I've actually never heard of anyone hacking in via RDP...maybe I'm wrong. Here's a good article about securing an open Terminal Server. http://support.microsoft.com/?id=895433
On Tue, Apr 1, 2008 at 3:48 PM, <[EMAIL PROTECTED]> wrote:
>
> Never said no firewall in front of it -- we were only NATing a single port
> (3389) to that box, and RDP is 128-bit encrypted. Not saying it's a good
> idea, but for a short stint and some IP whitelisting it wasn't the end of
> the world either...
>
> *"Ziots, Edward" <[EMAIL PROTECTED]>*
> 04/01/2008 04:42 PM
> Please respond to: "NT System Admin Issues" <[email protected]>
> To: "NT System Admin Issues" <[email protected]>
> cc:
> Subject: RE: Public TS - opinions?
>
> The few times we've had to do it we whitelisted the IPs on the firewall
> that we wanted to allow connections from. If the connecting IP was on a
> whitelist we'd NAT to the internal IP on port 3389 and the user would be in.
> We had three users that needed access this way, so we whitelisted their home
> office IPs (they were technically dynamic, but never really changed). Worked
> in a pinch, although didn't make me feel good either. SSL VPN was the end
> solution that allowed them easy access relatively inexpensively.
>
> Jeff
>
> *"Bob Fronk" <[EMAIL PROTECTED]>*
> 04/01/2008 04:34 PM
> Please respond to: "NT System Admin Issues" <[email protected]>
> To: "NT System Admin Issues" <[email protected]>
> cc:
> Subject: Public TS - opinions?
>
> I have a client that wants to keep a terminal server available publicly to
> be accessed from multiple sites where a VPN is not possible due to money and
> equipment constraints. The outside users just use the Remote Desktop and
> connect directly to the public IP.
>
> I feel this is a security risk.
>
> What is the group's opinion and what do you think is a good workaround or
> ways to at least reduce the security problems?
>
> Bob Fronk
>
> Agreed,
>
> SSL VPN if you have it and have them connect to it, and then tunnel the
> RDP to the server. You control the access at your point of presence through
> to the server.
>
> A public-facing server without a firewall or other security control in
> front of it is just asking for trouble.
>
> Z
>
> Edward E. Ziots
> Network Engineer
> Lifespan Organization
> MCSE,MCSA,MCP,Security+,Network+,CCA
> Phone: 401-639-3505
>
> -----Original Message-----
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> *Sent:* Tuesday, April 01, 2008 4:39 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Public TS - opinions?
