4

We don't run any Microsoft products natively in our office, but there are a few folks who use a Linux RDP client to access an application on remote virtual desktops with a service provider. Would it be worth the effort to tunnel the RDP through SSH, or should I not be too concerned?

We're currently using Remmina which in turn uses FreeDesktop (RDP version 6) with TLS.

Bryan Agee
  • 1,186
  • 1
  • 10
  • 17
  • Are you sure that SSH is necessarily the best option? E.g. RDP over SSL is a lot more common... Or consider a VPN. – AviD Aug 14 '11 at 23:49
  • 1
    Assuming that the provider can enable it on the server, SSH is fairly easy to implement on *nix clients. – Bryan Agee Aug 15 '11 at 18:56
  • So is SSL... and is your assumption validated? From the way you phrased the question, I assume the server is Windows-based - SSH is much less common there, SSL is built in... Is there a specific problem preventing using SSL on the *nix clients? There is a lot of guidance and experience around RDP over SSL... – AviD Aug 15 '11 at 19:02
  • I need to find out about server-side ssh capability; we are currently running RDP v6 over TLS, but want to know if it would be worth adding ssh. – Bryan Agee Aug 15 '11 at 19:10
  • 1
    Ah, see - that's a key bit of information there... You're actually asking about tunneling (RDP over) SSL over SSH, right? The fact that you already have SSL is missing from the question, and would probably change most answers... – AviD Aug 15 '11 at 19:40
  • Excellent point--I will edit accordingly. Thanks AviD! – Bryan Agee Aug 15 '11 at 20:06

3 Answers

8

Update: The question has, since it was originally posted, been edited to highlight one difference, namely that RDP v6 over TLS is used. While the answer may still be considered "okay", I must now argue that tunneling TLS over SSH is unnecessary due to a lack of relevant and likely threat scenarios - assuming correct configuration of TLS certificates etc.

In an ideal world security decisions should always be supported by data, factual and objective data. Determining whether or not it's "worth the effort" to tunnel RDP through SSH would be done by combining knowledge of known attacks, classification of the information accessed (from a confidentiality, integrity and availability perspective) and the "cost" of implementing countermeasures.

Fact - There are a number of issues with protocol versions < 6.0 of RDP, such as MiTM-attacks (weak authentication, as briefly described here).

While I'm not aware of any real attacks leveraging the above-mentioned vulnerability, one clearly can't exclude the possibility of that happening, or having happened. There are however a number of demonstrations scattered around the web illustrating how it could be exploited.

There are a number of things you need to figure out to make a "good" decision.

  1. "Sensitivity" of the information accessed
  2. The effort (time) of implementing the countermeasure (SSH-tunneling)
  3. Likelihood of someone intentionally targeting you to leverage the vulnerability to realize the threat. (Unfortunately very difficult, since data sharing of past incidents within the security community is few and far between!)

If the effort for tunneling the connection over SSH is not overly costly and time consuming it would be a reasonable countermeasure to use as it would mitigate the above threat entirely.

Glorfindel
  • 2,235
  • 6
  • 18
  • 30
Christoffer
  • 1,030
  • 1
  • 6
  • 14
  • 4
    There **are** free implementations of RDP 6.0+: http://www.freerdp.com/ the git version supports both network level authentication and TLS transport. – Hubert Kario Aug 14 '11 at 13:36
  • 1
    Ahh, excellent, I didn't know about that project, thanks for the heads up! – Christoffer Aug 14 '11 at 21:08
0

Locking down RDP might be a good idea. MS says RDP should be patched immediately

Bradley Kreider
  • 6,152
  • 2
  • 23
  • 36
0

Considering that SSH tunneling can be configured together with key files and ssh-agent (so you only have to decrypt your key once during a session), I'd say that it's obvious to configure it this way.

I'd suggest that using either network level authentication together with the http://www.freerdp.com client, SSH tunneling, or a VPN is the recommended minimum level of security.

Hubert Kario
  • 3,708
  • 3
  • 27
  • 34
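As an added example (not code from this thread, nor from FreeRDP or Remmina), here is a POSIX shell script that does what the answer above describes on a Linux client: the key is loaded into ssh-agent once, a loopback-bound local forward is opened to the RDP host through an SSH host, the RDP client is aimed at the forward with certificate verification still pinned to the real host name, and the tunnel is closed afterwards. The SSH host, user names, key path and the FreeRDP 2.x `/cert:name:` option syntax are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: an SSH-reachable host
# ("jump") that can reach the RDP host on tcp/3389, an ssh key, and FreeRDP.
set -eu

# ssh arguments for the forwarding session, printed one per line so they can
# be inspected without opening a connection.
#   -f -N                   background after the forward is up, no remote shell
#   -M -S <socket>          control socket, so the tunnel can be closed later
#   ExitOnForwardFailure    fail instead of silently running without the forward
#   BatchMode               key/agent auth only, never a password prompt
#   -L 127.0.0.1:...        listener bound to loopback; other LAN hosts cannot
#                           ride the tunnel
tunnel_args() {
  # $1 ssh user  $2 ssh host  $3 rdp host  $4 local port  $5 control socket
  printf '%s\n' -f -N -M -S "$5" \
    -o ExitOnForwardFailure=yes -o BatchMode=yes -o StrictHostKeyChecking=yes \
    -L "127.0.0.1:$4:$3:3389" "$1@$2"
}

# RDP client arguments. The TLS certificate names the real RDP host, not
# 127.0.0.1, so tell the client which name to verify rather than turning
# verification off (assumed FreeRDP 2.x syntax).
client_args() {
  # $1 local port  $2 rdp host  $3 rdp user
  printf '%s\n' "/v:127.0.0.1:$1" "/u:$3" /sec:tls "/cert:name:$2"
}

run_session() {
  ssh_user=$1 ssh_host=$2 rdp_host=$3 rdp_user=$4 key=$5 port=${6:-33389}
  ctl="${TMPDIR:-/tmp}/rdp-tunnel.$$"
  # Decrypt the key once per login session; later connections use the agent.
  ssh-add -l >/dev/null 2>&1 || eval "$(ssh-agent -s)" >/dev/null
  ssh-add -q "$key"
  # Word-splitting of the one-per-line argument lists is intended here.
  ssh $(tunnel_args "$ssh_user" "$ssh_host" "$rdp_host" "$port" "$ctl")
  # Close the tunnel when the client exits, however it exits.
  trap 'ssh -S "$ctl" -O exit "$ssh_user@$ssh_host" 2>/dev/null' EXIT
  xfreerdp $(client_args "$port" "$rdp_host" "$rdp_user")
}

# Usage: sh rdp-tunnel.sh alice jump.example.net desktop01 alice ~/.ssh/id_ed25519
[ $# -eq 0 ] || run_session "$@"
```

Remmina can be pointed at the same loopback endpoint (127.0.0.1:33389) instead of xfreerdp; the point is that nothing but 127.0.0.1 can reach the listener and the ssh command aborts rather than run without its forward.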