Windows Server 2000/2003 Thread, Securing Windows server 2003 Remote Desktop access for access through the internet in Technical
19th August 2009, 12:32 PM #16
I will no longer authorise RDP into Northants schools and over the next 12 months will be asking schools to move to a more secure remote setup.
It is open to attack as previously mentioned and it is scary the number of people that have set it up on their MIS to allow for SLT to access the MIS at home in *clear* breach of the DPA!
Seriously folks ... it is not secure, go for a decent VPN solution or other alternatives such as Sun Secure Global Desktop or Citrix ... both over HTTPS with a valid certificate.
19th August 2009, 01:15 PM #17
aaaahhhhhh... >_< that is soo scary...
anyway using OpenVPN or anything with two factor authentication such as RSA SecurID is the secure way to do it but yes we will have to invest anyway ;-|
19th August 2009, 06:00 PM #18
Or use TSGateway over HTTPS which comes built in to Server 2008 which also gives added security.
Last edited by SYNACK; 19th August 2009 at 07:41 PM.
19th August 2009, 11:21 PM #19
Do any of the RDP MITMs people have in mind actually work if you turn on server TLS authentication (something you've had an opportunity to do for years now)?
The problem for RBCs/whatever is that you can't rely on people to configure these features, or have genuinely strong passwords etc., so they're pretty much forced to mandate VPNs.
I expect the 2K8 [2k8R2]+ TS[RD] stuff over TLS will get people more in the security groove though... and I'm definitely prepared to argue the case for that vs. splashing out what can often be a *lot* of money on commercial VPNs.
Last edited by PiqueABoo; 19th August 2009 at 11:24 PM.
20th August 2009, 12:29 AM #20
Yes, I agree with using the existing Windows features (2003/2008) rather than getting additional VPN connection with 3rd party.
So in this case I shall try to deploy Windows Essential Business Server 2008 Standard Security server as they are equipped with Forefront Threat management and also this edition of Windows Server does not need to be member of Active Directory.
20th August 2009, 09:40 PM #21
I agree with using the existing Windows features (2003/2008) rather than getting additional VPN connection with 3rd party.
That's the spirit.
No one's answered the question yet, so after a very quick google I found this: Configuring Terminal Servers for Server Authentication to Prevent “Man in the Middle” Attacks. Not necessarily the last word, but it's recent-ish and item 2b (pointing to KB895433) is the 2K3 update I had in mind.
And again with 2K8 you just run RDP over TLS with all that security stuff to play with. The only downside, as ever, is the client boxes: If they're "yours", locked down and configured nicely before they get home it's not too bad, otherwise..
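
Added example, not part of the thread or any poster's code: one way to check the point raised in posts #19 and #21, whether a terminal server still accepts legacy RDP security or insists on TLS/NLA. It builds a legacy-only X.224 connection request and classifies the server's reply; field values follow MS-RDPBCGR, while the function names and the sample replies are constructed for illustration.

```python
import socket
import struct

# Values from MS-RDPBCGR (RDP_NEG_RSP selectedProtocol, RDP_NEG_FAILURE failureCode).
PROTOCOLS = {0: "standard RDP security", 1: "TLS", 2: "CredSSP (NLA)"}
FAILURES = {1: "SSL_REQUIRED_BY_SERVER", 5: "HYBRID_REQUIRED_BY_SERVER",
            6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def build_request(requested=0):
    """X.224 Connection Request with an RDP_NEG_REQ; 0 offers legacy security only."""
    neg = struct.pack("<BBHI", 0x01, 0x00, 8, requested)
    x224 = bytes([6 + len(neg), 0xE0, 0, 0, 0, 0, 0]) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def classify_response(pdu):
    """Return (accepts_legacy, detail) for the reply to a legacy-only request."""
    if len(pdu) < 11 or pdu[0] != 3 or pdu[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(pdu) < 19:  # older servers answer without any negotiation structure
        return True, "no negotiation data: standard RDP security only"
    kind, _flags, _length, value = struct.unpack_from("<BBHI", pdu, 11)
    if kind == 0x02:  # RDP_NEG_RSP: the server picked a protocol
        return value == 0, "server selected " + PROTOCOLS.get(value, hex(value))
    if kind == 0x03:  # RDP_NEG_FAILURE: the server rejected the offer
        return False, "server refused: " + FAILURES.get(value, "code %d" % value)
    raise ValueError("unexpected negotiation type 0x%02x" % kind)

def probe(host, port=3389, timeout=5):
    """Send the legacy-only request to a server you administer and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(0))
        return classify_response(s.recv(64))

# Constructed sample replies (not captured traffic).
LEGACY_ACCEPTED = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 00 00 00 00")
TLS_REQUIRED = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 01 00 00 00")
NO_NEGOTIATION = bytes.fromhex("03 00 00 0b 06 d0 00 00 12 34 00")

if __name__ == "__main__":
    for name, pdu in [("legacy accepted", LEGACY_ACCEPTED),
                      ("TLS required", TLS_REQUIRED),
                      ("no negotiation", NO_NEGOTIATION)]:
        print(name, "->", classify_response(pdu))
```

A result of `accepts_legacy == True` means the server will still complete a connection without TLS server authentication, which is the configuration the man-in-the-middle concern in this thread applies to.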