Re: rdp security + 2 factor authentication

From: Nick Owen (captainspalding_at_gmail.com)
Date: 10/12/04


Date: 12 Oct 2004 05:47:49 -0700

ethicaltwit@yahoo.co.uk (Jake) wrote in message news:<7eae89b6.0410111334.5b93fb63@posting.google.com>...
> I have read that RDP is considered secure without a VPN since RDP
> traffic is encrypted by default.

Here is an MS article on RDP encryption:
http://support.microsoft.com/?id=275727. Most, but not all, data is
encrypted.

> I work for a small co. and am considering allowing some users to log
> in to TS from their home computers (probably with tsweb). Server is
> W2K3.
> The relevant port(s) would be opened on the LAN firewall.
>
> I cannot police the client machines with regard to patches,
> firewalls, viruses, malware etc. However, it seems to me the risks can
> be minimised by using 2 factor authentication using a physical token
> device issuing one-time passwords, since this would make it virtually
> impossible for a malicious user or program to authenticate. There
> appear to be one or two reasonably priced solutions available for
> doing this.

With the increasing number of trojans and password sniffers out there
two-factor is warranted, but then, I'm in the business, so consider
the source ;). You can judge based on the costs, the risks, the
likelihood of attack, etc.

>
> This solution is simple, flexible and inexpensive compared to issuing
> locked-down company-owned laptops with a VPN client.
>
> Anyone have any comments for or against this strategy?

Based on the MS article, I'd say it's a pretty solid strategy. You
might also consider an SSL VPN appliance, in front of your terminal
server, but I don't know what the cost of those boxes is. You would
be better served spending on 2 factor, most likely, because of all the
other benefits you would get (locking down your admin accounts and
infrastructure with 2-factor, e.g.).

Nick Owen

--
Nick Owen
CEO
WiKID Systems, Inc.
http://www.wikidsystems.com
Two factor authentication, without the hassle factor
> 
> Thanks,
> Jake

