Security of pinholed 3389 (RDP)

[terrywilson]

Gidday,
We have just inherited a site from another provider who rather than configure a VPN for their remote administration have opted instead to pinhole 3389 through to their SBS server.

How I don't believe this is the right way to do this and I am looking for anyone that can give me definite examples of why this isn't a good practice. I am aware I can wrap the traffic in SSH if I wanted to or establish a VPN first, what I really want to know is that dangers does this expose you to and what problems come with it?

 

[TechyMcSe2k]

http://msmvps.com/blogs/bradley/archive/2008/06/23/unfettered-access-to-port-3389.aspx

 

[Zelandakh]

For remote admin of an SBS domain, I'd allow remote web workplace which would allow TS access.

In fact, I pinhole 3389 myself so perhaps I should just sit quietly?

 

[TechyMcSe2k]

In my corporate environment, we would never be allowed to pin hole 3389. It violates my Hippa and SOX compliance and is always checked during our audits.

In the reading I have found, and if you must use RDP, I recommend your Administrator account be renamed. Also, check in to a firewall, like ISA to help control your Internet/Public footprint. But most companies are running SBS because they are small enough and it keeps costs down.

Use RDP if needed, but if there is sensative data on your network, please make sure that it is encrypted or has other safeguards in place.