
-------------------------------------------------------

And for what it's worth, I just stumbled across the following:

http://support.microsoft.com/default.aspx?scid=kb;en-us;895433

Cordially yours,
Jerry G. Young II
  MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
ECNS Microsoft Engineering
Unisys
 
11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Thursday, May 25, 2006 5:24 PM
To: ISA Mailing List
Subject: [isalist] Re: RDP/TLS [Thread Subject Change]

http://technet2.microsoft.com/WindowsServer/en/Library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true

S

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Young, Gerald G
Sent: Thursday, May 25, 2006 6:21 PM
To: ISA Mailing List
Subject: [isalist] Re: RDP/TLS [Thread Subject Change]

I don't understand the nonchalant attitude toward this.  If requested,
no one can provide solid, physical, and current evidence that Elvis is
alive.  The same is not true for successful RDP MITM attacks; solid,
physical, and current evidence can be provided if requested.

The first link returned for a Google search on "rdp mitm" documents why
it's possible.  From the same site, a utility can be downloaded to
exploit the cryptographic weakness in standard RDP encryption.  The
simplicity in successfully capturing, decrypting, and determining the
username and password used to establish an RDP session made my jaw drop.

When Tom mentioned that you could encrypt RDP traffic using TLS (SSL),
that caught my eye.  For obvious reasons.

My original query was simply for more information on how to do exactly
that and to find out to which platforms the solution could be applied
and not applied.  Since there seemed to be a misunderstanding as to what
I was asking for and why, I tried to clarify.

I just don't understand how that turned into a statement that could be
taken to imply that I'm as loony as a helper on a Reno dude ranch.

Cordially yours,
Jerry G. Young II
  MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
ECNS Microsoft Engineering
Unisys
 
11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Thursday, May 25, 2006 4:27 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: RDP/TLS [Thread Subject Change]

I was answering the original question regarding browser manglement of
ISA.
Regarding RDP MITM attacks, "it exists and is real" is just as valid as
saying "Elvis is alive".
Depending on who you ask, (n)either statement is worth worrying about...

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Young, Gerald G
Sent: Thursday, May 25, 2006 12:31
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: RDP/TLS [Thread Subject Change]

Jim,

Thank you. :)  Just to clarify your answers, though, you mean:

No, you or Tom do not know of a KB article or TechNet article that
discusses RDP/TLS (SSL) and have no plans to know?

Or

No, Microsoft does not have a KB article or TechNet article that
discusses RDP/TLS and Microsoft has no plans to release such an article?

Follow up questions:

Is RDP/TLS (SSL) only available with Windows Server 2003 SP1?
Is it true that Microsoft pulled RDP/TLS (SSL) from Windows Server 2003
R2?

The reason why I ask, and I know this is a sensitive topic, is because a
MITM attack against an RDP session using standard RDP encryption can
succeed in determining the username and password used to log onto a
server (Test Case: Server - W2K3 SP1 Fully Patched; Client - WinXP SP2
Fully Patched).  Granted, this requires that the MITM attacker has
access to either the subnet of the client or the subnet of the server
but the risk still exists and is very real.

The federal agencies I play a role in supporting are very concerned
about this.

I'm just trying to perform all the due diligence I can and using RDP/TLS
seems like a very good solution to this issue for our current
environment.

Cordially yours,
Jerry G. Young II
  MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
ECNS Microsoft Engineering
Unisys
 
11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468

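
Added example, not part of any message in this thread: the messages above contrast standard RDP encryption with TLS encryption of the RDP channel. Which of the two a server will use is visible in its X.224 Connection Confirm reply, so the Python below parses that reply (field values per MS-RDPBCGR) to find servers that do not commit to TLS. The sample bytes and host names are constructed.

```python
import struct

# Constants from the RDP negotiation structures in MS-RDPBCGR.
SELECTED_PROTOCOL = {
    0x0: "PROTOCOL_RDP",        # standard RDP security, the case the thread worries about
    0x1: "PROTOCOL_SSL",        # TLS encryption of the RDP channel
    0x2: "PROTOCOL_HYBRID",     # CredSSP (NLA) inside TLS
    0x4: "PROTOCOL_RDSTLS",
    0x8: "PROTOCOL_HYBRID_EX",
}
FAILURE_CODE = {
    0x1: "SSL_REQUIRED_BY_SERVER",
    0x2: "SSL_NOT_ALLOWED_BY_SERVER",
    0x3: "SSL_CERT_NOT_ON_SERVER",
    0x4: "INCONSISTENT_FLAGS",
    0x5: "HYBRID_REQUIRED_BY_SERVER",
    0x6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03


def classify_connection_confirm(pdu: bytes) -> tuple[str, bool]:
    """Return (negotiated security, True if the session will run inside TLS)."""
    if len(pdu) < 11:
        raise ValueError("too short for TPKT + X.224 Connection Confirm")
    version, _reserved, tpkt_len = struct.unpack(">BBH", pdu[:4])
    if version != 3 or tpkt_len != len(pdu):
        raise ValueError("bad TPKT header")
    length_indicator, code = pdu[4], pdu[5]
    if code & 0xF0 != 0xD0 or length_indicator + 5 != tpkt_len:
        raise ValueError("not a well-formed X.224 Connection Confirm")
    negotiation = pdu[11:]
    if not negotiation:
        # No negotiation structure at all: the server only speaks standard RDP security.
        return "PROTOCOL_RDP (no negotiation response)", False
    if len(negotiation) != 8 or negotiation[2:4] != b"\x08\x00":
        raise ValueError("malformed negotiation structure")
    neg_type, _flags, _length, value = struct.unpack("<BBHI", negotiation)
    if neg_type == TYPE_RDP_NEG_RSP:
        name = SELECTED_PROTOCOL.get(value, f"unknown protocol 0x{value:x}")
        return name, value != 0 and value in SELECTED_PROTOCOL
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return "FAILURE " + FAILURE_CODE.get(value, f"0x{value:x}"), False
    raise ValueError(f"unknown negotiation type 0x{neg_type:02x}")


def hosts_without_tls(replies: dict[str, bytes]) -> list[str]:
    """Names of servers whose reply does not commit to a TLS-protected session."""
    return sorted(h for h, pdu in replies.items()
                  if not classify_connection_confirm(pdu)[1])


# Constructed sample replies (not captured from real hosts); host names are placeholders.
TPKT19, X224_CC = "03000013", "0ed00000123400"
SAMPLES = {
    "ts-old.example":     bytes.fromhex("0300000b" "06d00000123400"),
    "ts-stdrdp.example":  bytes.fromhex(TPKT19 + X224_CC + "0200080000000000"),
    "ts-tls.example":     bytes.fromhex(TPKT19 + X224_CC + "0200080001000000"),
    "ts-refuses.example": bytes.fromhex(TPKT19 + X224_CC + "0300080002000000"),
}

if __name__ == "__main__":
    print("needs attention:", hosts_without_tls(SAMPLES))
```
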
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Thursday, May 25, 2006 2:23 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: RDP/TLS [Thread Subject Change]

No, we don't.
No, we have no such plans.


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Young, Gerald G
Sent: Thursday, May 25, 2006 11:05
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] RDP/TLS [Thread Subject Change]

Tom,

The clarification was fine.  It just didn't answer the questions I had
asked is all. :)

Cordially yours,
Jerry G. Young II
  MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
ECNS Microsoft Engineering
Unisys
 
11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Thursday, May 25, 2006 1:57 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Browser based configurtaion

What didn't make sense? There's a big difference between tunneling and
encryption.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> Sent: Thursday, May 25, 2006 12:18 PM
> To: ISA Mailing List
> Subject: [isalist] Re: Browser based configurtaion
> 
> It did, didn't it!...:)
> 
> S
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Thursday, May 25, 2006 2:12 PM
> To: ISA Mailing List
> Subject: [isalist] Re: Browser based configurtaion
> 
> That cleared it right up :-p
> 
> t
> 
> 
> On 5/25/06 10:23 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
> 
> > Hi Jerry,
> > 
> > It's not really RDP over SSL/TLS, but rather TLS encryption of the RDP
> > channel.
> > 
> > Tunneling RDP over a TLS (HTTP actually) is an entirely different 
> > matter to be solved with Longhorn.
> > 
> > HTH,
> > Tom
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> >> -----Original Message-----
> >> From: isalist-bounce@xxxxxxxxxxxxx
> >> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Young, Gerald G
> >> Sent: Thursday, May 25, 2006 11:54 AM
> >> To: isalist@xxxxxxxxxxxxx
> >> Subject: [isalist] Re: Browser based configurtaion
> >> 
> >> Tom,
> >> 
> >> I've tried googling RDP/TLS and RDP/SSL but didn't find much from
> >> Microsoft on this.  From the articles that I did see, however, this
> >> requires Windows Server 2003 SP1.  Another article mentioned that
> >> Microsoft removed this from Windows Server 2003 R2 because this
> >> technology competed with a Citrix product.
> >>
> >> Do you or Jim happen to know if there is a KB article or TechNet
> >> article at Microsoft that discusses this?
> >>
> >> To confuse matters more, Microsoft apparently refers to this as RDP
> >> over SSL rather than TLS (the one Microsoft page I did find mention
> >> of this in was a What's New page for ISA Server 2004).  TLS is the
> >> successor for SSL so could that simply be because SSL is more widely
> >> used as a term?
> >> 
> >> Cordially yours,
> >> Jerry G. Young II
> >>   MCSE (4.0/W2K)
> >> Atlanta EES Implementation Team Lead
> >> ECNS Microsoft Engineering
> >> Unisys
> >>  
> >> 11493 Sunset Hills Rd.
> >> Reston, VA 20190
> >> Office: 703-579-2727
> >> Cell: 703-625-1468
> >> 
> >> -----Original Message-----
> >> From: isalist-bounce@xxxxxxxxxxxxx
> >> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> >> On Behalf Of Thomas W Shinder
> >> Sent: Thursday, May 25, 2006 10:58 AM
> >> To: isalist@xxxxxxxxxxxxx
> >> Subject: [isalist] Re: Browser based configurtaion
> >> 
> >> Hi Raj,
> >> 
> >> No. Why not use RDP/TLS? It's just as secure.
> >> 
> >> Tom
> >> 
> >> Thomas W Shinder, M.D.
> >> Site: www.isaserver.org
> >> Blog: http://blogs.isaserver.org/shinder/
> >> Book: http://tinyurl.com/3xqb7
> >> MVP -- ISA Firewalls
> >> 
> >>  
> >> 
> >>> -----Original Message-----
> >>> From: isalist-bounce@xxxxxxxxxxxxx 
> >>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Periyasamy, Raj
> >>> Sent: Thursday, May 25, 2006 9:11 AM
> >>> To: isalist@xxxxxxxxxxxxx
> >>> Subject: [isalist] Browser based configurtaion
> >>> 
> >>> I know that certain pre-installed ISA appliances provide a browser
> >>> based interface to configure the ISA server. Is there any way to
> >>> configure an out-of-the box ISA Server installation with a browser
> >>> interface? Any such feature available from Microsoft?
> >>> 
> >>> Thanks.
> >>> 
> >>> Regards,
> >>> Raj Periyasamy
> >>> MCSE(Messaging), CCNA
> >>> 
> >>> 
> >>> ------------------------------------------------------
> >>> List Archives: //www.freelists.org/archives/isalist/
> >>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> >>> ISA Server Articles and Tutorials:
> >>> http://www.isaserver.org/articles_tutorials/
> >>> ISA Server Blogs: http://blogs.isaserver.org/
> >>> ------------------------------------------------------
> >>> Visit TechGenix.com for more information about our other sites:
> >>> http://www.techgenix.com
> >>> ------------------------------------------------------
> >>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> >>> Report abuse to listadmin@xxxxxxxxxxxxx