Re: Encryption with RDP/Terminal Server in W.2003 Server

From: Vera Noest [MVP] (Vera.Noest_at_remove-this.hem.utfors.se)
Date: 06/07/04


Date: Mon, 07 Jun 2004 07:36:13 -0700

Thanks, Ian, glad to be of help!

I'm actually not a network protocol expert, so I've done a bit of
cutting and pasting from Patrick's previous posts on the topic:

<quote>
PPTP VPN doesn't add any measurable security to already
encrypted RDP traffic, so if you're using VPN for added
security make sure it's certificate based like IPSec/L2TP
so users can only connect from certain computers.
</quote>

Maybe those companies never investigated the security that is
"built-in" into the rdp-protocol, and simply assumed that they
needed VPN? Or maybe they also need other communication with their
network, that's not encrypted.

 --
Vera Noest
MCSE,CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
*----------- Please reply in newsgroup -------------*

"Ian Turner"
<anonymous@discussions.microsoft.com> wrote in
news:B15CB92D-AED5-4F3E-849F-C11EE4F44B8A@microsoft.com:

> Thanks Vera. However, some companies use RDP and Terminal
> Server but do that over a VPN 'layer'. I have assumed they do it
> for the extra security inherent with VPN. Why do they do that if
> RDP uses 128bit encryption which should be EXCELLENT; what's the
> advantage? Am I missing something here?
>
> As always, you guys are our SAVIOURS! Without your (and your
> colleagues') help, many of us would be floundering for MONTHS!
>
> Ian


