December 01, 2006
New Vista RDP Client for XP and W2K3
Microsoft has released a new Remote Desktop Protocol (RDP) client for XP SP2 and W2K3 SP1 for connecting to Vista and later Windows computers.
You can get the new client here.
As much as I like RDP for managing remote Windows computers, it has had a serious flaw in it that makes it vulnerable to attack, as reported by several sources including the author of the hacker tool Cain & Abel. You can read his excellent article here.
Essentially, with RDP there is a private key that should be private and unknown. Somehow, Microsoft chose to make this key the same key in every version of Windows and make it easy to obtain (a.k.a. "the public private key"). This crypto implementation error allows RDP traffic to be MitM'd and the session decoded.
I have successfully used Cain & Abel to decode RDP traffic, including the password sent between the RDP client and the remote server, no matter how long or complex that password is, or what the encryption settings are for Terminal Services/RDP.
Interestingly, I haven't always been able to get it to work successfully in all the environments I have tried it in. Not sure why. But it is successful enough that I always supplement RDP with another layer of encryption/authentication, like IPSec, SSL, TLS, or SSH.
Microsoft's defense is that while they have promised encryption, they did not promise authentication, and the public-private key is an authentication issue. Unfortunately, it means that RDP cannot be relied upon as being secure. Use RDP without another authentication supplement, and you are risking having your password stolen.
Microsoft fixed the problem in Vista (and Longhorn server) by adding better authentication. You can configure Vista (and LH) to accept old RDP connections, or to require the new, updated RDP clients. The link above, and here, lets you install the new, more secure RDP client.
Wikipedia has a great list of new RDP 6.0 (as the new client and server are called) features available here. Strangely, though, it doesn't mention upgraded security in the list.
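Which of those two modes a server is in shows up in its reply to the client's connection request. The following is an added example, not code from the original post: it classifies a server's X.224 Connection Confirm using the negotiation fields defined in Microsoft's MS-RDPBCGR specification. The sample packets are constructed, and the function and constant names are this example's own.

```python
import struct

# selectedProtocol values in an RDP negotiation response (per MS-RDPBCGR)
PROTOCOLS = {0: "PROTOCOL_RDP", 1: "PROTOCOL_SSL", 2: "PROTOCOL_HYBRID"}
# failureCode values a server sends when it refuses the client's offer
FAILURES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
            3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
            5: "HYBRID_REQUIRED_BY_SERVER"}

def classify_confirm(pdu: bytes) -> str:
    """Classify the X.224 Connection Confirm an RDP server sent back."""
    if len(pdu) < 11 or pdu[0] != 0x03:
        raise ValueError("not a TPKT-framed X.224 PDU")
    if struct.unpack(">H", pdu[2:4])[0] != len(pdu):
        raise ValueError("TPKT length does not match packet size")
    if pdu[5] & 0xF0 != 0xD0:
        raise ValueError("not a Connection Confirm")
    neg = pdu[11:]  # skip TPKT header (4 bytes) + X.224 CC header (7 bytes)
    if not neg:
        # Pre-negotiation server: only the legacy RDP security layer exists
        return "legacy: no negotiation data, old RDP security only"
    if len(neg) != 8:
        raise ValueError("malformed negotiation structure")
    msg_type, _flags, length, value = struct.unpack("<BBHI", neg)
    if length != 8:
        raise ValueError("bad negotiation length field")
    if msg_type == 0x03:  # RDP_NEG_FAILURE
        return "refused: " + FAILURES.get(value, f"code {value}")
    if msg_type != 0x02:  # anything but RDP_NEG_RSP
        raise ValueError("unknown negotiation message type")
    name = PROTOCOLS.get(value, f"protocol {value}")
    # Protocol 0 is the legacy layer; anything else is TLS or CredSSP based
    return ("legacy: " if value == 0 else "enhanced: ") + name

# Constructed sample replies (not captured traffic)
HEADER = "d00000123400"  # CC code, dst-ref, src-ref, class
SAMPLES = {
    "old server": bytes.fromhex("0300000b06" + HEADER),
    "accepts new client": bytes.fromhex("030000130e" + HEADER + "0200080002000000"),
    # reply to a client that offered only the legacy security layer
    "requires new client": bytes.fromhex("030000130e" + HEADER + "0300080005000000"),
}

if __name__ == "__main__":
    for label, pdu in SAMPLES.items():
        print(f"{label:20} -> {classify_confirm(pdu)}")
```

A "legacy" result means the session falls back to the old RDP security layer and still needs the extra IPSec, SSL, TLS, or SSH layer described above.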
Posted by Roger Grimes on December 1, 2006 05:03 PM