|
|
Security Basics
RDP over the internet Jan 10 2012 05:22PM mariofa88 gmail com (6 replies) RE: RDP over the internet Jan 10 2012 05:47PM William Baltas (bill baltas cleanwaterteam com) (2 replies) Re: RDP over the internet Jan 10 2012 06:00PM Mike Hale (eyeronic design gmail com) (4 replies) Re: RDP over the internet Mar 14 2012 01:41PM Alex Fiuvertiz (fiuvertiz gmail com) (3 replies) Re: RDP over the internet Mar 16 2012 09:29AM Ansgar Wiechers (bugtraq planetcobalt net) (1 replies) Re: RDP over the internet Mar 17 2012 01:46PM Thugzclub (thugzclub googlemail com) (1 replies) Re: RDP over the internet Mar 17 2012 06:04PM Ansgar Wiechers (bugtraq planetcobalt net) (1 replies) Re: RDP over the internet Mar 15 2012 06:43AM Mike Hale (eyeronic design gmail com) (1 replies) Re: RDP over the internet Mar 15 2012 10:12PM Thugzclub (thugzclub googlemail com) (3 replies) Re: RDP over the internet Jan 10 2012 06:46PM joseph itsec-asia com (2 replies) Re: RDP over the internet Jan 10 2012 07:29PM Ansgar Wiechers (bugtraq planetcobalt net) (1 replies) Re: RDP over the internet Jan 10 2012 10:05PM security (at) stealthnodes (dot) com [email concealed] (security stealthnodes com) Re: RDP over the internet Jan 10 2012 07:25PM Andre Silaghi (andre silaghi googlemail com) (1 replies) Re: RDP over the internet Jan 10 2012 06:43PM Ricardo Ferreira (ricardo ferreira sotechdatacenter com br) (2 replies) |
|
Privacy Statement |
> >> question is: do they get fixed in a timely manner?
> >
> > The fact is that "open port" is a potential attack vector because a
> > vulnerability may be discovered in the application.
>
> I'm sorry to have to break this to you, but as long as you're using
> TCP/IP you need an open port if you want to be able to establish a
> connection.
But it's clear that *any* open port represents additional risk. If that open port is not required for the function of the system (as terminal services/RDP generally is not), it's an unnecessary risk (however convenient it might be). And that risk is compounded if that port is running by necessity with system level permissions, and offering up a login screen that people use with their admin credentials. Also, terminal services is dependent on the loading of yet another service: RPC.
For these reasons, I don't believe the concern expressed over exposing RDP to the internet is "a massive generalisation". I think that concern is clearly justified. RDP is not of the same risk level as, say NTP.
And if, when we point out that risk, CEOs then see security officers as "the enemy", it's because the security folks have failed to (1) account for the value in the convenience offered by things like RDP, (2) reasonably evaluate that value against the risk, and (3) consider what actions, configurations and technologies are available to mitigate the risk.
Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Ansgar Wiechers
> Sent: Saturday, March 17, 2012 11:05 AM
> To: security-basics (at) securityfocus (dot) com [email concealed]
> Subject: Re: RDP over the internet
>
> On 2012-03-17 Thugzclub wrote:
> > On 16 Mar 2012, at 09:29, Ansgar Wiechers
> <bugtraq (at) planetcobalt (dot) net [email concealed]> wrote:
> >> On 2012-03-14 Alex Fiuvertiz wrote:
> >>> http://www.securityfocus.com/bid/52353
> >>
> >> New vulnerabilities will be discovered every now and then. Duh. The
> >> question is: do they get fixed in a timely manner?
> >
> > The fact is that "open port" is a potential attack vector because a
> > vulnerability may be discovered in the application.
>
> I'm sorry to have to break this to you, but as long as you're using
> TCP/IP you need an open port if you want to be able to establish a
> connection.
>
> > This is why you need to rely application execution control products
> > like (Lumension, App Blocker) to prevent execution of unknown
> > binaries!
>
> Software Restriction Policies exist. However, application control is
> unlikely to be of much help when malware is run in the context of
> privileged accounts.
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches
> becoming available."
> --Jason Coombs on Bugtraq
>
> --------------------------------------------------------------
> ----------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who
> needs an SSL certificate. We look at how SSL works, how it
> benefits your company and how your customers can tell if a
> site is secure. You will find out how to test, purchase,
> install and use a thawte Digital Certificate on your Apache
> web server. Throughout, best practices for set-up are
> highlighted to help you ensure efficient ongoing management
> of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;
> e13b6be442f727d1
> --------------------------------------------------------------
> ----------
>
>
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------
[ reply ]