Re: exposing TS directly to Internet

From: michael (admin_at_pcs.minsk.by)
Date: 10/15/04


Date: 15 Oct 2004 04:24:01 -0700


"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message news:<HOybd.182537$wV.14835@attbi_s54>...
> Of course you can do that and a firewall to protect all other ports will go
> a long way to protect the computer. Be sure to do other normal securing
> procedures such as requiring the use of complex passwords, having an account
> lockout policy with a lockout threshold of no less than ten and a reset
> interval of around ten minutes to deter brute force password attacks, using
> antivirus, disabling unneeded services, and keeping current with critical
> updates. Since the built in administrator account cannot be locked out and
> is the top target of attacks I would disable that account from logon through
> TS in its account properties.
>
> It would increase security quite a bit if you could configure the firewall
> to only accept inbound port 3389 from authorized IP addresses of your users.
> That may not be possible if they roam or do not have static IP addresses.
> Also using a VPN to access the TS would increase security particularly if
> you can use L2TP that would require computer certificates for authentication
> to log on to the VPN. Users could then log on to the VPN and then access the
> TS via its LAN IP address and it would not have to be exposed to the
> internet. --- Steve

Well, Steve. Thanks. I understand that using VPN is the best choice to
secure data communication through the Internet. But let's suppose we
can't build a VPN. I'd like to collect information on any experience
in using MS 2003 directly connected to the Internet with respect to
its resistance to certain attacks on its 3389 port and RDP protocol.
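
The lockout settings quoted above (threshold of ten, reset interval of ten minutes, built-in administrator exempt) can be replayed over a stream of failed logons to see how many password guesses the server actually evaluates. This is an added example, not part of either post; it is a simplified model of the policy, the lockout duration of ten minutes and the account name `jsmith` are assumptions, and the input is constructed.

```python
from datetime import datetime, timedelta

def simulate_lockout(failures, threshold=10, reset_min=10, lock_min=10,
                     exempt=("administrator",)):
    """Replay time-ordered (timestamp, account) failed logons against a
    simplified lockout policy. 'tested' = guesses the server actually checked,
    'rejected' = guesses refused because the account was locked."""
    reset, lock = timedelta(minutes=reset_min), timedelta(minutes=lock_min)
    state, result = {}, {}
    for ts, account in failures:
        acct = account.lower()
        s = state.setdefault(acct, {"count": 0, "last": None, "until": None})
        r = result.setdefault(acct, {"tested": 0, "rejected": 0})
        if acct in exempt:                      # never locked out, per the post
            r["tested"] += 1
            continue
        if s["until"] is not None and ts < s["until"]:
            r["rejected"] += 1                  # locked: password not evaluated
            continue
        if s["last"] is not None and ts - s["last"] >= reset:
            s["count"] = 0                      # reset interval elapsed
        s["count"] += 1
        s["last"] = ts
        r["tested"] += 1
        if s["count"] >= threshold:             # threshold reached: lock account
            s["until"] = ts + lock              # lock_min is an assumed setting
            s["count"] = 0
    return result

def demo():
    # Constructed input: one failed logon every 6 seconds for an hour,
    # against a hypothetical user account and the built-in administrator.
    start = datetime(2004, 10, 15, 4, 0, 0)
    failures = []
    for i in range(600):
        ts = start + timedelta(seconds=6 * i)
        failures.append((ts, "jsmith"))
        failures.append((ts, "Administrator"))
    return simulate_lockout(failures)

if __name__ == "__main__":
    for account, counts in demo().items():
        print(account, counts)
```

In this constructed hour the lockable account has 60 of 600 guesses evaluated, while all 600 against the administrator account are evaluated, which is the gap that disabling that account's TS logon closes.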


