[isapros] Re: OT: Requiring client-side certs for RDP

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Sat, 14 Jul 2007 11:57:20 -0700

Unfortunately, Keith can't make it this year, so we'll have to choose someone 
else to "take one for the team" if needs be.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Saturday, July 14, 2007 11:25 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

Actually, we WILL be in Vegas... But in *that* room, while sleeves get rolled 
up, well, I'll let you finish that sentence...

t

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of John T (lists)
> Sent: Friday, July 13, 2007 6:32 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> 
> Boyz Boyz Boyz. Methinks it's time for all of you to get together in one
> room and hash it out.
> 
> I haven't seen a good roll up the sleeves "talk" in a long time.
> 
> I'll bring the popcorn.
> 
> John T
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Friday, July 13, 2007 6:21 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> >
> > Dude,
> > I thought you were a devotee of least priv!
> > I'll write out the scenarios if I ever get home.
> >
> > Sent via Windows Mobile through ISA Firewall protected Exchange Servers
> >
> >
> > -----Original Message-----
> > From: "Thor (Hammer of God)"<thor@xxxxxxxxxxxxxxx>
> > Sent: 7/13/07 6:12:36 PM
> > To: "isapros@xxxxxxxxxxxxx"<isapros@xxxxxxxxxxxxx>
> > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> >
> > Right... but it's the same for VPN, or SSH or whatever... or FTP for that
> > matter (though that of course doesn't give you remote desktop). The
> > vulnerability you outline is not compounded by RDP in any way - it's
> > compounded by any type of remote access, really.
> >
> > What method of remote access do you use that prevents access in the
> > scenario you outline?
> >
> > t
> >
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > Sent: Friday, July 13, 2007 4:38 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > >
> > > You don't need to BF the logon if you've stolen the creds or smart
> > > card. I know *you* wouldn't give out your creds, but I've heard that
> > > others do -- and losing a wallet or card is pretty common -- just look
> > > at the number of lost credit cards.
> > >
> > > Or perhaps the laptop with the RDP client with the customer source and
> > > dest port config is stolen (I've heard that happens too). That's why
> > > you need least privs, no matter how secure your authentication and
> > > authorization might be.
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> > > > (Hammer of God)
> > > > Sent: Friday, July 13, 2007 5:32 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > >
> > > > Right- and don't forget that one would not only have to find it, but
> > > > they would have to BF the logon, which I know from experience is tough
> > > > to do, if not impossible in the "properly" configured environments.
> > > >
> > > > I use RDP strictly to get to all my servers for admin.  It is, in fact,
> > > > the only way I do it.
> > > >
> > > > t
> > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > Sent: Friday, July 13, 2007 4:25 PM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > >
> > > > > Least privs is not limited to app acls, but to any access point or
> > > > > process.
> > > > > If I define my rules such that only traffic from port X to port Y is
> > > > > allowed, Joe HackerDewd is going to spend a *lot* of time trying to
> > > > > sort out the combination.
> > > > > If I instead choose to share that combination with a select few, then
> > > > > I've defined the limits of this control.
> > > > >
> > > > > Granted, RDP as currently deployed leaves a lot to be desired in the
> > > > > way of access and functionality controls & sandboxing, but as you've
> > > > > pointed out previously, hope is on the horizon...
> > > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > bounce@xxxxxxxxxxxxx]
> > > > > On Behalf Of Thomas W Shinder
> > > > > Sent: Friday, July 13, 2007 4:20 PM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > >
> > > > > Dude,
> > > > >
> > > > > Least privs!!! That has nothing to do with the transport. It's about
> > > > > allowing what's required and nothing more (except for da boyz).
> > > > >
> > > > > RDP does not do that (except for the per app publishing, which gets
> > > > > you least priv). Publishing a desktop for Tim to hack is not least
> > > > > priv.
> > > > >
> > > > > Thomas W Shinder, M.D.
> > > > > Site: www.isaserver.org
> > > > > Blog: http://blogs.isaserver.org/shinder
> > > > > Book: http://tinyurl.com/3xqb7
> > > > > MVP -- ISA Firewalls
> > > > >
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > Sent: Friday, July 13, 2007 5:08 PM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > >
> > > > > > Wait - I also allow SSL-protected RDP (though not on default ports).
> > > > > > RDP via SSL performs far better than RDP over VPN any day.
> > > > > > Is RDP via VPN stronger? - yes.
> > > > > > Can someone scan my ports and detect my RDP listener? - yes.
> > > > > >
> > > > > > As has been stated so many times, "security" is the balance between
> > > > > > what you are and are not willing to risk.
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > On Behalf Of Thomas W Shinder
> > > > > > Sent: Friday, July 13, 2007 4:02 PM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > >
> > > > > > Egzactly! So why give the guy who steals your lusers' credentials or
> > > > > > smart card the same opportunity? If there's something worth stealing,
> > > > > > someone will try, and a Remote Desktop Connection is giving the perp
> > > > > > the Keys to The Mint.
> > > > > >
> > > > > > That's why least privilege is always your friend. Violating it is
> > > > > > due to
> > > > > >
> > > > > > 1. Laziness
> > > > > > 2. Wishful Thinking
> > > > > > 3. Ignorance
> > > > > > 4. Belief in the inherent Goodness of all Men
> > > > > >
> > > > > > ;)
> > > > > >
> > > > > > Tom
> > > > > >
> > > > > > Thomas W Shinder, M.D.
> > > > > > Site: www.isaserver.org
> > > > > > Blog: http://blogs.isaserver.org/shinder
> > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > MVP -- ISA Firewalls
> > > > > >
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > Sent: Friday, July 13, 2007 4:56 PM
> > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > >
> > > > > > > <shot type="cheap">
> > > > > > > ..only to the women...
> > > > > > > </shot>
> > > > > > >
> > > > > > > If I didn't have a working relationship with Tim, I wouldn't trust
> > > > > > > him on my network any further than I could throw him (and he's hard
> > > > > > > to toss around, lemmetellya!)
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > > On Behalf Of Thor (Hammer of God)
> > > > > > > Sent: Friday, July 13, 2007 3:48 PM
> > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > >
> > > > > > > Who, me???  I'm harmless!
> > > > > > >
> > > > > > > t
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > > Sent: Friday, July 13, 2007 3:37 PM
> > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > >
> > > > > > > > Or to put it another way, you think Tim presents no risk to your
> > > > > > > > org in this scenario?
> > > > > > > >
> > > > > > > > Thomas W Shinder, M.D.
> > > > > > > > Site: www.isaserver.org
> > > > > > > > Blog: http://blogs.isaserver.org/shinder
> > > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > > MVP -- ISA Firewalls
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > > > Sent: Friday, July 13, 2007 4:30 PM
> > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > >
> > > > > > > > > So, if you give Tim a machine on your network that he can sit in
> > > > > > > > > front of, and give him a limited user account, do you think you're
> > > > > > > > > completely protected from what he might be able to do?
> > > > > > > > >
> > > > > > > > > Thomas W Shinder, M.D.
> > > > > > > > > Site: www.isaserver.org
> > > > > > > > > Blog: http://blogs.isaserver.org/shinder
> > > > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > > > MVP -- ISA Firewalls
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
> > > > > > > > > > Sent: Friday, July 13, 2007 4:24 PM
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > >
> > > > > > > > > > You could use GPOs to further lock down the interface for the
> > > > > > > > > > RDP user.
> > > > > > > > > >
> > > > > > > > > > As far as I understand it, Remote Administration only allows
> > > > > > > > > > for 2 concurrent connections.  The assumption is that you're
> > > > > > > > > > using an administrator but that doesn't have to be the case.
> > > > > > > > > >
> > > > > > > > > > You can lock down a regular user's use of the machine just as
> > > > > > > > > > you would internally.  I'm not sure I see any increased
> > > > > > > > > > concern here, except for an in-protocol hack attack against RDP.
> > > > > > > > > >
> > > > > > > > > > And with TLS, no more MITM attacks.
> > > > > > > > > >
> > > > > > > > > > Am I missing something?
> > > > > > > > > >
> > > > > > > > > > Cordially yours,
> > > > > > > > > > Jerry G. Young II
> > > > > > > > > > Application Engineer
> > > > > > > > > > Platform Engineering and Architecture
> > > > > > > > > > NTT America, an NTT Communications Company
> > > > > > > > > >
> > > > > > > > > > 22451 Shaw Rd.
> > > > > > > > > > Sterling, VA 20166
> > > > > > > > > >
> > > > > > > > > > Office: 571-434-1319
> > > > > > > > > > Fax: 703-333-6749
> > > > > > > > > > Email: g.young@xxxxxxxx
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > > > > Sent: Friday, July 13, 2007 6:20 PM
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > >
> > > > > > > > > > Not really. You still give the intruder a full-fledged machine
> > > > > > > > > > to work with.
> > > > > > > > > >
> > > > > > > > > > Thomas W Shinder, M.D.
> > > > > > > > > > Site: www.isaserver.org
> > > > > > > > > > Blog: http://blogs.isaserver.org/shinder
> > > > > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > > > > MVP -- ISA Firewalls
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
> > > > > > > > > > > Sent: Friday, July 13, 2007 4:15 PM
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > >
> > > > > > > > > > > You realize that you don't NEED to add a user to the local
> > > > > > > > > > > Administrators group to get access over RDP, yeah? It's just
> > > > > > > > > > > that by default only the local Administrators group is
> > > > > > > > > > > allowed to access the server over RDP.  You can grant that to
> > > > > > > > > > > a regular user and then su (runas) into an administrator
> > > > > > > > > > > account.  That would still meet least privilege reqs, yeah?
> > > > > > > > > > >
> > > > > > > > > > > Cordially yours,
> > > > > > > > > > > Jerry G. Young II
> > > > > > > > > > > Application Engineer
> > > > > > > > > > > Platform Engineering and Architecture
> > > > > > > > > > > NTT America, an NTT Communications Company
> > > > > > > > > > >
> > > > > > > > > > > 22451 Shaw Rd.
> > > > > > > > > > > Sterling, VA 20166
> > > > > > > > > > >
> > > > > > > > > > > Office: 571-434-1319
> > > > > > > > > > > Fax: 703-333-6749
> > > > > > > > > > > Email: g.young@xxxxxxxx
> > > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > > > > > Sent: Friday, July 13, 2007 5:28 PM
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > >
> > > > > > > > > > > BTW--why are you looking into RDP?
> > > > > > > > > > >
> > > > > > > > > > > I've always thought remote access to RDP was poison, since it
> > > > > > > > > > > epitomizes the violation of least privilege.
> > > > > > > > > > >
> > > > > > > > > > > Thomas W Shinder, M.D.
> > > > > > > > > > > Site: www.isaserver.org
> > > > > > > > > > > Blog: http://blogs.isaserver.org/shinder
> > > > > > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > > > > > MVP -- ISA Firewalls
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > > > > > > Sent: Friday, July 13, 2007 3:23 PM
> > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > >
> > > > > > > > > > > > Doesn't hurt to ask :)
> > > > > > > > > > > >
> > > > > > > > > > > > Thomas W Shinder, M.D.
> > > > > > > > > > > > Site: www.isaserver.org
> > > > > > > > > > > > Blog: http://blogs.isaserver.org/shinder
> > > > > > > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > > > > > > MVP -- ISA Firewalls
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > > > > > > > > > > > Sent: Friday, July 13, 2007 3:18 PM
> > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > > >
> > > > > > > > > > > > > Exactly.  Which is why I'm asking for it ;)
> > > > > > > > > > > > > t
> > > > > > > > > > > > >
> > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > > > > > > > > Sent: Friday, July 13, 2007 2:16 PM
> > > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > That's true -- this type of authentication is designed to
> > > > > > > > > > > > > > protect the client from "rogue" terminal servers. It doesn't
> > > > > > > > > > > > > > do anything to protect the server, nor is that the intent.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Thomas W Shinder, M.D.
> > > > > > > > > > > > > > Site: www.isaserver.org
> > > > > > > > > > > > > > Blog: http://blogs.isaserver.org/shinder
> > > > > > > > > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > > > > > > > > MVP -- ISA Firewalls
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > > > > > > > > > > > > > > Sent: Friday, July 13, 2007 2:05 PM
> > > > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Vista or the updated XP client.  You need to check under
> > > > > > > > > > > > > > > Advanced to select the connection type.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > But that is not what is important... what is important is
> > > > > > > > > > > > > > > that *the client* decides what to do in the current
> > > > > > > > > > > > > > > deployment of RDP/TLS in Win2k3 terminal services
> > > > > > > > > > > > > > > configurations. For "true" connection-based-on-certificate
> > > > > > > > > > > > > > > security, you must have functionality on the server to
> > > > > > > > > > > > > > > request and validate a certificate.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > This is why I went out of my way to describe the behavior,
> > > > > > > > > > > > > > > to avoid all of this ;)  So, the question was, does anyone
> > > > > > > > > > > > > > > know if this is being addressed in Longhorn...
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > t
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > > > > > > > > > > Sent: Friday, July 13, 2007 12:58 PM
> > > > > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Ok - what client are you using?
> > > > > > > > > > > > > > > > I've configured my own TS (not TSG) to use SSL encryption
> > > > > > > > > > > > > > > > and every time I connect with any hostname other than what
> > > > > > > > > > > > > > > > is presented by the cert subject, I get a "cert validation"
> > > > > > > > > > > > > > > > popup.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > > > > > > On Behalf Of Steve Moffat
> > > > > > > > > > > > > > > > Sent: Friday, July 13, 2007 12:39 PM
> > > > > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > No popups are presented......I helped with the testing.
> > > > > > > > > > > > > > > > Straight into the desktop.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > S
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > > > > > > On Behalf Of Jim Harrison
> > > > > > > > > > > > > > > > Sent: Friday, July 13, 2007 4:36 PM
> > > > > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > It's true that the client *can* connect, but not until the
> > > > > > > > > > > > > > > > user has acknowledged the popups that are produced when the
> > > > > > > > > > > > > > > > cert isn't trusted, fails to match the connection, etc.  This
> > > > > > > > > > > > > > > > is my point.
> > > > > > > > > > > > > > > > In fact, anyone programming against the TS COM will have to
> > > > > > > > > > > > > > > > make sure they handle this event properly.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Correct - TSG is not "TS Server using SSL" - that's RDP over
> > > > > > > > > > > > > > > > SSL (no HTTP involved).
> > > > > > > > > > > > > > > > TSG OTOH, is RPC/HTTP - you'll have to web-publish it to see
> > > > > > > > > > > > > > > > the URLs used, but when you do, the
> > > > > > > > > > > > > > > > /rpc/rpcproxy.dll?<servername>:3388 request will clarify
> > > > > > > > > > > > > > > > this for ya.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > > > > > > On Behalf Of Thor (Hammer of God)
> > > > > > > > > > > > > > > > Sent: Friday, July 13, 2007 12:04 PM
> > > > > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Actually, yes, it is *completely* wrong.  But let's make sure
> > > > > > > > > > > > > > > > we're not letting you launch one of your famous misdirection
> > > > > > > > > > > > > > > > threads ;)
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > I'm not talking about TSG (Terminal Services Gateway).  I'm
> > > > > > > > > > > > > > > > talking about Win2k3 Terminal Services configured to require
> > > > > > > > > > > > > > > > TLS/SSL: The client does *not* have to trust the CA at all -
> > > > > > > > > > > > > > > > it does not have to trust the cert, the ca, or the entire
> > > > > > > > > > > > > > > > chain for that matter, even though the articles say it must.
> > > > > > > > > > > > > > > > It doesn't.  The client can connect anyway... That's what is
> > > > > > > > > > > > > > > > wrong with the articles.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > I'm asking if Longhorn terminal services will fix this
> > > > > > > > > > > > > > > > natively. Tom's point about using ISA's SSL Client Certificate
> > > > > > > > > > > > > > > > Authorization for this is a great suggestion for TSG, but
> > > > > > > > > > > > > > > > that is a different animal.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > t
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > > > > > > > > > > > Sent: Friday, July 13, 2007 11:31 AM
> > > > > > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > It's not completely wrong; "..the client must trust the root
> > > > > > > > > > > > > > > > > certificate authority.." actually means "the client must
> > > > > > > > > > > > > > > > > trust the CA that issues the TSG server certificate", but I
> > > > > > > > > > > > > > > > > agree that it's less than clear.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Whether TSG will do this natively, I don't know (and kinda
> > > > > > > > > > > > > > > > > doubt), but I can certainly ask.
> > > > > > > > > > > > > > > > > As with OL, the question is more client- than server-based;
> > > > > > > > > > > > > > > > > IIS and any application that operates within it can use user
> > > > > > > > > > > > > > > > > cert auth, but so far, no RPC/HTTP client is capable of
> > > > > > > > > > > > > > > > > responding to a server that requires user cert auth.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > > > > > > > On Behalf Of Thor (Hammer of God)
> > > > > > > > > > > > > > > > > Sent: Friday, July 13, 2007 10:41 AM
> > > > > > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > While dude's article is clearly wrong, the MSFT KB's should be
> > > > > > > > > > > > > > > > > amended as well.  Saying "the client must trust the root
> > > > > > > > > > > > > > > > > certificate authority" is simply incorrect and misleading.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > But, more to the core question, since the ts gateway is not
> > > > > > > > > > > > > > > > > the place to enforce this, are there plans in place for
> > > > > > > > > > > > > > > > > longhorn terminal services to support client certificate
> > > > > > > > > > > > > > > > > requirements like IIS does?
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > t
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > > > > > > > > > > > > Sent: Friday, July 13, 2007 10:26 AM
> > > > > > > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > I just love it when "tribal knowledge" becomes "documented
> > > > > > > > > > > > > > > > > > fact".
> > > > > > > > > > > > > > > > > > It's clear from the "article" that the author never tested
> > > > > > > > > > > > > > > > > > any of the configuration or application statements he makes.
> > > > > > > > > > > > > > > > > > Even the dialog for his "attempt authentication" screenshot
> > > > > > > > > > > > > > > > > > clearly states "Authentication will confirm the identity of
> > > > > > > > > > > > > > > > > > the remote computer to which you connect" - NOT
> > > > > > > > > > > > > > > > > > "Authentication will confirm the identity of the user/machine
> > > > > > > > > > > > > > > > > > **from which you connect**".
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > In theory you *could* require user cert auth, but I don't
> > > > > > > > > > > > > > > > > > know if the TSG client will respond appropriately. Since TSG
> > > > > > > > > > > > > > > > > > is "just" RPC/HTTP, it's rpcrt4.dll that handles the
> > > > > > > > > > > > > > > > > > translation between RPC and HTTP and AFAIK, it only handles
> > > > > > > > > > > > > > > > > > Basic and NTLM.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Because TSG is RPC/HTTP, you can configure the /RPC vroot to
> > > > > > > > > > > > > > > > > > require user certs and thus impose this requirement on your
> > > > > > > > > > > > > > > > > > connecting clients to test this theory.  Of course, if you
> > > > > > > > > > > > > > > > > > also share this vroot with Exchange RPC/HTTP you'll break OL
> > > > > > > > > > > > > > > > > > connections, since they can't handle cert auth.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > [mailto:isapros-
> > > > > > > > > > > > > > > > > > bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > > > > > > > > On Behalf Of Thor (Hammer of God)
> > > > > > > > > > > > > > > > > > Sent: Friday, July 13, 2007 9:29 AM
> > > > > > > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > > > > Subject: [isapros] OT: Requiring
> > > > client-side
> > > > > > > > > > > certs for RDP
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Greets:
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Windows Server 2003 SP1 allows one to
> > > > > > configure
> > > > > > > > > > > > > > > > server-authentication
> > > > > > > > > > > > > > > > > > via certificate for RDP over TLS/SSL.
> > > > > >   The MSFT
> > > > > > > > > > > > > articles say
> > > > > > > > > > > > > > > > things
> > > > > > > > > > > > > > > > > > like "the client must trust the
> > > > certificate"
> > > > > > > > > > > etc in their
> > > > > > > > > > > > > > > > > > client-configuration notes, and other
> > > > > articles
> > > > > > > > > > > > specify that
> > > > > > > > > > > > > you
> > > > > > > > > > > > > > > can
> > > > > > > > > > > > > > > > > > control access to RDP by issuing self
> > > > > > > > > signed certs and
> > > > > > > > > > > > > > > controlling
> > > > > > > > > > > > > > > > > > distribution.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > This presents the illusion that one
> can
> > > > limit
> > > > > > > > > > > > connections to
> > > > > > > > > > > > > > RDP
> > > > > > > > > > > > > > > on
> > > > > > > > > > > > > > > > a
> > > > > > > > > > > > > > > > > > Win2k3 server via this method.  See:
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> http://support.microsoft.com/kb/895433
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > >
> > > > > >
> > > >
> > http://technet2.microsoft.com/windowsserver/en/Library/a92d8eb9-f53d-
> > > > > > > > > > > > > > > > > > 4e8
> > > > > > > > > > > > > > > > > > 6-ac9b-29fd6146977b1033.mspx
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > http://www.windowsecurity.com/articles/Secure-remote-
> desktop-
> > > > > > > > > > > > > > > > > > connections
> > > > > > > > > > > > > > > > > > -TLS-SSL-based-authentication.html
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Win2k3 Terminal Services allows one
> to
> > > > > > > > > > require security
> > > > > > > > > > > > > levels,
> > > > > > > > > > > > > > > but
> > > > > > > > > > > > > > > > > > only
> > > > > > > > > > > > > > > > > > provides "server" authentication - it
> > > does
> > > > > not
> > > > > > > > > > > > allow you to
> > > > > > > > > > > > > > > require
> > > > > > > > > > > > > > > > a
> > > > > > > > > > > > > > > > > > particular certification to be
> > > > > > requested of the
> > > > > > > > > > > > > client (as IIS
> > > > > > > > > > > > > > > > does).
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Snips from the windowsecurity article
> > > > > compound
> > > > > > > this
> > > > > > > > > > > > > perception:
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > <snip>
> > > > > > > > > > > > > > > > > > The threat becomes even bigger, when
> > the
> > > > > > > > > > server running
> > > > > > > > > > > > > > > Microsoft
> > > > > > > > > > > > > > > > > > Windows Terminal Services is
> > > > > > accessible from the
> > > > > > > > > > > > > > > Internet through
> > > > > > > > > > > > > > > > an
> > > > > > > > > > > > > > > > > > RDP
> > > > > > > > > > > > > > > > > > connection on port 3389, even though
> > > > > > you have an
> > > > > > > > > > > > > > > advanced firewall
> > > > > > > > > > > > > > > > > such
> > > > > > > > > > > > > > > > > > as ISA Server in front of it. A
> > scenario
> > > > that
> > > > > > > > > > is common
> > > > > > > > > > > > > > > especially
> > > > > > > > > > > > > > > > > for
> > > > > > > > > > > > > > > > > > Microsoft Small Business Server
> users.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > The good news however, is that you
> can
> > > > > prevent
> > > > > > > > these
> > > > > > > > > > > > > > > attacks. The
> > > > > > > > > > > > > > > > > > solution is certificate based
> computer
> > > > > > > > > > > > > authentication. If the
> > > > > > > > > > > > > > > > > computer
> > > > > > > > > > > > > > > > > > cannot authenticate itself by
> > > > > > presenting a valid
> > > > > > > > > > > > certificate
> > > > > > > > > > > > > to
> > > > > > > > > > > > > > > the
> > > > > > > > > > > > > > > > > > terminal server it is trying to
> > > > connect to,
> > > > > > > > > > then the RDP
> > > > > > > > > > > > > > > connection
> > > > > > > > > > > > > > > > > > will
> > > > > > > > > > > > > > > > > > be dropped before the user has a
> chance
> > > > > > > to attempt
> > > > > > > > > > > > > to log on.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > </snip>
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > This is simply untrue.  The
> > > > client does not
> > > > > > > > > > > > "present a valid
> > > > > > > > > > > > > > > > > > certificate" at all.  It either
> trusts
> > > > > > > the server
> > > > > > > > > > > > > or not, and
> > > > > > > > > > > > > > it
> > > > > > > > > > > > > > > is
> > > > > > > > > > > > > > > > > up
> > > > > > > > > > > > > > > > > > to the client to make that decision.
> > > > > > While RDP
> > > > > > > > > > > > > clients 6 and
> > > > > > > > > > > > > > > below
> > > > > > > > > > > > > > > > > > only
> > > > > > > > > > > > > > > > > > allow "No auth, attempt, or require"
> > > which
> > > > > > > > > do provide
> > > > > > > > > > > > > > > the expected
> > > > > > > > > > > > > > > > > > behavior, updated or alternate
> > > > clients (like
> > > > > > > Vista)
> > > > > > > > > > > > > allow you
> > > > > > > > > > > > > > to
> > > > > > > > > > > > > > > > > > connect
> > > > > > > > > > > > > > > > > > anyway.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > This being said, does anyone know if
> > > > > > the current
> > > > > > > > > > > > longhorn/ts
> > > > > > > > > > > > > > > > gateway
> > > > > > > > > > > > > > > > > > features will actually allow
> > > > > > > enforcement of client
> > > > > > > > > > > > > certificates
> > > > > > > > > > > > > > > > such
> > > > > > > > > > > > > > > > > a
> > > > > > > > > > > > > > > > > > requiring client certs that are
> signed
> > by
> > > > > > > > particular
> > > > > > > > > > > > > > > authorities?
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Sorry for all the detail, but I
> > > > > > wanted to avoid
> > > > > > > > > > > > > people saying
> > > > > > > > > > > > > > > > "Sure,
> > > > > > > > > > > > > > > > > > just require TLS for RDP".
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > t
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > All mail to and from this domain is
> > > > > > GFI-scanned.