RDP issues
-
there is good and bad ways to skin the cat sure.. Why not just use the different ports on the outside to forward to the standard 3389 would be better way to skin that cat.
But to be honest that doesn't solve the base problem - security through obscurity is not security. Does not matter what port rdp is listening on.. Opening that to the public net is not really a secure option if you ask me.
-
there is good and bad ways to skin the cat sure.. Why not just use the different ports on the outside to forward to the standard 3389 would be better way to skin that cat.
But to be honest that doesn't solve the base problem - security through obscurity is not security. Does not matter what port rdp is listening on.. Opening that to the public net is not really a secure option if you ask me.
I agree
On the point of having the RDP on different ports within a lan setting, how do you prove it wasnt the admin logging in and rdp'ing onto a machine when the audits show it was the admin username and password used and no cctv exists in the office?
-
what would a service listening on a different port prove in that scenario?
-
what would a service listening on a different port prove in that scenario?
Hidden knowledge like a password can also apply to default ports.
As alot of hacking is done from within a company, if you have staff, permies or temps, with some knowledge of systems who like to poke around the network, then changing the default ports for RDP is one way to trip them up, especially if the RDP activity is never done in the main offices.
As admins get called into the main office to do all sorts of things on someone's computers like installing software which cant be pushed to the workstation, or other problems which involves an administrator password to make a change, its easier for passwords to be observed even when requested to look the other way plus theres other measures like the Infrared camera addon or using a special app on someone's phone to detect the sound and vibrations of keys pressed.
http://www.intego.com/mac-security-blog/iphone-case-atm-pins/
http://www.wired.com/2011/10/iphone-keylogger-spying/The 2nd link is a more common hack than you think considering the administrator username is on display which is enough to train some apps to work out the password, made easier if a problem keeps coming up which requires the admin to keep logging into a workstation and thus helps the app improve the probability of guessing the password. An even simpler method is just to have the phone on a stand to one side of the keyboard, appearing to be in sleep mode when its actually recording the keyboard.
Whilst you can audit software installed & other changes, and have trackers to record computer activity, if it shows the admin is logged in, then the admin must of done it, especially if they were on a coffee break or out to lunch or having a smoke. So if RDP activity is always done in the server room/IT dept, thats a bit of hidden knowledge which can be used to trip some internal hackers up, as they would potentially try a default port like 3389 instead of another one, likewise bots that port scan would need to investigate each open port on a network to figure out whats really behind it assuming it doesnt get picked up by network monitoring.
Just like no AV can find 100% of viruses as you can see here https://www.shadowserver.org/wiki/pmwiki.php/AV/VirusDailyStats, where theres a will theres a way. All AV software has a fundamental design flaw which is frequently exploited.
-
Why would users machines even be able to access something they don't have access to via RDP??
Can't "hack" into something with the username/password if they don't have access to even get there.. If rdp is used for admin, then only admin machines should have access. If admin walked away from his desk and did not lock his machine, or guess they know what the admins password is they could just unlock it.
Pretty sure his rdp session WITH odd ball port is saved on his past connections, etc..
So let me guess you think hiding your SSIDs is good security practice too?
-
I think we need to agree to disagree then.
-
Clearly I have no problems in disagreeing with your statements ;)
Changing your standard ports for services to non standard is simple attempt at obscurity, and as we all know security through obscurity is not security.. This is security 101
How does NIST state it – oh yeah "System security should not depend on the secrecy of the implementation or its components."
If your doing it to say keep your logs a bit cleaner from the bots hitting your port on the outside ok.. But it is not a valid security measure. And would seem completely pointless on the inside.. And could even lead to problems.. Hey can you get into that server in that remote DC, billy quit and we have the username and passwords but RDP is not coming up ;)
-
It could be argued that the single, correct AES256 key in use is simply obscure in a sea of 2^256 possibilities but I digress…
-
hehe –- that is a valid point Derelict, valid point ;)
-
Clearly I have no problems in disagreeing with your statements ;)
Changing your standard ports for services to non standard is simple attempt at obscurity, and as we all know security through obscurity is not security.. This is security 101
How does NIST state it – oh yeah "System security should not depend on the secrecy of the implementation or its components."
What gives you the impression it was an attempt at security through obscurity?
-
You are literally obscuring the standard port number for common services by moving it to a different location. It will trick a lot of dumb scans that happen constantly on the Internet but it won't stop a scanner dedicated to finding remote access servers (RDP, SSH, VNC etc) no matter which port they're listening on. It doesn't take a lot of time to parallel-scan huge swathes of port space per IP address when you have many computers at your command.
-
So let me guess you think hiding your SSIDs is good security practice too?
… think hiding your SSIDs is good
securitypractice? Yes. -
@KOM:
You are literally obscuring the standard port number for common services by moving it to a different location. It will trick a lot of dumb scans that happen constantly on the Internet but it won't stop a scanner dedicated to finding remote access servers (RDP, SSH, VNC etc) no matter which port they're listening on. It doesn't take a lot of time to parallel-scan huge swathes of port space per IP address when you have many computers at your command.
I think we are talking cross purposes here.
In my original post I do state
https://forum.pfsense.org/index.php?topic=97868.msg545715#msg545715
"although vpn is still preferred route.
"In fact I've said the same thing in a rehashed way right here.
https://forum.pfsense.org/index.php?topic=94177.msg526779#msg526779
"If you want to hide the fact you have (multiple) port forwards setup for RDP on the internet, setup OpenVPN on another ip address range to get you inside the lan, then change your pfsense portwards from wan to openvpn. The less you expose wan side the better imo.
"In this post from this thread https://forum.pfsense.org/index.php?topic=97868.msg546006#msg546006
"On the point of having the RDP on different ports within a lan setting, how do you prove it wasnt the admin logging in and rdp'ing onto a machine when the audits show it was the admin username and password used and no cctv exists in the office?"its a different scenario now, just focusing on lan, dont care about wan which is what I think some of you havent let go of, but the premise is that having non default RDP ports lanside can be used to trip someone up who makes assumptions about the lan whilst only being in possession of the admin username & pwd from their workstation.
We know its a windows workstation and others exist as thats why we are using RDP, instead of say VNC, Teamview, Goto, etc etc. Trip doesnt stop people getting to their destination, but it can be useful for showing up anomalies where hidden knowledge is not known to the right people.
So can you answer the question?
If you need to clarify anything more about the lan setup, whats running and whats not, just ask. ;)
-
So let me guess you think hiding your SSIDs is good security practice too?
… think hiding your SSIDs is good
securitypractice? Yes.I dont like any 2.4GHz frequencies full stop, 900Mhz is better especially when considering an antenna 15metres up has a maximum coverage radius of upto 50Km making it ideal for mesh networks, and tends to be unlicenced in many countries around the world.
-
What does 900Mhz has to do with not broadcasting ssid? So you think its a good practice not to broadcast it? rolleyes..
-
What does 900Mhz has to do with not broadcasting ssid? So you think its a good practice not to broadcast it? rolleyes..
I dont use wifi full stop, sure not broadcasting the SSID can make it a little harder for others to spot who dont have things like air crack, but I just dont like that frequency so I dont use it. Besides theres also this.
https://decorrespondent.nl/1101/What-we-give-away-when-we-log-on-to-a-public-Wi-Fi-network/31040493-53737dbaNow 900Mhz is a different frequency all together with totally different properties and is one I do like for mesh networks, but like any over the air network, always encrypt and its also why SETI could ultimately fail when considering advanced intelligent lifeforms may use fibre, copper or laser line of sight communications amongst other communication carrier methods, to reduce the ability of eavesdroppers even though there is still radial beam divergence with some lasers which could potentially enable an eavesdropper.
-
Now 900Mhz is a different frequency all together with totally different properties…, but like any over the air network, always encrypt and its also why SETI could ultimately fail when considering advanced intelligent lifeforms may use fibre, copper or laser line of sight communications amongst other communication carrier methods, to reduce the ability of eavesdroppers even though there is still radial beam divergence with some lasers which could potentially enable an eavesdropper
You win. :D
-
"sure not broadcasting the SSID can make it a little harder for others to spot who dont have things like air crack,"
huh? You know who it makes it harder on - the users of said network, like your buddy that is over and wants to connect to your wifi network that your giving him the creds to do.
Who else, yeah grandma across the street prob wont see it on her phone. As to everyone else, not so much the broadcast of the SSID is only 1 out of 5 different thinks that broadcast the SSID. Probe responses contain the ssid, associations requests, re-associations requests and probe requests all contain the SSID. So you turning of beacon is not hiding anything from anyone..
You sure do not need aircrack to find the SSID of network that is not sending out beacons. There are many point and click tools that any user barely able to use google could run that will give show them the SSID from these other methods of finding it. Easy free one off the top of my head is https://www.acrylicwifi.com/en/wlan-software/wlan-scanner-acrylic-wifi-free/
So your tinfoil hat is on so tight you don't use a tablet or laptop in your own home?? WTF??
-
So your tinfoil hat is on so tight you don't use a tablet or laptop in your own home?? WTF??
Got the song as well. https://www.youtube.com/watch?v=wFNO2sSW-mU ;D
Of course there are other reasons why I dont use wifi which you havent mentioned, but I'll let you find them out in due course if so inclined. :)
-
thank you
