remote desktop ports

Hi, I want to install a firewall in front of a server (W2K3), but I have to reach it via Remote Desktop (formerly Terminal Services).

I imagine

3389/tcp microsoft-rdp Microsoft Terminal Service

is enough, but what are these ports:

135/tcp open msrpc Microsoft Windows RPC
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1031/tcp open msrpc Microsoft Windows RPC
1033/tcp open msrpc Microsoft Windows RPC
2105/tcp open msrpc Microsoft Windows RPC

thanks for your help

sillymartin

RPC stands for Remote Procedure Call. Do not open these ports on your firewall.

Systemguy


Correct. However, you'll probably want to tunnel that connection through SSH or a VPN and not make port 3389 publicly available.

135/tcp is the RPC portmapper, the other ports are probably services using RPC (1025/tcp might be task scheduler, 1026/tcp w32time, etc.). Use "netstat -anb" to find out what process is listening on each of these ports.

cu

Ansgar -59cobalt- Wiechers
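To make the two pieces of advice in this thread concrete (open only 3389, and use "netstat -anb" to see what is behind the RPC ports), here is an added example that is not part of the original thread. It parses the nmap-style port list from the question and a constructed `netstat -anb`-style listing (the sample text is made up in the Windows 2003 layout, not captured from a real host), then classifies each listener: 3389 is RDP and may be allowed only from the VPN or admin source range, 135 is the RPC endpoint mapper, and 1025-5000 is the dynamic range Windows 2003 hands to RPC services. The port roles are the ones stated in the thread; the range bounds are the Windows 2003 default ephemeral range.

```python
"""Classify listening ports for a Windows 2003 firewall decision.

Added example; the netstat text below is a CONSTRUCTED sample in the
layout of `netstat -anb` (process name in brackets under each socket
line), not output captured from a real host.
"""
import re
from dataclasses import dataclass

# Port list exactly as posted in the question (nmap output).
SAMPLE_NMAP = """\
135/tcp open msrpc Microsoft Windows RPC
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1031/tcp open msrpc Microsoft Windows RPC
1033/tcp open msrpc Microsoft Windows RPC
2105/tcp open msrpc Microsoft Windows RPC
"""

# Constructed sample in `netstat -anb` layout (not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
 [svchost.exe]
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
 [svchost.exe]
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
 [svchost.exe]
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
 [svchost.exe]
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
 [System]
  TCP    192.0.2.10:3389        198.51.100.7:51022     ESTABLISHED
 [svchost.exe]
"""

RDP_PORT = 3389
RPC_ENDPOINT_MAPPER = 135
DYNAMIC_RPC_RANGE = range(1025, 5001)  # Windows 2003 default dynamic range

NMAP_RE = re.compile(r"^(?P<port>\d+)/tcp\s+open\s+\S+")
LISTEN_RE = re.compile(r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s*$")
PROC_RE = re.compile(r"^\s*\[(?P<proc>[^\]]+)\]\s*$")


@dataclass
class Listener:
    port: int
    bind_addr: str
    process: str
    role: str
    decision: str


def classify(port: int) -> tuple[str, str]:
    """Map a TCP port to (role, firewall decision) per the thread's advice."""
    if port == RDP_PORT:
        return "RDP / Terminal Services", "allow only from the VPN or admin source range"
    if port == RPC_ENDPOINT_MAPPER:
        return "RPC endpoint mapper", "block at the firewall"
    if port in DYNAMIC_RPC_RANGE:
        return "dynamic RPC endpoint (service registered via 135)", "block at the firewall"
    return "other", "block unless a documented requirement exists"


def parse_nmap(text: str) -> list[int]:
    """Extract open TCP ports from nmap-style 'port/tcp open ...' lines."""
    return [int(m.group("port")) for m in map(NMAP_RE.match, text.splitlines()) if m]


def parse_netstat(text: str) -> list[Listener]:
    """Pair each LISTENING socket with the [process] line that follows it."""
    listeners: list[Listener] = []
    pending = None  # (addr, port) of the last LISTENING line awaiting its process
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            pending = (m.group("addr"), int(m.group("port")))
            continue
        if line.strip().startswith(("TCP", "UDP")):
            pending = None  # a non-listening socket; ignore its process line
            continue
        p = PROC_RE.match(line)
        if p and pending is not None:
            addr, port = pending
            role, decision = classify(port)
            listeners.append(Listener(port, addr, p.group("proc"), role, decision))
            pending = None
    return listeners


def ports_to_open(ports: list[int]) -> list[int]:
    """The subset of ports the firewall should pass at all (only RDP here)."""
    return sorted({p for p in ports if classify(p)[1].startswith("allow")})


if __name__ == "__main__":
    for l in parse_netstat(SAMPLE_NETSTAT):
        print(f"{l.port:>5}  {l.process:<12} {l.role:<45} -> {l.decision}")
    print("open from the firewall:", ports_to_open(parse_nmap(SAMPLE_NMAP) + [RDP_PORT]))
```

Run against real `netstat -anb` output by reading it from a file instead of `SAMPLE_NETSTAT`; the process names tell you which RPC service owns each dynamic port, which is what the reply above suggests checking before deciding anything is needed beyond 3389.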

Why tunnel or VPN to port 3389? By default RDP uses encryption, 128 bit up to 256 bit. And why not use 3389 publicly? I have been for the past 5 years with no problems at all.

Wayne McGlinn Brisbane, Oz


Because, like many other MS services, it could have a hole exposed at any moment. If you use a trusted appliance for a VPN end-point, typically a firewall, you don't have near the exposure level and you can place additional limits on the connections without exposing ANY MS services.

I never allow direct connection to the company servers/network and we've never had a single compromised computer/network in almost 30 years (although it was a lot different in those early days).

Leythos

Ok, I'll admit to running a Checkpoint firewall in front :) But still, by using an SSL-like mechanism to secure the RDP channel, it's at least as secure as SSH (128-bit-wise, I mean). And yes, there could be a hole, but by following best practices in regard to Terminal Services logon permissions, Anonymous User and the group Everyone's NTFS permissions, I'm confident it's pretty safe. Like you, I've been responsible for a multitude of networks, from Netware 2.15, NT 3.5, Solaris 2.3 and onwards. Open the front door, but direct them into a lockable reception area.

Wayne


I think you've still missed the point, based on your statement "it's at least as secure as SSH (128-bit-wise, I mean)" - the point is to NOT expose Windows to the public in a way where an exploit would grant access to the server/network.

In this case RDP does NOT need to be exposed directly, as there are viable, proven, more secure means available to provide access to the network. As a simple example, even a PPTP connection between a remote user and the firewall, where the user is required to PPTP end-point into the firewall and is then limited to TCP3389 to a specific LAN IP for his RDP session, is more secure than just allowing TCP3389 to a LAN IP. I've not seen the firewall PPTP cracked yet, and since we admin types issue firewall user names and passwords that users can't change, we get the ability to make a firewall VPN end-point login as hard as we want, and we ensure that the user/pass for the VPN doesn't match the LAN user/pass so that a second login is required to get access.

"And yes, there could be a hole, but by following best practices in regard to Terminal Services logon permissions" - this tells me a lot. Don't take this as an attack, more a warning, but you need to understand that there are a couple of things here: there is the right way, the wrong way and the Microsoft way, which may not be either of the first two. When it comes to security I never rely on the OS to be the protection; I use two or more layers and never expose the OS, even Linux, directly.

If you adopt this method and make it your standard you'll have customers that come to you and say "Wow, did you see how all those companies got hit by that worm/virus/attack? How come things like that never happen to us?" I've never had a customer hacked in all my years, and we handle clients as small as 10-node doctor offices and as large as government agencies with several hundred nodes, to medical centers with hundreds of nodes across multiple locations with multiple external business partner connections.

Leythos

Then you could use an SSH tunnel, for example.

Yours, VB.

Volker Birk

Better not trust it. And what should "128 bit" or "256 bit" tell us about security?

Yes. With no problems at all, at least no problems you realized.

Yours, VB.

Volker Birk

No problems, full stop, Volker. I see port probes at times, but no logons or logon attempts to my DC.

Wayne


There are more things, Horatio, than port probes and logon attempts.

Like Volker said: no problems you realized.

cu

Ansgar -59cobalt- Wiechers
