Discussion in 'Business & Enterprise Computing' started by elvis, Jul 1, 2008.
Click two buttons?
You fucking nerds and your bullshit.
Aaaaaaaand this is why AlwaysOn VPN is a thing. Make it happen, admins.
No arguments on either point there, 2 layers are obviously gonna be better than 1.
But "RDP is bad because Exploits" is a misleading statement.
Is VPN a layer when you're looking at it this way? IME, far too many VPNs (especially the ones set up for companies using "RDP to workstation" as the remote access solution) will just dump the connecting device straight onto an internal subnet. This is a far greater security risk than me opening 3389 to the world.
And what is RDGW if not a VPN for RDP?
Establish an encrypted SSL tunnel between the end-user's device and the RD Gateway Server:
Authenticate the user into the environment:
Pass traffic back and forth between the end-user's device and the specified resource:
Sounds like a VPN (albeit limited in scope to one service) to me.
You know RDP (by itself) technically does all 3 of those... right?
If Telnet became ssh, but was still called telnet.
You'd still get people saying "telnet is bad".
Only if it was written by Microsoft.
Almost as if they've built a reputation of writing shitty software for 35 years. Go figure.
SSH is still bad according to the "infosec auditor" because it says so on the checklist: having port 22 exposed is not allowed... even after doing it for 20+ years without one incident, because we don't allow plaintext authentication and never allow root access, but wtf would I know.
I imagine RDP is similar; done properly it's no issue.
I bet the same checklist doesn't ask about TCP 1723 and IP protocol 47 though.
It was, until an exploit that could completely bypass authentication came out a year ago.
Are you talking about BlueKeep? That was for Windows 7 or less. That was released 6 months before 7 was EOL, a scant 7 years after (the not vulnerable) Windows 8 was released?
And it was successful because half the industry, led on by a bunch of clueless self-absorbed gamers decided the new Start panel was crap. As a result, thousands of IT departments buried their heads so deep in the sand that FIVE YEARS after Windows 10 hit, they're still digging themselves out.
BRB opening 3389 to the world cuz there are no active exploits for it.
Before I got here and put RDP behind a VPN (yes I could use RD Gateway, but that is another tale of FMD, why did the previous company configure that, that way), we had on average 10,000 to 40,000 doorknocks a day on our RDP server exposed to the general internet. The chances are that one of these days they were gonna get in, eventually; there are enough HIBP databases out there. Given it's near enough impossible to prevent password re-use without making stupid password policies where users just pick stupid auto-increment passwords, and I work in health and getting people to use 2FA tokens would cause a fucking Chernobyl here, I went with the option that gave better security, without the roof being blown off the company in a Chernobyl-like explosion by people having to use "another fucking piece of technology" because they're "Healthcare Professionals" and "they aren't IT Professionals, that's your job".
For me, it's not always just about picking the best way to protect something, despite what I'd like it to be; it has to be digestible to the business, and our illustrious "Healthcare Professionals", who on day one of starting can't even pick a password with a simple policy without locking their account or coming to me 20 minutes later because the computer is rejecting the password they just changed, and without management buy-in (because again, they're "Healthcare Professionals") then what can you do? It took 2 years of convincing to get it put behind a VPN, which was better than completely exposed, so small steps and little wins, combined with limited password attempts before account locking, is the best the company would agree to.
Fuck me, I still have a virtual fucking fax here, just because "Medical Professionals".
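The doorknock volume and the account-lockout trade-off described in the post above, as an added example that is not from the thread: it tallies failed RDP logons (Event ID 4625, LogonType 10) per source and per target account from constructed, simplified log lines, so you can see which sources are brute-forcing and which accounts a lockout threshold would have locked. The one-line-per-event format and field names are assumptions, not a real Windows export format.

```python
# Added example (not from the thread). Counts failed RDP logons per source and
# per account from a constructed, simplified export of Windows Security events.
# Assumption: one event per line as "<ts> <eventid> LogonType=<n> TargetUser=<u>
# Source=<ip>"; the field names are hypothetical, not a real export format.
from collections import Counter
from dataclasses import dataclass
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) Source=(?P<src>\S+)$"
)

@dataclass(frozen=True)
class FailedLogon:
    ts: str
    user: str
    src: str

def parse_line(line):
    """Return a FailedLogon for a 4625 RDP (LogonType 10) line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["event"] != "4625" or m["ltype"] != "10":
        return None
    # Account names are case-insensitive in Windows, so normalise for counting.
    return FailedLogon(m["ts"], m["user"].lower(), m["src"])

def summarize(lines, src_threshold=20, lockout_threshold=5):
    """Tally failures per source and per account; flag what exceeds thresholds."""
    per_src, per_user = Counter(), Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # successful logon or non-RDP event
        per_src[ev.src] += 1
        per_user[ev.user] += 1
    noisy_sources = {s for s, n in per_src.items() if n >= src_threshold}
    lockable = {u for u, n in per_user.items() if n >= lockout_threshold}
    return per_src, per_user, noisy_sources, lockable

# Constructed sample: one scanner spraying the usual account names, plus a
# legitimate user who typos a password once and then logs in (4624, ignored).
SAMPLE = (
    [f"2008-07-01T02:{i:02d}:00Z 4625 LogonType=10 TargetUser=Administrator Source=203.0.113.7" for i in range(12)]
    + [f"2008-07-01T02:{i:02d}:30Z 4625 LogonType=10 TargetUser=admin Source=203.0.113.7" for i in range(10)]
    + ["2008-07-01T03:00:00Z 4625 LogonType=10 TargetUser=jsmith Source=198.51.100.4",
       "2008-07-01T03:00:05Z 4624 LogonType=10 TargetUser=jsmith Source=198.51.100.4"]
)

if __name__ == "__main__":
    per_src, per_user, noisy, lockable = summarize(SAMPLE)
    print("failures per source:", dict(per_src))
    print("sources over threshold:", noisy, "accounts a lockout policy would lock:", lockable)
```

With a 5-attempt lockout, the two sprayed built-in names would be locked by the scanner while the real user's single typo is harmless; that is the availability cost the poster weighed against 2FA.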
Why is my email going to spam dammit!
I feel your pain on this; the amount of workarounds I have needed to implement because doctors don't want another login does my head in. Though I am seeing a change coming through where more healthcare organisations are mandating 2 factor authentication and also using tactics of "if you want to admit patients to our hospital then you do it this way or else" (no more hospital admission cash for doc); amazing what telling someone they will lose money does for compliance.
Seen and used 2 ways of doing remote access in a hospital environment: one did RDP behind a 2 factor VPN and the other used VMware Horizon (I think it was that) as a remote/internal desktop management tool, no 2 factor but internally a user could walk up to any computer, swipe a card and access their session (great for nurses and docs going from patient to patient).
Out of hospitals I have seen some dodgy shit mainly put in place by "the computer guy that manages our PC's and knows fuck all about security".
Cisco AnyConnect works a treat for us in this scenario: laptop / tablet / whatever, provided it supports AnyConnect, undocked and on cellular or foreign wifi / ethernet, connects to the VPN straight away, offering seamless transition between networks.