[isapros] Re: OT: Requiring client-side certs for RDP

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 13 Jul 2007 19:21:03 -0600

Dude,
I thought you were a devotee of least priv!
I'll write out the scenarios if I ever get home.

Sent via Windows Mobile through ISA Firewall protected Exchange Servers


-----Original Message-----
From: "Thor (Hammer of God)"<thor@xxxxxxxxxxxxxxx>
Sent: 7/13/07 6:12:36 PM
To: "isapros@xxxxxxxxxxxxx"<isapros@xxxxxxxxxxxxx>
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

Right... but it's the same for VPN, or SSH or whatever... or FTP for
that matter (though that of course doesn't give you remote desktop).
The vulnerability you outline is not compounded by RDP in any way - it's
compounded by any type of remote access, really.

What method of remote access do you use that prevents access in the
scenario you outline?

t


> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Friday, July 13, 2007 4:38 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> 
> You don't need to BF the log on if you've stolen the creds or smart
> card. I know *you* wouldn't give out your creds, but I've heard that
> others do -- and losing a wallet or card is pretty common -- just look
> at the number of lost credit cards.
> 
> Or perhaps the laptop with the RDP client with the custom source and
> dest port config is stolen (I've heard that happens too). That's why you
> need least privs, no matter how secure your authentication and
> authorization might be.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
> 
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> > (Hammer of God)
> > Sent: Friday, July 13, 2007 5:32 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> >
> > Right- and don't forget that one would not only have to find it, but
> > they would have to BF the logon, which I know from experience is tough
> > to do, if not impossible in the "properly" configured environments.
> >
> > I use RDP strictly to get to all my servers for admin.  It is, in fact,
> > the only way I do it.
> >
> > t
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Friday, July 13, 2007 4:25 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > >
> > > Least privs is not limited to app acls, but to any access point or
> > > process.
> > > If I define my rules such that only traffic from port X to port Y is
> > > allowed, Joe HackerDewd is going to spend a *lot* of time trying to
> > > sort out the combination.
> > > If I instead choose to share that combination with a select few, then
> > > I've defined the limits of this control.
> > >
> > > Granted, RDP as currently deployed leaves a lot to be desired in the
> > > way of access and functionality controls & sandboxing, but as you've
> > > pointed out previously, hope is on the horizon...
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Thomas W Shinder
> > > Sent: Friday, July 13, 2007 4:20 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > >
> > > Dude,
> > >
> > > Least privs!!! That has nothing to do with the transport. It's about
> > > allowing what's required and nothing more (except for da boyz).
> > >
> > > RDP does not do that (except for the per app publishing, which gets you
> > > least priv). Publishing a desktop for Tim to hack is not least priv.
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Friday, July 13, 2007 5:08 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > >
> > > > Wait - I also allow SSL-protected RDP (though not on default ports).
> > > > RDP via SSL performs far better than RDP over VPN any day.
> > > > Is RDP via VPN stronger? - yes.
> > > > Can someone scan my ports and detect my RDP listener? - yes.
> > > >
> > > > As has been stated so many times, "security" is the balance between
> > > > what you are and are not willing to risk.
> > > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > On Behalf Of Thomas W Shinder
> > > > Sent: Friday, July 13, 2007 4:02 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > >
> > > > Egzactly! So why give the guy who steals your lusers' credentials or
> > > > smart card the same opportunity? If there's something worth stealing,
> > > > someone will try, and a Remote Desktop Connection is giving the perp
> > > > the Keys to The Mint.
> > > >
> > > > That's why least privilege is always your friend. Violating it is
> > > > due to
> > > >
> > > > 1. Laziness
> > > > 2. Wishful Thinking
> > > > 3. Ignorance
> > > > 4. Belief in the inherent Goodness of all Men
> > > >
> > > > ;)
> > > >
> > > > Tom
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://blogs.isaserver.org/shinder
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- ISA Firewalls
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > Sent: Friday, July 13, 2007 4:56 PM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > >
> > > > > <shot type="cheap">
> > > > > ..only to the women...
> > > > > </shot>
> > > > >
> > > > > If I didn't have a working relationship with Tim, I wouldn't trust
> > > > > him on my network any further than I could throw him (and he's hard
> > > > > to toss around, lemmetellya!)
> > > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > On Behalf Of Thor (Hammer of God)
> > > > > Sent: Friday, July 13, 2007 3:48 PM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > >
> > > > > Who, me???  I'm harmless!
> > > > >
> > > > > t
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > Sent: Friday, July 13, 2007 3:37 PM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > >
> > > > > > Or to put it another way, you think Tim presents no risk to your
> > > > > > org in this scenario?
> > > > > >
> > > > > > Thomas W Shinder, M.D.
> > > > > > Site: www.isaserver.org
> > > > > > Blog: http://blogs.isaserver.org/shinder
> > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > MVP -- ISA Firewalls
> > > > > >
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > Sent: Friday, July 13, 2007 4:30 PM
> > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > >
> > > > > > > So, if you give Tim a machine on your network that he can sit in
> > > > > > > front of, and give him a limited user account, do you think
> > > > > > > you're completely protected from what he might be able to do?
> > > > > > >
> > > > > > > Thomas W Shinder, M.D.
> > > > > > > Site: www.isaserver.org
> > > > > > > Blog: http://blogs.isaserver.org/shinder
> > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > MVP -- ISA Firewalls
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
> > > > > > > > Sent: Friday, July 13, 2007 4:24 PM
> > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > >
> > > > > > > > You could use GPOs to further lock down the interface for the
> > > > > > > > RDP user.
> > > > > > > >
> > > > > > > > As far as I understand it, Remote Administration only allows
> > > > > > > > for 2 concurrent connections.  The assumption is that you're
> > > > > > > > using an administrator but that doesn't have to be the case.
> > > > > > > >
> > > > > > > > You can lock down a regular user's use of the machine just as
> > > > > > > > you would internally.  I'm not sure I see any increased
> > > > > > > > concern here, except for an in-protocol hack attack against RDP.
> > > > > > > >
> > > > > > > > And with TLS, no more MITM attacks.
> > > > > > > >
> > > > > > > > Am I missing something?
> > > > > > > >
> > > > > > > > Cordially yours,
> > > > > > > > Jerry G. Young II
> > > > > > > > Application Engineer
> > > > > > > > Platform Engineering and Architecture
> > > > > > > > NTT America, an NTT Communications Company
> > > > > > > >
> > > > > > > > 22451 Shaw Rd.
> > > > > > > > Sterling, VA 20166
> > > > > > > >
> > > > > > > > Office: 571-434-1319
> > > > > > > > Fax: 703-333-6749
> > > > > > > > Email: g.young@xxxxxxxx
> > > > > > > >
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > > Sent: Friday, July 13, 2007 6:20 PM
> > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > >
> > > > > > > > Not really. You still give the intruder a full-fledged machine
> > > > > > > > to work with.
> > > > > > > >
> > > > > > > > Thomas W Shinder, M.D.
> > > > > > > > Site: www.isaserver.org
> > > > > > > > Blog: http://blogs.isaserver.org/shinder
> > > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > > MVP -- ISA Firewalls
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
> > > > > > > > > Sent: Friday, July 13, 2007 4:15 PM
> > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > >
> > > > > > > > > You realize that you don't NEED to add a user to the local
> > > > > > > > > Administrators group to get access over RDP, yeah?  It's just
> > > > > > > > > that by default only the local Administrators group is
> > > > > > > > > allowed to access the server over RDP.  You can grant that to
> > > > > > > > > a regular user and then su (runas) into an administrator
> > > > > > > > > account.  That would still meet least privilege reqs, yeah?
> > > > > > > > >
> > > > > > > > > Cordially yours,
> > > > > > > > > Jerry G. Young II
> > > > > > > > > Application Engineer
> > > > > > > > > Platform Engineering and Architecture
> > > > > > > > > NTT America, an NTT Communications Company
> > > > > > > > >
> > > > > > > > > 22451 Shaw Rd.
> > > > > > > > > Sterling, VA 20166
> > > > > > > > >
> > > > > > > > > Office: 571-434-1319
> > > > > > > > > Fax: 703-333-6749
> > > > > > > > > Email: g.young@xxxxxxxx
> > > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > > > Sent: Friday, July 13, 2007 5:28 PM
> > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > >
> > > > > > > > > BTW--why are you looking into RDP?
> > > > > > > > >
> > > > > > > > > I've always thought remote access to RDP was poison, since it
> > > > > > > > > epitomizes the violation of least privilege.
> > > > > > > > >
> > > > > > > > > Thomas W Shinder, M.D.
> > > > > > > > > Site: www.isaserver.org
> > > > > > > > > Blog: http://blogs.isaserver.org/shinder
> > > > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > > > MVP -- ISA Firewalls
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > > > > Sent: Friday, July 13, 2007 3:23 PM
> > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > >
> > > > > > > > > > Doesn't hurt to ask :)
> > > > > > > > > >
> > > > > > > > > > Thomas W Shinder, M.D.
> > > > > > > > > > Site: www.isaserver.org
> > > > > > > > > > Blog: http://blogs.isaserver.org/shinder
> > > > > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > > > > MVP -- ISA Firewalls
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> > > > > > > > > > > (Hammer of God)
> > > > > > > > > > > Sent: Friday, July 13, 2007 3:18 PM
> > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > >
> > > > > > > > > > > Exactly.  Which is why I'm asking for it ;)
> > > > > > > > > > > t
> > > > > > > > > > >
> > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > > > > > > > > Sent: Friday, July 13, 2007 2:16 PM
> > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > >
> > > > > > > > > > > > That's true -- this type of authentication is designed to
> > > > > > > > > > > > protect the client from "rogue" terminal servers. It
> > > > > > > > > > > > doesn't do anything to protect the server, nor is that
> > > > > > > > > > > > the intent.
> > > > > > > > > > > >
> > > > > > > > > > > > Thomas W Shinder, M.D.
> > > > > > > > > > > > Site: www.isaserver.org
> > > > > > > > > > > > Blog: http://blogs.isaserver.org/shinder
> > > > > > > > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > > > > > > > MVP -- ISA Firewalls
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> > > > > > > > > > > > > (Hammer of God)
> > > > > > > > > > > > > Sent: Friday, July 13, 2007 2:05 PM
> > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > > >
> > > > > > > > > > > > > Vista or the updated XP client.  You need to check under
> > > > > > > > > > > > > Advanced to select the connection type.
> > > > > > > > > > > > >
> > > > > > > > > > > > > But that is not what is important... what is important is
> > > > > > > > > > > > > that *the client* decides what to do in the current
> > > > > > > > > > > > > deployment of RDP/TLS in Win2k3 terminal services
> > > > > > > > > > > > > configurations.  For "true" connection-based-on-certificate
> > > > > > > > > > > > > security, you must have functionality on the server to
> > > > > > > > > > > > > request and validate a certificate.
> > > > > > > > > > > > >
> > > > > > > > > > > > > This is why I went out of my way to describe the behavior,
> > > > > > > > > > > > > to avoid all of this ;)  So, the question was, does anyone
> > > > > > > > > > > > > know if this is being addressed in Longhorn...
> > > > > > > > > > > > >
> > > > > > > > > > > > > t
> > > > > > > > > > > > >
> > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > > > > > > > > Sent: Friday, July 13, 2007 12:58 PM
> > > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Ok - what client are you using?
> > > > > > > > > > > > > > I've configured my own TS (not TSG) to use SSL encraption
> > > > > > > > > > > > > > and every time I connect with any hostname other than what
> > > > > > > > > > > > > > is presented by the cert subject, I get a "cert
> > > > > > > > > > > > > > validation" popup.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > > > > > > bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > > > > On Behalf Of Steve Moffat
> > > > > > > > > > > > > > Sent: Friday, July 13, 2007 12:39 PM
> > > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > No popups are presented......I helped with the testing.
> > > > > > > > > > > > > > Straight into the desktop.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > S
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > > > > > > bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > > > > On Behalf Of Jim Harrison
> > > > > > > > > > > > > > Sent: Friday, July 13, 2007 4:36 PM
> > > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > It's true that the client *can* connect, but not until the
> > > > > > > > > > > > > > user has acknowledged the popups that are produced when the
> > > > > > > > > > > > > > cert isn't trusted, fails to match the connection, etc.
> > > > > > > > > > > > > > This is my point.
> > > > > > > > > > > > > > In fact, anyone programming against the TS COM will have to
> > > > > > > > > > > > > > make sure they handle this event properly.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Correct - TSG is not "TS Server using SSL" - that's RDP over
> > > > > > > > > > > > > > SSL (no HTTP involved).
> > > > > > > > > > > > > > TSG OTOH, is RPC/HTTP - you'll have to web-publish it to
> > > > > > > > > > > > > > see the URLs used, but when you do, the
> > > > > > > > > > > > > > /rpc/rpcproxy.dll?<servername>:3388 request will clarify
> > > > > > > > > > > > > > this for ya.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > > > > > > bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > > > > On Behalf Of Thor (Hammer of God)
> > > > > > > > > > > > > > Sent: Friday, July 13, 2007 12:04 PM
> > > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Actually, yes, it is *completely* wrong.  But let's make sure
> > > > > > > > > > > > > > we're not letting you launch one of your famous misdirection
> > > > > > > > > > > > > > threads ;)
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I'm not talking about TSG (Terminal Services Gateway).  I'm
> > > > > > > > > > > > > > talking about Win2k3 Terminal Services configured to require
> > > > > > > > > > > > > > TLS/SSL: The client does *not* have to trust the CA at all -
> > > > > > > > > > > > > > it does not have to trust the cert, the ca, or the entire
> > > > > > > > > > > > > > chain for that matter, even though the articles say it must.
> > > > > > > > > > > > > > It doesn't.  The client can connect anyway... That's what is
> > > > > > > > > > > > > > wrong with the articles.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I'm asking if Longhorn terminal services will fix this
> > > > > > > > > > > > > > natively.  Tom's point about using ISA's SSL Client
> > > > > > > > > > > > > > Certificate Authorization for this is a great suggestion for
> > > > > > > > > > > > > > TSG, but that is a different animal.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > t
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > > > > > > > > > Sent: Friday, July 13, 2007 11:31 AM
> > > > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > It's not completely wrong; "..the client must trust the root
> > > > > > > > > > > > > > > certificate authority.." actually means "the client must
> > > > > > > > > > > > > > > trust the CA that issues the TSG server certificate", but I
> > > > > > > > > > > > > > > agree that it's less than clear.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Whether TSG will do this natively, I don't know (and kinda
> > > > > > > > > > > > > > > doubt), but I can certainly ask.
> > > > > > > > > > > > > > > As with OL, the question is more client- than server-based;
> > > > > > > > > > > > > > > IIS and any application that operates within it can use user
> > > > > > > > > > > > > > > cert auth, but so far, no RPC/HTTP client is capable of
> > > > > > > > > > > > > > > responding to a server that requires user cert auth.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > > > > > > > bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > > > > > On Behalf Of Thor (Hammer of God)
> > > > > > > > > > > > > > > Sent: Friday, July 13, 2007 10:41 AM
> > > > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > While dude's article is clearly wrong, the MSFT KB's should
> > > > > > > > > > > > > > > be amended as well.  Saying "the client must trust the root
> > > > > > > > > > > > > > > certificate authority" is simply incorrect and misleading.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > But, more to the core question, since the ts gateway is not
> > > > > > > > > > > > > > > the place to enforce this, are there plans in place for
> > > > > > > > > > > > > > > longhorn terminal services to support client certificate
> > > > > > > > > > > > > > > requirements like IIS does?
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > t
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > > > > > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > > > > > > > > > > Sent: Friday, July 13, 2007 10:26 AM
> > > > > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > I just love it when "tribal knowledge" becomes "documented
> > > > > > > > > > > > > > > > fact".
> > > > > > > > > > > > > > > > It's clear from the "article" that the author never tested
> > > > > > > > > > > > > > > > any of the configuration or application statements he makes.
> > > > > > > > > > > > > > > > Even the dialog for his "attempt authentication" screenshot
> > > > > > > > > > > > > > > > clearly states "Authentication will confirm the identity of
> > > > > > > > > > > > > > > > the remote computer to which you connect" - NOT
> > > > > > > > > > > > > > > > "Authentication will confirm the identity of the
> > > > > > > > > > > > > > > > user/machine **from which you connect**".
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > In theory you *could* require user cert auth, but I don't
> > > > > > > > > > > > > > > > know if the TSG client will respond appropriately.  Since
> > > > > > > > > > > > > > > > TSG is "just" RPC/HTTP, it's rpcrt4.dll that handles the
> > > > > > > > > > > > > > > > translation between RPC and HTTP and AFAIK, it only handles
> > > > > > > > > > > > > > > > Basic and NTLM.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Because TSG is RPC/HTTP, you can configure the /RPC vroot to
> > > > > > > > > > > > > > > > require user certs and thus impose this requirement on your
> > > > > > > > > > > > > > > > connecting clients to test this theory.  Of course, if you
> > > > > > > > > > > > > > > > also share this vroot with Exchange RPC/HTTP you'll break OL
> > > > > > > > > > > > > > > > connections, since they can't handle cert auth.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > > > > > > > > > > > > bounce@xxxxxxxxxxxxx]
> > > > > > > > > > > > > > > > On Behalf Of Thor (Hammer of God)
> > > > > > > > > > > > > > > > Sent: Friday, July 13, 2007 9:29 AM
> > > > > > > > > > > > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > > > > > > > > > > > Subject: [isapros] OT: Requiring client-side certs for RDP
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Greets:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Windows Server 2003 SP1 allows one to configure
> > > > > > > > > > > > > > > > server-authentication via certificate for RDP over TLS/SSL.
> > > > > > > > > > > > > > > > The MSFT articles say things like "the client must trust
> > > > > > > > > > > > > > > > the certificate" etc in their client-configuration notes,
> > > > > > > > > > > > > > > > and other articles specify that you can control access to
> > > > > > > > > > > > > > > > RDP by issuing self signed certs and controlling
> > > > > > > > > > > > > > > > distribution.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > This presents the illusion that one can limit connections
> > > > > > > > > > > > > > > > to RDP on a Win2k3 server via this method.  See:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > http://support.microsoft.com/kb/895433
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > http://technet2.microsoft.com/windowsserver/en/Library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > http://www.windowsecurity.com/articles/Secure-remote-desktop-connections-TLS-SSL-based-authentication.html
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Win2k3 Terminal Services allows one to require security
> > > > > > > > > > > > > > > > levels, but only provides "server" authentication - it does
> > > > > > > > > > > > > > > > not allow you to require a particular certification to be
> > > > > > > > > > > > > > > > requested of the client (as IIS does).
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Snips from the windowsecurity article compound this
> > > > > > > > > > > > > > > > perception:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > <snip>
> > > > > > > > > > > > > > > > The threat becomes even bigger, when the server running
> > > > > > > > > > > > > > > > Microsoft Windows Terminal Services is accessible from the
> > > > > > > > > > > > > > > > Internet through an RDP connection on port 3389, even
> > > > > > > > > > > > > > > > though you have an advanced firewall such as ISA Server in
> > > > > > > > > > > > > > > > front of it. A scenario that is common especially for
> > > > > > > > > > > > > > > > Microsoft Small Business Server users.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > The good news however, is that you can prevent these
> > > > > > > > > > > > > > > > attacks. The solution is certificate based computer
> > > > > > > > > > > > > > > > authentication. If the computer cannot authenticate itself by
> > > > presenting a valid
> > > > > > > > > > certificate
> > > > > > > > > > > to
> > > > > > > > > > > > > the
> > > > > > > > > > > > > > > > terminal server it is trying to
> > connect to,
> > > > > > > > then the RDP
> > > > > > > > > > > > > connection
> > > > > > > > > > > > > > > > will
> > > > > > > > > > > > > > > > be dropped before the user has a chance
> > > > > to attempt
> > > > > > > > > > > to log on.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > </snip>
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > This is simply untrue.  The
> > client does not
> > > > > > > > > > "present a valid
> > > > > > > > > > > > > > > > certificate" at all.  It either trusts
> > > > > the server
> > > > > > > > > > > or not, and
> > > > > > > > > > > > it
> > > > > > > > > > > > > is
> > > > > > > > > > > > > > > up
> > > > > > > > > > > > > > > > to the client to make that decision.
> > > > While RDP
> > > > > > > > > > > clients 6 and
> > > > > > > > > > > > > below
> > > > > > > > > > > > > > > > only
> > > > > > > > > > > > > > > > allow "No auth, attempt, or require"
> which
> > > > > > > do provide
> > > > > > > > > > > > > the expected
> > > > > > > > > > > > > > > > behavior, updated or alternate
> > clients (like
> > > > > Vista)
> > > > > > > > > > > allow you
> > > > > > > > > > > > to
> > > > > > > > > > > > > > > > connect
> > > > > > > > > > > > > > > > anyway.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > This being said, does anyone know if
> > > > the current
> > > > > > > > > > longhorn/ts
> > > > > > > > > > > > > > gateway
> > > > > > > > > > > > > > > > features will actually allow
> > > > > enforcement of client
> > > > > > > > > > > certificates
> > > > > > > > > > > > > > such
> > > > > > > > > > > > > > > a
> > > > > > > > > > > > > > > > requiring client certs that are signed
by
> > > > > > particular
> > > > > > > > > > > > > authorities?
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Sorry for all the detail, but I
> > > > wanted to avoid
> > > > > > > > > > > people saying
> > > > > > > > > > > > > > "Sure,
> > > > > > > > > > > > > > > > just require TLS for RDP".
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > t
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > All mail to and from this domain is
> > > > GFI-scanned.
> > > > > > > > > > > > > > > >
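As an added example, not part of the original post and not Microsoft's code, here is a small Python probe of the exchange the quoted message is about: the security-protocol negotiation carried in the X.224 connection request and confirm (the RDP_NEG_REQ, RDP_NEG_RSP and RDP_NEG_FAILURE structures from Microsoft's MS-RDPBCGR specification), which is what RDP over TLS on Windows Server 2003 SP1 and later rides on. It makes the point concrete: the only thing negotiated is which security protocol the server will accept, the TLS handshake that follows authenticates the server, and the client loads no certificate at all. The three sample server answers are constructed, not captured from a real host; the host name for a live probe is whatever you pass on the command line.

```python
"""Probe RDP's security-protocol negotiation (added example, not from the
original post).  Builds an X.224 Connection Request carrying RDP_NEG_REQ,
decodes the server's Connection Confirm (RDP_NEG_RSP / RDP_NEG_FAILURE), and,
when TLS is selected, completes the handshake WITHOUT a client certificate
to fetch the server's.  No logon is attempted; the exchange is pre-auth."""
import socket
import ssl
import struct

# requestedProtocols / selectedProtocol values
PROTOCOL_RDP = 0x00000000     # legacy "RDP security" (no TLS)
PROTOCOL_SSL = 0x00000001     # TLS: the SERVER presents a certificate
PROTOCOL_HYBRID = 0x00000002  # CredSSP / NLA on top of TLS

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# failureCode values of RDP_NEG_FAILURE
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ."""
    # RDP_NEG_REQ: type(1) flags(1) length(2, LE, always 8) requestedProtocols(4, LE)
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0x00, 8, requested_protocols)
    # X.224 CR: LI = bytes after this one, CR code 0xE0, DST-REF, SRC-REF, class 0
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved 0, total length (BE) including the 4-byte header
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm and its RDP_NEG_* payload."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length mismatch")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (0xD0)")
    payload = data[11:5 + li]          # whatever follows the 6-byte fixed CC part
    if len(payload) < 8:
        # A bare CC (no RDP_NEG_RSP): pre-negotiation server, legacy RDP security only.
        return {"kind": "legacy", "protocol": PROTOCOL_RDP}
    typ, flags, _length, value = struct.unpack("<BBHI", payload[:8])
    if typ == TYPE_RDP_NEG_RSP:
        return {"kind": "selected", "protocol": value, "flags": flags}
    if typ == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "failure_code": value,
                "failure": FAILURE_CODES.get(value, "UNKNOWN")}
    raise ValueError(f"unexpected RDP_NEG type 0x{typ:02x}")


# Constructed sample answers (not captured from any real host).
SAMPLE_SELECTED_SSL = b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00\x02\x00\x08\x00\x01\x00\x00\x00"
SAMPLE_FAILURE_NLA = b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00\x03\x00\x08\x00\x05\x00\x00\x00"
SAMPLE_LEGACY = b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"


def probe(host: str, port: int = 3389, requested: int = PROTOCOL_SSL,
          timeout: float = 5.0) -> dict:
    """Send one connection request to a live listener and report the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(requested))
        result = parse_connection_confirm(sock.recv(1024))
        if result.get("protocol") in (PROTOCOL_SSL, PROTOCOL_HYBRID):
            # The client alone decides whether to trust the server certificate.
            # CERT_NONE behaves like a client that connects anyway; CERT_REQUIRED
            # with a CA bundle would behave like a client set to "require".
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = ssl.TLSVersion.TLSv1   # old servers speak TLS 1.0 only
            # No client certificate is loaded into ctx; the handshake completes anyway.
            tls = ctx.wrap_socket(sock, server_hostname=host)
            result["server_cert_der"] = tls.getpeercert(binary_form=True)
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        for sample in (SAMPLE_SELECTED_SSL, SAMPLE_FAILURE_NLA, SAMPLE_LEGACY):
            print(parse_connection_confirm(sample))
```

Against a live listener the probe needs only a TCP connection to 3389 and sends the same pre-authentication request every RDP client sends, so nothing is logged on. Asking for PROTOCOL_SSL on a server that insists on NLA gets RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER, which is the closest thing the listener itself has to refusing a connection before the logon screen; it still rests on the user's credentials, not on any certificate the client holds.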




Other related posts: