Suppose a client wants to directly connect to a Terminal Server exposed to the Internet, without a VPN, ... what software & settings are needed to properly protect against WiFi based attacks? (assume MITM is possible, and multiple client platforms are permitted)

Background Information

VPN-less RDP is common not only in branch offices, but is also frequently used with cloud-hosted servers. Given that RDP is the default mechanism to administer IaaS and PaaS solutions, I'm trying to estimate the probability that an untrained administrator may connect to these hosts without the necessary security controls in place.

I'm interested in information on how to properly configure a server and any additional software required for a PC, OSX, and possibly Linux.

makerofthings7

1 Answer

The old versions of RDP can do some encryption, but it is vulnerable to Man-in-the-Middle attacks for lack of validation of the server public key (older versions used weak encryption as well, or even no encryption at all except for sending the password).

Beginning with version 5.2 of the protocol, SSL/TLS can be used (the TLS traffic is encapsulated in the RDP-specific transport protocol), thus with a server certificate which the client can validate; this gives the needed protection against attackers, including MitM. The server must be Windows Server 2003 or more recent; as an RDP server, Windows XP cannot do that. However, the RDP client which comes with WinXP SP3 knows this protocol and can use it.

An alternative is Terminal Service Gateway, which is an extra service which reverts the structure: an SSL/TLS connection, on port 443, and inside it the RDP protocol. The TSG must be Windows 2008 or more recent. There again, the client in WinXP SP3 can use that.

Unfortunately, alternative clients for other operating systems, like rdesktop, do not support RDP 5.2 or TSG yet (if they do, I would love to hear about it). The Microsoft client exists for MacOS X (it comes with Office, it might be downloadable separately) but not for Linux. For proper security of RDP with multi-platform support, you will need a VPN.

Thomas Pornin

  • I know Wyse PocketCloud supports 256 bit encrypted RDP connections on Android and iOS in the Pro version. I don't know if they have a desktop version, but I would hazard that one must almost certainly exist from one of the vendors. In a truly desperate situation, you could run an Android emulation on Linux and use PocketCloud within it. – AJ Henderson Nov 28 '12 at 14:17
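The answer above describes the protocol-level fix (TLS with a validatable server certificate, so a downgrade to legacy RDP security is no longer possible); the question asks which settings achieve that on the server. The following is an added example, not from the original post or any of its participants, showing how those settings are applied to the default `RDP-Tcp` listener through the `Win32_TSGeneralSetting` WMI class on Windows Server 2008 or newer. It assumes an elevated PowerShell session on the Terminal Server itself and a server-authentication certificate already present in the `LocalMachine\My` store; `<CERT-THUMBPRINT>` is a placeholder for that certificate's thumbprint.

```powershell
# Added example: force the RDP-Tcp listener to TLS + NLA and bind a known certificate.
# Assumptions: default listener name 'RDP-Tcp'; certificate already installed in
# Cert:\LocalMachine\My; <CERT-THUMBPRINT> is a placeholder, not a real value.

$ns = 'root\cimv2\TerminalServices'
$listener = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"

# Record the current state before changing anything.
"Before: SecurityLayer=$($listener.SecurityLayer) UserAuth=$($listener.UserAuthenticationRequired) MinEnc=$($listener.MinEncryptionLevel)"
"Before: certificate SHA1 = $($listener.SSLCertificateSHA1Hash)"

# SecurityLayer: 0 = legacy RDP security (no server authentication: the MitM case),
#                1 = negotiate (a client that claims no TLS support gets layer 0),
#                2 = SSL/TLS only. Only 2 removes the downgrade path.
$null = $listener.SetSecurityLayer(2)

# Network Level Authentication (CredSSP): the user authenticates before a session
# is created, and clients that cannot validate the certificate are refused.
$null = $listener.SetUserAuthenticationRequired(1)

# MinEncryptionLevel: 3 = High (128-bit), 4 = FIPS. Redundant once TLS carries
# the stream, but it retires the 'Low' setting that old RDP allowed.
$null = $listener.SetEncryptionLevel(3)

# Replace the auto-generated self-signed certificate with one clients can validate
# (issued by an internal CA or pinned by thumbprint).
$thumbprint = '<CERT-THUMBPRINT>'
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }
Set-WmiInstance -Path $listener.__PATH `
    -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# Re-read the listener and fail loudly if the legacy layer is still reachable.
$check = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"
if ($check.SecurityLayer -ne 2 -or $check.UserAuthenticationRequired -ne 1) {
    throw "RDP listener still accepts the legacy security layer"
}
"After: SecurityLayer=$($check.SecurityLayer) UserAuth=$($check.UserAuthenticationRequired) cert=$($check.SSLCertificateSHA1Hash)"
```

The Remote Desktop service runs as NETWORK SERVICE, so that account needs read access to the certificate's private key or the listener silently falls back to a self-signed certificate; check the key's ACL if the bound thumbprint does not match after a restart. With `SecurityLayer` at 2, a client that only speaks the legacy security layer is rejected outright rather than negotiated down, which is the behaviour the answer relies on against a MitM.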