hear-hear. If the creds you use for the VPN connection are the same as for the RDP connection, then the "BF" risk is relatively the same for each connection.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Friday, July 13, 2007 7:03 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

I am! But they have to be equally applied to all scenarios...

t

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, July 13, 2007 6:21 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

Dude,
I thought you were a devotee of least priv!
I write out the scenarios if I ever get home.

Sent via Windows Mobile through ISA Firewall protected Exchange Servers

-----Original Message-----
From: "Thor (Hammer of God)"<thor@xxxxxxxxxxxxxxx>
Sent: 7/13/07 6:12:36 PM
To: "isapros@xxxxxxxxxxxxx"<isapros@xxxxxxxxxxxxx>
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

Right... but it's the same for VPN, or SSH or whatever... or FTP for that matter (though that of course doesn't give you remote desktop). The vulnerability you outline is not compounded by RDP in any way - it's compounded by any type of remote access, really.

What method of remote access do you use that prevents access in the scenario you outline?

t

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, July 13, 2007 4:38 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

You don't need to BF the log on if you've stolen the creds or smart card. I know *you* wouldn't give out your creds, but I've heard that others do -- and losing a wallet or card is pretty common -- just look at the number of lost credit cards.

Or perhaps the laptop with the RDP client with the customer source and dest port config is stolen (I've heard that happens too). That's why you need least privs, no matter how secure your authentication and authorization might be.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Friday, July 13, 2007 5:32 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

Right- and don't forget that one would not only have to find it, but they would have to BF the logon, which I know from experience is tough to do, if not impossible in the "properly" configured environments.

I use RDP strictly to get to all my servers for admin. It is, in fact, the only way I do it.

t

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, July 13, 2007 4:25 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

Least privs is not limited to app acls, but to any access point or process.
If I define my rules such that only traffic from port X to port Y is allowed, Joe HackerDewd is going to spend a *lot* of time trying to sort out the combination. If I instead choose to share that combination with a select few, then I've defined the limits of this control.

Granted, RDP as currently deployed leaves a lot to be desired in the way of access and functionality controls & sandboxing, but as you've pointed out previously, hope is on the horizon...

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, July 13, 2007 4:20 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

Dude,

Least privs!!! That has nothing to do with the transport. It's about allowing what's required and nothing more (except for da boyz).

RDP does not do that (except for the per app publishing, which gets you least priv). Publishing a desktop for Tim to hack is not least priv.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, July 13, 2007 5:08 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

Wait - I also allow SSL-protected RDP (though not on default ports).
RDP via SSL performs far better than RDP over VPN any day.
Is RDP via VPN stronger? - yes.
Can someone scan my ports and detect my RDP listener? - yes.

As has been stated so many times, "security" is the balance between what you are and are not willing to risk.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, July 13, 2007 4:02 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

Egzactly! So why give the guy who steals your lusers credentials or smart card the same opportunity? If there's something worth stealing, someone will try, and a Remote Desktop Connection is giving the perp the Keys to The Mint.

That's why least privilege is always your friend. Violating it is to

1. Laziness
2. Wishful Thinking
3. Ignorance
4. Belief in the inherent Goodness of all Men

;)

Tom

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, July 13, 2007 4:56 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

<shot type="cheap">
..only to the women...
</shot>

If I didn't have a working relationship with Tim, I wouldn't trust him on my network any further than I could throw him (and he's hard to toss around, lemmetellya!)

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Friday, July 13, 2007 3:48 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

Who, me??? I'm harmless!

t

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, July 13, 2007 3:37 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

Or to put it another way, you think Tim presents no risk to your org in this scenario?

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, July 13, 2007 4:30 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

So, if you give Tim a machine on your network that he can sit in front of, and give him a limited user account, do you think you're completely protected from what he might be able to do?

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
Sent: Friday, July 13, 2007 4:24 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

You could use GPOs to further lock down the interface for the RDP user.

As far as I understand it, Remote Administration only allows for 2 concurrent connections. The assumption is that you're using an administrator but that doesn't have to be the case.

You can lock down a regular user's use of the machine just as you would internally. I'm not sure I see any increased concern here, except for an in-protocol hack attack against RDP.

And with TLS, no more MITM attacks.

Am I missing something?

Cordially yours,
Jerry G. Young II
Application Engineer
Platform Engineering and Architecture
NTT America, an NTT Communications Company

22451 Shaw Rd.
Sterling, VA 20166

Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, July 13, 2007 6:20 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

Not really. You still give the intruder a full fledged machine to work with.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
Sent: Friday, July 13, 2007 4:15 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

You realize that you don't NEED to add a user to the local Administrators group to get access over RDP, yeah? It's just that by default only the local Administrators group is allowed to access the server over RDP. You can grant that to a regular user and then su (runas) into an administrator account. That would still meet least privilege reqs, yeah?

Cordially yours,
Jerry G. Young II

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, July 13, 2007 5:28 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

BTW--why are you looking into RDP?

I've always thought remote access to RDP was poison, since it epitomizes the violation of least privilege.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, July 13, 2007 3:23 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

Doesn't hurt to ask :)

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Friday, July 13, 2007 3:18 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

Exactly. Which is why I'm asking for it ;)

t

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, July 13, 2007 2:16 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

That's true -- this type of authentication is designed to protect the client from "rogue" terminal servers. It doesn't do anything to protect the server, nor is that the intent.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Friday, July 13, 2007 2:05 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

Vista or the updated XP client. You need to check under Advanced to select the connection type.

But that is not what is important... what is important is that *the client* decides what to do in the current deployment of RDP/TLS in Win2k3 terminal services configurations. For "true" connection-based-on-certificate security, you must have functionality on the server to request and validate a certificate.

This is why I went out of my way to describe the behavior, to avoid all of this ;) So, the question was, does anyone know if this is being addressed in Longhorn...

t

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, July 13, 2007 12:58 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

Ok - what client are you using? I've configured my own TS (not TSG) to use SSL encraption and every time I connect with any hostname other than what is presented by the cert subject, I get a "cert validation" popup.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Friday, July 13, 2007 12:39 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

No popups are presented......I helped with the testing. Straight into the desktop.

S

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, July 13, 2007 4:36 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

It's true that the client *can* connect, but not until the user has acknowledged the popups that are produced when the cert isn't trusted, fails to match the connection, etc. This is my point. In fact, anyone programming against the TS COM will have to make sure they handle this event properly.

Correct - TSG is not "TS Server using SSL" - that's RDP over SSL (no HTTP involved).
TSG OTOH, is RPC/HTTP - you'll have to web-publish it to see the URLs used, but when you do, the /rpc/rpcproxy.dll?<servername>:3388 request will clarify this for ya.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Friday, July 13, 2007 12:04 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

Actually, yes, it is *completely* wrong. But let's make sure we're not letting you launch one of your famous misdirection threads ;)

I'm not talking about TSG (Terminal Services Gateway). I'm talking about Win2k3 Terminal Services configured to require TLS/SSL: The client does *not* have to trust the CA at all - it does not have to trust the cert, the ca, or the entire chain for that matter, even though the articles say it must. It doesn't. The client can connect anyway... That's what is wrong with the articles.

I'm asking if Longhorn terminal services will fix this natively. Tom's point about using ISA's SSL Client Certificate Authorization for this is a great suggestion for TSG, but that is a different animal.

t

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, July 13, 2007 11:31 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

It's not completely wrong; "..the client must trust the root certificate authority.." actually means "the client must trust the CA that issues the TSG server certificate", but I agree that it's less than clear.

Whether TSG will do this natively, I don't know (and kinda doubt), but I can certainly ask.
As with OL, the question is more client- than server-based; IIS and any application that operates within it can use user cert auth, but so far, no RPC/HTTP client is capable of responding to a server that requires user cert auth.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Friday, July 13, 2007 10:41 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

While dude's article is clearly wrong, the MSFT KB's should be amended as well. Saying "the client must trust the root certificate authority" is simply incorrect and misleading.

But, more to the core question, since the ts gateway is not the place to enforce this, are there plans in place for longhorn terminal services to support client certificate requirements like IIS does?

t

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, July 13, 2007 10:26 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Requiring client-side certs for RDP

I just love it when "tribal knowledge" becomes "documented fact".
It's clear from the "article" that the author never tested any of the configuration or application statements he makes. Even the dialog for his "attempt authentication" screenshot clearly states "Authentication will confirm the identity of the remote computer to which you connect" - NOT "Authentication will confirm the identity of the user/machine **from which you connect**".

In theory you *could* require user cert auth, but I don't know if the TSG client will respond appropriately. Since TSG is "just" RPC/HTTP, it's rpcrt4.dll that handles the translation between RPC and HTTP and AFAIK, it only handles Basic and NTLM.

Because TSG is RPC/HTTP, you can configure the /RPC vroot to require user certs and thus impose this requirement on your connecting clients to test this theory. Of course, if you also share this vroot with Exchange RPC/HTTP you'll break OL connections, since they can't handle cert auth.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Friday, July 13, 2007 9:29 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] OT: Requiring client-side certs for RDP

Greets:

Windows Server 2003 SP1 allows one to configure server-authentication via certificate for RDP over TLS/SSL. The MSFT articles say things like "the client must trust the certificate" etc in their client-configuration notes, and other articles specify that you can control access to RDP by issuing self-signed certs and controlling distribution.

This presents the illusion that one can limit connections to RDP on a Win2k3 server via this method. See:

http://support.microsoft.com/kb/895433

http://technet2.microsoft.com/windowsserver/en/Library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx

http://www.windowsecurity.com/articles/Secure-remote-desktop-connections-TLS-SSL-based-authentication.html

Win2k3 Terminal Services allows one to require security levels, but only provides "server" authentication - it does not allow you to require a particular certification to be requested of the client (as IIS does).

Snips from the windowsecurity article compound this perception:

<snip>
The threat becomes even bigger, when the server running Microsoft Windows Terminal Services is accessible from the Internet through an RDP connection on port 3389, even though you have an advanced firewall such as ISA Server in front of it. A scenario that is common especially for Microsoft Small Business Server users.

The good news however, is that you can prevent these attacks. The solution is certificate based computer authentication. If the computer cannot authenticate itself by presenting a valid certificate to the terminal server it is trying to connect to, then the RDP connection will be dropped before the user has a chance to attempt to log on.
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > </snip> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > This is simply untrue. The > > > client does not > > > > > > > > > > > "present a valid > > > > > > > > > > > > > > > > > certificate" at all. It either trusts > > > > > > the server > > > > > > > > > > > > or not, and > > > > > > > > > > > > > it > > > > > > > > > > > > > > is > > > > > > > > > > > > > > > > up > > > > > > > > > > > > > > > > > to the client to make that decision. > > > > > While RDP > > > > > > > > > > > > clients 6 and > > > > > > > > > > > > > > below > > > > > > > > > > > > > > > > > only > > > > > > > > > > > > > > > > > allow "No auth, attempt, or require" > > which > > > > > > > > do provide > > > > > > > > > > > > > > the expected > > > > > > > > > > > > > > > > > behavior, updated or alternate > > > clients (like > > > > > > Vista) > > > > > > > > > > > > allow you > > > > > > > > > > > > > to > > > > > > > > > > > > > > > > > connect > > > > > > > > > > > > > > > > > anyway. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > This being said, does anyone know if > > > > > the current > > > > > > > > > > > longhorn/ts > > > > > > > > > > > > > > > gateway > > > > > > > > > > > > > > > > > features will actually allow > > > > > > enforcement of client > > > > > > > > > > > > certificates > > > > > > > > > > > > > > > such > > > > > > > > > > > > > > > > a > > > > > > > > > > > > > > > > > requiring client certs that are signed > by > > > > > > > particular > > > > > > > > > > > > > > authorities? 
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Sorry for all the detail, but I > > > > > wanted to avoid > > > > > > > > > > > > people saying > > > > > > > > > > > > > > > "Sure, > > > > > > > > > > > > > > > > > just require TLS for RDP". > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > t > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > All mail to and from this domain is > > > > > GFI-scanned. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > All mail to and from this domain is GFI- > > > > scanned. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > All mail to and from this domain is > > > GFI-scanned. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > All mail to and from this domain is > > > GFI-scanned. 
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > All mail to and from this domain is GFI-scanned. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > All mail to and from this domain is GFI-scanned. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > All mail to and from this domain is GFI-scanned. > > > > > > > > > > > > > > > > > > > All mail to and from this domain is GFI-scanned.