To the Moon, Alice!

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Tuesday, July 19, 2005 9:35 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Now would be a good time to disable
> inbound RDP (or change your port)
>
> http://www.ISAserver.org
>
> Ah- I see. Of course, you could make them happy by changing your RDP port
> to 443! yuk yuk yuk
>
> t
>
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, July 19, 2005 7:25 AM
> Subject: [isalist] RE: Now would be a good time to disable inbound RDP (or
> change your port)
>
>
> http://www.ISAserver.org
>
> Exactly! But when the typical admin dude hears "you can RDP with SSL"
> they think "Oh boy! Now I can get through those "restrictive" firewalls!"
>
> I've encountered this response dozens of times since SP1 was released.
> Then I explain to them the real deal, and they end up crestfallen
>
> :)
>
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Tuesday, July 19, 2005 9:26 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Now would be a good time to disable
> > inbound RDP (or change your port)
> >
> > http://www.ISAserver.org
> >
> > That doesn't make it tunnel through 443- it just changes the encryption
> > method within RDP.
> >
> > ----- Original Message -----
> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Tuesday, July 19, 2005 6:45 AM
> > Subject: [isalist] RE: Now would be a good time to disable inbound RDP (or
> > change your port)
> >
> >
> > http://www.ISAserver.org
> >
> > From most of the conversations I have around this subject, most admins
> > don't give a hoot about whether TLS auth/encryption is used -- they just
> > want to "open a port" and tunnel it through TCP 443.
> >
> > Tom
> > www.isaserver.org/shinder
> > Tom and Deb Shinder's Configuring ISA Server 2004
> > http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> >
> > > -----Original Message-----
> > > From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx]
> > > Sent: Tuesday, July 19, 2005 8:36 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Now would be a good time to disable
> > > inbound RDP (or change your port)
> > >
> > > http://www.ISAserver.org
> > >
> > > Hi Jim,
> > >
> > > Yes I know that SSL has nothing to do with HTTP. The way I understand
> > > the kb article is that you are able to use SSL for authentication
> > > _and_ encryption of a RDP session instead of the 'normal' encryption.
> > > Is it just me or is the kb article confusing?
> > >
> > > Han.
> > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > Sent: Monday, July 18, 2005 7:12 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Now would be a good time to disable
> > > > inbound RDP (or change your port)
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Hi Han,
> > > >
> > > > Actually, I won't be getting that fixed.
> > > > The article discusses how to change RDP services to use
> > > > certificate-based SSL encryption and server authentication. It says
> > > > nothing about changing how the RDP protocol itself operates.
> > > >
> > > > You're making the common, but mistaken assumption that SSL == HTTP.
> > > >
> > > > -------------------------------------------------------
> > > > Jim Harrison
> > > > MCP(NT4, W2K), A+, Network+, PCG
> > > > http://isaserver.org/Jim_Harrison/
> > > > http://isatools.org
> > > > Read the help / books / articles!
> > > > -------------------------------------------------------
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx]
> > > > Sent: Sunday, July 17, 2005 23:32
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Now would be a good time to disable inbound RDP
> > > > (or change your port)
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Ok ..... But why does kb895433 say 'to use Transport Layer Security
> > > > (TLS) to authenticate the terminal server and to encrypt the data that
> > > > is sent between the terminal server and the client computer' and 'You
> > > > can use Microsoft Windows Server 2003 Service Pack 1 (SP1) together
> > > > with Transport Layer Security (TLS) version 1.0 to help increase
> > > > terminal server security by using TLS for server authentication and to
> > > > encrypt terminal server communications.' and 'This article describes
> > > > how to configure Windows Server 2003 SP1 to use TLS 1.0 for server
> > > > authentication to encrypt terminal server communications.', etc.???
> > > >
> > > > > -----Original Message-----
> > > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > > Sent: Monday, July 18, 2005 00:15
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: Now would be a good time to disable
> > > > > inbound RDP (or change your port)
> > > > >
> > > > > http://www.ISAserver.org
> > > > >
> > > > > Sorry; this is not true.
> > > > > The SP1 addition only provides for SSL authentication.
> > > > > The remote desktop protocol is still happening over RDP.
> > > > >
> > > > > Even if you could tunnel RDP over HTTP, you'd still have to deal with
> > > > > the RDP encryption within the HTTP traffic (just like RPC/HTTP).
> > > > >
> > > > > ISA still can't see it.
> > > > >
> > > > > -----Original Message-----
> > > > > From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx]
> > > > > Sent: Sunday, July 17, 2005 8:51 AM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: Now would be a good time to disable inbound RDP
> > > > > (or change your port)
> > > > >
> > > > > http://www.ISAserver.org
> > > > >
> > > > > In W2K3 SP1 it actually can be SSL. But can't we have RDP over SSL
> > > > > bridging?
> > > > > So to add to my ISA wish list: RDP over SSL bridging and RDP layer 7
> > > > > filter.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > > > Sent: Sunday, July 17, 2005 17:09
> > > > > > To: [ISAserver.org Discussion List]
> > > > > > Subject: [isalist] RE: Now would be a good time to disable
> > > > > > inbound RDP (or change your port)
> > > > > >
> > > > > > http://www.ISAserver.org
> > > > > >
> > > > > > Problem:
> > > > > > - RDP is encrypted, just like SSL.
> > > > > > Without getting into the actual underpinnings of RDP (I'd have to kill
> > > > > > you), you'd have to remember that an application filter would have to
> > > > > > act in much the same way as an actual server/client pair (think MMS,
> > > > > > RTSP).
> > > > > >
> > > > > > This is also why FTPS isn't very functional across an ISA.
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx]
> > > > > > Sent: Sunday, July 17, 2005 7:43 AM
> > > > > > To: [ISAserver.org Discussion List]
> > > > > > Subject: [isalist] RE: Now would be a good time to disable inbound RDP
> > > > > > (or change your port)
> > > > > >
> > > > > > http://www.ISAserver.org
> > > > > >
> > > > > > And wouldn't it be great if we had a layer 7 RDP filter for ISA?!
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > > > > Sent: Sunday, July 17, 2005 07:38
> > > > > > > To: [ISAserver.org Discussion List]
> > > > > > > Subject: [isalist] Now would be a good time to disable
> > > > > > > inbound RDP (or change your port)
> > > > > > >
> > > > > > > http://www.ISAserver.org
> > > > > > >
> > > > > > > Timmy can gloat now...
> > > > > > > :-)
> > > > > > >
> > > > > > > Now is a good time to make use of ISA 2004's ability to perform PAT.
> > > > > > > http://go.microsoft.com/fwlink/?LinkId=50422
> > > > > > >
> > > > > > > Jim
> > > > > > >
> > > > > > > All mail to and from this domain is GFI-scanned.
> > > > > > >
> > > > > > > ------------------------------------------------------
> > > > > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > > > > ------------------------------------------------------
> > > > > > > Other Internet Software Marketing Sites:
> > > > > > > World of Windows Networking: http://www.windowsnetworking.com
> > > > > > > Leading Network Software Directory: http://www.serverfiles.com
> > > > > > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > > > > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > > > > > Network Security Library: http://www.secinf.net/
> > > > > > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > > > > > ------------------------------------------------------
> > > > > > > You are currently subscribed to this ISAserver.org Discussion
> > > > > > > List as: han.valk@xxxxxxxxxxxxxxx
> > > > > > > To unsubscribe visit
> > > > > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > > > Report abuse to listadmin@xxxxxxxxxxxxx
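
An added illustration of the point argued in the thread above (not code from any poster or from Microsoft): a first-bytes classifier showing that RDP with TLS still opens with a cleartext X.224 Connection Request, so on TCP 443 it remains distinguishable from HTTPS, which opens with a TLS ClientHello. It assumes the X.224 negotiation layout documented in MS-RDPBCGR; the function names and sample bytes are constructed for this example.

```python
import struct

# requestedProtocols bits in the RDP Negotiation Request (MS-RDPBCGR)
PROTOCOL_SSL, PROTOCOL_HYBRID = 0x1, 0x2
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def rdp_requested_protocols(data):
    """Parse a TPKT/X.224 Connection Request; return requestedProtocols or None.

    Returns 0 when the request carries no negotiation block, i.e. the client
    offers only standard RDP security.
    """
    if len(data) < 11 or data[0] != 0x03 or data[1] != 0x00:
        return None                          # no TPKT header
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len < 11 or tpkt_len > len(data):
        return None                          # truncated or bogus length
    if data[4] + 5 != tpkt_len or data[5] & 0xF0 != 0xE0:
        return None                          # not an X.224 Connection Request
    tail = data[11:tpkt_len]                 # optional cookie + negotiation block
    if tail.startswith(b"Cookie:"):
        end = tail.find(b"\r\n")
        if end < 0:
            return None                      # unterminated cookie
        tail = tail[end + 2:]
    if len(tail) >= 8 and tail[0] == 0x01 and tail[2:4] == b"\x08\x00":
        return struct.unpack("<I", tail[4:8])[0]
    return 0


def classify_first_bytes(data):
    """Label the first client bytes seen on a listener, whatever its port."""
    requested = rdp_requested_protocols(data)
    if requested is not None:
        if requested & (PROTOCOL_SSL | PROTOCOL_HYBRID):
            return "rdp-tls"                 # TLS starts only after this exchange
        return "rdp-standard"
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"                         # ClientHello first, as HTTPS does
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def build_connection_request(cookie=b"", requested=None):
    """Construct a sample X.224 Connection Request (test data only)."""
    body = cookie
    if requested is not None:
        body += struct.pack("<BBHI", 0x01, 0x00, 8, requested)
    x224 = bytes([6 + len(body), 0xE0]) + b"\x00" * 5 + body
    return b"\x03\x00" + struct.pack(">H", 4 + len(x224)) + x224


# Constructed samples: first client bytes as they might arrive on TCP 443.
SAMPLES = {
    "RDP client offering TLS": build_connection_request(requested=PROTOCOL_SSL),
    "RDP client, cookie only": build_connection_request(b"Cookie: mstshash=user\r\n"),
    "HTTPS client (ClientHello prefix)": bytes.fromhex("160301002f0100002b0301"),
    "Plain HTTP client": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for label, first_bytes in SAMPLES.items():
        print(f"{label:36s} -> {classify_first_bytes(first_bytes)}")
```
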