Re: How do I change the port for remote desktop in win2003?
From: Leythos (void_at_nowhere.lan)
Date: 02/20/05
- Next message: Gerald Vogt: "Re: home network behind NAT and firewall ?"
- Previous message: Austin: "Re: How do I change the port for remote desktop in win2003?"
- In reply to: Austin: "Re: How do I change the port for remote desktop in win2003?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 20 Feb 2005 00:55:08 GMT
On Sun, 20 Feb 2005 00:45:29 +0000, Austin wrote:
>
>>It's not really a dual lan, it's a NIC on WAN (internet) and a NIC on
>>local network (LAN).
>
> Right. Just after I sent that I realized that was not an option for my
> setup. A server used as a vpn with one nic public one private serving
> a local network.
>
>
>>It's still a bad idea to put Windows 2003 server directly on the Internet.
>>Even if you only use a cheap router with NAT you are better off than a
>>direct connection.
>
> Yes definitely. I am pretty sure I am going to get the tz170.

The Sonic will be a nice unit.

>>Take the weekend to read up on the MS site about setting up a VPN
>>solutions on 2003, it will give you a couple ideas.
>
> Will/am doing, thanks.
>
>
>>origin, I tend to block most of the foreign subnets in the firewall, and I
> Interesting idea!

I get flak for that, but when I look at our clients and where they do
business, there is no reason to allow foreign subnets into their systems,
not even their websites in most cases. I review the logs, look at them in
a couple spreadsheets, determine when I don't know a particular IP and
then use a tool called Visual Route to trace it back to the owner - the
nice thing about VR is that it will give me all the NOC information for
each HOP along the way, so I can see the routers (at each hop) subnet
designation and block all the way from Ohio to China and only have to hit
the routers in China if I want.

>>I bought a D-LINK DI-804HV for one small shop that wanted to have VPN
>>access to the network from their homes/hotel. The DI-804HV was setup as a
>>PPTP end-point and the rules were configured to allow access to the
>>entire network once they PPTP'd into it.
>>
>>I also setup a couple port forwards that allow me to connect via VNC, but
>>I used very high port numbers that we don't see scanned in the monthly
>>sweep lists - ports above 60000 were used for two internal systems. Since
>>the VNC was setup to use NON-NT accounts, the attackers have to find the
>>non-standard port that I use, then get a user account/password for VNC,
>>and then they still have to get a user account/password for the server
>>just to logon - two layers of user/passwords and a non-standard port.
>
> I have used VNC but it seemed to use a lot of cpu even when no one was
> connected.

I'm using VNC 4.x and find it doesn't take anything in the background on
our servers if nothing is connected, and I use 256 color mode when I
connect anyway.

>>The PPTP is nice since once they connect they can run a batch file that
>>will map the server shares to their local computer using a user/password
>>combination and access the files as though they were in the office.
>>
>>
>>that you change the administrator account name to something other than
>>administrator.
>
> Have already done that, tx. For years I thought having a COMMON logon
> with admin priv. as well as advertising the last user to log in was a
> serious security risk. How ignorant can some companies be about BASIC
> security????

Yea, but that ignorance is what gives us work :)

>>The main point of this is to NOT put the servers directly on the
>>Internet, even NAT is better than a direct connection.
>
> Going with the tz170.
> For my limited requirements and bandwidth it should do fine. Thanks for
> all of your help.

NP, let me know how it comes out.

-- spam999free@rrohio.com remove 999 in order to email me
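
Added example (not part of the original post or written by its author): a sketch of the log review described above, listing source addresses that fall outside the networks a business is known to deal with, grouped so they can be looked up and considered for blocking. The log format, the known-network list and the /24 grouping are assumptions made for illustration; the post itself uses spreadsheets and Visual Route to find the owning subnet.

```python
import ipaddress
from collections import Counter

# Constructed allowlist (assumption): networks the business is known to deal with.
KNOWN_NETWORKS = [ipaddress.ip_network(n)
                  for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed firewall log in a hypothetical "date time action src dst dport" format.
SAMPLE_LOG = """\
2005-02-19 23:01:10 ALLOW 192.0.2.15 10.0.0.5 3389
2005-02-19 23:02:44 DENY 203.0.113.7 10.0.0.5 3389
2005-02-19 23:02:45 DENY 203.0.113.9 10.0.0.5 5900
2005-02-19 23:05:00 ALLOW 198.51.100.200 10.0.0.5 80
2005-02-19 23:07:31 DENY 203.0.113.7 10.0.0.5 60123
garbage line that does not parse
2005-02-19 23:09:02 ALLOW 198.51.100.20 10.0.0.5 80
"""

def unknown_sources(log_text, known=KNOWN_NETWORKS, prefix=24):
    """Count hits per /prefix network for sources outside the known networks."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # wrong field count: not a log record in the assumed format
        try:
            src = ipaddress.ip_address(fields[3])
        except ValueError:
            continue  # source field is not an IP address
        if any(src in net for net in known):
            continue  # known business partner, nothing to review
        # Group by enclosing network; /24 is a stand-in for the owner's real
        # allocation, which still has to be looked up before any block rule.
        hits[ipaddress.ip_network(f"{src}/{prefix}", strict=False)] += 1
    return hits

def review_list(log_text):
    """Return (network, hit_count) pairs, most active first, for manual review."""
    return unknown_sources(log_text).most_common()

if __name__ == "__main__":
    for network, count in review_list(SAMPLE_LOG):
        print(f"{network}  hits={count}")
```

Note that 198.51.100.200 is reported even though a neighbouring range is on the known list: the constructed allowlist covers only the lower half of that /24, which is why each candidate needs a lookup before it is blocked.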