Security of Port 3389

Guest

How do you keep port 3389 from being seen as open to everyone on the internet?
Both of my networks are behind Linksys routers. I have to forward 3389 to a local IP on the Host network or I am unable to connect remotely. If I set ICF to allow the remote access I have an open port. If I don't forward 3389 and disable ICF I am unable to make a remote connection. Is there a way to stealth or at least close 3389, or to specify what IPs it will allow a remote connection from?
The other option was to set one machine as a DMZ on the router, which when used with ICF still left port 3389 open.

Thanks in advance for your help.

Joe
 
Bill Sanderson

Joel--unless the port is open, you can't connect to it.

So--for every open port--and there should be as few of them as possible--you
need to have some confidence in the vendor and product listening on that
port--that they've done a good job on security, and that if issues are found
with their code, they will fix them and report those issues to you in a
timely manner.

And you need to take your own precautions: use strong passwords, enable
logging and lockouts, and actually look at the logs.

Open only 3389 on the router, and only 3389 in ICF. Log successful and
unsuccessful logins. Use a strong password, and change it periodically.
Set lockouts for successive unsuccessful login attempts. Make sure that the
number of accounts able to use RD is minimized, and, ideally, the names of
those accounts are non-obvious.
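Bill's advice comes down to three controls that can be checked against the logon log: a source that hammers the RDP port with failed logons, an account that has reached its lockout threshold, and a successful logon that arrives right after a run of failures from the same address. The following Python is an added example written for this page (not code from the thread): it runs those three checks over a handful of constructed records. The line layout ("timestamp event_id logon_type account source_ip") is invented for the example; 4625/4624 are the Windows Security log IDs for failed and successful logons and logon type 10 is the RemoteInteractive (Remote Desktop) type, but the thread itself names no event IDs. The thresholds and window are assumptions to tune to your own environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, one per line: "timestamp event_id logon_type account source_ip".
# The layout is made up for this example; 4625/4624 are the Windows Security log
# failed/successful logon event IDs and logon type 10 is RemoteInteractive (RDP).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2003-09-14T02:10:01 4625 10 administrator 203.0.113.45
2003-09-14T02:10:03 4625 10 administrator 203.0.113.45
2003-09-14T02:10:05 4625 10 admin 203.0.113.45
2003-09-14T02:10:07 4625 10 administrator 203.0.113.45
2003-09-14T02:10:09 4625 10 guest 203.0.113.45
2003-09-14T02:10:12 4625 10 administrator 203.0.113.45
2003-09-14T02:10:15 4624 10 administrator 203.0.113.45
2003-09-14T08:30:00 4625 10 jsmith 198.51.100.7
2003-09-14T08:30:40 4624 10 jsmith 198.51.100.7
2003-09-14T09:15:00 4624 10 jsmith 198.51.100.7
"""

FAILED, SUCCESS = "4625", "4624"
RDP_LOGON_TYPE = "10"


def parse_log(text):
    """Turn the sample lines into dicts, keeping only RDP (logon type 10) events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        if logon_type != RDP_LOGON_TYPE:
            continue
        events.append({"ts": datetime.fromisoformat(ts), "id": event_id,
                       "account": account.lower(), "src": src})
    return events


def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with at least `threshold` failed RDP logons inside a sliding window."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = set()
    for ev in events:
        if ev["id"] != FAILED:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev["src"])
    return flagged


def accounts_to_lock(events, max_failures=3):
    """Accounts whose run of consecutive failures (reset by a success) hit max_failures."""
    streak = defaultdict(int)
    locked = set()
    for ev in events:
        if ev["id"] == SUCCESS:
            streak[ev["account"]] = 0
        elif ev["id"] == FAILED:
            streak[ev["account"]] += 1
            if streak[ev["account"]] >= max_failures:
                locked.add(ev["account"])
    return locked


def suspicious_successes(events, min_failures=3, window=timedelta(minutes=10)):
    """Successful logons preceded by >= min_failures recent failures from the same source.

    These are the entries worth reading first when you 'actually look at the logs'."""
    failures = defaultdict(deque)
    alerts = []
    for ev in events:
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["id"] == FAILED:
            q.append(ev["ts"])
        elif ev["id"] == SUCCESS and len(q) >= min_failures:
            alerts.append((ev["account"], ev["src"], ev["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("block at router :", sorted(brute_force_sources(evs)))
    print("lock accounts   :", sorted(accounts_to_lock(evs)))
    print("review successes:", suspicious_successes(evs))
```

On the constructed data the attacking address is flagged after its fifth failure, "administrator" reaches the lockout threshold after three consecutive failures, and the later success from that address is reported for review; jsmith's single typo followed by a success trips nothing.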
 
Jeffrey Randow (MVP)

There isn't an easy way to get extra protection from these scans, BUT
some routers/firewalls will block all connections from a particular IP
address if they detect that the remote system is trying to do a port scan
(I believe some of the Netgears do this, but it has been a while)...

Jeffrey Randow (Windows Net. & Smart Display MVP)
(e-mail address removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
 
Ian

I suggest closing port 3389 in your case and calling the cleaning staff and
asking them to log in & do stuff on your behalf when you can't be at the
office personally.
 
Mike

In addition to Bill's excellent advice, you can change the port which ICF
uses from 3389 to some other port. As I understand it (having asked the
exact sequence of questions you are now asking, some time ago) most
evil-doers will be looking for ports associated with whatever exploit they
are attempting to achieve. By changing 3389 to some other
unused/seldom-used/obscure port, you increase your security. To log in via RDP will
require no change to your present method. To log in via the net you'll need
to go to http://xxx.xxx.xxx.xxx:nnnn/tsweb where nnnn is the new port. In your
router, you'll have to open that port as well. This link has additional
details on how to change the port which the Remote Desktop Connection
"listens" on.

http://support.microsoft.com/default.aspx?scid=kb;en-us;304304

Joel said:
How do you keep port 3389 from being seen as open to everyone on the internet?
Both of my networks are behind Linksys routers. I have to forward 3389 to
a local IP on the Host network or I am unable to connect remotely. If I set
ICF to allow the remote access I have an open port. If I don't forward 3389
and disable ICF I am unable to make a remote connection. Is there a way to
stealth or at least close 3389, or to specify what IPs it will allow a
remote connection from?
The other option was to set one machine as a DMZ on the router, which when
used with ICF still left port 3389 open.
 
Eric Thompson

To log in via the net you'll need
to http://xxx.xxx.xxx.xxx:nnnn/tsweb where nnnn is the new port.

Mike,

Does xxx.xxx.xxx.xxx represent the IP of the machine (as set via DHCP or a static, manually set IP) or is it the IP of the router as given by the ISP? Since Linksys defaults to 192.168.1.100 as the IP of the first machine on the network, I would think there would be millions of machines out there with the IP address 192.168.1.100...

Does the server PC need to recognize the client machine when connecting? I could manually enter the name of my laptop into the authorized users, but it couldn't be resolved.

I am sure these are ignorant questions to those who know how to do this, but this seems much harder than it should be...

--
Eric Thompson
(e-mail address removed)
 
Eric

Mike said:
In addition to Bill's excellent advice, you can change the port which ICF
uses from 3389 to some other port. As I understand it (having asked the
exact sequence of questions you are now asking, some time ago) most
evil-doers will be looking for ports associated with whatever exploit they
are attempting to achieve. By changing 3389 to some other
unused/seldom-used/obscure port, you increase your security. To log in via RDP will
require no change to your present method. To log in via the net you'll need
to go to http://xxx.xxx.xxx.xxx:nnnn/tsweb where nnnn is the new port. In your
router, you'll have to open that port as well. This link has additional
details on how to change the port which the Remote Desktop Connection
"listens" on.

http://support.microsoft.com/default.aspx?scid=kb;en-us;304304

That is called "security by obscurity" and isn't worth jack! It's like saying
"I'm secure if I don't tell anyone my IP." If you had a true firewall you
could do what the original poster says: only allow certain IPs to even
attempt to connect. Then those that are allowed need to know user names and
passwords. Put all this on encrypted links and you are quite secure. ICF in
Windows XP is really only a NAT. ZoneAlarm may offer what you need, I don't
know. In Linux you have iptables where you can type in simple rules like
(and I paraphrase a couple of sample rules here):
if src IP is aa.bb.cc.dd and dst IP is ww.xx.yy.zz REJECT connection
if src IP is aa.bb.cc.dd and dst IP is ww.xx.yy.zz and src port is p REJECT
I'm not running Windows down, only showing what kind of thing is necessary to
get his security up to par. Again, maybe ZoneAlarm or some other Windows
product like it may provide similar capabilities to iptables. But you
really don't want to rely on "security by obscurity"; it just won't make you
secure at all.
Eric
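Eric's point is that the fix for "port 3389 is open to everyone" is a filter that decides by source address, which is what a packet filter like iptables does and what the original poster asked for ("specify what IPs it will allow a remote connection from"). The following Python is an added example for this page, not code from the thread or from iptables: it models a first-match rule chain with a default DROP policy, evaluates a few constructed connection attempts against it, and includes a check that reports the "open to the world" condition a bare port-forward creates. The rulesets, addresses (RFC 5737 documentation ranges) and the Rule/evaluate names are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

RDP_PORT = 3389
ACCEPT, REJECT, DROP = "ACCEPT", "REJECT", "DROP"


@dataclass(frozen=True)
class Rule:
    """One filter rule: source network in CIDR form, destination port (None = any), action."""
    src: str
    dport: object
    action: str

    def matches(self, src_ip, dport):
        # ipaddress handles the containment test; mixed IPv4/IPv6 simply does not match.
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and (self.dport is None or self.dport == dport))


def evaluate(rules, src_ip, dport, default=DROP):
    """First-match evaluation, like an iptables INPUT chain with a DROP policy.

    Returns (action, index of the matching rule), or (default, None) when nothing matched."""
    for i, rule in enumerate(rules):
        if rule.matches(src_ip, dport):
            return rule.action, i
    return default, None


def exposes_rdp_to_everyone(rules, default=DROP):
    """True when the first catch-all rule covering 3389 is an ACCEPT, or when no rule
    covers 3389 for every source and the chain's default policy is ACCEPT."""
    for rule in rules:
        covers_rdp = rule.dport in (None, RDP_PORT)
        if covers_rdp and ipaddress.ip_network(rule.src).prefixlen == 0:
            return rule.action == ACCEPT
    return default == ACCEPT


# Constructed rulesets for the example.
OPEN_TO_WORLD = [
    Rule("0.0.0.0/0", RDP_PORT, ACCEPT),        # what a plain router port-forward amounts to
]
ALLOW_LISTED = [
    Rule("198.51.100.7/32", RDP_PORT, ACCEPT),  # the one address you connect from
    Rule("203.0.113.0/24", RDP_PORT, ACCEPT),   # a second trusted network
    Rule("0.0.0.0/0", RDP_PORT, DROP),          # everyone else: dropped silently, no reply
]


if __name__ == "__main__":
    for src in ("198.51.100.7", "203.0.113.200", "192.0.2.99"):
        print(src, "->", evaluate(ALLOW_LISTED, src, RDP_PORT))
    print("port-forward only exposes RDP to everyone:", exposes_rdp_to_everyone(OPEN_TO_WORLD))
    print("allow-list exposes RDP to everyone:", exposes_rdp_to_everyone(ALLOW_LISTED))
```

Using DROP rather than REJECT for the catch-all is the "stealth" the original poster asked about: a dropped SYN gets no reply at all, so a scanner sees the port as filtered rather than closed. Note that the allow-list only helps if the addresses you connect from are stable; a dynamically assigned home address would have to be covered by its whole provider range, which is much weaker.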
 
Mike

Agreed, security by obscurity isn't worth too much...(maybe deter script
kiddies)..but many port scanners do not scan all ports...so I imagine
(perhaps incorrectly?) that it is a modest increase in security...and does
no harm.

Firewall & hard passwords are definitely the primary lines of security...
 
Eric Thompson

I will read this article to help me answer one of my own questions posed to Mike earlier this evening. Thanks for the link!


--
Eric Thompson
(e-mail address removed)
 
Eric

Mike said:
Agreed, security by obscurity isn't worth too much...(maybe deter script
kiddies)..but many port scanners do not scan all ports...so I imagine
(perhaps incorrectly?) that it is a modest increase in security...and does
no harm.

Firewall & hard passwords are definitely the primary lines of security...

I disagree. Most port scanners scan all ports just looking for this kind of
thing; after all, it takes almost no more effort than scanning a single
port and there are only 64k ports in total. A script can do it in a flash;
go to grc.com and try their public one for instance.

The danger here is that it makes a person feel secure when in fact he/she/it
has done nothing to improve his/her/its security at all.

When it comes to protecting your local network you really need to be
pro-active and put in place real security measures. At this point in time,
and to the best of my knowledge, the best setup IMHO (for broadband) is to
run your cable modem to a router, close every port at the router, only open
ports at the router you absolutely need, then run that connection from the
router to a Linux-based machine with IP masquerading (2 NIC cards, 1 for
traffic to/from the router and one for traffic to/from the rest of your
LAN), iptables, and possibly something like SpamAssassin, installed and set
up properly. This acts like a giant sludge filter that then feeds cleaned
up and semi-safe traffic to the rest of your local network.

Next, all Windows systems NEED to have an updated and properly configured virus
scanner running on them. All Windows systems need to have their virus
scanner doing automatic scans every night, checking for and, if available,
downloading engine and .dat file updates every night. The virus scanner
needs to be set up to scan all incoming and outgoing files and email.

Also, the router needs a lengthy unguessable password, and remote management and
any WAN configuration access disabled. Every system on your local LAN needs
to have regular password changes, and the passwords and user names need to
be weird and unguessable. Never use your email address in Usenet, never
post your username, never post any of your internal (local LAN) IPs. When
purchasing stuff online, create a Yahoo or other web-based email account
and use that.

Next, system and application software needs to be kept up to
date, i.e. Windows Update once a week is good; Linux systems should be
checking for security updates once a week also.

Finally, know where you go! Be sceptical! What's this free stuff? How do I
know it's not a trojan? Run Ad-Aware regularly, remove those tracking
cookies, clean out temporary internet files daily. Never! Ever! execute
email attachments unless you KNOW they are safe. Did you expect them? Just
because they came from "your buddy" doesn't mean they are safe; a lot of
trojans/worms/viruses etc. send email from infected systems, that's how they
spread.

Lastly, EDUCATION! READ READ READ, know what is going on out there. What
tools are available, how they work, how good are they? What's the latest
trojan/worm/virus scorching the net? How can I keep it out, how can I
recognize it and kill it if it gets in my local network? Of course if it's
done that, you need to re-think the whole protective structure you've set
up and analyze what went wrong. How did I get it? How can I prevent things
like that from ever happening again, etc. etc.

Hope this helps
Eric

While not perfect this will go a long way towards making your life easier.
If everyone followed this type of thing, there would be a LOT fewer viruses
on the net and a lot of people would breathe easier knowing they have
dramatically lessened the chances of someone hacking their systems.
Eric
 
Bill Sanderson

But are the cleaning staff secure?

In the city where I live, there was a bug discovered above the Mayor's desk
a few months ago. Turned out it was installed by the FBI, who passed
themselves off as the (contractual) cleaning staff.
 
