Wednesday 8 October 2008

The one and ONLY reason to never have TS port 3389 open!

Ever hear of this: TSGrinder? If not, look into it because it could spell the end of the world as you know it if you have 3389 exposed ... or even RDP via an alternate port.

A TSGrinder like tool put the kybosh on a huge project we were working on years back due to the risk factor and the number of sniffs and subsequent attempts against the TS box.

If Terminal Services is needed, then the Remote Web Workplace is the cat's meow. A direct link in RWW to the "Application Server" means users will pick up quickly where they need to click.

SSL security, with the ability to provide another tier of security in AuthAnvil tokens means that Terminal Services will be that much more secure.

And, with the advent of SBS 2008 and TSApps, the RWW integration scenarios just keep growing!

Philip Elder
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.


Anonymous said...

Great post Philip! If you absolutely must use RDP at least doit over SSL. You've been able to implement this since Server 2003 SP1.

As far as TSGrinder goes, a good password policy with lockouts will go a long way at stopping that.

Rodney Buike
IT Pro Advisor

Philip Elder Cluster MVP said...


As I understand it, and you can correct me if I am wrong, TS does not subscribe to the lockout on the logon attempts. That is, anyone can hammer, or Grind in this case, and not get a lockout at all.

I will look into the SSL setup ... though I am not sure it will mitigate TSGrinder?

Thanks for the comment,