Penetration Testing mailing list archives

Re: TS/3389 risk on Internet


From: "Neale Green" <neale.green () neale org>
Date: Tue, 2 Nov 2004 15:06:30 +1100

A good many claims are made in regard to how solid and secure the Microsoft protocols are, but it has been proven numerous times that undocumented "hooks" and associations have been added to make life "easier" by bypassing the restrictions that are supposedly in place to ensure that they are, in fact, secure.

My last position was working in network and network perimeter security for one of the "Big Three" Computer Services Suppliers, and I would NEVER allow 3389 traffic over a Network perimeter, especially from the Internet (I'm not too happy about any generic logons from the internet, but the only Terminal Server traffic I allowed was encrypted Citrix Terminal Server traffic; at least we can independently confirm what you can access with Citrix traffic).

FWIW

Neale Green

----- Original Message -----
> I have a peer that insists on allowing public access to his Domain
> controller via TS/tcp 3389 over the internet.  I know there are some
> documented cases of 'man-in-the-middle' attacks for this service but I was
> hoping someone here could help me plead my case as to why this is a bad
> idea.  Maybe you all disagree and regularly allow this traffic.  It just
> doesn't sit well with me.  Does anyone know if the login/password is sent
> in clear text for TS authentication?
>
> Thanks in advance for any thoughts,
> Nicole
