Re: Should server be accessible through Remote Desktop from outside la




Job Andersson wrote:
I just realized our server is accessible through Remote Desktop from Outside of our local network! I realized it by chance when I forgot to connect to the VPN before I started RDC to our server.

I suppose this is a severe security risk? How can I disable this? Our server uses the router Firewall.

I guess I need to know what port to block.


If you definitely mean RDC, then that's port 3389, which really shouldn't be open. It's a popular target for password brute-force bots, not a terribly serious problem if you have good passwords, but better closed. The router will currently be forwarding it, and should be told to stop.

As a long shot, if the router has uPnP enabled, turn that off also. Whoever configured the system didn't have a really good reason to open 3389 (there are safer ways of reaching the server), and it's possible the router was configured by the SBS CEICW wizard using uPnP (it does offer to do that). This may be a more serious security hole, if it is enabled, as allegedly if the router provides any web pages without authentication which contain scripts, a cross-site scripting attack may be possible against its uPnP features, which do *not* require authentication.

Excerpt from a recent Full-Disclosure mailing list posting:

"The following is a non-malicious proof-of-concept exploit which sets
up a port-forwarding rule from port 1337 on the WAN interface to port
445 on the internal IP address 192.168.1.64. Such IP address is the
first usable IP address reserved for clients connected to Speedtouch
and BT Home Hub routers. The exploit has been tested on BT Home Hub -
Firmware version 6.2.6.B. Just to make things clear, UPnP is enabled
by default on the BT Home Hub, just like most IGDs."
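As an added example (not from the thread, and separate from the router change the reply recommends), this PowerShell script hardens the server itself so RDP only answers to the VPN client range even if 3389 gets forwarded again, then lists any inbound rule that still allows 3389 from anywhere. It assumes a current Windows Server with the NetSecurity module (the SBS box in the thread is older and would use netsh instead) and a VPN client subnet of 10.8.0.0/24; both are assumptions, not facts from the thread.

```powershell
# Assumed VPN client range (placeholder, substitute your own).
$VpnSubnet = '10.8.0.0/24'
$RdpPort   = 3389

# 1. Confirm which port RDP actually listens on (default 3389), read from the registry.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$listenPort = (Get-ItemProperty -Path $rdpKey).PortNumber
Write-Host "RDP listens on TCP $listenPort"

# 2. Make sure inbound traffic is denied unless a rule allows it, on every profile.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 3. Scope the built-in inbound Remote Desktop rules to the VPN subnet only,
#    so a forwarded 3389 from the Internet is dropped by the host firewall.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $VpnSubnet -Enabled True

# 4. Audit: report every enabled inbound allow rule for the RDP port together with
#    its remote-address scope; anything showing 'Any' is still world-reachable.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$RdpPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        "{0,-40} remote={1}" -f $_.DisplayName, $scope
    }

# 5. From a host OUTSIDE the LAN and not on the VPN, verify the port no longer
#    answers at the public address (TcpTestSucceeded should be False).
#    Test-NetConnection -ComputerName <your-WAN-IP> -Port $RdpPort
```

Run the script in an elevated PowerShell session; the audit in step 4 is worth re-running after any firewall or router change.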


