situation under discussion.
The other is for Server 2003. 2008 is *not* affected.
Running a third party client will not help you in any way and actually
increases your attack surface.
Running RDP inside a VPN isn't a bad implementation, but it takes away
your ability to access your server in an emergency on a non-VPNed
device.
It's a risk management call, obviously. Your biggest threat when
having RDP open from the outside is the problem of having someone
brute forcing your login. Lockouts aren't the answer, IMO, but a
fail2ban-like script goes a long way to mitigating the issue.
That would be my suggestion. Find a way to temporarily ban IPs that
exceed a certain number of failed login attempts and leave the port
open to the outside.
On Tue, Jan 10, 2012 at 10:43 AM, Ricardo Ferreira
<ricardo.ferreira (at) sotechdatacenter.com (dot) br [email concealed]> wrote:
> On 10-01-2012 16:00, Mike Hale wrote:
>>
>> "Don't leave port 3389 open on the Internet at all, the port is much
>> too vulnerable."
>>
>> Explain. What unpatched vulnerabilities for RDP exist in Server 2008?
>>
>> Why is it more secure to provide your credentials to a third party and
>> to install a third party client on your machine?
>>
>> On Tue, Jan 10, 2012 at 9:47 AM, William Baltas
>> <bill.baltas (at) cleanwaterteam (dot) com [email concealed]> wrote:
>>>
>>> Mario, Don't leave port 3389 open on the Internet at all, the port is
>>> much too vulnerable. If you need to perform remote administration, do this
>>> through a VPN tunnel or use a third party service such as gotomypc.
>>>
>>> Good Luck,
>>> Bill
>>>
>>> -----Original Message-----
>>> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
>>> On Behalf Of mariofa88 (at) gmail (dot) com [email concealed]
>>> Sent: Tuesday, January 10, 2012 9:22 AM
>>> To: security-basics (at) securityfocus (dot) com [email concealed]
>>> Subject: RDP over the internet
>>>
>>> Hi all I would like to know what are your opinions of using RDP over the
>>> internet on a Windows 2008 R2 server? Are there any major known exploits or
>>> vulnerabilities? How safe is the server with having port 3389 open to the
>>> internet.
>>>
>>> Rgds,
>>> Mario
>>>
>>> ------------------------------------------------------------------------
>>> Securing Apache Web Server with thawte Digital Certificate
>>> In this guide we examine the importance of Apache-SSL and who needs an
>>> SSL certificate. We look at how SSL works, how it benefits your company and
>>> how your customers can tell if a site is secure. You will find out how to
>>> test, purchase, install and use a thawte Digital Certificate on your Apache
>>> web server. Throughout, best practices for set-up are highlighted to help
>>> you ensure efficient ongoing management of your encryption keys and digital
>>> certificates.
>>>
>>>
>>> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
>>> ------------------------------------------------------------------------
>>>
>>>
>>
>>
> Answers to your questions...
>
>
> http://technet.microsoft.com/en-us/security/bulletin/MS09-044
> http://technet.microsoft.com/en-us/security/bulletin/ms11-017
> http://technet.microsoft.com/en-us/security/bulletin/ms11-065
>
>
>
> --
> Cordially,
>
> Ricardo Ferreira
> Telecom, Technology and Information Security
> CCDP, CCNP, CCDA, CCNA, MCSE, MCP
> -------------------------------------------------------------------
> Sotech Soluções Tecnologicas
> Rua da Alfazema, 761, 1o. andar - 102/103
> 41820-710 - Caminho das Árvores - Salvador-BA - Brasil
> Tel : 55 71 3472.9400 Cel : 55 71 9138 4630
>
> Email:ricardo.ferreira (at) sotechdatacenter.com (dot) br [email concealed]
> Site: www.sotechdatacenter.com.br
>
>
> This message is addressed only to its recipient and may contain
> confidential information that may not be disclosed under the legislation
> in force. If you have received this message in error, please notify
> Sotech Soluções Tecnológicas and delete it from your mailbox.
>
> This message, including its attachments, may contain confidential
> information. If you have improperly received this message, please delete
> it from your system and notify immediately the sender. Any form of
> utilization, reproduction, forward, alteration, distribution and/or
> disclosure of this content in whole or in part, without the prior written
> authorization of the sender, is strictly prohibited. Thanks for your
> cooperation.
>
>
--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
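The fail2ban-like approach Mike describes, as an added example that is not from the thread: a failure window, a retry threshold and a ban that expires on its own, run over constructed records shaped like Windows Security event 4625 ("An account failed to log on") entries. The timestamps, event ids and IP addresses are constructed sample data; reading real events and inserting the firewall block are platform steps this sketch leaves out.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed records shaped like Windows Security log entries, not real logs:
# (timestamp, event id, source IP); 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    ("2012-01-10 17:00:00", 4625, "203.0.113.7"),
    ("2012-01-10 17:00:05", 4625, "203.0.113.7"),
    ("2012-01-10 17:00:09", 4625, "198.51.100.4"),
    ("2012-01-10 17:00:12", 4625, "203.0.113.7"),
    ("2012-01-10 17:00:15", 4624, "203.0.113.7"),   # success: not counted
    ("2012-01-10 17:00:20", 4625, "203.0.113.7"),   # 4th failure in 10 min: ban
    ("2012-01-10 17:30:00", 4625, "198.51.100.4"),  # first failure aged out: no ban
]
class FailedLogonBanner:  # fail2ban-style: maxretry failures in findtime -> ban
    def __init__(self, maxretry=4, findtime=timedelta(minutes=10),
                 bantime=timedelta(minutes=30)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> datetime when the ban expires
    def is_banned(self, ip, now):
        until = self.banned.get(ip)
        if until is None:
            return False
        if now >= until:                    # ban expired: lift it, reset history
            del self.banned[ip]
            self.failures.pop(ip, None)
        return now < until
    def record_failure(self, ip, now):      # True when this failure starts a ban
        if self.is_banned(ip, now):         # already blocked, nothing to add
            return False
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:  # forget failures outside findtime
            window.popleft()
        if len(window) < self.maxretry:
            return False
        self.banned[ip] = now + self.bantime
        window.clear()                      # count restarts after the ban lifts
        return True

def process(events, banner=None):  # -> [(ip, ban expiry as "YYYY-MM-DD HH:MM:SS")]
    banner = banner or FailedLogonBanner()
    bans = []
    for ts, event_id, ip in events:
        if event_id != 4625:                # only failed logons count
            continue
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if banner.record_failure(ip, now):
            bans.append((ip, banner.banned[ip].strftime("%Y-%m-%d %H:%M:%S")))
    return bans
```

Failures that arrive while an IP is already banned are ignored rather than extending the ban, and the counter starts from zero once the ban lifts, so a persistent source is banned again only after a fresh burst.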