RE: [fw-wiz] Using RDP Port 3389

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 04/12/04

  • Next message: Mitchell Rowton: "Re: [fw-wiz] Looking for papers on protecting servers"
    To: <woodse@vra.net>, <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 12 Apr 2004 09:40:02 -0400

    If it were me, I would have three concerns about allowing RDP
    connections from the Internet.

    1. The default Event logging and user controls for Terminal Services are
    inadequate. Any user in a domain/workgroup that your server belongs to
    can log in remotely, as well as local users. (There is an excellent
    overview of these and other Terminal Services security issues in Chapter
    12 of "Hacking Exposed Windows 2000: Network Security and Solutions" -
    ISBN: 0072192623.)

    2. Historically, there have been security vulnerabilities found in
    Terminal Services, so there is at least an even chance that there will
    be more. Since the Terminal Services service runs as Local/System, any
    compromise is total compromise.

    3. Default encryption settings are negotiated between client and
    workstation and at least theoretically weak. You've got to use Terminal
    Services Advanced Client in order to have 128-bit encryption. (This may
    have changed with 2K3, I don't know.)

    So, if you must have remote access to your servers, my recommendation
    would be to use some sort of client VPN to authenticate and encrypt
    users before they access servers directly. If VPN is not an option,
    restrict source addresses at the firewall to those that can be trusted
    and should be accessing the servers.

    PaulM

    > -----Original Message-----
    > Hello,
    >
    > I would like to know if anyone has had any security issues
    > opening port 3389 for Remote Desktop/Terminal Services for
    > external access to their server(s). I'm using Win2003
    > Enterprise Server.
    >
    > I found this article for using IPSec on this port.
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;816521
    >
    > Everett
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
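The fallback Paul recommends, restricting TCP/3389 at the firewall to trusted source addresses, can be checked mechanically. The script below is an added example, not code from the original post or from any product mentioned in the thread: it applies a source-address allowlist for RDP to a few constructed firewall log lines and counts the attempts that would be denied per source, which is also a cheap way to spot which addresses keep knocking on 3389 (the point about Terminal Services' own logging being inadequate). The trusted networks (documentation ranges), the log line format and the sample lines are all assumptions made for the example.

```python
"""Source-address allowlist for TCP/3389 (RDP), evaluated over constructed
firewall log lines.

Added example, not part of the original mailing-list post. The trusted
networks, the log line format and the sample lines below are constructed
for illustration.
"""
import ipaddress
import re

# Hypothetical trusted sources: an office egress range and a VPN client pool.
TRUSTED_SOURCES = [
    ipaddress.ip_network("192.0.2.0/24"),      # assumed office range (TEST-NET-1)
    ipaddress.ip_network("198.51.100.16/28"),  # assumed VPN client pool (TEST-NET-2)
]
RDP_PORT = 3389

# Constructed log format: "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+)"
    r" -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_trusted(src_ip: str) -> bool:
    """True if the source address lies inside one of the trusted networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_SOURCES)


def decide(line: str) -> str:
    """Return 'allow', 'deny' or 'ignore' for one connection-attempt log line.

    Only TCP to the RDP port is in scope for this rule; everything else is
    'ignore' so that other rules (not modelled here) can handle it.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    if m["proto"] != "tcp" or int(m["dport"]) != RDP_PORT:
        return "ignore"
    return "allow" if is_trusted(m["src"]) else "deny"


def summarize(lines):
    """Apply the policy to every line; return (allowed count, denied per source)."""
    allowed = 0
    denied = {}
    for line in lines:
        verdict = decide(line)
        if verdict == "allow":
            allowed += 1
        elif verdict == "deny":
            src = LOG_RE.match(line.strip())["src"]
            denied[src] = denied.get(src, 0) + 1
    return allowed, denied


# Constructed sample log: two trusted RDP attempts, two from an untrusted
# address, one to another port and one UDP packet that the rule ignores.
SAMPLE_LOG = [
    "2004-04-12T09:40:02Z tcp 192.0.2.10:51234 -> 203.0.113.5:3389",
    "2004-04-12T09:41:17Z tcp 198.51.100.20:40022 -> 203.0.113.5:3389",
    "2004-04-12T09:42:03Z tcp 198.51.100.77:40023 -> 203.0.113.5:3389",
    "2004-04-12T09:42:05Z tcp 198.51.100.77:40024 -> 203.0.113.5:3389",
    "2004-04-12T09:43:30Z tcp 192.0.2.10:51240 -> 203.0.113.5:443",
    "2004-04-12T09:44:00Z udp 203.0.113.9:5000 -> 203.0.113.5:3389",
]

if __name__ == "__main__":
    allowed, denied = summarize(SAMPLE_LOG)
    print(f"allowed RDP connections: {allowed}")
    for src, count in denied.items():
        print(f"denied RDP attempts from {src}: {count}")
```

The allowlist is deliberately expressed as networks rather than single hosts so a VPN pool can be admitted as one entry; a home DSL address that changes daily does not fit this model, which is exactly why the post prefers a client VPN over raw source filtering.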


