PCI DSS Compliance, Remote Desktop, and JodoHost Support

As I am sure many of you are aware, the credit card industry is cracking down on security. It is now mandatory to pass PCI DSS port scanning security audits if you electronically store credit card information on your web site.

I recently did a scan and although there were no serious problems with our Windows Server 2003/IIS6 VPS, one issue that came up was Remote Desktop access. It seems there is a well-known flaw which makes it vulnerable to man-in-the-middle attacks. A detailed description of the problem can be found here: http://www.oxid.it/downloads/rdp-gbu.pdf.

While there is a fix available, I discovered a problem with this fix when using JodoHost (or any VPS vendor for that matter). The fix is to install an SSL certificate as shown in the following article, and require an SSL connection from the client: http://www.windowsecurity.com/artic...connections-TLS-SSL-based-authentication.html. While there are some decisions to make about where to get the SSL certificate, it is simple enough to get up and running.

However, remember, JodoHost support representatives use Remote Desktop to access your VPS when there is a problem. I had an issue last night and the rep could not even log in to our VPS because 1) he didn't have a trust relationship set up with my PKI, 2) he may not have had a recent enough version of Remote Desktop, and 3) he didn't have Remote Desktop configured to connect with SSL. Fortunately, I was able to work through and find the problem on my own, but how do I get support next time?

In addition, the best type of SSL security is to use your own PKI to create a certificate that the general public won't have a trust relationship with. However, this means JodoHost would have to have a trust relationship with your PKI too. It seems an easier (although less secure) option would be to get a certificate from a large public SSL vendor, which would still meet the PCI requirements, but also allow JodoHost in without requiring them to install a certificate on their support clients.

I know I can't be alone here when I talk about locking down Remote Desktop on a JodoHost VPS to satisfy PCI DSS requirements. So, how do we go about convincing JodoHost that it is imperative that their support have SSL configured on their Remote Desktop clients for those of us that don't have the luxury of turning it off on our servers?
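Added example, not from either post in this thread: after switching the RDP-Tcp security layer to SSL, the way to confirm from outside that the server really refuses the man-in-the-middle-prone classic RDP security layer (which is what the PCI scanner is testing) is to send the negotiation block that TLS-capable clients and servers (RDP 5.2, Server 2003 SP1 onward) exchange in the X.224 Connection Request / Connection Confirm, as documented in MS-RDPBCGR, and read the server's answer. The script below builds that request, decodes the three kinds of reply (legacy server with no negotiation data, a negotiated protocol, or an RDP_NEG_FAILURE such as SSL_REQUIRED_BY_SERVER, which is exactly what an old or misconfigured support client would receive), and classifies a host from two probes. The response byte strings are constructed samples, not captures from any real server; `probe_host` is the only part that touches the network.

```python
"""Probe whether a Terminal Server insists on TLS for RDP (MS-RDPBCGR negotiation).

Added example, not code from the original post. Sample responses are constructed.
"""
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000     # classic RDP security layer: the MITM-prone one
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP/NLA (runs over TLS; Vista+ only)

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT + X.224 Connection Request + RDP_NEG_REQ for the given protocols."""
    neg = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # CR code, DST-REF, SRC-REF, class 0, then the negotiation block
    x224 = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + neg
    x224 = bytes([len(x224)]) + x224          # X.224 length indicator
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT header


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm into a small verdict."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length field does not match packet size")
    li = data[4]
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = data[11:5 + li]                      # optional rdpNegData after the 6-byte CC header
    if len(neg) < 8:
        # No negotiation block: server predates RDP 5.2, so no TLS at all.
        return {"kind": "legacy", "protocol": PROTOCOL_RDP, "tls": False}
    ntype, _flags, nlen, value = struct.unpack("<BBHI", neg[:8])
    if nlen != 8:
        raise ValueError("malformed rdpNegData length")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"kind": "negotiated", "protocol": value,
                "tls": bool(value & (PROTOCOL_SSL | PROTOCOL_HYBRID))}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "code": FAILURE_CODES.get(value, "UNKNOWN_%d" % value),
                "tls": False}
    raise ValueError("unexpected rdpNegData type 0x%02x" % ntype)


def assess_server(exchange) -> str:
    """exchange(request) -> response bytes. Probe 1 asks for plain RDP, probe 2 for TLS."""
    plain = parse_connection_confirm(exchange(build_connection_request(PROTOCOL_RDP)))
    if plain["kind"] == "legacy":
        return "no-tls-support"              # cannot be hardened this way at all
    if plain["kind"] == "negotiated":
        return "plain-rdp-accepted"          # the scanner finding is still present
    tls = parse_connection_confirm(exchange(build_connection_request(PROTOCOL_SSL)))
    if tls["kind"] == "negotiated" and tls["tls"]:
        return "tls-required"                # plain RDP refused, TLS accepted
    return "tls-failure:" + tls.get("code", "unknown")   # e.g. SSL_CERT_NOT_ON_SERVER


def probe_host(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Live check: one fresh TCP connection per negotiation request."""
    def exchange(request: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            return s.recv(64)
    return assess_server(exchange)


# Constructed sample Connection Confirms (not captures) for the three server types.
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")                    # no rdpNegData
SAMPLE_RSP_TLS = bytes.fromhex("030000130ed000001234000200080001000000")   # selected TLS
SAMPLE_RSP_RDP = bytes.fromhex("030000130ed000001234000200080000000000")   # selected plain RDP
SAMPLE_FAIL_SSL_REQUIRED = bytes.fromhex("030000130ed000001234000300080001000000")

if __name__ == "__main__":
    import sys
    print(probe_host(sys.argv[1]) if len(sys.argv) > 1 else
          assess_server(lambda req: SAMPLE_FAIL_SSL_REQUIRED
                        if req == build_connection_request(PROTOCOL_RDP) else SAMPLE_RSP_TLS))
```

A result of `tls-required` is the state the scanner wants; `plain-rdp-accepted` means the security layer is still Negotiate or RDP; `tls-failure:SSL_CERT_NOT_ON_SERVER` means TLS was selected but no certificate is bound yet. A server that simply drops the connection returns an empty reply and `parse_connection_confirm` raises, which is worth catching in a scheduled check.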
 
We can configure SSL on our clients, so as you said the trust relationship does become an issue if you need us to log in.

Typically we do not provide fully managed services without charging $3 per ticket. For some people they need this regularly and some, never :)

We have done a few RDP SSL installations and situations and it surely does make things a bit more complicated, but it can be done.
 