RE: Now would be a good time to disable inbound RDP (or change your port)

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 19 Jul 2005 07:03:12 -0700

Han,

You said:
> > In W2K3 SP1 it actually can be SSL. But can't we have RDP over SSL
> > bridging?
> > So to add to my ISA wish list: RDP over SSL bridging and RDP layer 7
> > filter.

"Bridging" with respect to ISA implies HTTP; the ONLY protocol that ISA
can "bridge".
"RDP over SSL bridging" is meaningless, since SSL is session-layer,
while HTTP and RDP are application-layer protocols.

In either case, none of the SSL additions in WS03 SP1 change the
fundamental aspects of the RDP protocol.

-----Original Message-----
From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx] 
Sent: Tuesday, July 19, 2005 6:36 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Now would be a good time to disable inbound RDP
(or change your port)

http://www.ISAserver.org

Hi Jim,

Yes I know that SSL has nothing to do with HTTP. The way I understand the kb
article is that you are able to use SSL for authentication _and_ encryption of
an RDP session instead of the 'normal' encryption. Is it just me or is the kb
article confusing?

Han.

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Monday, July 18, 2005 7:12 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Now would be a good time to disable 
> inbound RDP (or change your port)
> 
> Hi Han,
> 
> Actually, I won't be getting that fixed.
> The article discusses how to change RDP services to use
> certificate-based SSL encryption and server authentication.  It says
> nothing about changing how the RDP protocol itself operates.
> 
> You're making the common, but mistaken assumption that SSL == HTTP.
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx] 
> Sent: Sunday, July 17, 2005 23:32
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Now would be a good time to disable inbound RDP
> (or change your port)
> 
> Ok ..... But why does kb895433 say 'to use Transport Layer Security (TLS) to
> authenticate the terminal server and to encrypt the data that is sent between
> the terminal server and the client computer' and 'You can use Microsoft
> Windows Server 2003 Service Pack 1 (SP1) together with Transport Layer
> Security (TLS) version 1.0 to help increase terminal server security by using
> TLS for server authentication and to encrypt terminal server communications.'
> and 'This article describes how to configure Windows Server 2003 SP1 to use
> TLS 1.0 for server authentication to encrypt terminal server
> communications.', etc.???
> 
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > Sent: Monday, July 18, 2005 00:15
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Now would be a good time to disable 
> > inbound RDP (or change your port)
> > 
> > Sorry; this is not true.
> > The SP1 addition only provides for SSL authentication.
> > The remote desktop protocol is still happening over RDP.
> > 
> > Even if you could tunnel RDP over HTTP, you'd still have to deal with
> > the RDP encryption within the HTTP traffic (just like RPC/HTTP).
> > 
> > ISA still can't see it.
> > 
> > -----Original Message-----
> > From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx] 
> > Sent: Sunday, July 17, 2005 8:51 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Now would be a good time to disable inbound RDP
> > (or change your port)
> > 
> > In W2K3 SP1 it actually can be SSL. But can't we have RDP over SSL
> > bridging?
> > So to add to my ISA wish list: RDP over SSL bridging and RDP layer 7
> > filter.
> > 
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > > Sent: Sunday, July 17, 2005 17:09
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Now would be a good time to disable 
> > > inbound RDP (or change your port)
> > > 
> > > Problem:
> > > - RDP is encrypted, just like SSL.
> > > Without getting into the actual underpinnings of RDP (I'd have to kill
> > > you), you'd have to remember that an application filter would have to
> > > act in much the same way as an actual server/client pair (think MMS,
> > > RTSP).
> > > 
> > > This is also why FTPS isn't very functional across an ISA.
> > > 
> > > -----Original Message-----
> > > From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx] 
> > > Sent: Sunday, July 17, 2005 7:43 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Now would be a good time to disable inbound RDP
> > > (or change your port)
> > > 
> > > And wouldn't it be great if we had a layer 7 RDP filter for ISA?!
> > > 
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > > > Sent: Sunday, July 17, 2005 07:38
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] Now would be a good time to disable 
> > > > inbound RDP (or change your port)
> > > > 
> > > > Timmy can gloat now...
> > > > :-)
> > > > 
> > > > Now is a good time to make use of ISA 2004's ability to perform PAT.
> > > > http://go.microsoft.com/fwlink/?LinkId=50422 
> > > > 
> > > > Jim
> > > > 
> > > > All mail to and from this domain is GFI-scanned.
> > > > 
> > > > 
> > > > ------------------------------------------------------
> > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Other Internet Software Marketing Sites:
> > > > World of Windows Networking: http://www.windowsnetworking.com
> > > > Leading Network Software Directory: http://www.serverfiles.com
> > > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > > Network Security Library: http://www.secinf.net/
> > > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion 
> > > > List as: han.valk@xxxxxxxxxxxxxxx
> > > > To unsubscribe visit 
> > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > > 
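An added example, not part of the original thread: the thread turns on what a firewall filter can inspect when RDP is secured with TLS. The sketch below classifies the server's X.224 Connection Confirm, the negotiation message that precedes any TLS handshake, using the field layout published in MS-RDPBCGR. The function name and both sample packets are constructed for illustration.

```python
import struct

# selectedProtocol values as defined in MS-RDPBCGR
PROTOCOLS = {0: "standard RDP security", 1: "TLS", 2: "CredSSP (TLS + NLA)"}
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03

# Constructed samples: TPKT header + X.224 Connection Confirm (+ negotiation data)
SAMPLE_TLS = bytes.fromhex("03000013" "0ed00000123400" "02000800" "01000000")
SAMPLE_NO_NEG = bytes.fromhex("0300000b" "06d00000123400")


def classify_connection_confirm(pkt: bytes) -> str:
    """Report which security layer the server selected for the session."""
    # TPKT: version(1)=3, reserved(1), total length(2, big-endian)
    if len(pkt) < 11 or pkt[0] != 0x03:
        return "not TPKT"
    (tpkt_len,) = struct.unpack(">H", pkt[2:4])
    if tpkt_len != len(pkt):
        return "length mismatch"
    # X.224: length indicator(1), code(1), dst-ref(2), src-ref(2), class(1)
    length_indicator, code = pkt[4], pkt[5]
    if code & 0xF0 != 0xD0:
        return "not an X.224 Connection Confirm"
    if length_indicator != len(pkt) - 5:
        return "length mismatch"
    body = pkt[11:]
    if not body:
        # No negotiation structure: the server only speaks standard RDP security
        return PROTOCOLS[0] + " (no negotiation data)"
    if len(body) != 8:
        return "malformed negotiation data"
    # RDP_NEG_RSP / RDP_NEG_FAILURE: type(1), flags(1), length(2), value(4), little-endian
    msg_type, _flags, length, value = struct.unpack("<BBHI", body)
    if length != 8:
        return "malformed negotiation data"
    if msg_type == TYPE_RDP_NEG_RSP:
        return PROTOCOLS.get(value, f"unknown protocol 0x{value:08x}")
    if msg_type == TYPE_RDP_NEG_FAILURE:
        return f"negotiation failed (code {value})"
    return "unknown negotiation message"


if __name__ == "__main__":
    for name, pkt in (("tls", SAMPLE_TLS), ("legacy", SAMPLE_NO_NEG)):
        print(name, "->", classify_connection_confirm(pkt))
```

Whichever layer is selected, the session payload that follows is encrypted, so a filter that does not terminate the session learns only this negotiation outcome.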