Born in A Barn?
All too often IT support companies set up clumsy, insecure remote support solutions for the systems they need to access. One of the most common ways of reaching a server remotely is to add a port forwarding rule on the firewall/router for port 3389 and connect to the server directly over the Internet with RDP. This is really bad practice and presents a serious security risk, particularly for Windows machines, which are frequent targets of hacking attempts. Best practice is to keep ports on local servers locked down from access over the Internet wherever possible (i.e. keep NAT rules to a minimum). If at all possible use a DMZ for essential services like SMTP, but there is certainly no need to expose a service such as RDP. It is far better to set up a VPN, either on the firewall hardware if it supports one, or using the Windows VPN functionality with VPN pass-through enabled on the firewall. If a NAT rule for port 3389 really is the only option, it should at least be locked down so that access is only possible from specific public IP addresses.
In short, network ports are like doors, and should be kept closed wherever possible.
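As an added example (not from the original post), the following Python audit reads iptables-save style NAT rules and flags any RDP forward that has no source restriction, which is exactly the open door described above; the rule set and addresses are constructed for illustration.

```python
import re
import ipaddress

# Constructed sample of iptables-save style NAT rules (not from the original post).
# Public addresses use RFC 5737 documentation ranges.
SAMPLE_NAT_RULES = """
-A PREROUTING -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.20:25
-A PREROUTING -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -s 203.0.113.5/32 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.11:3389
-A PREROUTING -s 198.51.100.0/24 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.12:3389
-A POSTROUTING -o eth0 -j MASQUERADE
"""

RDP_PORT = 3389
_DPORT = re.compile(r"--dport\s+(\d+)")
_SRC = re.compile(r"-s\s+(\S+)")
_DEST = re.compile(r"--to-destination\s+(\S+)")


def parse_dnat_rules(text):
    """Return (port, source_network_or_None, destination) for each DNAT rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if "-j DNAT" not in line:
            continue
        port = _DPORT.search(line)
        dest = _DEST.search(line)
        if not port or not dest:
            continue  # not a simple port forward; skip rather than guess
        src = _SRC.search(line)
        source = ipaddress.ip_network(src.group(1), strict=False) if src else None
        rules.append((int(port.group(1)), source, dest.group(1)))
    return rules


def find_exposed_rdp(text):
    """Destinations reachable on 3389 from the whole Internet (no usable source restriction)."""
    exposed = []
    for port, source, dest in parse_dnat_rules(text):
        if port != RDP_PORT:
            continue
        # A missing -s, or one covering every address (0.0.0.0/0), is an open door.
        if source is None or source.prefixlen == 0:
            exposed.append(dest)
    return exposed


if __name__ == "__main__":
    for host in find_exposed_rdp(SAMPLE_NAT_RULES):
        print("RDP exposed to the Internet:", host)
```

Forwards restricted with `-s` to a specific public address or range pass the check; the rule with no source at all is the one reported.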