Penetration Testing mailing list archives
Re: TS/3389 risk on Internet
From: Adam Jones <ajones1 () gmail com>
Date: Thu, 28 Oct 2004 13:32:13 -0500
I see no reason to allow unrestricted access to a DC. IMO the only servers that should be completely publicly exposed are Web servers and any other systems that serve as a face to the masses. Your perimeter firewall should be blocking most traffic to a DC from the net. If you need TS on the DC that much, it does not take much to allow connections from a specific IP address. If his address is dynamic, look into a VPN.

A quick search of microsoft.com/technet yielded that Terminal Services does in fact perform logon encryption, and is capable of encrypting all data at various levels.

http://www.microsoft.com/technet/prodtechnol/win2kts/evaluate/featfunc/w2ktsrg.mspx#ECAA

I didn't look enough to get the encryption types available, but I'm confident that the newer versions of TS are more than capable in that respect.

-Adam
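
Added example, not part of the message above or of the list archive: a small audit that checks a perimeter rule set for TCP 3389 accepted from an unrestricted source, the exposure the message advises against. It assumes the firewall is Linux netfilter and the rules come from `iptables-save`; the function names and sample rules are constructed for illustration.

```python
import ipaddress
import shlex

TS_PORT = 3389  # Terminal Services port from the thread subject

# Constructed sample rules in iptables-save syntax (documentation address ranges).
SAMPLE_RULES = """\
-A FORWARD -p tcp -d 192.0.2.10 --dport 3389 -j ACCEPT
-A FORWARD -s 203.0.113.7/32 -p tcp -d 192.0.2.10 --dport 3389 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -p tcp -m multiport --dports 80,443,3000:4000 -j ACCEPT
-A FORWARD -p tcp -d 192.0.2.20 --dport 443 -j ACCEPT
-A FORWARD -p tcp --dport 3389 -j DROP
"""


def covers_port(spec, port):
    """True if an iptables port spec ('3389', '3000:4000', '80,443') includes port."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        low = int(lo or 0)
        high = int(hi) if hi else (65535 if sep else low)  # '3000:' is open-ended
        if low <= port <= high:
            return True
    return False


def exposed_ts_rules(rules_text, max_prefix=0):
    """Return ACCEPT rules allowing TCP 3389 from a source of prefix length <= max_prefix.

    Limitations: negated matches ('!') and rule ordering are not evaluated, so a
    finding means "review this rule", not "this traffic is certainly allowed".
    """
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] != "-A":
            continue
        # Map each option to the token that follows it.
        opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
        if opts.get("-j") != "ACCEPT" or opts.get("-p") != "tcp":
            continue
        spec = opts.get("--dport") or opts.get("--dports")
        if spec is not None and not covers_port(spec, TS_PORT):
            continue
        # A rule with no -s matches any source address.
        src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
        if src.prefixlen <= max_prefix:
            findings.append(line)
    return findings
```

With the default `max_prefix=0` only rules open to any source are reported; raising it (for example to 24) also reports rules whose allowed source range is broader than the single address the message recommends.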