[isapros] Re: OT: Requiring client-side certs for RDP
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: <isapros@xxxxxxxxxxxxx>
- Date: Fri, 13 Jul 2007 16:22:45 -0500
Doesn't hurt to ask :)
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> (Hammer of God)
> Sent: Friday, July 13, 2007 3:18 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: OT: Requiring client-side certs for RDP
>
> Exactly. Which is why I'm asking for it ;)
> t
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Friday, July 13, 2007 2:16 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> >
> > That's true -- this type of authentication is designed to
> protect the
> > client from "rogue" terminal servers. It doesn't do anything to
> protect
> > the server, nor is that the intent.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> >
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> > > (Hammer of God)
> > > Sent: Friday, July 13, 2007 2:05 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > >
> > > Vista or the updated XP client. You need to check under
> Advanced to
> > > select the connection type.
> > >
> > > But that is not what is important... what is important is
> that *the
> > > client* decides what to do in the current deployment of RDP/TLS in
> > > Win2k3 terminal services configurations. For "true"
> > > connection-based-on-certificate security, you must have
> > > functionality on
> > > the server to request and validate a certificate.
> > >
> > > This is why I went out of my way to describe the behavior, to
> > > avoid all
> > > of this ;) So, the question was, does anyone know if
> this is being
> > > addressed in Longhorn...
> > >
> > > t
> > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Friday, July 13, 2007 12:58 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > >
> > > > Ok - what client are you using?
> > > > I've configured my own TS (not TSG) to use SSL encraption and
> every
> > > > time
> > > > I connect with any hostname other than what is presented by the
> > cert
> > > > subject, I get a "cert validation" popup.
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Steve Moffat
> > > > Sent: Friday, July 13, 2007 12:39 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > >
> > > > No popups are presented......I helped with the testing.
> > > Straight into
> > > > the desktop.
> > > >
> > > > S
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Jim Harrison
> > > > Sent: Friday, July 13, 2007 4:36 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > >
> > > > It's true that the client *can* connect, but not until the user
> has
> > > > acknowledged the popups that are produced whtn the cert
> > > isn't trusted,
> > > > fails to match the connection, etc. This is my point.
> > > > In fact, anyone programming against the TS COM will have to
> > > make sure
> > > > they handle this event properly.
> > > >
> > > > Correct - TSG is not "TS Server using SSL" - that's RDP over SSL
> > (no
> > > > HTTP involved).
> > > > TSG OTOH, is RPC/HTTP - you'll have to web-publish it to
> > > see the URLs
> > > > used, but when you do, the
> > > /rpc/rpcproxy.dll?<servername>:3388 request
> > > > will clarify this for ya.
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Thor (Hammer of God)
> > > > Sent: Friday, July 13, 2007 12:04 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > >
> > > > Actually, yes, it is *completely* wrong. But let's make sure
> we're
> > > not
> > > > letting you launch one of your famous misdirection threads ;)
> > > >
> > > > I'm not talking about TSG (Terminal Services Gateway). I'm
> talking
> > > > about Win2k3 Terminal Services configured to require
> TLS/SSL: The
> > > > client
> > > > does *not* have to trust the CA at all - it does not have
> > > to trust the
> > > > cert, the ca, or the entire chain for that matter, even
> though the
> > > > articles say it must. It doesn't. The client can connect
> anyway...
> > > > That's what is wrong with the articles.
> > > >
> > > > I'm asking if Longhorn terminal services will fix this natively.
> > > Tom's
> > > > point about using ISA's SSL Client Certificate
> > > Authorization for this
> > > > is
> > > > a great suggestion for TSG, but that is a different animal.
> > > >
> > > > t
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > Sent: Friday, July 13, 2007 11:31 AM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > >
> > > > > It's not completely wrong; "..the client must trust the root
> > > > > certificate
> > > > > authority.." actually means "the client must trust the CA that
> > > issues
> > > > > the TSG server certificate", but I agree that it's less
> > > than clear.
> > > > >
> > > > > Whether TSG will do this natively, I don't know (and kinda
> > doubt),
> > > > but
> > > > > I
> > > > > can certainly ask.
> > > > > As with OL, the question is more client- than
> > > server-based; IIS and
> > > > any
> > > > > application that operates within it can use user cert
> auth, but
> > so
> > > > far,
> > > > > no RPC/HTTP client is capable of responding to a server that
> > > requires
> > > > > user cert auth.
> > > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > bounce@xxxxxxxxxxxxx]
> > > > > On Behalf Of Thor (Hammer of God)
> > > > > Sent: Friday, July 13, 2007 10:41 AM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > >
> > > > > While dude's article is clearly wrong, the MSFT KB's should be
> > > > amended
> > > > > as well. Saying "the client must trust the root certificate
> > > > authority"
> > > > > is simply incorrect and misleading.
> > > > >
> > > > > But, more to the core question, since the ts gateway
> is not the
> > > place
> > > > > to
> > > > > enforce this, are there plans in place for longhorn terminal
> > > services
> > > > > to
> > > > > support client certificate requirements like IIS does?
> > > > >
> > > > > t
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > Sent: Friday, July 13, 2007 10:26 AM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: OT: Requiring client-side
> certs for RDP
> > > > > >
> > > > > > I just love it when "tribal knowledge" becomes
> > > "documented fact".
> > > > > > It's clear from the "article" that the author never
> > > tested any of
> > > > the
> > > > > > configuration or application statements he makes.
> > > > > > Even the dialog for his "attempt authentication" screenshot
> > > clearly
> > > > > > states "Authentication will confirm the identity of
> the remote
> > > > > computer
> > > > > > to which you connect" - NOT "Authentication will confirm the
> > > > identity
> > > > > > of
> > > > > > the user/machine **from which you connect**".
> > > > > >
> > > > > > In theory you *could* require user cert auth, but I
> > > don't know if
> > > > > the
> > > > > > TSG client will respond appropriately. Since TSG is "just"
> > > > RPC/HTTP,
> > > > > > it's rpcrt4.dll that handles the translation between
> > > RPC and HTTP
> > > > and
> > > > > > AFAIK, it only handles Basic and NTLM.
> > > > > >
> > > > > > Because TSG is RPC/HTTP, you can configure the /RPC vroot to
> > > > require
> > > > > > user certs and thus impose this requirement on your
> connecting
> > > > > clients
> > > > > > to test this theory. Of course, if you also share this
> > > vroot with
> > > > > > Exchange RPC/HTTP you'll break OL connections, since they
> can't
> > > > > handle
> > > > > > cert auth.
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > bounce@xxxxxxxxxxxxx]
> > > > > > On Behalf Of Thor (Hammer of God)
> > > > > > Sent: Friday, July 13, 2007 9:29 AM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] OT: Requiring client-side certs for RDP
> > > > > >
> > > > > > Greets:
> > > > > >
> > > > > >
> > > > > >
> > > > > > Windows Server 2003 SP1 allows one to configure
> > > > server-authentication
> > > > > > via certificate for RDP over TLS/SSL. The MSFT
> articles say
> > > > things
> > > > > > like "the client must trust the certificate" etc in their
> > > > > > client-configuration notes, and other articles specify that
> you
> > > can
> > > > > > control access to RDP by issuing self signed certs and
> > > controlling
> > > > > > distribution.
> > > > > >
> > > > > >
> > > > > >
> > > > > > This presents the illusion that one can limit connections to
> > RDP
> > > on
> > > > a
> > > > > > Win2k3 server via this method. See:
> > > > > >
> > > > > > http://support.microsoft.com/kb/895433
> > > > > >
> > > > > >
> > > >
> > >
> http://technet2.microsoft.com/windowsserver/en/Library/a92d8eb9-f53d-
> > > > > > 4e8
> > > > > > 6-ac9b-29fd6146977b1033.mspx
> > > > > >
> > > > > >
> http://www.windowsecurity.com/articles/Secure-remote-desktop-
> > > > > > connections
> > > > > > -TLS-SSL-based-authentication.html
> > > > > >
> > > > > >
> > > > > >
> > > > > > Win2k3 Terminal Services allows one to require security
> levels,
> > > but
> > > > > > only
> > > > > > provides "server" authentication - it does not allow you to
> > > require
> > > > a
> > > > > > particular certification to be requested of the
> client (as IIS
> > > > does).
> > > > > >
> > > > > >
> > > > > >
> > > > > > Snips from the windowsecurity article compound this
> perception:
> > > > > >
> > > > > > <snip>
> > > > > > The threat becomes even bigger, when the server running
> > > Microsoft
> > > > > > Windows Terminal Services is accessible from the
> > > Internet through
> > > > an
> > > > > > RDP
> > > > > > connection on port 3389, even though you have an
> > > advanced firewall
> > > > > such
> > > > > > as ISA Server in front of it. A scenario that is common
> > > especially
> > > > > for
> > > > > > Microsoft Small Business Server users.
> > > > > >
> > > > > > The good news however, is that you can prevent these
> > > attacks. The
> > > > > > solution is certificate based computer
> authentication. If the
> > > > > computer
> > > > > > cannot authenticate itself by presenting a valid certificate
> to
> > > the
> > > > > > terminal server it is trying to connect to, then the RDP
> > > connection
> > > > > > will
> > > > > > be dropped before the user has a chance to attempt
> to log on.
> > > > > >
> > > > > > </snip>
> > > > > >
> > > > > >
> > > > > >
> > > > > > This is simply untrue. The client does not "present a valid
> > > > > > certificate" at all. It either trusts the server
> or not, and
> > it
> > > is
> > > > > up
> > > > > > to the client to make that decision. While RDP
> clients 6 and
> > > below
> > > > > > only
> > > > > > allow "No auth, attempt, or require" which do provide
> > > the expected
> > > > > > behavior, updated or alternate clients (like Vista)
> allow you
> > to
> > > > > > connect
> > > > > > anyway.
> > > > > >
> > > > > >
> > > > > >
> > > > > > This being said, does anyone know if the current longhorn/ts
> > > > gateway
> > > > > > features will actually allow enforcement of client
> certificates
> > > > such
> > > > > a
> > > > > > requiring client certs that are signed by particular
> > > authorities?
> > > > > >
> > > > > >
> > > > > >
> > > > > > Sorry for all the detail, but I wanted to avoid
> people saying
> > > > "Sure,
> > > > > > just require TLS for RDP".
> > > > > >
> > > > > >
> > > > > >
> > > > > > t
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > All mail to and from this domain is GFI-scanned.
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > All mail to and from this domain is GFI-scanned.
> > > > >
> > > >
> > > >
> > > >
> > > > All mail to and from this domain is GFI-scanned.
> > > >
> > > >
> > > >
> > > >
> > > > All mail to and from this domain is GFI-scanned.
> > > >
> > >
> > >
> > >
> > >
>
>
>
>
Other related posts:
