Who is at Fault?



  • Scenario:
    User runs as local admin (why is outside the scope of this scenario)
    Tech port forwards to the user's workstation to expose RDP
    Aside from creating a strong password for the user, the tech does nothing else to secure RDP access

    Software support for a specific program is allowed in by the user and creates a new admin account with a weak password for the user to test

    Password is guessed/brute-forced from the web and the computer is compromised.



  • Both parties are guilty of blatant stupidity.



  • As well as whoever allowed an admin account to be a daily driver. That is totally relevant, even if you try to claim it isn't.



  • @jaredbusch said in Who is at Fault?:

    As well as whoever allowed an admin account to be a daily driver. That is totally relevant, even if you try to claim it isn't.

    It is relevant, however it complicates the scenario a lot more and is beyond the people currently in the scenario.



  • @flaxking said in Who is at Fault?:

    It is relevant, however it complicates the scenario a lot more and is beyond the people currently in the scenario.

    But one or both actions could have been impossible had that not been set up in the first place.



  • @jaredbusch said in Who is at Fault?:

    But one or both actions could have been impossible had that not been set up in the first place.

    But it is a predefined constraint that the tech, user, and software support tech all have to work with.



  • Someone exposed RDP on the firewall? Are you serious? Put a VPN tunnel in front for remote access.



  • @thwr said in Who is at Fault?:

    Someone exposed RDP on the firewall? Are you serious? Put a VPN tunnel in front for remote access.

    This! Forwarding sensitive stuff like RDP to WAN is just... you know. You can try doing this, however, to see how thousands of brute-force connections (mostly Chinese IPs) start to initiate within a couple of minutes. Looks pretty scary 🙂
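
The brute-force traffic described in the post above shows up on the target as a burst of Windows Security event 4625 (failed logon) records with LogonType 10 (RemoteInteractive, i.e. RDP). The following is an added example, not code from the thread, of the detection logic a practitioner would run over those records: a per-source sliding window that flags a single-account brute force and, separately, a multi-account password spray. The pipe-delimited record layout, the sample lines, and the thresholds are constructed for illustration; the field names (TargetUserName, IpAddress, LogonType) follow the 4625 event schema.

```python
"""Detect RDP brute force and password spraying from Windows 4625 records.

Added example. The records in SAMPLE_LOG are constructed; the pipe-delimited
layout (time|EventID|TargetUserName|IpAddress|LogonType) is an assumption for
this demo, not a Windows export format. LogonType 10 is RemoteInteractive (RDP).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

RDP_LOGON_TYPE = 10
FAIL_THRESHOLD = 5            # failures from one source IP inside WINDOW -> brute force
SPRAY_USER_THRESHOLD = 3      # distinct accounts from one source IP inside WINDOW -> spray
WINDOW = timedelta(minutes=2)


@dataclass(frozen=True)
class FailedLogon:
    time: datetime
    user: str
    ip: str
    logon_type: int


def parse_event(line: str) -> Optional[FailedLogon]:
    """Parse one record; return None for non-4625 or malformed lines."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 5 or parts[1] != "4625":
        return None
    try:
        return FailedLogon(datetime.fromisoformat(parts[0]), parts[2], parts[3], int(parts[4]))
    except ValueError:
        return None


def detect(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {source_ip: [alert, ...]} for RDP logon failures.

    A deque per source IP holds only the failures inside WINDOW, so an alert
    fires as soon as the threshold is crossed rather than at end of batch.
    Each (ip, kind) alert fires once to avoid flooding.
    """
    alerts: Dict[str, List[str]] = defaultdict(list)
    recent: Dict[str, deque] = defaultdict(deque)
    fired = set()
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.logon_type != RDP_LOGON_TYPE:
            continue                      # console/network logons are out of scope here
        q = recent[ev.ip]
        q.append(ev)
        while q and ev.time - q[0].time > WINDOW:
            q.popleft()                   # expire failures older than the window
        if len(q) >= FAIL_THRESHOLD and (ev.ip, "brute") not in fired:
            fired.add((ev.ip, "brute"))
            alerts[ev.ip].append(f"{len(q)} RDP failures in {WINDOW} (brute force)")
        users = {e.user.lower() for e in q}
        if len(users) >= SPRAY_USER_THRESHOLD and (ev.ip, "spray") not in fired:
            fired.add((ev.ip, "spray"))
            alerts[ev.ip].append(f"{len(users)} distinct accounts tried (password spray)")
    return dict(alerts)


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    # 203.0.113.10: one account hammered six times in 25 s -> brute force
    "2024-03-01T02:00:00|4625|Administrator|203.0.113.10|10",
    "2024-03-01T02:00:05|4625|Administrator|203.0.113.10|10",
    "2024-03-01T02:00:10|4625|Administrator|203.0.113.10|10",
    "2024-03-01T02:00:15|4625|Administrator|203.0.113.10|10",
    "2024-03-01T02:00:20|4625|Administrator|203.0.113.10|10",
    "2024-03-01T02:00:25|4625|Administrator|203.0.113.10|10",
    # 198.51.100.7: three different accounts, only three failures -> spray, not brute
    "2024-03-01T02:01:00|4625|admin|198.51.100.7|10",
    "2024-03-01T02:01:03|4625|support|198.51.100.7|10",
    "2024-03-01T02:01:06|4625|test|198.51.100.7|10",
    # 192.0.2.20: two typos an hour apart -> window expires, no alert
    "2024-03-01T02:05:00|4625|jdoe|192.0.2.20|10",
    "2024-03-01T03:05:00|4625|jdoe|192.0.2.20|10",
    # console failure (LogonType 2) and a successful logon (4624) -> ignored
    "2024-03-01T02:06:00|4625|jdoe|-|2",
    "2024-03-01T02:07:00|4624|jdoe|192.0.2.20|10",
]

if __name__ == "__main__":
    for ip, msgs in detect(SAMPLE_LOG).items():
        print(ip, *msgs, sep="\n    ")
```

Run against a real export, the same two signals are what an account-lockout policy and an IP block list would key on; the spray check matters because a lockout threshold counts failures per account, which a spray deliberately stays under.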



  • @net-runner said in Who is at Fault?:

    This! Forwarding sensitive stuff like RDP to WAN is just... you know. You can try doing this, however, to see how thousands of brute-force connections (mostly Chinese IPs) start to initiate within a couple of minutes. Looks pretty scary 🙂

    Same thing happens to exposed VPNs 🙂



  • @scottalanmiller said in Who is at Fault?:

    Same thing happens to exposed VPNs 🙂

    I won't compare a certificate-based VPN with RDP 😉



  • @thwr said in Who is at Fault?:

    I won't compare a certificate-based VPN with RDP 😉

    Same thing still happens though. Just there is all but no risk of successful access, because of the certificate base.



  • @scottalanmiller said in Who is at Fault?:

    Same thing still happens though. Just there is all but no risk of successful access, because of the certificate base.

    That's the point. It's a whole different story.



  • @jaredbusch said in Who is at Fault?:

    That's the point. It's a whole different story.

    Really, are you saying that RDP with a good password is less secure than a VPN with a good password?

    I'm not sure you can do RDP auth based on a certificate?



  • @dashrender said in Who is at Fault?:

    Really, are you saying that RDP with a good password is less secure than a VPN with a good password?

    I'm not sure you can do RDP auth based on a certificate?

    I wouldn't even start this kind of discussion. Do you really think that someone who puts RDP into the wild and got hacked (probably by brute force and weak passwords) really cares about client certificates? I doubt that.



  • @thwr said in Who is at Fault?:

    I wouldn't even start this kind of discussion. Do you really think that someone who puts RDP into the wild and got hacked (probably by brute force and weak passwords) really cares about client certificates? I doubt that.

    MS publishes RDP directly on the internet - this is my point. So, taking certs out of the conversation, are you saying MS is crazy?



  • @dashrender said in Who is at Fault?:

    MS publishes RDP directly on the internet - this is my point. So, taking certs out of the conversation, are you saying MS is crazy?

    I'm talking about this specific scenario here, not RDP in general.



  • This scenario is the fault of:

    • IT, for giving the user local admin
    • the local user, for allowing a remote person to create a local account
    • the local user, for not checking the password requirements for that account
    • the remote support, for using a shit password
    • the remote support, for allowing the user to have access to RDP (assuming it wasn't needed)