RE: [fw-wiz] Using RDP Port 3389

From: Melson, Paul (
Date: 04/12/04

  • Next message: Mitchell Rowton: "Re: [fw-wiz] Looking for papers on protecting servers"
    To: <>, <>
    Date: Mon, 12 Apr 2004 09:40:02 -0400

    If it were me, I would have three concerns about allowing RDP
    connections from the Internet.

    1. The default Event logging and user controls for Terminal Services are
    inadequate. Any user in a domain/workgroup that your server belongs to
    can log in remotely, as well as local users. (There is an excellent
    overview of these and other Terminal Services security issues in Chapter
    12 of "Hacking Exposed Windows 2000: Network Security and Solutions" -
    ISBN: 0072192623.)

    2. Historically, there have been security vulnerabilities found in
    Terminal Services, so there is at least an even chance that there will
    be more. Since the Terminal Services service runs as Local/System, any
    compromise is total compromise.

    3. Default encryption settings are negotiated between client and
    workstation and at least theoretically weak. You've got to use Terminal
    Services Advanced Client in order to have 128-bit encryption. (This may
    have changed with 2K3, I don't know.)

    So, if you must have remote access to your servers, my recommendation
    would be to use some sort of client VPN to authenticate and encrypt
    users before they access servers directly. If VPN is not an option,
    restrict source addresses at the firewall to those that can be trusted
    and should be accessing the servers.


    > -----Original Message-----
    > Hello,
    > I would like to know if anyone has had any security issues
    > opening port 3389 for Remote Desktop/Terminal Services for
    > external access to their server(s). I'm using Win2003
    > Enterprise Server.
    > I found this article for using IPSec on this port.
    > Everett
    firewall-wizards mailing list
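Added example, not part of the original message: one way to check the last recommendation above, that port 3389 is reachable only from trusted source addresses. The rule format (action, source CIDR, destination port), first-match evaluation with an implicit default deny, IPv4-only input, and the sample rule sets are all assumptions constructed for illustration.

```python
import ipaddress

RDP_PORT = 3389

def allowed_sources(rules, port=RDP_PORT):
    """Source networks that can reach `port` under first-match evaluation.

    rules: ordered (action, source_cidr, dest_port) tuples; dest_port None = any.
    Sources matched by no rule fall through to an implicit default deny.
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0")]  # sources not yet decided
    allowed = []
    for action, cidr, dport in rules:
        if dport not in (None, port):
            continue                                  # rule is for another port
        src = ipaddress.ip_network(cidr)
        undecided = []
        for net in remaining:
            if not net.overlaps(src):
                undecided.append(net)                 # rule does not touch this block
            elif net.subnet_of(src):
                if action == "allow":
                    allowed.append(net)               # whole block decided by this rule
            else:                                     # src lies strictly inside net
                if action == "allow":
                    allowed.append(src)
                undecided.extend(net.address_exclude(src))
        remaining = undecided
    return allowed

def untrusted_rdp_sources(rules, trusted_cidrs):
    """Allowed source networks that are not wholly inside a trusted network."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    return [str(n) for n in allowed_sources(rules)
            if not any(n.subnet_of(t) for t in trusted)]

# Constructed sample data (documentation address ranges, not real hosts).
TRUSTED = ["198.51.100.0/28", "203.0.113.7/32"]
WEAK = [("allow", "0.0.0.0/0", 3389)]                 # RDP open to the Internet
HARDENED = [("allow", "198.51.100.0/28", 3389),
            ("allow", "203.0.113.7/32", 3389),
            ("deny", "0.0.0.0/0", None)]

if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, untrusted_rdp_sources(rules, TRUSTED))
```

An empty list means every source that can reach 3389 falls inside a trusted network; an allow rule broader than the trusted list is reported even when it contains trusted addresses.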
