RE: Now would be a good time to disable inbound RDP (or change your port)

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 18 Jul 2005 10:12:01 -0700

Hi Han,

Actually, I won't be getting that fixed.
The article discusses how to change RDP services to use
certificate-based SSL encryption and server authentication.  It says
nothing about changing how the RDP protocol itself operates.

You're making the common but mistaken assumption that SSL == HTTP.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx] 
Sent: Sunday, July 17, 2005 23:32
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Now would be a good time to disable inbound RDP
(or change your port)

http://www.ISAserver.org

Ok ..... But why does kb895433 say 'to use Transport Layer Security (TLS)
to authenticate the terminal server and to encrypt the data that is sent
between the terminal server and the client computer' and 'You can use
Microsoft Windows Server 2003 Service Pack 1 (SP1) together with
Transport Layer Security (TLS) version 1.0 to help increase terminal
server security by using TLS for server authentication and to encrypt
terminal server communications.' and 'This article describes how to
configure Windows Server 2003 SP1 to use TLS 1.0 for server
authentication to encrypt terminal server communications.', etc.???

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Monday, July 18, 2005 00:15
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Now would be a good time to disable 
> inbound RDP (or change your port)
> 
> Sorry; this is not true.
> The SP1 addition only provides for SSL authentication.
> The remote desktop protocol is still happening over RDP.
> 
> Even if you could tunnel RDP over HTTP, you'd still have to deal with
> the RDP encryption within the HTTP traffic (just like RPC/HTTP).
> 
> ISA still can't see it.
> 
> -----Original Message-----
> From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx] 
> Sent: Sunday, July 17, 2005 8:51 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Now would be a good time to disable inbound RDP
> (or change your port)
> 
> In W2K3 SP1 it actually can be SSL. But can't we have RDP over SSL
> bridging?
> So to add to my ISA wish list: RDP over SSL bridging and RDP layer 7
> filter.
> 
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > Sent: Sunday, July 17, 2005 17:09
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Now would be a good time to disable 
> > inbound RDP (or change your port)
> > 
> > Problem:
> > - RDP is encrypted, just like SSL.
> > Without getting into the actual underpinnings of RDP (I'd have to kill
> > you), you'd have to remember that an application filter would have to
> > act in much the same way as an actual server/client pair (think MMS,
> > RTSP).
> > 
> > This is also why FTPS isn't very functional across an ISA.
> > 
> > -----Original Message-----
> > From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx] 
> > Sent: Sunday, July 17, 2005 7:43 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Now would be a good time to disable inbound RDP
> > (or change your port)
> > 
> > And wouldn't it be great if we had a layer 7 RDP filter for ISA?!
> > 
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > > Sent: Sunday, July 17, 2005 07:38
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Now would be a good time to disable 
> > > inbound RDP (or change your port)
> > > 
> > > Timmy can gloat now...
> > > :-)
> > > 
> > > Now is a good time to make use of ISA 2004's ability to perform PAT.
> > > http://go.microsoft.com/fwlink/?LinkId=50422 
> > > 
> > > Jim
> > > 
> > > All mail to and from this domain is GFI-scanned.
> > > 
> > > 
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Other Internet Software Marketing Sites:
> > > World of Windows Networking: http://www.windowsnetworking.com
> > > Leading Network Software Directory: http://www.serverfiles.com
> > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Network Security Library: http://www.secinf.net/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion 
> > > List as: han.valk@xxxxxxxxxxxxxxx
> > > To unsubscribe visit 
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > 
> > 
> 
