Should server be accessible through Remote Desktop from outside la

Small Business Server


  #1  
Old 11-01-2008
Job Andersson
 
Posts: n/a
Should server be accessible through Remote Desktop from outside la

I just realized our server is accessible through Remote Desktop from outside
of our local network! I realized it by chance when I forgot to connect to the
VPN before I started RDC to our server.

I suppose this is a severe security risk? How can I disable this? Our
server uses the router Firewall.

I guess I need to know what port to block.

Regards,
  #2  
Old 11-01-2008
Lanwench [MVP - Exchange]
 
Posts: n/a
Re: Should server be accessible through Remote Desktop from outside la

Job Andersson <JobAndersson@discussions.microsoft.com> wrote:
> I just realized our server is accessible through Remote Desktop from
> outside of our local network!


Yes, if you set it up that way, but only to administrators. End users don't
see the server option.

> I realized it by chance when I forgot
> to connect to the VPN before I started RDC to our server.
>
> I suppose this is a severe security risk? How can I disable this? Our
> server uses the router Firewall.


Require VPN for remote desktop via RWW.

>
> I guess I need to know what port to block.


You can leave HTTPS (443) open if you want to permit direct VPN-less access
to the main RWW menu for OWA, etc - but don't allow TCP 4125, and then no
remote desktop connections will work thru RWW.
>
> Regards,




  #3  
Old 12-01-2008
Joe
 
Posts: n/a
Re: Should server be accessible through Remote Desktop from outside la

Job Andersson wrote:
> I just realized our server is accessible through Remote Desktop from outside
> of our local network! I realized it by chance when I forgot to connect to the
> VPN before I started RDC to our server.
>
> I suppose this is a severe security risk? How can I disable this? Our
> server uses the router Firewall.
>
> I guess I need to know what port to block.
>


If you definitely mean RDC, then that's port 3389, which really
shouldn't be open. It's a popular target for password brute-force bots;
not a terribly serious problem if you have good passwords, but better
closed. The router will currently be forwarding it, and should be told
to stop.

As a long shot, if the router has UPnP enabled, turn that off also.
Whoever configured the system didn't have a really good reason to open
3389 (there are safer ways of reaching the server), and it's possible
the router was configured by the SBS CEICW wizard using UPnP (it does
offer to do that). This may be a more serious security hole, if it is
enabled, as allegedly if the router provides any web pages without
authentication which contain scripts, a cross-site scripting attack may
be possible against its UPnP features, which do *not* require
authentication.

Excerpt from a recent Full-Disclosure mailing list posting:

"The following is a non-malicious proof-of-concept exploit which sets
up a port-forwarding rule from port 1337 on the WAN interface to port
445 on the internal IP address 192.168.1.64. Such IP address is the
first usable IP address reserved for clients connected to Speedtouch
and BT Home Hub routers. The exploit has been tested on BT Home Hub -
Firmware version 6.2.6.B. Just to make things clear, UPnP is enabled
by default on the BT Home Hub, just like most IGDs."
  #4  
Old 12-01-2008
Linc
 
Posts: n/a
Re: Should server be accessible through Remote Desktop from outsid

I would do one of the following. Either rerun the connect to internet wizard
and close the remote access, or block port 3389 on the router. This is a
serious security risk that should only be opened up when you need assistance
from someone outside. Otherwise there are other ways to connect to the server
remotely.
--
MCSE Security
CompTIA Security+
CompTIA A+


"Joe" wrote:

> Job Andersson wrote:
> > I just realized our server is accessible through Remote Desktop from outside
> > of our local network! I realized it by chance when I forgot to connect to the
> > VPN before I started RDC to our server.
> >
> > I suppose this is a severe security risk? How can I disable this? Our
> > server uses the router Firewall.
> >
> > I guess I need to know what port to block.
> >

>
> If you definitely mean RDC, then that's port 3389, which really
> shouldn't be open. It's a popular target for password brute-force bots;
> not a terribly serious problem if you have good passwords, but better
> closed. The router will currently be forwarding it, and should be told
> to stop.
>
> As a long shot, if the router has UPnP enabled, turn that off also.
> Whoever configured the system didn't have a really good reason to open
> 3389 (there are safer ways of reaching the server), and it's possible
> the router was configured by the SBS CEICW wizard using UPnP (it does
> offer to do that). This may be a more serious security hole, if it is
> enabled, as allegedly if the router provides any web pages without
> authentication which contain scripts, a cross-site scripting attack may
> be possible against its UPnP features, which do *not* require
> authentication.
>
> Excerpt from a recent Full-Disclosure mailing list posting:
>
> "The following is a non-malicious proof-of-concept exploit which sets
> up a port-forwarding rule from port 1337 on the WAN interface to port
> 445 on the internal IP address 192.168.1.64. Such IP address is the
> first usable IP address reserved for clients connected to Speedtouch
> and BT Home Hub routers. The exploit has been tested on BT Home Hub -
> Firmware version 6.2.6.B. Just to make things clear, UPnP is enabled
> by default on the BT Home Hub, just like most IGDs."
>

Reply With Quote
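
An outside-in check of the ports named in this thread, as an added example that is not part of any post: run it from a connection outside the LAN with the VPN disconnected, against your own public address, to confirm what the router still forwards. The names `POLICY`, `probe` and `audit` are assumptions of this sketch.

```python
import socket
import sys

# Policy from the thread: HTTPS 443 may stay open for the RWW menu and OWA;
# TCP 3389 (RDP) and TCP 4125 (remote desktop through RWW) should not be
# reachable from the internet.
POLICY = {443: True, 3389: False, 4125: False}


def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' (refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts and unreachable-host errors
        return "filtered"


def audit(host, policy=POLICY, timeout=3.0):
    """Probe every port in the policy and flag those open against it."""
    findings = []
    for port, may_be_open in sorted(policy.items()):
        state = probe(host, port, timeout)
        violation = state == "open" and not may_be_open
        findings.append({"port": port, "state": state, "violation": violation})
    return findings


def main(argv):
    if len(argv) != 2:
        print("usage: audit.py <your-public-address>")
        return 2
    findings = audit(argv[1])
    for f in findings:
        verdict = "VIOLATION, remove the router forward" if f["violation"] else "ok"
        print(f"tcp/{f['port']:<5} {f['state']:<8} {verdict}")
    return 1 if any(f["violation"] for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status means a port the policy forbids answered from outside, so the script can be rerun after changing the router to confirm the forward is gone.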