Securing Terminal Services over the Internet

In my presentation on remote access at TechEd, I gave three scenarios:

  • web-based access to internal resources, published with ISA Server
  • "desktop over the Internet" using Terminal Services and the remote desktop web connection
  • full IP-based virtual private networks with L2TP+IPsec

In the discussion on TS over the Internet, I failed to mention a very important bit. There is no mechanism built into RDP to authenticate the server to the client. This creates an opportunity to conduct a man-in-the-middle attack. Tools now exist to do exactly this.

In Windows Server 2003, you can configure TS to use TLS for server authentication and data encryption. This is extremely important for anyone running TS over the Internet. See KB 895433 for the step-by-step details.
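The KB article walks through the Terminal Services Configuration GUI. The following PowerShell script is an added example, not part of the original post, that audits the same settings on the RDP-Tcp listener and can enforce the TLS configuration. It assumes the listener's standard registry location (`HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp`) and the documented meanings of its `SecurityLayer`, `MinEncryptionLevel` and `SSLCertificateSHA1Hash` values; the function names are the example's own. Run it elevated on the terminal server.

```powershell
# Added example (not from the original post): audit and enforce TLS on the RDP-Tcp listener.
# Assumption: the listener settings live under this key, as they do on Windows Server 2003 SP1 and later.
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Documented value meanings for the two DWORDs that matter here.
$SecurityLayerNames   = @{ 0 = 'RDP Security Layer (server is NOT authenticated to the client)'
                           1 = 'Negotiate (TLS only if the client supports it)'
                           2 = 'SSL/TLS (server authenticated with a certificate)' }
$EncryptionLevelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RdpListenerSecurity {
    $props = Get-ItemProperty -Path $ListenerKey
    # A missing SecurityLayer value means the pre-SP1 default: plain RDP security layer.
    $layer = if ($null -ne $props.SecurityLayer) { [int]$props.SecurityLayer } else { 0 }
    $level = if ($null -ne $props.MinEncryptionLevel) { [int]$props.MinEncryptionLevel } else { 2 }
    # SSLCertificateSHA1Hash is stored as a REG_BINARY; render it as a thumbprint string.
    $thumb = if ($props.SSLCertificateSHA1Hash) {
        ($props.SSLCertificateSHA1Hash | ForEach-Object { $_.ToString('X2') }) -join ''
    } else { $null }

    [pscustomobject]@{
        SecurityLayer         = $layer
        SecurityLayerName     = $SecurityLayerNames[$layer]
        MinEncryptionLevel    = $level
        EncryptionLevelName   = $EncryptionLevelNames[$level]
        CertificateThumbprint = $thumb
    }
}

function Test-RdpListenerSecurity {
    # Returns a list of findings; an empty list means the listener matches the KB 895433 guidance.
    $s = Get-RdpListenerSecurity
    $findings = @()
    if ($s.SecurityLayer -ne 2) {
        $findings += "SecurityLayer=$($s.SecurityLayer) ($($s.SecurityLayerName)): clients cannot verify the server, so a man-in-the-middle can impersonate it."
    }
    if ($s.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel=$($s.MinEncryptionLevel) ($($s.EncryptionLevelName)): raise to 3 (High) so weak client ciphers are refused."
    }
    if ($s.SecurityLayer -eq 2 -and -not $s.CertificateThumbprint) {
        $findings += 'SecurityLayer is TLS but no certificate is bound; the listener will fall back or fail.'
    }
    if ($s.CertificateThumbprint) {
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $s.CertificateThumbprint
        if (-not $cert)                         { $findings += 'Bound certificate is not present in LocalMachine\My.' }
        elseif (-not $cert.HasPrivateKey)       { $findings += 'Bound certificate has no private key; TLS handshake will fail.' }
        elseif ($cert.NotAfter -lt (Get-Date))  { $findings += "Bound certificate expired on $($cert.NotAfter)." }
    }
    return $findings
}

function Set-RdpListenerTls {
    # Binds a certificate from LocalMachine\My and switches the listener to TLS with High encryption.
    param([Parameter(Mandatory)][string]$CertificateThumbprint)

    $thumbprint = $CertificateThumbprint -replace '[^0-9A-Fa-f]', ''   # tolerate pasted spaces/colons
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumbprint
    if (-not $cert)                   { throw "No certificate with thumbprint $thumbprint in LocalMachine\My." }
    if (-not $cert.HasPrivateKey)     { throw 'Certificate has no private key; import it with the key first.' }

    # Convert the hex thumbprint back into the byte array the listener expects.
    $bytes = [byte[]](0..($thumbprint.Length / 2 - 1) | ForEach-Object {
        [Convert]::ToByte($thumbprint.Substring($_ * 2, 2), 16) })

    Set-ItemProperty -Path $ListenerKey -Name SSLCertificateSHA1Hash -Value $bytes -Type Binary
    Set-ItemProperty -Path $ListenerKey -Name SecurityLayer          -Value 2      -Type DWord
    Set-ItemProperty -Path $ListenerKey -Name MinEncryptionLevel     -Value 3      -Type DWord
    Write-Host "Listener now requires TLS with certificate $thumbprint; new sessions pick this up, existing ones keep their old settings."
}

# Usage: report first, then enforce with the thumbprint of the server's certificate.
Test-RdpListenerSecurity | ForEach-Object { Write-Warning $_ }
# Set-RdpListenerTls -CertificateThumbprint '<thumbprint of the server certificate>'
```

Two things decide whether the TLS setting actually defeats an impersonating server: the certificate's subject (or SAN) must match the name users type into the Remote Desktop client, and the issuing CA must be trusted on those clients. A self-signed or mismatched certificate only produces a warning the user can click through, which leaves the man-in-the-middle opportunity the post describes.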

Published 28 June 05 09:54 by Steve Riley


Comments

BufferOverrun said on June 29, 2005 4:51 AM:
Steve Riley has posted a link to some information about RDP security over the Internet. Check it out...

Kieran Jacobsen's Blog said on July 2, 2005 1:53 AM:

Clare Dillon's Blog said on July 11, 2005 11:59 AM:
Just back from a hectic Tech Ed Europe in Amsterdam last week and thought I would drop in a note about...
