From: Mike Bailey on 11 Jan 2006 11:30

In my PIX, I have a rule set up to forward Remote Desktop (port 3389) through to one of my servers:

static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255 0 0

Another rule was created to allow RDP to another server. Since 3389 was already used, we used 3390, which is forwarded through to 3389 on the other server:

static (inside,outside) tcp interface 3390 192.168.1.6 3389 netmask 255.255.255.255 0 0

My question is - is this safe? And would it be safe to do the same thing to allow RDP directly to my workstation - say forward 3391 to my IP address?

Thanks,
Mike

From: Somebody. on 11 Jan 2006 16:40

"Mike Bailey" <mbailey(a)beaumontproducts.com> wrote in message news:43c531e6$1_3(a)newsfeed.slurp.net...
> In my PIX, I have a rule set up to forward Remote Desktop (port 3389)
> through to one of my servers:
>
> static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255 0 0
>
> Another rule was created to allow RDP to another server. Since 3389 was
> already used, we used 3390, which is forwarded through to 3389 on the other
> server:
>
> static (inside,outside) tcp interface 3390 192.168.1.6 3389 netmask 255.255.255.255 0 0
>
> My question is - is this safe? And would it be safe to do the same thing
> to allow RDP directly to my workstation - say forward 3391 to my IP
> address?
>
> Thanks,
> Mike

Well, no it's not safe. Is it safe enough for you? I can't answer that.

It's susceptible to man in the middle, you've made no mention of encryption, anyone can poke away at the password, you've made no mention of strong authentication. Were I to be tasked with hacking your network, this would be by far the easiest route, since simply getting your username and password (insert dozen different methods here) would yield me complete control of a workstation inside the LAN.

-Russ.

From: Wayne on 11 Jan 2006 19:33

http://www.windowsecurity.com/articles/Windows_Terminal_Services.html

Set the encryption level to high and you'll be fine.

Wayne McGlinn
Brisbane, Oz

"Mike Bailey" <mbailey(a)beaumontproducts.com> wrote in message news:43c531e6$1_3(a)newsfeed.slurp.net...
> In my PIX, I have a rule set up to forward Remote Desktop (port 3389)
> through to one of my servers:
>
> static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255 0 0
>
> Another rule was created to allow RDP to another server. Since 3389 was
> already used, we used 3390, which is forwarded through to 3389 on the other
> server:
>
> static (inside,outside) tcp interface 3390 192.168.1.6 3389 netmask 255.255.255.255 0 0
>
> My question is - is this safe? And would it be safe to do the same thing
> to allow RDP directly to my workstation - say forward 3391 to my IP
> address?
>
> Thanks,
> Mike

From: Volker Birk on 12 Jan 2006 00:41

Mike Bailey <mbailey(a)beaumontproducts.com> wrote:
> In my PIX, I have a rule set up to forward Remote Desktop (port 3389)
> through to one of my servers:

http://www.google.com/search?q=rdp+vulnerability

Maybe RDP is a good idea in a VPN or via SSH.

Yours,
VB.
--
maximum inquementum tum biguttam egresso scribe. meo maximo vestibulo perlegamentum da. da duo tum maximum conscribementa meis listis. dum listis decapitamentum damentum nexto fac sic nextum tum novumversum scribe egresso. lista sic hoc recidementum nextum cis vannementa da listis. cis.

From: Dave English on 12 Jan 2006 05:16

In message <dq484s$ab2$1(a)domitilla.aioe.org>, Wayne <wayne(a)briz.oz> writes
>http://www.windowsecurity.com/articles/Windows_Terminal_Services.html
>Set the encryption level to high and you'll be fine.

Hmm, interesting, the article says:

  In this article, we will focus on Windows 2000 terminal services, with some references to Server 2003 and Windows XP/2003's Remote Desktop service.

But then never mentions them again!

Anyone know where control of encryption is in XP?
--
Dave English
Senior Software & Systems Engineer
Internet Platform Development, Thus plc
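
An added example, not part of the original thread: a small Python check that parses PIX static port-redirection lines like the two in the question and lists every inside RDP listener published on the outside interface. It matches on the real (inside) port, so the 3390 forward is reported the same way as the 3389 one. The third sample rule (192.168.1.7 port 80), the function names and the sample config string are constructed for illustration.

```python
import re

# Constructed sample: the two rules from the question plus one
# hypothetical non-RDP forward for contrast.
SAMPLE_CONFIG = """\
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3390 192.168.1.6 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 192.168.1.7 80 netmask 255.255.255.255 0 0
"""

RDP_PORT = "3389"

# static (real_if,mapped_if) tcp|udp mapped_ip|interface mapped_port real_ip real_port ...
STATIC_PAT = re.compile(
    r"^static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<real_port>\S+)"
)

def parse_static_pat(config):
    """Return one dict per port-redirection static line in the config text."""
    rules = []
    for line in config.splitlines():
        m = STATIC_PAT.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules

def exposed_rdp(rules, mapped_if="outside"):
    """Rules that publish an inside RDP listener on the given interface.

    Matching is on the real (inside) port, so a forward from 3390 or 3391
    is reported exactly like one from 3389.
    """
    return [
        r for r in rules
        if r["mapped_if"] == mapped_if and r["proto"] == "tcp"
        and r["real_port"] == RDP_PORT
    ]

def report(config):
    """One human-readable line per exposed RDP host."""
    return [
        f"{r['mapped_if']}:{r['mapped_port']} -> {r['real_ip']}:{r['real_port']} (RDP)"
        for r in exposed_rdp(parse_static_pat(config))
    ]

if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```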