All your RDP are belong to us?

[j3ll0]

Quote:

Originally Posted by StratosFear

I had someone who had the email signature "Head of IT" (I'm not even kidding) blast me just last week because I needed access to his server and he had RDP locked down by IP. I happened to be working from home (one of the many advantages of my job) so I gave him my home IP. He got back to me the next Monday when I was in the office asking me to connect so I told him I couldn't unless he allows access to my Work IP. He went absolutely crazy at me. How dare I give him a personal IP to allow access via RDP. It's these customers you just want to slap across the face.

Not picking a fight with you, but going through a nice proper change control process to make a change on a firewall to allow access from the Interwebz to RDP SHOULD take some time. I don't know your customers, but taking some time to get that change through wouldn't make me want to slap anyone.

.

[nimmers]

Quote:

Originally Posted by Iceman

Actually, apart from being sensitive to fragmentation, it's a pretty good protocol that for being around as long as it has, does not have a huge number of flaws.

So its ok in 2012 to have networked services exposed to the internet and running as root?

Everyone except Microsoft worked out this kind of thing is a bad idea a long time ago. It took this for them to actually change it for the better.

[yoink]

Quote:

Originally Posted by StratosFear

<snip>
I had someone who had the email signature "Head of IT" (I'm not even kidding) blast me just last week because I needed access to his server and he had RDP locked down by IP. I happened to be working from home (one of the many advantages of my job) so I gave him my home IP. He got back to me the next Monday when I was in the office asking me to connect so I told him I couldn't unless he allows access to my Work IP. He went absolutely crazy at me. How dare I give him a personal IP to allow access via RDP. It's these customers you just want to slap across the face.

One question though: shouldn't you be securely RDP'ing into your work over VPN first, and THEN get to the customers RDP

[ra66it]

I have RDP locked down to specific IPs and also VPN access for senior staff on dynamic IP.

One consultant engaged for a short term project got really shitty about the RDP lockdown and had the audacity to suggest that it was overkill, nobody gets hacked via rdp, and I didn't need it etc. Tried to go over my head to one of the directors.

[Iceman]

Quote:

Originally Posted by nimmers

So its ok in 2012 to have networked services exposed to the internet and running as root?

Everyone except Microsoft worked out this kind of thing is a bad idea a long time ago. It took this for them to actually change it for the better.

You're confusing the service/protocol with both the default implementation and the framework in which it's implemented.

[FiShy]

I encap all my rdp in ssh, mostly for shits and giggles.

[Daemon]

Quote:

Originally Posted by Iceman

You're confusing the service/protocol with both the default implementation and the framework in which it's implemented.

That's ok, Microsoft got all this confused as well

On a positive note, I haven't heard of too many instances where this RDP exploit has caused many problems. With only 443 bytes required to crash a system I was expecting a few thousand attempts from zombie PC's.

[StratosFear]

Quote:

Originally Posted by j3ll0

Not picking a fight with you, but going through a nice proper change control process to make a change on a firewall to allow access from the Interwebz to RDP SHOULD take some time. I don't know your customers, but taking some time to get that change through wouldn't make me want to slap anyone.

.

It wasn't the time taken that was the issue. He was adamant that giving my home IP access to his server via RDP was a huge security risk rather than giving my work connection access.

IF anything it is more secure as you're only giving me access rather than the 1000 computers sitting on my work network.