Ah, I misunderstood.

That capability is there - it's part of "network access control"; but I've 
never deployed it and I know next to nothing about it, I'm afraid.

________________________________________
From: Ben Scott [mailvor...@gmail.com]
Sent: Thursday, July 02, 2009 5:28 PM
To: NT System Admin Issues
Subject: Re: Terminal Services question

On Thu, Jul 2, 2009 at 3:54 PM, Michael B. Smith <mich...@owa.smithcons.com> wrote:
> RDP in Vista (and above) and Server 2008 (and above) provide the capability of
> TLS-encrypting the RDP sessions - built in.

  That's not what I was talking about.  I was talking about strong
authentication of the *client* -- in other words, the *client* needs
to have a trusted keypair ("certificate", in TLS-speak) for the server
to allow the connection.

  Microsoft's documentation makes it sound like you can have the
client authenticate the server with a TLS PKI, but there doesn't seem
to be any provision for authenticating the client to the server.

http://technet.microsoft.com/en-us/library/cc782610(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc786838(WS.10).aspx

  It's a common mistake to read "security" and think "transport
encryption".  Transport encryption gives you confidentiality.  PKI
gives you authentication.  They're not the same thing.
Confidentiality without authentication just protects against
eavesdropping, not impersonation.  Attackers can still guess
passwords, and then get in.  I just won't be able to sniff the
connection to see what the attackers are doing.

  Now, if RDP can also authenticate clients-to-servers via PKI, then
it would address this issue.

  However, it wouldn't address issues #2 (exposure) and #3 (defense in
depth) in my original message.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
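The distinction Ben draws above (transport encryption gives confidentiality, a PKI check of the client gives authentication) is the difference between a TLS server that merely has a certificate and one that is configured to require and verify one from the client. The program below is an added example written for this thread; it is not code from the original messages and has nothing to do with Microsoft's RDP implementation. It uses Go's standard library to build a constructed, in-memory PKI (a hypothetical toy CA, a server certificate and a client certificate, all generated at run time) and then dials a loopback server twice: once with only the CA trusted, which yields an encrypted and server-authenticated session that the server nevertheless refuses, and once presenting a CA-issued client certificate, which the server accepts. `tls.RequireAndVerifyClientCert` is the real Go setting that turns on the client-side check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert issues a throwaway certificate (parent == nil makes it the self-signed toy CA); it panics on failure because it is a test fixture, not production issuance code.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a constructed, in-memory PKI
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // the server is dialled by loopback IP
	}
	if parent == nil { // self-signed root: mark it as a CA and let it sign itself
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// tryConnect dials addr trusting pool for the server's certificate, optionally presenting clientCert, and reports whether the server let the session proceed past the handshake.
func tryConnect(addr string, pool *x509.CertPool, clientCert *tls.Certificate) bool {
	cfg := &tls.Config{RootCAs: pool}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false
	}
	defer conn.Close()
	// Under TLS 1.3 the server's verdict on the client certificate can arrive after Dial returns, so wait for the server's first application byte.
	_, err = conn.Read(make([]byte, 1))
	return err == nil
}

// demoClientAuth runs a loopback server that requires a CA-issued client certificate and connects twice; it returns (accepted without client cert, accepted with client cert).
func demoClientAuth() (bool, bool) {
	ca, caKey := newCert("toy-ca", nil, nil)
	srv, srvKey := newCert("server", ca, caKey)
	cli, cliKey := newCert("client", ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the authentication step; encryption alone never needs it
		ClientCAs:    pool,
	})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() { // serve one connection at a time; the demo dials sequentially
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			if c.(*tls.Conn).Handshake() == nil { // fails when the client cert is missing or untrusted
				c.Write([]byte("ok"))
			}
			c.Close()
		}
	}()
	anon := tryConnect(ln.Addr().String(), pool, nil)
	auth := tryConnect(ln.Addr().String(), pool, &tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey})
	return anon, auth
}

func main() {
	anon, auth := demoClientAuth()
	fmt.Printf("accepted without client cert: %v; accepted with CA-issued client cert: %v\n", anon, auth)
}
```

Run it with `go run`. The first dial is exactly the "confidentiality without authentication" case: the channel is encrypted and the client has verified the server against the CA, yet the server refuses it because nothing proves who the client is. Only the `ClientAuth`/`ClientCAs` pair on the server turns the PKI into a gate on the client, which is the capability Ben was asking about; note that the example deliberately leaves out the password layer, so it says nothing about the exposure and defense-in-depth points he raises separately.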