Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Microsoft: RDP Vulnerability Should Be Patched Immediately

Soulskill posted more than 2 years ago | from the barn-doors-and-horses dept.

Cloud 126

wiredmikey writes "Microsoft is urging organizations to apply the sole critical update in this month's Patch Tuesday release as soon as possible. The critical bulletin – one of six security bulletins issued as part of Tuesday's release – addresses two vulnerabilities in the Remote Desktop Protocol (RDP). Those IT admins who use RDP to manage their machines over the internet, which is essentially the default in cloud-based installations such as Amazon's AWS, need to patch as quickly as possible, said Qualys CTO Wolfgang Kandek. Besides the RDP bugs, this month's Patch Tuesday addressed five other vulnerabilities: two denial-of-service bugs and an escalation of privileges issue in Microsoft Windows; a remote code execution vulnerability in Microsoft Expression Design; and an escalation of privileges issue in Microsoft Visual Studio."

cancel ×

126 comments

Sorry! There are no comments related to the filter you selected.

Not worrying (-1, Flamebait)

hcs_$reboot (1536101) | more than 2 years ago | (#39349385)

I'm feeling well. I'm on Linode (Linux). Not a flamebait. It could happen to Linux as well. But it doesn't.

Re:Not worrying (1)

Anonymous Coward | more than 2 years ago | (#39349447)

Safe, unless you are running bitcoin operations there.

Re:Not worrying (3, Funny)

hcs_$reboot (1536101) | more than 2 years ago | (#39349583)

Ok, so there are some weaknesses / bugs and patches to be applied to Linux. There are, there were, and there will be. Always. But are we on the same scale here? We are talking about a remote administration GUI security hole ; that nice graphics and windows based environment that allows almost any brainless geek to damage the system from any angle, visually, like a game.

Re:Not worrying (2)

philip.paradis (2580427) | more than 2 years ago | (#39349597)

I believe the GP was referring to this story [slashdot.org] .

Re:Not worrying (2, Insightful)

Anonymous Coward | more than 2 years ago | (#39349637)

And having a vulnerability in a GUI (RDP) protocol is somehow worse than having vulnerabilities in SSH how exactly?

Re:Not worrying (4, Funny)

TheInternetGuy (2006682) | more than 2 years ago | (#39349671)

And having a vulnerability in a GUI (RDP) protocol is somehow worse than having vulnerabilities in SSH how exactly?

Any fool can use the GUI, but with SSH at least you can be sure that you are being hacked and exploited by a fellow geek.

Re:Not worrying (1)

Anonymous Coward | more than 2 years ago | (#39349889)

Is this sarcastic or is this somehow really supposed to be reassuring?

You do know that they have point-and-click exploit kits, right? Ever heard of the term 'script kiddie'? Countless UNIX vulnerabilities have been packaged up into various graphical tools that non-experts can use to take advantage of vulnerable systems.

Re:Not worrying (0)

Anonymous Coward | more than 2 years ago | (#39350713)

Script kiddie? You mean most so-called IS/IT security analysts after about 1995 or so?

Re:Not worrying (1)

jaymemaurice (2024752) | more than 2 years ago | (#39350605)

The worst thing about SSH vunerabilty exploits is you can sucessfully issue a batch of commands rooting the box... and even make ssh tunnels to remote resources like printers and DVRs and root them too... at least with an RDP exploit, its a PITA to script a large scale attack.

Re:Not worrying (2, Funny)

SuricouRaven (1897204) | more than 2 years ago | (#39350857)

Windows: So awkward to use, even the hackers will get mired in in the GUI.

Re:Not worrying (4, Informative)

bertok (226922) | more than 2 years ago | (#39349505)

It could happen to Linux as well. But it doesn't.

Linux does have comparable remote-access protocols to RDP, all of which have had plenty of remote exploits in past. For example have a look at CERT advisories on SSH [google.com] and X11 [google.com] . Don't even get me started on VNC, which is often not updated automatically because it's an installable add-on instead of a system component.

Re:Not worrying (1)

Anonymous Coward | more than 2 years ago | (#39349563)

I've had trouble with a VNC bug in the past. I was using a boot CD to copy Windows security updates so I wouldn't have to hook up the unsecured freshly installed Windows to the net, and suddenly the mouse started moving in a very mechanical fashion and it started to type (exactly one character per second) a command which was obviously intended to go into a console window (but fortunately ended up in an open text document). I pulled out the ethernet cable to get my mouse and keyboard back and killed the VNC daemon; that solved the problem, but it was still freaky.

Re:Not worrying (-1, Troll)

hcs_$reboot (1536101) | more than 2 years ago | (#39349569)

Yes, but Linux people are used to SSH and text based commands, at least for servers. What I mean is that Linux admins are much less used to / tempted to enjoy the luxury of a windowed environment to perform the administration of their servers, than Windows admins who learn from day 1 that administration goes through the nice and easy to understand GUI. I'm happy with a restricted SSH access, and this is not likely to change soon.

Re:Not worrying (1)

Anonymous Coward | more than 2 years ago | (#39349595)

WTF does SSH vs. GUI have to do with security? If anything, once exploited SSH would be less secure, because its easier to inject commands into a command prompt than it is to automate a GUI.

Re:Not worrying (1)

bloodhawk (813939) | more than 2 years ago | (#39349611)

???? and what the hell does a CLI vs GUI have to do with security in this case?

Re:Not worrying (1, Funny)

hcs_$reboot (1536101) | more than 2 years ago | (#39349655)

RDP [wikipedia.org] is a GUI, SSH (for instance) is not. From wiki:

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to another computer

Don't you think it is easier to hack a computer from a windowed based tool where you see the menus and all, than from an austere text based prompt?

Re:Not worrying (4, Insightful)

lucm (889690) | more than 2 years ago | (#39349701)

RDP [wikipedia.org] is a GUI, SSH (for instance) is not. From wiki:

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to another computer

Don't you think it is easier to hack a computer from a windowed based tool where you see the menus and all, than from an austere text based prompt?

I would suspect that someone who has the skill set required to "hack a computer" would not be slowed down much in his mischievous activity by an austere text based prompt..

Re:Not worrying (1)

water-and-sewer (612923) | more than 2 years ago | (#39351261)

Although they might get gummed up by the new ribbon interface in the menus. "Dammit, where did that button go?"

Re:Not worrying (1)

jd2112 (1535857) | more than 2 years ago | (#39351805)

Windows 8: Security through "where the hell did the Start menu go?"

Re:Not worrying (0)

Anonymous Coward | more than 2 years ago | (#39349799)

No, I don't think it is easier. Why do you think windows and menus make things any more hackable?

Re:Not worrying (2)

lucm (889690) | more than 2 years ago | (#39349913)

No, I don't think it is easier. Why do you think windows and menus make things any more hackable?

I know: someone using WinRunner or AutoHotKey could do brute-force hacking on a GUI!

This is brilliant, I must immediately check IRC (or Experts-Exchange) to see if there are scripts available to do that.

Re:Not worrying (0, Troll)

flyingfsck (986395) | more than 2 years ago | (#39349805)

Microsoft bought RDP from Citrix. Microsoft doesn't develop software, they buy/steal and redistribute it. For example Internet Explorer and Stax...

Re:Not worrying (3, Informative)

qu33ksilver (2567983) | more than 2 years ago | (#39350133)

Actually you are wrong. I am from Citrix so I know, RDP is developed by Microsoft, Citrix has its own proprietary protocol called ICA(Independant Computing Architecture) which is just a wrapper around RDP. Its true that RDP came from WinFrame which was a Citrix product but you are wrong in saying that Microsoft bought RDP from Citrix.

Re:Not worrying (2)

Richard_at_work (517087) | more than 2 years ago | (#39350591)

Microsoft developed the original RDP technologies (before someone jumps in, not *all* RDP tech, just the ones involved in this timeline), and sold it off to Citrix, who dramatically improved it. MS then licensed it back from Citrix as an independent product and included it into Windows.

Re:Not worrying (1)

Collapsing Empire (1268240) | more than 2 years ago | (#39349943)

Wow. Just wow.

Please don't tell me you're in any way shape or form responsible for IT security.

I hope you understand that graphical exploit kits do exist that target UNIX systems. This commenter [slashdot.org] pointed it out.

An attacker who knows what he is doing will attack both Windows and UNIX systems. One that doesn't will just use a tool that a skilled person wrote to "point and click" his way into a box regardless of what OS it is running.

Re:Not worrying (2)

leenks (906881) | more than 2 years ago | (#39350101)

The vulnerability is in the protocol, not that it is a remote GUI protocol. The fact it is a gui protocol is moot in this case - the attack allows someone (using a terminal, a gui, whatever) to send crafted packets to the RDP service (note, service) on a Windows machine that may allow them to run arbitrary code remotely, in just the same way that someone (using a terminal, a gui, whatever - see the consistency here?) to send crafted packets to XYZ service (note service) on a Linux/BSD/whatever machine that may allow them to run arbitrary code remotely.

The nice thing with this attack failed attempts supposedly result in a BSOD too :-)

Re:Not worrying (2)

Millennium (2451) | more than 2 years ago | (#39350269)

Don't you think it is easier to hack a computer from a windowed based tool where you see the menus and all, than from an austere text based prompt?

Only to the extent that GUIs are easier to use in general. They are not inherently more hackable than text prompts: text may give you a little extra obscurity, but that's not something that should be relied on in a security context.

Re:Not worrying (2)

bertok (226922) | more than 2 years ago | (#39349641)

Nothing stops you from using Windows Remote Management [microsoft.com] to do exactly the same thing with Windows.

Re:Not worrying (0)

Anonymous Coward | more than 2 years ago | (#39351287)

Seems to have a lot more dependencies than SSH.

You basically need the admin to set up so many things correctly (so that stuff works) AND at the same time not secure it properly so that you can pwn them.

Re:Not worrying (1)

slashgrim (1247284) | more than 2 years ago | (#39352587)

Nothing stops you from using Windows Remote Management [microsoft.com] to do exactly the same thing with Windows.

Windows applications may support a subset of remote management, but unfortunately there is often the case that one needs a desktop application to fully configure an app. On Linux the default is text file configs modifiable via CLI, whereas Windows' applications _expect_ you to have a GUI. Until that expectation changes, RDP will be the most powerful remote management available on Windows.

Re:Not worrying (2)

X.25 (255792) | more than 2 years ago | (#39350957)

Linux does have comparable remote-access protocols to RDP, all of which have had plenty of remote exploits in past. For example have a look at CERT advisories on SSH and X11. Don't even get me started on VNC, which is often not updated automatically because it's an installable add-on instead of a system component.

You didn't get a chance to look at years on those advisories, eh?

In year 2002 everything was vulnerable. Literally.

In year 2012, one would expect that such critical component like RDP would be audited 100 times by Microsoft. Seemingly not.

Re:Not worrying (1)

hobarrera (2008506) | more than 2 years ago | (#39353417)

Anyone who cares about security, would use vnc over SSH, and properly configure SSH as well.

Re:Not worrying (3, Insightful)

nzac (1822298) | more than 2 years ago | (#39349509)

I think all of those have happened in Linux at some stage, with the exception of privilege escalation exploits in an IDE.
It just happens less and the number of exploits is reduced due to rapid updates, on average much better admin and version fragmentation from different distros.

Re:Not worrying (0)

Anonymous Coward | more than 2 years ago | (#39349511)

What do you mean it "COULD" happen to linux. don't you follow the latest patch releases. IT DOES happen to linux every month as well, or did you think those patches we download and install every month are just for the fun of it?

Re:Not worrying (1)

hcs_$reboot (1536101) | more than 2 years ago | (#39349609)

It's not the same thing. The problem is the tool in the first place. A GUI to perform admin of a remote server is dangerous. It makes the tool usable to a larger audience. Windows people are used to windowed environment. That has always been the case (at least in the 2000s). This makes the administration more comfortable, and easy to perform. When you don't know what to do, go through the menus and find what you need. That system has some drawbacks - the RDP problem is part of the price to pay.

Re:Not worrying (2)

jaymemaurice (2024752) | more than 2 years ago | (#39349653)

So you are trying to tell me a system where many admins cannot write firewall rules and file ACLs is better then a system with a GUI for the same?

Windows has all the same security functions linux does and then some and can be made to be highly secure. It also has a command line that is more useful then the majority of inexperienced know. Admins who don't know how to/or care to maintain some of their systems exist on both camps. It is not the tool.

What you are saying is the same as saying impact wrenches are bad tools for mechanics because they are easy to use and strip bolts and all mechanics should all use torque wrenches instead.

Re:Not worrying (1)

hcs_$reboot (1536101) | more than 2 years ago | (#39349729)

a system where many admins cannot write firewall rules and file ACLs is better then a system with a GUI for the same

Fortunately, "admins" who don't understand iptables or chmod (there are graphical aides anyway) are usually using something else, like Windows. I'm not saying Linux is safer, always and forever, I'm saying the way Linux is to be apprehended makes it more likely to be operated by skilled professionals. There are of course brilliant people Windows side, and both systems complexity is similar, but the thing is that the GUI layer makes it accessible to more people who think they understand the system since the graphical tool is visually convenient. It's like Javascript and C/C++. Some people program in Javascript - more accessible since the interpreter takes care of many things - and only know JS. They think they master programming. Do they? I don't think so - at least most of them.

Re:Not worrying (0)

jaymemaurice (2024752) | more than 2 years ago | (#39349825)

I know you are not correct in that many web developers who develop on Linux try and maintain the equipment on their own. What they previously did on Windows they can no longer do. Linux is mainstream now and you no longer need to have any intelligence to run a LAMP server... and many of them run linux because they feel it makes them seem more "elite" then the windows server users they once were. Sadly, they install the complete CD with compiler and all and don't do the updates because they can't resolve the dependancy hell of their distribution.

Re:Not worrying (1)

dwywit (1109409) | more than 2 years ago | (#39350337)

+1 Testify, Brother! Too many non-windows admins IMHO have little idea of the capabilities of Powershell

Re:Not worrying (-1)

Anonymous Coward | more than 2 years ago | (#39351653)

Windows has all the same security functions linux does...

Educate yourself before making silly statements such as this.

The average Windows admin is a clickie-clickie fool who doesn't understand the why's... they just know how to clickie-clickie. That's why they're $15 an hour and you can throw a rock and hit one almost anywhere... it's something you can get "certified" on with little knowledge or expertise. A joke, really, to the industry. And an insult to competent admins everywhere.

You want a car analogy? It's like bringing your brand-new bike to a race -- training wheels and all -- and the ensuing raucous laughter you will be subjected to because you're too green to understand there's a whole larger world you're missing.

Re:Not worrying (1)

toadlife (301863) | more than 2 years ago | (#39352901)

Now that your screed is over, would you care to address the actual statement you replied to; that Windows has the same security functions Linux does?

Re:Not worrying (0)

Anonymous Coward | more than 2 years ago | (#39349687)

We are talking about people using exploits to abuse a protocol bug, whether it is a command line or a gui is irrelevant (regardless of how much I hate GUI based management). All a CLI offers is a little more obscurity and if that is something you think helps you during vulnerability exploits then step right this way I also have a bridge to sell you.

Re:Not worrying (0)

hcs_$reboot (1536101) | more than 2 years ago | (#39349807)

Ok, so let's take the problem from another angle: an admin installs a GUI to perform administration of his high value system from the Internet. Yes, the hack requires some strong knowledge, I must agree. But an admin who decides to install such convenient graphical tool is wrong in the first place. Such a RDP protocol is obviously more complex than a simple ssh, and is more likely to get cracked. What I'm trying to say, and this is the real problem, is that Windows admins are so used to GUIs that they miss other more secure alternatives. You said you hate GUI based management. The regular Windows admins hate the console based management.

Re:Not worrying (1)

zyzko (6739) | more than 2 years ago | (#39350621)

SSH has had several bugs - both design flaws and implementation flaws. Heck, even things like ntp servers have been exploited. Ssh is in no way "simple" (though it has been getting better at not having remote code execution flaws) and it can be misconfigured and used in very creative ways.

The "hate" here seems to be that it is actually possible to administer Windows conveniently using RDP and that there is something inherently wrong with that. Administering IT systems should not be black magic done in deep dungeons where mere mortals can't enter. Sure, it is wise to implement policies so that people are not going to easily screw up. GUI doesn't make any administration more secure on less secure, you can fail in unthinkable ways with or without gui tools...

By the way, X11 predates RDP and running graphical programs over network on UNIX machines has been common (including administration tools).

And btw, I do systems administration - on Linux and using console (and a few graphical tools like firefall builder) and on Windows using RDP to do stuff that is easily handled through GUI (one-time settings etc.) and through Powershell when automation is needed or tasks that would be hard or impossible in GUI. And I do not see my RDP usage no more a security risk than running ssh is (both environments have defined security policies with access rules / control, roles are used to separate privileges and users are not given unneeded privileges). I am screwed if my internet-facing sshd implementation has remote root exploit, as I am with RDP server. Or Apache. Or PostgreSQL.

Re:Not worrying (-1)

Anonymous Coward | more than 2 years ago | (#39349533)

I'm feeling well. I don't own a computer. Not an irrelevant comment. It could happen if i bought a computer. But I won't.

Re:Not worrying (1)

bloodhawk (813939) | more than 2 years ago | (#39349577)

Me thinks you need to do a little more research before posting. CERT or maybe secunia may be enlightening for you.

Re:Not worrying (1)

Tuan121 (1715852) | more than 2 years ago | (#39350461)

How insightful. I'd never have imagined to see a comment like this on Slashdot, thanks for contributing to the discussion!

Re:Not worrying (1)

hcs_$reboot (1536101) | more than 2 years ago | (#39352151)

I'd never have imagined to see a comment like this on Slashdot

You must be kidding, or you must be new, or you must suffer from the Memento syndrom. There are plenty of posts like this one. They're usually from AC, and don't survive in the >-1 universe more than a couple of minutes. Or maybe you were looking after some karma? My post being an easy target, and you expected some recognition from your criticism, like the schoolboy proud to blame another student in front of the teacher, for something the teacher disapproves. Frankly, after a few hours of work, I look back at it and I agree that it may sound plain stupid. Or maybe because some readers took it that literally, I feel sad. My post was funnier than insightful. Or maybe more interesting than funny. Or, even, more informative than interesting. Because I still believe what I said, not meaning any flamebait or whatever. I have been a long time, and still am, in the computers business, and I meet, interview and work with IT people in different companies, various countries. I see how they behave. I see how they perform, and take a guess on how they will perform. There is a difference between the staff used to Windows and the staff used to Unix (same position). I'm not saying one is more clever than this other. Certainly not. I just believe that the Linux/Unix staff - I mean in companies, not the student at home - is usually more opened to different systems (including Windows) than the Windows staff. That "openess" allow them to find solutions either in engineering or in development faster and usually better. This is actually a general rule. The more you see/travel/visit/meet/eat/read/learn, the more likely you are to find interesting alternatives to a given "idea/problem". A neural network needs a lot of various information to be performant. Some Unix people go work on Windows, and they produce a valuable output. But the majority of the Windows staff has never worked on a Unix based OS. My post was establishing the base for that: Windows people are usually less keen to work on Unix, than Unix people on Windows. Yes, some Unix geeks are reluctant to work on Windows. But they could. Many of the Windows staff cannot (or don't want to) stand in front of a console, or have to deal with the network interfaces file, or the iptables. Why deal with iptables when a GUI does it for you? Right. Agreed. And the GUI is less likely to make a mistake (iptables is pretty complex after all). But someones who makes the effort of understanding iptables will stand better in front of other technical problems. This is merely an observation. You can take that the positive side: Windows people prefer a clean and nicely made GUI.

Re:Not worrying (1)

Ihmhi (1206036) | more than 2 years ago | (#39350525)

Well, it's honestly not worth finding exploits for Linode or most other forms of Linux. (Not a flamebait.) Why bother trying to break into the computers of less than 1% of people.

(See, others can do it too!)

Can we get a "Macs don't get viruses!" guy to chime in? And maybe someone from Amiga or BSD?

Re:Not worrying (0)

Anonymous Coward | more than 2 years ago | (#39350615)

Yeah, except for linode divulging the master admin password. That's a pretty awesome VPS provider you have there.

Re:Not worrying (0)

hairyfeet (841228) | more than 2 years ago | (#39350701)

Insightful? For what? bragging your on an OS lower than the margin for error and therefor not worth a criminal's time. hey you should brag you are on OS/2, I bet it ain't needed a single patch in years! Meanwhile you can enjoy such fun recreational activities as 1.-hunting for fixes on forums every 6 months when the latest update deathmarch craps on 1 or more of your drivers, 2.- Having such wonderful documentation that is at best just a pile of CLI use flags, at worse a 'todo" file, 3.-having an "OS" that is just a hodge podge of programs written by a bunch of groups that have nothing to do with each other, so some follow Windows conventions, some mac, and some unix, 4.- having such wonderful QA that Dell has to run their own repos [theinquirer.net] just to keep the OS from going "LOL I made a stinky!" on itself and killing the wireless, need i go on?

As for your much vaunted security? might want to look at some things, ready?

Get ready, here [secunia.com] they [secunia.com] come! [secunia.com] BTW if you'd like a little more food for thought, what OS was 3 of the 4 CAs running that were compromised? take [netcraft.com] a look [netcraft.com] and see [netcraft.com] . Maybe they just had bad configs? Surely someone with knowledge would be safe right? Guess again [slashdot.org] and its not a fluke [slashdot.org] by any means [theregister.co.uk] .

Quick... (-1, Flamebait)

davester666 (731373) | more than 2 years ago | (#39349393)

Somebody finally fix the root of the problem and hack Microsoft's server to push out a Linux iso...

Re:Quick... (0)

Anonymous Coward | more than 2 years ago | (#39349487)

Right, so the average user gets treated to a random text based or any installer at boot and says "Hmm, never done that before...better throw it out and get one of those new Windows 8 computers!"

captcha: bricks
yes, bricks. what people will think of their computers after you put linux on it.
that's not an insult to linux...just most people don't even know it exists or wtf to do with it.

Re:Quick... (1)

hcs_$reboot (1536101) | more than 2 years ago | (#39349539)

just most people don't even know it exists or wtf to do with it

TFA is about admin management through RDP - not the lambda user around. Allowing a SSH (via a simple user) to connect to a server, and allow some text-based administration from the specialists is one thing, opening a GUI remote administration tool with menus and all that give hints on the howtos mess up with the machine is something else.

Re:Quick... (1)

philip.paradis (2580427) | more than 2 years ago | (#39349669)

Speaking as someone who's been doing this for fifteen years, your grasp of information security is appallingly bad. I operate a sizable deployment comprised of Linux, *BSD, and Mac systems. Judging by your last few posts, I sincerely hope you are not employed in a role where any of your duties are closely aligned with the protection of information assets.

Re:Quick... (1)

lucm (889690) | more than 2 years ago | (#39349739)

Somebody finally fix the root of the problem and hack Microsoft's server to push out a Linux iso...

But if someone does hack the Microsoft server (I'm sure they have only one) and install Linux, Windows will disappear and wannabe geeks will have to find another easy target for their wannabe bashing

Re:Quick... (0)

Anonymous Coward | more than 2 years ago | (#39349783)

Who cares? I'm a over-smug Mac user!

RDP is Worthless (-1)

Anonymous Coward | more than 2 years ago | (#39349437)

Who are all these admins doing stuff over RDP and why are they still employed? I've seen these installations myself but I simply cannot believe it. It's so dumb that it boggles the mind. Why would I need to login to a full display server to remotely administrate... anything? Oh, unless I'm on Windows where some applications cannot be used without the GUI. Lol. This is so pathetic. If you simply must use a GUI, just tunnel an X client over SSH and never worry about applying patches again- oh but wait, I forgot again that we're on Windows so you can't do that. Why anyone would rely on this backwards, insecure, cumbersome, and ultimately counter-productive bullshit is completely beyond me.

Re:RDP is Worthless (1)

Anonymous Coward | more than 2 years ago | (#39349481)

I've had a time or two at work where a remote admin needed desktop access to see what was wrong and correct it. Granted, if it were the linux box next to it they could have just SSH'd into it.

Re:RDP is Worthless (5, Insightful)

DigiShaman (671371) | more than 2 years ago | (#39349619)

WOW! Are you detached from reality. Microsoft products are used because of market share and industry momentum. Bitch all you want about design and implementation, but the world isn't going to stop and replace everything with Linux/Unix as though it was some grand Moon Shot program. It will not happen. Get over it.

Re:RDP is Worthless (-1)

Anonymous Coward | more than 2 years ago | (#39349695)

Durrr yuh think? Great job retard, you figured it out. Of course it's because of market share. Yes I'm seriously proposing everyone switch to Linux overnight. Holy fucking crap, are you Steve Ballmer? I'm sorry your software is so shitty and Linux/Unix dominates market share everywhere but the desktop. Lol get over yourself dude.

Re:RDP is Worthless (0)

Anonymous Coward | more than 2 years ago | (#39349769)

Technology conforms to organizations and businesses, not the other way around. CLI has proven to suck absolute balls in consumer markets. It's why the GUI is so popular. People are *gasp* visual creatures.

Re:RDP is Worthless (1)

dwywit (1109409) | more than 2 years ago | (#39350375)

Cheap (free), secure, easy. Pick 2.

Re:RDP is Worthless (1)

KiloByte (825081) | more than 2 years ago | (#39350425)

Then why did you pick only 0.5 for Windows?

Re:RDP is Worthless (1)

ka9dgx (72702) | more than 2 years ago | (#39350905)

Cheap, Secure, Easy, not Vaporware, pick any 2... ;-)

Capability based security systems could give cheap, secure, easy... but they are definitely vaporware at this point in time.

Re:RDP is Worthless (1)

dwywit (1109409) | more than 2 years ago | (#39350403)

Linux and its applications only dominate ANYWHERE because they're cheap/free. Granted, they work well enough for the market they're aimed at, but there's a lot more to the IT world than the internet.

Re:RDP is Worthless (1)

StuartHankins (1020819) | more than 2 years ago | (#39351841)

Linux and its applications only dominate ANYWHERE because they're cheap/free

False. Many of us use Linux / UNIX for workloads and tasks that Windows won't run at all, or that run significantly slower using Windows. Scalability, downtime prevention, and consistent operation is unparalleled in the mainframe / mini segment which is *nix territory -- not Windows.

We spend a lot of money annually to keep our Linux systems supported, both from an employee cost as well as support / upgrades from the vendor, so I can assure you we haven't made this choice because it's cheaper software-wise. It's cheaper because we can do more with smaller systems, we have less downtime, and we spend less time tuning and maintaining Linux systems than we did using Windows.

Re:RDP is Worthless (5, Insightful)

lucm (889690) | more than 2 years ago | (#39349827)

Who are all these admins doing stuff over RDP and why are they still employed? I've seen these installations myself but I simply cannot believe it. It's so dumb that it boggles the mind. Why would I need to login to a full display server to remotely administrate... anything? Oh, unless I'm on Windows where some applications cannot be used without the GUI. Lol. This is so pathetic. If you simply must use a GUI, just tunnel an X client over SSH and never worry about applying patches again- oh but wait, I forgot again that we're on Windows so you can't do that. Why anyone would rely on this backwards, insecure, cumbersome, and ultimately counter-productive bullshit is completely beyond me.

The dangerous people are not the admins that are using RDP. The dangerous people are the idiots that think that because they use an X client over SSH they don't have to worry about applying patches again.

So it does not surprise me that the fact that people rely on technologies that you don't understand is completely beyond you. Once you get real work experience, other than maintaining that FTP server for a non-profit or that Drupal server for Uncle Bob's tackle and bait shop, we can have this discussion again.

Re:RDP is Worthless (0)

Anonymous Coward | more than 2 years ago | (#39351241)

There are applications (XServers) for windows that will allow you to do the X11 over SSH just fine.. sorry to burst your bubble...

Re:RDP is Worthless (1)

HideyoshiJP (1392619) | more than 2 years ago | (#39352137)

You don't. You use MMC or some custom vendor console (native and/or web). RDP is really only for special cases.

I still don't get it (-1, Troll)

Anonymous Coward | more than 2 years ago | (#39349461)

Why do companies keep purchasing and spending thousands of dollars to an operating system that obviously isn't secure, while Linux is stable, free, open and has become easier to use thanks to a plethora of GUIs.

Re:I still don't get it (1)

dwywit (1109409) | more than 2 years ago | (#39350345)

Post with your real name and we'll talk to you, troll

Re:I still don't get it (0)

Anonymous Coward | more than 2 years ago | (#39353533)

Shut up, you sweat from a baboon's balls.

VNC over SSH tunnels, public keys, no root login (4, Insightful)

PolygamousRanchKid (1290638) | more than 2 years ago | (#39349463)

Gee, I manage my cloud over SSH tunnels. Authentication is done with public/private key pairs. No SSH root user login. In the rare cases that I need a GUI, it's VNC over an SSH tunnel.

Any other ports?

It's tunnels. All the way down.

Re:VNC over SSH tunnels, public keys, no root logi (0)

Anonymous Coward | more than 2 years ago | (#39349573)

True. I use it for IMAP as well. SSH replaces every VPN solution out there.

Re:VNC over SSH tunnels, public keys, no root logi (5, Interesting)

Slashcrap (869349) | more than 2 years ago | (#39349679)

Gee, I manage my cloud over SSH tunnels. Authentication is done with public/private key pairs. No SSH root user login. In the rare cases that I need a GUI, it's VNC over an SSH tunnel.

Any other ports?

It's tunnels. All the way down.

Yeah, it sure is unfortunate that you can't do exactly the same thing with RDP. And MS should definitely think of adding IPSEC support one of these days (yes, I know). Of course people are probably less likely to bother, since unless you're French, RDP is fully encrypted (standard VNC only encrypts the password) and talking of passwords it allows them to be more than 8 characters long. You can even have a username too, if you use the right version and configure PAM (joke - there is no right version for that because it's a terrible idea security wise). It has also never had a bug where the client could tell the server it didn't support any of its authentication schemes and so the server simply let it connect without authentication.

In fact this is the first time I've heard of a potential serious vulnerability in Remote Desktop, so frankly this is not the area to be smug about.

Anyway this is a bit too MS positive for my liking, so I'll just add that TurboVNC + VirtualGL + VirtualBox = one fucking awesome free VDI implementation. Add SSH, OpenVPN or IPSEC to taste if you want (although VirtualGL handles SSH itself transparently if you want). Actually for remote admin purposes you only need the 1st part (unless it's a bunch of 3D workstations you're supporting). And possibly a new hobby to use to soak up all the time you used to waste waiting for the screen to refresh. I would also mention FreeNX, but a) I think it gets outperformed by the above and b) I am fucked if I'm setting that damned thing up again just to verify.

Oh yeah, one more neat trick - Virtualbox can run in headless mode on a box with no GUI (or with one, doesn't matter). In this mode it serves up the VM display using an extended version of RDP. The great thing is this doesn't just apply to Windows VMs - it can serve any OS it can run over RDP. Watch the look on your colleague's faces as you get them to fire up MSTSC and connect straight into Ubuntu. Or OS2, OSX, Win 3.1 etc.. etc.. You can even dump them into an EFI shell or the virtual BIOS. Literally minutes of laughs to be had. Oh yeah, you may need the non-open source extension pack for that. Also they're adding VNC in the next release. I have no fucking idea why.

And no, I have no idea why you're not allowed to use RDP encryption in France. I have no idea why they're not allowed to use deoderant either, come to think of it.

Re:VNC over SSH tunnels, public keys, no root logi (1)

Anonymous Coward | more than 2 years ago | (#39349765)

Yeah, it sure is unfortunate that you can't do exactly the same thing with RDP. ....

Actually you can:
- cygwin on the Windows box
- sshd service under cygwin
- connect via ssh into your windows box
- tunnel through the ssh into port 3389 on the same box
- open Terminal Services client, connect to localhost:XXXX
Works like a charm for me.

Re:VNC over SSH tunnels, public keys, no root logi (0)

Anonymous Coward | more than 2 years ago | (#39350835)

You don't even need cygwin, you can use something more userfriendly, like putty.
That's what i do

Re:VNC over SSH tunnels, public keys, no root logi (1)

MiG82au (2594721) | more than 2 years ago | (#39351507)

You can't log into Putty, it's a client not a server. I've used Copssh as an ssh server on a Windows machine. Am I unaware of a way to use PuTTY as a server?

Re:VNC over SSH tunnels, public keys, no root logi (0)

Pieroxy (222434) | more than 2 years ago | (#39351855)

http://www.putty.org/ [putty.org]

The page is simple enough, I'll let you figure it out.

Note: I've never used it - yet.

Re:VNC over SSH tunnels, public keys, no root logi (0)

Anonymous Coward | more than 2 years ago | (#39353057)

I thought the page would be simple enough that you could figure it out...

The SSHD program listed on that page is NOT related to the PuTTY project, it's managed by BitVise and has a $100/license cost associated with it for non-personal use.

So, PuTTY is still not a server.

Re:VNC over SSH tunnels, public keys, no root logi (0)

Anonymous Coward | more than 2 years ago | (#39349781)

try nomachine.com

Re:VNC over SSH tunnels, public keys, no root logi (0)

Anonymous Coward | more than 2 years ago | (#39350885)

Gee, I manage my cloud over SSH tunnels. Authentication is done with public/private key pairs. No SSH root user login. In the rare cases that I need a GUI, it's VNC over an SSH tunnel.

FYI, there have been security flaws found in ssh servers in the past.

Maybe you're too inexperienced to know that.

Re:VNC over SSH tunnels, public keys, no root logi (1)

gotpaint32 (728082) | more than 2 years ago | (#39351603)

You can definitely tunnel RDP, its built right into Windows and called Terminal Server Gateway. With that you can use client cert validation and tunnel in over SSL. Add some nice middleware and it will even allow you to use hardware password tokens (if you can afford them).
What people seem to be forgetting is that RDP alone is not really a "secure" communications channel for public networks. If you need high security, users should be VPNing into your LAN and then RDPing over that tunnel.

Out of the frying pan (2)

MicroSlut (2478760) | more than 2 years ago | (#39349587)

As if it isn't bad enough that an RDP worm is already spreading due to weak passwords. If users/admins are incompetent enough to use passwords fit for luggage you can only guess how many unprotected Internet facing RDP servers will be ravaged within the next few weeks. Don't get me wrong. I have seen situations that actually call for an Internet facing RDP, such as screaming sales execs behind third party firewalls that block egress GRE, 443, and 22, with the variety of IP addresses causing admins to play wack-a-mole in Webmin to allow individual IPs, but these admins have already patched. If a rogue Fawkes writes a worm for a Massive DDoS or particularly nasty payloads many of us will suffer. An exam should be required to run these services and it should be harder to get than a drivers license. Am I ranting?

Re:Out of the frying pan (1)

lucm (889690) | more than 2 years ago | (#39349969)

If users/admins are incompetent enough to use passwords fit for luggage you can only guess how many unprotected Internet facing RDP servers will be ravaged within the next few weeks.

This is not a problem unique to Windows. At least once or twice a year I stumble upon machines where I can use SCOTT TIGER, toor or "secret" credentials.

Privilege escalation??? (1)

Alex Belits (437) | more than 2 years ago | (#39349673)

Since when Microsoft started counting those as bugs? Their usual policy is only to count remote exploits as "real" bugs worth being announced.

Re:Privilege escalation??? (1)

dkf (304284) | more than 2 years ago | (#39350145)

Since when Microsoft started counting those as bugs? Their usual policy is only to count remote exploits as "real" bugs worth being announced.

Why complain? It's exactly the right thing for Microsoft to be doing.

Their big problem is the massive overhang of software that's not been properly designed for security (e.g., too much is still default-allow) and which people continue to want to use. The various Unix-based OSes have an advantage here, even if it is one of happenstance: Unix apps have been designed for use in privilege-separated environments, and have been for many decades. Microsoft got with the program later, and that's always much harder. (Also, their commitment to supporting crufty older software, while generally pretty commendable, works against them a lot in this case.)

Re:Privilege escalation??? (1)

msobkow (48369) | more than 2 years ago | (#39350633)

So it took them a few decades to learn that a privilege escalation is only one step removed from a full intrusion. At least they did eventually learn.

Re:Privilege escalation??? (1)

Anonymous Coward | more than 2 years ago | (#39350639)

Since when Microsoft started counting those as bugs? Their usual policy is only to count remote exploits as "real" bugs worth being announced

No ! Don't let facts stop you from MS bashing ! What kind of a anti-ms troll are you? You need to undergo training buddy..

Step 1: Ignore all the thousands of security bugs that Linux developers introduce into codebase every year.
Step 2: Read more slashdot.

in other words... (0)

Anonymous Coward | more than 2 years ago | (#39349789)

it is once again the second tuesday of the month. so... same old, same old.

First real breach in Windows for a loong time (1)

fluor2 (242824) | more than 2 years ago | (#39349953)

Microsoft has been counting IE security holes as Remote Execution a long time, which actually requires user intervention at the client-side.

I'm rather surprised that it took this long before somebody found a possible breach in the RDP implementation.

Who does RDP over the internet? (1)

MrCrassic (994046) | more than 2 years ago | (#39350629)

I would think that most people who absolutely needed to remote into their machines over the Internet would use some kind of tunnelling to a jumpbox or remote access appliance to RDP to an internal server...

Re:Who does RDP over the internet? (0)

Anonymous Coward | more than 2 years ago | (#39350993)

Never underestimate the stupidity of IT administrators.

Re:Who does RDP over the internet? (0)

Anonymous Coward | more than 2 years ago | (#39351057)

It's not always the IT dept. Never underestimate the stupidity of the check writers, who don't feel the need to pay for a VPN solution, or don't want to be encumbered by a couple of extra mouse clicks.

The end is near (-1)

ka9dgx (72702) | more than 2 years ago | (#39351039)

This marks the end of the internet, as there are surely millions of Windows 2000 servers out there with RDP enabled in business critical roles. You linux fan boys can laugh all you want at the stupidity of it, but this will eventually take out everything as it interrupts supply chains all over the world.

If you have any Microsoft stock, sell it now, the implications of their policies on older software are about to come rocketing back at them in a tsunami.

I hope the fsck I'm wrong about this... we'll know in about a month.

Questions and Observations (2)

EmagGeek (574360) | more than 2 years ago | (#39351059)

First, I've never once seen a best practices document that says "put RDP on the Internet." Maybe one exists, or maybe there are special cases somewhere that allow for it, but to me it just seems stupid to connect a Windows machine directly to the Internet, or port-forward directly to one from the edge device.

Second, has anyone heard of an exploit for this that involves a prior uncovered exploit - basically you get some malware that "phones home" to an SSH server and opens a reverse tunnel back to the local RDP server? It seems to me that this would be one way they would do it.

Re:Questions and Observations (1)

drinkypoo (153816) | more than 2 years ago | (#39351237)

The really sad thing is that there's ipsec in Windows and it's a trivial matter to create a policy that requires all connections to a particular service to be encrypted.

Re:Questions and Observations (1)

theprofessor102 (2564611) | more than 2 years ago | (#39352031)

your the first to hit it on the head! Why would anyone put a window box any where close to the internet. Where is the vpn! No vpn no connection. VPN then RDP problem solved.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>