Does VDI Conquer the Dashrender Challenge?
-
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
We constantly see people saying 'never publish RDP to the internet' - but how much of that is just fud, and the real issue is poor passwords and no lockout policy?
That's FUD. RDP is a fully secured protocol. It is wrapped in SSL, so already inside a VPN tunnel. It is as secure as anything else.
RDP has a tendency to be a high profile target, which is still not a big deal.
The biggest issues with RDP are that...
- Microsoft's implementation of an RDP server lacks common sense security to lock out brute force attacks. Like how fail2ban protects SSH.
- End users of RDP tend to be "Windows users" and that user group is notoriously incapable of doing things properly so tend to use weak passwords that never change on publicly exposed services.
If you treat RDP like you normally treat SSH (smart users, good security) they are equally secure.
I've held this belief for many years.
-
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
We constantly see people saying 'never publish RDP to the internet' - but how much of that is just fud, and the real issue is poor passwords and no lockout policy?
That's FUD. RDP is a fully secured protocol. It is wrapped in SSL, so already inside a VPN tunnel. It is as secure as anything else.
RDP has a tendency to be a high profile target, which is still not a big deal.
The biggest issues with RDP are that...
- Microsoft's implementation of an RDP server lacks common sense security to lock out brute force attacks. Like how fail2ban protects SSH.
- End users of RDP tend to be "Windows users" and that user group is notoriously incapable of doing things properly so tend to use weak passwords that never change on publicly exposed services.
If you treat RDP like you normally treat SSH (smart users, good security) they are equally secure.
I've head this belief for many years.
What?
-
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@DustinB3403 said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
NTG runs NX as our VDI protocol. We use Deepin Linux desktops running on a Scale HC3 cluster. Scale storage does a dedupe and compression process so our VDI nodes use almost zero storage as almost every bite of each VM overlaps with the others. They are "always on", though, so using RAM and CPU all of the time.
But what if I want to use my Windows only software? What then Scott, what then?!
What do you mean? We use Windows on that too, just not as often.
I'm assuming the Scale would do the same for the storage with Windows... because that's part of the Scale system.
-
@DustinB3403 said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
We constantly see people saying 'never publish RDP to the internet' - but how much of that is just fud, and the real issue is poor passwords and no lockout policy?
That's FUD. RDP is a fully secured protocol. It is wrapped in SSL, so already inside a VPN tunnel. It is as secure as anything else.
RDP has a tendency to be a high profile target, which is still not a big deal.
The biggest issues with RDP are that...
- Microsoft's implementation of an RDP server lacks common sense security to lock out brute force attacks. Like how fail2ban protects SSH.
- End users of RDP tend to be "Windows users" and that user group is notoriously incapable of doing things properly so tend to use weak passwords that never change on publicly exposed services.
If you treat RDP like you normally treat SSH (smart users, good security) they are equally secure.
I've head this belief for many years.
What?
poor typing skills -
-
If you do RDP from Linux, and have Linux users, RDP is totally secure.
To address short coming of the Windows products and users, you can get add ons to RDS that add "fail2ban" style functionality, and add a secondary authentication mechanism to make it harder to brute force. But it is all silly that it is needed.
Also, like any protocol, you can lock it at the firewall. Some firewalls will have the needed functionality to increase RDP security.
-
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@DustinB3403 said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
NTG runs NX as our VDI protocol. We use Deepin Linux desktops running on a Scale HC3 cluster. Scale storage does a dedupe and compression process so our VDI nodes use almost zero storage as almost every bite of each VM overlaps with the others. They are "always on", though, so using RAM and CPU all of the time.
But what if I want to use my Windows only software? What then Scott, what then?!
What do you mean? We use Windows on that too, just not as often.
I'm assuming the Scale would do the same for the storage with Windows... because that's part of the Scale system.
Correct
-
@DustinB3403 said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
We constantly see people saying 'never publish RDP to the internet' - but how much of that is just fud, and the real issue is poor passwords and no lockout policy?
That's FUD. RDP is a fully secured protocol. It is wrapped in SSL, so already inside a VPN tunnel. It is as secure as anything else.
RDP has a tendency to be a high profile target, which is still not a big deal.
The biggest issues with RDP are that...
- Microsoft's implementation of an RDP server lacks common sense security to lock out brute force attacks. Like how fail2ban protects SSH.
- End users of RDP tend to be "Windows users" and that user group is notoriously incapable of doing things properly so tend to use weak passwords that never change on publicly exposed services.
If you treat RDP like you normally treat SSH (smart users, good security) they are equally secure.
I've head this belief for many years.
What?
That RDP is secure and the concerns around the protocol are FUD.
-
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
If you do RDP from Linux, and have Linux users, RDP is totally secure.
To address short coming of the Windows products and users, you can get add ons to RDS that add "fail2ban" style functionality, and add a secondary authentication mechanism to make it harder to brute force. But it is all silly that it is needed.
Also, like any protocol, you can lock it at the firewall. Some firewalls will have the needed functionality to increase RDP security.
How would a firewall increase RDP security? by doing the lockout at the firewall?
-
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
If you do RDP from Linux, and have Linux users, RDP is totally secure.
To address short coming of the Windows products and users, you can get add ons to RDS that add "fail2ban" style functionality, and add a secondary authentication mechanism to make it harder to brute force. But it is all silly that it is needed.
Also, like any protocol, you can lock it at the firewall. Some firewalls will have the needed functionality to increase RDP security.
How would a firewall increase RDP security? by doing the lockout at the firewall?
Right
-
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
We constantly see people saying 'never publish RDP to the internet' - but how much of that is just fud, and the real issue is poor passwords and no lockout policy?
That's FUD. RDP is a fully secured protocol. It is wrapped in SSL, so already inside a VPN tunnel. It is as secure as anything else.
RDP has a tendency to be a high profile target, which is still not a big deal.
The biggest issues with RDP are that...
- Microsoft's implementation of an RDP server lacks common sense security to lock out brute force attacks. Like how fail2ban protects SSH.
- End users of RDP tend to be "Windows users" and that user group is notoriously incapable of doing things properly so tend to use weak passwords that never change on publicly exposed services.
If you treat RDP like you normally treat SSH (smart users, good security) they are equally secure.
I've held this belief for many years.
I have had so many sudo-Jared FFS's by at least 5 other security individuals about this subject over the last 15 years. I try to state the logic behind RDP with good passwords and lockout (RDP Guard) but get the "No Direct RDP connections" that is so ingrained in the security mantra.
It has just become a dead talking point for me.I just tell the doc's, "I have no problem spending more of your money that other "experts" want to rip from your pocket."
-
@pmoncho said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
We constantly see people saying 'never publish RDP to the internet' - but how much of that is just fud, and the real issue is poor passwords and no lockout policy?
That's FUD. RDP is a fully secured protocol. It is wrapped in SSL, so already inside a VPN tunnel. It is as secure as anything else.
RDP has a tendency to be a high profile target, which is still not a big deal.
The biggest issues with RDP are that...
- Microsoft's implementation of an RDP server lacks common sense security to lock out brute force attacks. Like how fail2ban protects SSH.
- End users of RDP tend to be "Windows users" and that user group is notoriously incapable of doing things properly so tend to use weak passwords that never change on publicly exposed services.
If you treat RDP like you normally treat SSH (smart users, good security) they are equally secure.
I've held this belief for many years.
I have had so many sudo-Jared FFS's by at least 5 other security individuals about this subject over the last 15 years. I try to state the logic behind RDP with good passwords and lockout (RDP Guard) but get the "No Direct RDP connections" that is so ingrained in the security mantra.
The same "security people" that think constantly changing passwords that are short and easy for computers to brute force is how passwords should be managed, no doubt.
-
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@pmoncho said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
We constantly see people saying 'never publish RDP to the internet' - but how much of that is just fud, and the real issue is poor passwords and no lockout policy?
That's FUD. RDP is a fully secured protocol. It is wrapped in SSL, so already inside a VPN tunnel. It is as secure as anything else.
RDP has a tendency to be a high profile target, which is still not a big deal.
The biggest issues with RDP are that...
- Microsoft's implementation of an RDP server lacks common sense security to lock out brute force attacks. Like how fail2ban protects SSH.
- End users of RDP tend to be "Windows users" and that user group is notoriously incapable of doing things properly so tend to use weak passwords that never change on publicly exposed services.
If you treat RDP like you normally treat SSH (smart users, good security) they are equally secure.
I've held this belief for many years.
I have had so many sudo-Jared FFS's by at least 5 other security individuals about this subject over the last 15 years. I try to state the logic behind RDP with good passwords and lockout (RDP Guard) but get the "No Direct RDP connections" that is so ingrained in the security mantra.
The same "security people" that think constantly changing passwords that are short and easy for computers to brute force is how passwords should be managed, no doubt.
ABSOLUTELY!
-
@pmoncho said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
We constantly see people saying 'never publish RDP to the internet' - but how much of that is just fud, and the real issue is poor passwords and no lockout policy?
That's FUD. RDP is a fully secured protocol. It is wrapped in SSL, so already inside a VPN tunnel. It is as secure as anything else.
RDP has a tendency to be a high profile target, which is still not a big deal.
The biggest issues with RDP are that...
- Microsoft's implementation of an RDP server lacks common sense security to lock out brute force attacks. Like how fail2ban protects SSH.
- End users of RDP tend to be "Windows users" and that user group is notoriously incapable of doing things properly so tend to use weak passwords that never change on publicly exposed services.
If you treat RDP like you normally treat SSH (smart users, good security) they are equally secure.
I've held this belief for many years.
I have had so many sudo-Jared FFS's by at least 5 other security individuals about this subject over the last 15 years. I try to state the logic behind RDP with good passwords and lockout (RDP Guard) but get the "No Direct RDP connections" that is so ingrained in the security mantra.
It has just become a dead talking point for me.I just tell the doc's, "I have no problem spending more of your money that other "experts" want to rip from your pocket."
Yep, exactly.