Consolidated Business & Enterprise Computing Rant Thread

Discussion in 'Business & Enterprise Computing' started by elvis, Jul 1, 2008.

  1. looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    26,649
    what?
    Click two buttons?

    Fuck.

    You fucking nerds and your bullshit.

    :)
     
  2. DavidRa

    DavidRa Member

    Joined:
    Jun 8, 2002
    Messages:
    3,090
    Location:
    NSW Central Coast
    Aaaaaaaand this is why AlwaysOn VPN is a thing. Make it happen, admins.
     
    bcann and NSanity like this.
  3. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,621
    No arguments on either point there, 2 layers are obviously gonna be better than 1.

    But "RDP is bad because Exploits" is a misleading statement.

    Is VPN a layer when you're looking at it this way? IME, far too many VPNs (especially the ones set up for companies using "RDP to workstation" as a remote access solution) will just dump the connecting device straight onto an internal subnet. This is a far greater security risk than me opening 3389 to the world.
     
  4. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,393
    Location:
    Brisbane
    [IMG]
     
    looktall likes this.
  5. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    15,369
    Location:
    Canberra
    and what is RDGW if not a VPN for RDP?

    https://docs.microsoft.com/en-us/wi...esktop-services/rds-plan-access-from-anywhere

    1. Establish an encrypted SSL tunnel between the end-user's device and the RD Gateway Server:
    2. Authenticate the user into the environment:
    3. Pass traffic back and forth between the end-user's device and the specified resource:
    sounds like a VPN (albeit limited in scope to one service) to me.
     
  6. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,393
    Location:
    Brisbane
    You know RDP (by itself) technically does all 3 of those... right?
     
  7. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,621
    If Telnet became SSH, but was still called telnet, you'd still get people saying 'telnet is bad'.
     
  8. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,393
    Location:
    Brisbane
    Only if it was written by Microsoft.
     
  9. elvis (OP)

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    45,110
    Location:
    Brisbane
    Almost as if they've built a reputation of writing shitty software for 35 years. Go figure. :)
     
    Hive likes this.
  10. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    10,194
    Location:
    Briz Vegas
    SSH is still bad according to the "infosec auditor" because it says so on the checklist: having port 22 exposed is not allowed... even after doing it for 20+ years without one incident, because we don't allow plain-text authentication and never allow root access, but wtf would I know.

    I imagine RDP is similar, done properly is no issue.
     
  11. DavidRa

    DavidRa Member

    Joined:
    Jun 8, 2002
    Messages:
    3,090
    Location:
    NSW Central Coast
    I bet the same checklist doesn't ask about TCP 1723 and IP protocol 47 though.
     
    Hive and NSanity like this.
  12. dakiller

    dakiller (Oscillating & Impeding)

    Joined:
    Jun 27, 2001
    Messages:
    8,406
    Location:
    3844
    It was, till an exploit that could completely bypass authentication came out a year ago
     
  13. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,621
    Are you talking about BlueKeep? That was for Windows 7 or lower. That was released 6 months before 7 was EOL, a scant 7 years after (the not vulnerable) Windows 8 was released?
     
  14. DavidRa

    DavidRa Member

    Joined:
    Jun 8, 2002
    Messages:
    3,090
    Location:
    NSW Central Coast
    And it was successful because half the industry, led on by a bunch of clueless self-absorbed gamers decided the new Start panel was crap. As a result, thousands of IT departments buried their heads so deep in the sand that FIVE YEARS after Windows 10 hit, they're still digging themselves out.
     
    Aetherone, millsy, Dilbery and 3 others like this.
  15. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,393
    Location:
    Brisbane
    [IMG]
     
    mooboyj, 2SHY, connico and 2 others like this.
  16. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,585
    Location:
    Adelaide
    BRB opening 3389 to the world cuz there are no active exploits for it.
     
  17. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    6,103
    Location:
    NSW
    Before I got here and put RDP behind a VPN (yes, I could use RDP Gateway, but that is another tale of FMD; why did the previous company configure that, that way?), we had on average 10,000 to 40,000 doorknocks a day on our RDP server exposed to the general internet. The chances are that one of these days they were gonna get in, eventually; there are enough HIBP databases out there. Given it's near enough impossible to prevent password re-use without making stupid password policies where users just pick stupid auto-increment passwords, and I work in health and getting people to use 2FA tokens would cause fucking Chernobyl here, I went with the option that gave better security, without the roof being blown off the company in a Chernobyl-like explosion by people having to use "Another fucking piece of technology" because they're "Healthcare Professionals" and "They aren't IT Professionals, that's your job".

    For me, it's not always just about picking the best way to protect something, despite what I'd like it to be; it has to be digestible to the business and our illustrious "Healthcare Professionals", who on day one of starting can't even pick a password with a simple policy without locking their account or coming to me 20 minutes later because the computer is rejecting the password they just changed, and without management buy-in (because again, they're "Healthcare Professionals") then what can you do? It took 2 years of convincing to get it put behind a VPN, which was better than completely exposed, so small steps and little wins, combined with limited password attempts before account locking, is the best the company would agree to.

    Fuck me, I still have a virtual fucking fax here, just because "Medical Professionals".
     
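Counting the "doorknocks" bcann describes is the first detection most admins want on an RDP endpoint. The following is an added example, not code from the thread or from any poster's environment: it tallies failed RemoteInteractive logons (Event ID 4625, LogonType 10) per source address over constructed sample log lines and flags sources that hit a lockout-style threshold inside a short window, also reporting how many distinct accounts each source tried (a spray against leaked-credential lists looks different from one user mistyping). The flattened event format and the documentation-range IPs are assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log failures (Event ID 4625,
# LogonType 10 = RemoteInteractive/RDP), flattened to one line each.
# Not real logs; the source IPs are documentation-range placeholders.
SAMPLE_EVENTS = """\
2020-07-30T02:00:01 4625 LogonType=10 Account=alice Source=203.0.113.7
2020-07-30T02:00:03 4625 LogonType=10 Account=bob Source=203.0.113.7
2020-07-30T02:00:05 4625 LogonType=10 Account=carol Source=203.0.113.7
2020-07-30T02:00:06 4625 LogonType=10 Account=dave Source=203.0.113.7
2020-07-30T02:00:08 4625 LogonType=10 Account=erin Source=203.0.113.7
2020-07-30T02:00:09 4625 LogonType=10 Account=frank Source=203.0.113.7
2020-07-30T08:15:00 4625 LogonType=10 Account=alice Source=198.51.100.20
2020-07-30T08:16:10 4624 LogonType=10 Account=alice Source=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)

def parse_events(text):
    """Parse the flattened events into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events

def rdp_doorknockers(events, window=timedelta(minutes=5), threshold=5):
    """Return {source_ip: distinct_accounts_tried} for every source with at
    least `threshold` failed RDP logons (4625, LogonType 10) in one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["eid"] == "4625" and e["lt"] == "10":
            by_src[e["src"]].append((e["ts"], e["acct"]))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()  # sliding window over time-ordered failures
        for i, (start, _) in enumerate(attempts):
            run = [a for t, a in attempts[i:] if t - start <= window]
            if len(run) >= threshold:
                flagged[src] = len(set(run))
                break
    return flagged
```

Successful logons (4624) and non-RDP logon types are ignored, so a single mistyped password from a legitimate user does not trip the threshold while the six-account spray from one address does.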
  18. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    67,145
    Location:
    brisbane
    Why is my email going to spam dammit!

     
  19. gav1ski

    gav1ski Member

    Joined:
    Aug 9, 2001
    Messages:
    161
    Location:
    Sydney
    I feel your pain on this; the amount of workarounds I have needed to implement because doctors don't want another login does my head in. Though I am seeing a change coming through where more healthcare organisations are mandating 2-factor authentication and also using the tactic of "if you want to admit patients to our hospital then you do it this way or else" (no more hospital admission cash for the doc); amazing what telling someone they will lose money does for compliance.

    Seen and used 2 ways of doing remote access in a hospital environment: one did RDP behind a 2-factor VPN and the other used VMware Horizon (I think it was that) as a remote/internal desktop management tool, no 2 factor, but internally a user could walk up to any computer, swipe a card and access their session (great for nurses and docs going from patient to patient).

    Out of hospitals I have seen some dodgy shit, mainly put in place by "the computer guy that manages our PCs and knows fuck all about security".
     
  20. Myst

    Myst Member

    Joined:
    Feb 26, 2004
    Messages:
    1,350
    Location:
    Hobart, Tasmania
    Cisco AnyConnect works a treat for us in this scenario: laptop / tablet / whatever, provided it supports AnyConnect, undocked and on cellular or foreign wifi / ethernet, connects to VPN straight away, offering seamless transition between networks.
     
    Last edited: Jul 30, 2020
    Hive likes this.