[isalist] Re: RDP/TLS [Thread Subject Change]

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 25 May 2006 13:27:20 -0700

http://www.ISAserver.org
-------------------------------------------------------

I was answering the original question regarding browser manglement of ISA. 
Regarding RDP MITM attacks, "it exists and is real" is just as valid as saying 
"Elvis is alive".
Depending on who you ask, (n)either statement is worth worrying about...

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Young, Gerald G
Sent: Thursday, May 25, 2006 12:31
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: RDP/TLS [Thread Subject Change]

Jim,

Thank you. :)  Just to clarify your answers, though, you mean:

No, you or Tom do not know of a KB article or TechNet article that discusses 
RDP/TLS (SSL) and have no plans to know?

Or

No, Microsoft does not have a KB article or TechNet article that discusses 
RDP/TLS and Microsoft has no plans to release such an article?

Follow up questions:

Is RDP/TLS (SSL) only available with Windows Server 2003 SP1?
Is it true that Microsoft pulled RDP/TLS (SSL) from Windows Server 2003 R2?

The reason why I ask, and I know this is a sensitive topic, is because a MITM 
attack against an RDP session using standard RDP encryption can succeed in 
determining the username and password used to log onto a server (Test Case: 
Server - W2K3 SP1 Fully Patched; Client - WinXP SP2 Fully Patched).  Granted, 
this requires that the MITM attacker has access to either the subnet of the 
client or the subnet of the server but the risk still exists and is very real.

The federal agencies I play a role in supporting are very concerned about this.

I'm just trying to perform all the due diligence I can and using RDP/TLS seems 
like a very good solution to this issue for our current environment.

Cordially yours,
Jerry G. Young II
  MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
ECNS Microsoft Engineering
Unisys
 
11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Thursday, May 25, 2006 2:23 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: RDP/TLS [Thread Subject Change]

No, we don't.
No, we have no such plans.


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Young, Gerald G
Sent: Thursday, May 25, 2006 11:05
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] RDP/TLS [Thread Subject Change]

Tom,

The clarification was fine.  It just didn't answer the questions I had asked is 
all. :)

Cordially yours,
Jerry G. Young II
  MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
ECNS Microsoft Engineering
Unisys
 
11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Thursday, May 25, 2006 1:57 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Browser based configurtaion

What didn't make sense? There's a big difference between tunneling and 
encryption.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> Sent: Thursday, May 25, 2006 12:18 PM
> To: ISA Mailing List
> Subject: [isalist] Re: Browser based configurtaion
> 
> It did, didn't it!...:)
> 
> S
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Thursday, May 25, 2006 2:12 PM
> To: ISA Mailing List
> Subject: [isalist] Re: Browser based configurtaion
> 
> That cleared it right up :-p
> 
> t
> 
> 
> On 5/25/06 10:23 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all:
> 
> > Hi Jerry,
> > 
> > It's not really RDP over SSL/TLS, but rather TLS encryption of the RDP
> > channel.
> > 
> > Tunneling RDP over a TLS (HTTP actually) is an entirely different 
> > matter to be solved with Longhorn.
> > 
> > HTH,
> > Tom
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> >> -----Original Message-----
> >> From: isalist-bounce@xxxxxxxxxxxxx
> >> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Young, Gerald G
> >> Sent: Thursday, May 25, 2006 11:54 AM
> >> To: isalist@xxxxxxxxxxxxx
> >> Subject: [isalist] Re: Browser based configurtaion
> >> 
> >> Tom,
> >> 
> >> I've tried googling RDP/TLS and RDP/SSL but didn't find much from 
> >> Microsoft on this.  From the articles that I did see, however, this
> >> requires Windows Server 2003 SP1.  Another article mentioned that 
> >> Microsoft removed this from Windows Server 2003 R2 because this 
> >> technology competed with a Citrix product.
> >> 
> >> Do you or Jim happen to know if there is a KB article or TechNet 
> >> article at Microsoft that discusses this?
> >> 
> >> To confuse matters more, Microsoft apparently refers to this as RDP
> >> over SSL rather than TLS (the one Microsoft page I did find mention
> >> of this in was a What's New page for ISA Server 2004).  TLS is the 
> >> successor for SSL so could that simply be because SSL is more widely
> >> used as a term?
> >> 
> >> Cordially yours,
> >> Jerry G. Young II
> >>   MCSE (4.0/W2K)
> >> Atlanta EES Implementation Team Lead ECNS Microsoft Engineering 
> >> Unisys
> >>  
> >> 11493 Sunset Hills Rd.
> >> Reston, VA 20190
> >> Office: 703-579-2727
> >> Cell: 703-625-1468
> >> 
> >> 
> >> -----Original Message-----
> >> From: isalist-bounce@xxxxxxxxxxxxx
> >> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> >> On Behalf Of Thomas W Shinder
> >> Sent: Thursday, May 25, 2006 10:58 AM
> >> To: isalist@xxxxxxxxxxxxx
> >> Subject: [isalist] Re: Browser based configurtaion
> >> 
> >> Hi Raj,
> >> 
> >> No. Why not use RDP/TLS? It's just as secure.
> >> 
> >> Tom
> >> 
> >> Thomas W Shinder, M.D.
> >> Site: www.isaserver.org
> >> Blog: http://blogs.isaserver.org/shinder/
> >> Book: http://tinyurl.com/3xqb7
> >> MVP -- ISA Firewalls
> >> 
> >>  
> >> 
> >>> -----Original Message-----
> >>> From: isalist-bounce@xxxxxxxxxxxxx 
> >>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Periyasamy, Raj
> >>> Sent: Thursday, May 25, 2006 9:11 AM
> >>> To: isalist@xxxxxxxxxxxxx
> >>> Subject: [isalist] Browser based configurtaion
> >>> 
> >>> I know that certain pre-installed ISA appliances provide a browser 
> >>> based interface to configure the ISA server. Is there any way to 
> >>> configure an out-of-the box ISA Server installation with a browser
> >>> interface? Any such feature available from Microsoft?
> >>> 
> >>> Thanks.
> >>> 
> >>> Regards,
> >>> Raj Periyasamy
> >>> MCSE(Messaging), CCNA
> >>> 
> >>> 
> >>> ------------------------------------------------------
> >>> List Archives: //www.freelists.org/archives/isalist/
> >>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> >>> ISA Server Articles and Tutorials:
> >>> http://www.isaserver.org/articles_tutorials/
> >>> ISA Server Blogs: http://blogs.isaserver.org/
> >>> ------------------------------------------------------
> >>> Visit TechGenix.com for more information about our other sites:
> >>> http://www.techgenix.com
> >>> ------------------------------------------------------
> >>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> >>> Report abuse to listadmin@xxxxxxxxxxxxx
> >>> 
> >>> 
> >>> 
> 
> 
> 
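An added example, not part of the original thread: a defender's check for whether an RDP server selected standard RDP encryption or TLS, made by parsing the server's X.224 Connection Confirm reply as laid out in MS-RDPBCGR. The sample replies and host names are constructed, and the function names are this example's own.

```python
import struct

# Constants from the RDP negotiation structures in MS-RDPBCGR.
PROTOCOLS = {0: "PROTOCOL_RDP", 1: "PROTOCOL_SSL", 2: "PROTOCOL_HYBRID",
             4: "PROTOCOL_RDSTLS", 8: "PROTOCOL_HYBRID_EX"}
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03

def classify_connection_confirm(pdu: bytes) -> dict:
    """Report which security protocol an RDP server selected in its reply."""
    if len(pdu) < 11 or pdu[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    if struct.unpack(">H", pdu[2:4])[0] != len(pdu):
        raise ValueError("TPKT length does not match the captured bytes")
    if pdu[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = pdu[11:]  # bytes after the 4-byte TPKT and 7-byte X.224 headers
    if not neg:
        # No negotiation block: the server did not negotiate, so standard
        # RDP security applies.
        return {"selected": "PROTOCOL_RDP", "tls": False}
    if len(neg) != 8:
        raise ValueError("malformed negotiation block")
    msg_type, _flags, length, value = struct.unpack("<BBHI", neg)
    if length != 8:
        raise ValueError("malformed negotiation block")
    if msg_type == TYPE_RDP_NEG_FAILURE:
        return {"selected": None, "tls": False, "failure_code": value}
    if msg_type != TYPE_RDP_NEG_RSP:
        raise ValueError("unexpected negotiation message type")
    # Every defined protocol except PROTOCOL_RDP runs inside a TLS channel.
    return {"selected": PROTOCOLS.get(value, f"unknown(0x{value:x})"),
            "tls": value in PROTOCOLS and value != 0}

# Constructed sample replies (hypothetical hosts), as a capture would show them.
SAMPLES = {
    "legacy-ts": bytes.fromhex("0300000b06d00000123400"),
    "tls-ts": bytes.fromhex("030000130ed000001234000200080001000000"),
    "rdp-only-ts": bytes.fromhex("030000130ed000001234000200080000000000"),
}

def hosts_without_tls(samples: dict) -> list:
    """Hosts whose reply shows standard RDP encryption instead of TLS."""
    return sorted(h for h, pdu in samples.items()
                  if not classify_connection_confirm(pdu)["tls"])

if __name__ == "__main__":
    print(hosts_without_tls(SAMPLES))
```
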