Steve Riley on RDP and Authentication

Steve Riley has posted a link to some information about RDP security over the Internet. Check it out here:

Securing Terminal Services over the Internet

In the discussion on TS over the Internet, I failed to mention a very important bit. There is no mechanism built into RDP to authenticate the server to the client. This creates an opportunity to conduct a man-in-the-middle attack. Tools now exist to do exactly this.

In Windows Server 2003, you can configure TS to use TLS for server authentication and data encryption. This is extremely important for anyone running TS over the Internet.

If you haven't looked before, TechNet now has some really good Microsoft blogs you should check out. The main page is here, and this is the RSS feed.