Re: RDP in the open
A couple of points
We currently use Cisco VPN with RSA Keys which I would consider a "lot" harder to break than RDP.
The fact that RDP is encrypted changes nothing because the initial authentication method is nothing more than a Name / Password (2-step method). Cisco requires Name/Password + RSA Key (3-step method) which greatly increases the difficulty.
>Twelve years for this vulnerability to be discovered
The same could be said for any and all protocols, HTML, IMAP, POP, SMTP, PowerShell etc.
>Doing so is no more unreasonable than exposing a web server
I must disagree; RDP can be turned off when it is not an essential application.
Is Root usage possible on your public RDP port?
>Am I supposed to keep my IIS sites with Outlook Web Access behind a VPN.
That depends on company policy, our OWA is behind a VPN.
If I remember correctly ActiveSync requires OWA to be present on the Exchange server but does not require OWA to be on a public interface; OWA could be restricted to 127.0.0.1 or internal LAN access (unless of course OWA is made available outside of the company LAN - again that's another set of problems).
>There's a difference between best-practices and practical-for-this-application
If practical = huge decrease in defense/security then it might be time to rethink policy. If you get hacked, "practical" suddenly becomes a lot less "practical". The IT guy should be explaining to the company manager that "exposure" = risk for the manager's company. Let the manager decide and change company before you get the blame for his decisions... :-)
I agree that small companies can't afford complexity but at the same time they can't afford to get hacked either. I know the difficulty of this subject and this is where I believe Open Source can be a very viable solution (cost is no longer a problem but knowledge is - always a dilemma, I agree).
RDP on internal LANs should be reduced to a minimum but again I agree that that is a pain. Educating users to use their laptops correctly/securely goes a long way to helping avoid all kinds of problems (although they are not completely avoidable).
All in good faith
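The post argues for turning RDP off where it is not essential, keeping it to a minimum on internal LANs, and restricting services such as OWA to 127.0.0.1 or the internal network. The script below is an added example, not code from the post or its author: it audits how RDP is exposed on the Windows host it runs on (whether RDP is enabled, whether Network Level Authentication and TLS are required, and which remote address ranges the enabled inbound "Remote Desktop" firewall rules accept). The `$InternalRanges` list is a constructed assumption standing in for a site's own LAN ranges. It uses only the built-in registry provider and the NetSecurity module cmdlets (Windows 8 / Server 2012 and later), and needs an elevated session.

```powershell
# Added example (not from the original post): audit how RDP is exposed on this host.
# Run in an elevated PowerShell session on Windows 8 / Server 2012 or later
# (the firewall cmdlets come from the built-in NetSecurity module).

# Constructed assumption: the "internal LAN" ranges for this environment.
$InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

function Get-RdpExposureReport {
    $ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    $report = [ordered]@{
        RdpEnabled       = ($ts.fDenyTSConnections -eq 0)
        NlaRequired      = ($tcp.UserAuthentication -eq 1)   # NLA: authenticate before a session is created
        TlsSecurityLayer = ($tcp.SecurityLayer -eq 2)        # 2 = TLS, 1 = negotiate, 0 = legacy RDP security
        FirewallRules    = @()
    }

    # Every enabled inbound rule in the "Remote Desktop" group, with the remote addresses it allows.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        # Anything that is neither LocalSubnet nor one of our LAN ranges ('Any' included) counts as off-LAN.
        $offLan = @($remote | Where-Object { $_ -ne 'LocalSubnet' -and $_ -notin $InternalRanges })
        $report.FirewallRules += [pscustomobject]@{
            Name          = $rule.DisplayName
            Profile       = $rule.Profile
            RemoteAddress = ($remote -join ',')
            ScopedToLan   = ($remote.Count -gt 0) -and ($offLan.Count -eq 0)
        }
    }
    [pscustomobject]$report
}

$r = Get-RdpExposureReport
$r | Select-Object RdpEnabled, NlaRequired, TlsSecurityLayer | Format-List
$r.FirewallRules | Format-Table -AutoSize

if ($r.RdpEnabled -and ($r.FirewallRules | Where-Object { -not $_.ScopedToLan })) {
    Write-Warning 'RDP is enabled and at least one inbound rule is not restricted to the internal LAN.'
}
if ($r.RdpEnabled -and -not $r.NlaRequired) {
    Write-Warning 'RDP is enabled without Network Level Authentication.'
}
```

A host where RDP is not essential should report `RdpEnabled = False`; where it is essential, the remaining fields show whether the listener is at least limited to LAN ranges and protected by NLA and TLS, which is the kind of check an administrator can run across a fleet before deciding whether any RDP listener belongs behind the VPN instead.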