
Follow Up on the Insecurity of RDP Access to the Corpnet

I got a few responses to my post on why allowing remote access to RDP servers on the corpnet is one of the best ways to make sure your network will be comprehensively attacked by Internet intruders. If you missed that discussion, you can check it out at: http://blogs.isaserver.org/shinder/2007/04/10/allo...ealth/

A couple of people came back and said that while the basic premise was true, there were things that you could do to help mitigate the gaping hole that remote access to RDP servers creates. For example, you could do the following:

  • Enforce two (or more) factor authentication on the incoming RDP connection
  • Change the RDP listener port to some other port
  • Require that the RDP client connect from a specific source port
  • Use an RDP application that enables access only to a specific application, instead of the entire desktop
  • Enable remote access to only user accounts, and block access to Administrator accounts
  • Use an application that monitors users’ actions during RDP sessions, so that these can be replayed after the fact if required
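
The second and fifth items on that list are things you can actually verify on the RDP host itself. The script below is an added example and not code from the original post; it assumes Windows PowerShell 5.1 running elevated on the RDP server, and uses the standard Terminal Server registry values and the two RDP-related user rights (names of the real settings, not invented ones). It reports whether the listener is still on the default port and whether the local Administrators group is allowed to log on through Remote Desktop, which is the thing the "no Administrator accounts" mitigation is meant to prevent.

```powershell
# Added audit example (not from the original post). Assumes Windows PowerShell 5.1,
# run elevated on the RDP host. It reads the RDP listener configuration and the local
# user-rights assignment so that two of the listed mitigations can be checked.

function Get-RdpExposureReport {
    $tsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $listener = Join-Path $tsRoot 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means the host refuses RDP connections altogether.
    $deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections).fDenyTSConnections

    # PortNumber is the RDP listener port; 3389 is the well-known default.
    $port = (Get-ItemProperty -Path $listener -Name PortNumber).PortNumber

    # Export the local user-rights assignment and keep the two RDP-related rights:
    #   SeRemoteInteractiveLogonRight     = "Allow log on through Remote Desktop Services"
    #   SeDenyRemoteInteractiveLogonRight = "Deny log on through Remote Desktop Services"
    $cfg = Join-Path $env:TEMP 'rdp-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = Get-Content $cfg | Where-Object { $_ -match '^Se(Deny)?RemoteInteractiveLogonRight' }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    $allow = @(); $denyRdp = @()
    foreach ($line in $rights) {
        # Lines look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
        $name, $value = $line -split '\s*=\s*', 2
        $list = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        if ($name.Trim() -eq 'SeRemoteInteractiveLogonRight') { $allow = $list } else { $denyRdp = $list }
    }

    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    $adminSid = 'S-1-5-32-544'

    [pscustomobject]@{
        RdpEnabled           = ($deny -ne 1)
        ListenerPort         = $port
        DefaultPort          = ($port -eq 3389)
        AllowedRdpSids       = $allow
        DeniedRdpSids        = $denyRdp
        # Allowed by the allow right and not overridden by the deny right
        AdminsCanLogonViaRdp = ($allow -contains $adminSid) -and -not ($denyRdp -contains $adminSid)
        LocalAdminMembers    = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    }
}

$report = Get-RdpExposureReport
$report | Format-List

if ($report.RdpEnabled -and $report.AdminsCanLogonViaRdp) {
    Write-Warning 'Administrators may log on over RDP. Add the group to "Deny log on through Remote Desktop Services" to enforce the no-admin rule.'
}
if ($report.RdpEnabled -and $report.DefaultPort) {
    Write-Warning 'RDP listener is on 3389. Moving it is obscurity only and is no substitute for strong authentication.'
}
```

Note that moving the port and denying Administrators are only two of the six items; two-factor authentication, source-port restriction and application-only publishing are enforced at the firewall or gateway rather than on the RDP host, so this script cannot see them.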

On one hand, I would say that none of these mitigations changes the basic premise: an RDP session to a full desktop gives an attacker an almost unlimited opportunity to attack virtually any asset on your network. On the other hand, if you make it so difficult for an intruder even to get to an RDP session, then the theoretical risk is almost reduced to nil, assuming that your users will never become malicious users.

So, if we make the following assumptions:

  • You make it almost impossible for an unauthorized user to establish an RDP session
  • You limit access to only approved applications that do not run in admin mode
  • You can know that trusted employees will never become future disgruntled employees

Then I’ll accept remote access to RDP as an acceptable solution :)

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

Email: tshinder@isaserver.org

MVP — Microsoft Firewalls (ISA)
