
And do you tunnel this remote desktop connection thru a vpn or ssh? Or do you just have remote desktop open to the public net, with only your username and password as security?

Or did you enable cert auth to the remote desktop?

http://technet2.microsoft.com/windowsserve...3.mspx?mfr=true

Configuring authentication and encryption

TLS authentication overview

Remote Desktop Protocol (RDP) provides data encryption, but it does not provide authentication to verify the identity of a terminal server. In Windows Server 2003 Service Pack 1 (SP1), you can enhance the security of Terminal Server by configuring Terminal Services connections to use Transport Layer Security (TLS) 1.0 for server authentication, and to encrypt terminal server communications. TLS is a standard protocol that is used to provide secure Web communications on the Internet or intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients.

The simple poor man's vpn is just an SSH tunnel -- I would suggest you set up public key auth only to the ssh server, to prevent bruteforce attack attempts. Then just tunnel your remote desktop connection.

You wouldn't ;) Unless you have your border device/firewall locked down to only allow access on 3389 from trusted sources. Your remote desktop is open to anyone that could guess/bruteforce a username and password.

2k3 server allows for TLS auth, which can prevent bruteforce attacks, etc.

On XP the most you can do is limit which accounts, change the account names, set up a lockout policy, change the port away from the default 3389, etc.

I would never suggest anyone present a service like remote desktop to the public net.. Unless it is locked down to only trusted outside IPs, or the auth method is secure -- sorry, but username and password is not a secure method ;)

Which is why you would tunnel this connection thru a vpn or ssh, where you can use valid methods of authing the users, i.e. a digital certificate, etc.

Something like OpenVPN or any SSH server can allow you to do this quite simply for only the cost of your time to set it up.
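The SSH-tunnel setup the posts above describe (key-only sshd, then forward a local port to the Windows box's 3389), as an added example that is not from the thread. The user name `admin`, the SSH host `gateway.example.net` and the local port 3390 are placeholders; the check follows sshd's first-match-wins rule for directives.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an sshd_config for key-only
# auth and builds the port-forward command an RDP client then points at.

# Constructed sshd_config fragment with the settings the posts recommend:
# public-key auth only, no password or keyboard-interactive logins.
HARDENED_SSHD_CONFIG='PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no'

# Effective value of a directive: sshd uses the first occurrence, so take
# the first non-comment match; fall back to sshd's default when absent.
sshd_effective() {
    directive="$1"; default="$2"; cfg="$3"
    val=$(printf '%s\n' "$cfg" \
        | grep -iE "^[[:space:]]*$directive[[:space:]]+" \
        | head -n 1 | awk '{print tolower($2)}')
    [ -n "$val" ] && printf '%s' "$val" || printf '%s' "$default"
}

# Returns 0 only when passwords and keyboard-interactive logins are off
# and public keys are on. Defaults are sshd's (PasswordAuthentication yes,
# ChallengeResponseAuthentication yes, PubkeyAuthentication yes).
sshd_key_only() {
    [ "$(sshd_effective PasswordAuthentication yes "$1")" = no ] || return 1
    [ "$(sshd_effective ChallengeResponseAuthentication yes "$1")" = no ] || return 1
    [ "$(sshd_effective PubkeyAuthentication yes "$1")" = yes ] || return 1
    return 0
}

# Tunnel command: local port -> RDP (3389) on rdp_host as seen from the SSH
# server (127.0.0.1 when sshd runs on the Windows box itself). -N opens no
# remote shell. The RDP client then connects to localhost:<local_port>.
rdp_tunnel_cmd() {
    ssh_user="$1"; ssh_host="$2"
    rdp_host="${3:-127.0.0.1}"; local_port="${4:-3390}"
    printf 'ssh -N -L %s:%s:3389 %s@%s' "$local_port" "$rdp_host" "$ssh_user" "$ssh_host"
}

if sshd_key_only "$HARDENED_SSHD_CONFIG"; then
    echo "sshd is key-only; run: $(rdp_tunnel_cmd admin gateway.example.net)"
else
    echo "sshd still accepts passwords; fix sshd_config before exposing it"
fi
```

With the tunnel up, the only port the firewall needs to expose is SSH; 3389 stays reachable solely via localhost:3390 on the client.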
