RDP security

[gs]

a consultant told my boss that RDP is not secure and the consultant is
proposing vpn setup. is this true even with all the latest security patch
and the optional allow vista client to log in patch is installed

by default will the rdp client be forced to use 128 bit Kerberos?


I did some Google searching it still leaves me wondering. although the
search result does indicate default secure rdp setup on windows 2003 servers


The way I see using vpn is risky unless the client is manageable and
verified. Ms IT uses radius server, IAS, sql server and a whole bunch of
security infrastructure and framework to achieve security.

in this organization there are only 6 users for remote access and they are
all using XP or vista.

 

[Shenan Stanley]

a consultant told my boss that RDP is not secure and the
consultant is proposing vpn setup. is this true even with all the
latest security patch and the optional allow vista client to log in
patch is installed
by default will the rdp client be forced to use 128 bit Kerberos?


I did some Google searching it still leaves me wondering. although
the search result does indicate default secure rdp setup on windows
2003 servers

The way I see using vpn is risky unless the client is manageable and
verified. Ms IT uses radius server, IAS, sql server and a
whole bunch of security infrastructure and framework to achieve
security.
in this organization there are only 6 users for remote access and
they are all using XP or vista.

RDP is secure. RDP uses RSA Security's RC4 cipher, a stream cipher designed
to efficiently encrypt small amounts of data. RC4 is designed for secure
communications over networks. It encrypts data by using a 128-bit key.

Using VPN on top of it just gives one *more* security.

As both are free (other than any charge to get it setup, albeit pretty
simplistic to do in my opinion) I see no harm in using both. In fact - by
using a VPN tunnel - you eliminate the larger 'security risk' in my opinion
of Remote Desktop - the open port 3389 to the outside world. By only
opening that port to the local network and using a VPN session to become a
part of that local network before using remote desktop, you have made the
footprint of vulnerability smaller.

Make sure you use the 6.0 or later version!

As far as the VPN tunnel being a NECESSITY - not really. I guess it depends
on what you see as a risk and what type of setup you already have (what else
you would get out of such a setup, etc.) How you connect to the internet
even. I mean - you could even have a router with built-in VPN capability
installed so that you VPN into the router and then you can remote desktop to
a computer behind it for the most simplistic overall solution.

 

[rewired]

RDP is secure. RDP uses RSA Security's RC4 cipher, a stream cipher designed

to efficiently encrypt small amounts of data. RC4 is designed for secure
communications over networks. It encrypts data by using a 128-bit key.

According to my experience RDP still is vulnerable to man-in-the-middle
attacks and cant be used securely without an extra layer of protection
between the client and the server. Although the protocol uses RSA
encryption it does in the Windows XP/2000/2003 implementations not warn
the user when the certificate cant be validated so the user cant be sure
if the password is intercepted or not. See this whitepaper for more
information http://www.oxid.it/downloads/rdp-gbu.pdf
Using an SSH/VPN tunnel on top of RDP can add an extra bit of security
to the protocol.