Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Specific application and port requirements for ASG-RemoteDesktop.
#1
Hi Support,
 
Our company would like to deploy your product but have been requested for the Specific application and port requirements for ASG-RemoteDesktop.
 
This application will be installed in a locked down environment and we must show the security hardening that has taken place to not open any network or application vulnerabilities.
 
Essentially we need some industry verification at general security auditing and some references with reviews as well.
 
Are you able to provide documentation for this.
 
Kind regards
 
Wayne
Reply
#2
I have found the following from a previous older post. Is there any further specific information such as a list of ports (RDP / Putty / ICA) rather than tracking down each specific application and finding it.

--------------------------------
Please forgive me if the questions I am asking have already been posted. I did some preliminary searches but did not find the information I was seeking.

I have been asked by several of our employees to take a look at Visionapp vRD freeware v1.5 and assess it from a security perspective. During a cursory investigation I have not been able to identify any mention of vulnerabilities or exploits for this product. Please let me know if there have been any security advisories regarding this product or any issues that would be of concern from a security perspective. I found very limited information for this product regarding the security controls that it employs as is often the case with freeware. The readme.txt file included with the setup file makes mention of the use of encryption and specifically mentions AES-256 encryption. Can you please point me to any whitepapers or other documentation that would provide a more detailed explanation of the way in which encryption is used? Some specific questions that come to mind are:

1) It appears that this application can store connection and credential information. Is this information protected using encryption? If so, what encryption method is used?
2) How is information in transit protected?
3) Does this application act as a front-end for Microsoft’s native terminal services client or does it operate in a stand-alone manner? If the Microsoft terminal services client is required, how is the communication between the two applications protected?
4) What methods are used to ensure that sensitive information may not be leaked by using temp files, storing information in cleartext, etc.?

Please include any other information that you would feel is beneficial in better understanding this product.

Thanks in advance,

Infosec

---------------------------------------------------------
22-05-2007, 12:06 PM

1. Only the passwords are encrypted with AES-256. The symmetric key generation for encryption is based on unique Windows Security Identifier (SID) of the current windows user.

2. vRD works with the remote desktop activeX (mstscax.dll) from Microsoft. The credentials are transmitted over the RDP protocol. By default, Windows XP Remote Desktop and Windows Server 2003 Remote Desktop and Terminal Services use high (128-bit RC4) encryption to encrypt most data transmissions in both the client-to-server direction and the server-to-client direction.

3. vRD act as a front-end. The Microsoft terminal services client ActiveX control is loaded in the process of vRD.

4. Plain passwords never leave the process of vRD! The decrypted password is only available for a very short time, when the parameter of the activeX Control is set.

Regards,

Jozsef
Reply
#3
Hi Wayne,
please write to michael.scholz@asg.com and I will send you a small document about encrpytion and how it is used in ASG-RD. Hopefully it helps a bit.
Best regards,
Michael
-- michael.scholz@asg.com --
Reply




Users browsing this thread: 1 Guest(s)