(Although they've been patched, it's definitely not a great track record compared to e.g. The final problem is that some of the security issues that previously affected Windows RDP service were pre-authentication, meaning that they could have been exploited before verifying your password – and therefore also before verifying your "smart card" credentials. (Not necessarily Windows Server – Samba can do AD – but it still needs AD.) It is also an alternative for the user's AD password, not a second factor. ![]() (I am specifically referring to the "CCID/PIV" mode in Yubikey NEO and later models, emulating a PIV card which doesn't even need drivers like other smartcards do.)Īnother issue is that from what I've found out, "Smart Card Authentication" in RDP relies on Active Directory, as it's implemented through Kerberos PKINIT and not through ordinary direct certificate authentication. But you don't have to carry a whole card reader around – as mentioned, there are USB-stick-shaped smart cards, of which Yubikey is a popular one. That's actually the whole point of smart cards – the private key cannot be extracted from them, even by a malicious PC the card performs signing operations internally and returns only that result. pfx file, you'd still be trusting any random computer with your certificate keypair on the USB stick. Really even if you didn't have to install the. pfx file into the "software-based" Windows certificate store.īut the biggest issue with this plan is that then a copy of your private key remains in whichever machine you install it on (as the RDP client doesn't support reading it directly from a file), so you'd be trusting any random computer with your password and your certificate keypair. "Smart Card Authentication" doesn't strictly require the certificate to be on a physical smartcard (which do come in the shape of self-contained USB tokens) – it only requires the certificate to be available through Windows CAPI, but it'll actually accept certificates whose private key was simply imported from a. Or smart cards (what I'd like to use is specifically a USB flash drive). It's smart cards that are likely to require Windows Server. IPsec works just fine on client versions of Windows, although it is quite confusing to set up – Windows 10 has like three IPsec clients the legacy XP one (obsolete IKEv1-only), the new one that's part of Windows Firewall (wf.msc) and the one that is configured as an "IKEv2 VPN" connection. (Yet another alternative is Guacamole which is a browser-based gateway to VNC and RDP servers.)Ĭonfusing IPsec setup which also seems to only work on Windows Server, or smart cards So really, consider using a VPN tunnel just for that reason – or SSH if you want to carry it around to random PCs where VPN apps would be difficult to install. Although requiring NLA (which is the default) improves the situation a bit, it's still considered an unnecessarily high risk. This is not recommended, as the RDP service in Windows has historically had many security issues that were exploitable without authentication. Can I do this with just regular RDP and Wake-on-LAN or do I need to set up a tunnel of sorts with proper client certificate authentication support, such as VPN or SSH (which would probably mean ditching RDP altogether and using VNC or a similar alternative)?įorward the RDP and Wake-on-LAN ports to my machine, naturally. Most resources I've found on implementing this security measure require the use of Windows Server, confusing IPsec setup which also seems to only work on Windows Server, or smart cards (what I'd like to use is specifically a USB flash drive).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |