Our firewall (and many others) can detect port scans and IP range scans 
and blacklist that IP for a set amount of time, so I wasn't overly 
concerned about that, but it's a good tip.





"Sam Cayze" <[EMAIL PROTECTED]> 
04/01/2008 04:50 PM
Please respond to: "NT System Admin Issues" <[email protected]>
To: "NT System Admin Issues" <[email protected]>
Subject: RE: Public TS - opinions?

At least change the port!  Everybody's scanning port 3389 for open 
connections.  Combine this with other measures, like whitelisting, and 
preferably SSL.

From: Ziots, Edward [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2008 3:43 PM
To: NT System Admin Issues
Subject: RE: Public TS - opinions?

The few times we've had to do it we whitelisted the IPs on the firewall 
that we wanted to allow connections from. If the connecting IP was on a 
whitelist we'd NAT to the internal IP on port 3389 and the user would be 
in. We had three users that needed access this way, so we whitelisted 
their home office IPs (they were technically dynamic, but never really 
changed). Worked in a pinch, although didn't make me feel good either. SSL 
VPN was the end solution that allowed them easy access relatively 
inexpensively. 
Jeff 



"Bob Fronk" <[EMAIL PROTECTED]> 
04/01/2008 04:34 PM
Please respond to: "NT System Admin Issues" <[email protected]>
To: "NT System Admin Issues" <[email protected]>
Subject: Public TS - opinions?

I have a client that wants to keep a terminal server available publicly to 
be accessed from multiple sites where a VPN is not possible due to money 
and equipment constraints.  The outside users just use the Remote Desktop 
and connect directly to the public IP. 
  
I feel this is a security risk.   
  
What is the group's opinion, and what do you think is a good workaround or 
ways to at least reduce the security problems?   
  
Bob Fronk 
  
Agreed, 
 
SSL VPN if you have it and have them connect to it, and then tunnel the 
RDP to the server. You control the access at your point of presence 
through to the server. 
 
A public-facing server without a firewall or other security control in 
front of it is just asking for trouble. 
 
Z
 
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2008 4:39 PM
To: NT System Admin Issues
Subject: Re: Public TS - opinions?
 
 










