PCI compliance: using SSL as transport layer for RDP (Terminal Service)

Developer https://www.devze.com 2022-12-26 07:47 Source: Internet

My client failed her PCI compliance audit. The server supports Remote Desktop (Terminal Service) but only provides encryption and not authentication. This exposes the server to Man-In-The-Middle attacks.

The supposed solution is to force SSL as the transport layer for RDP.

Anyone know how to do this?

The server runs Windows 2003.


The 'old' RDP indeed does not perform authentication, but I'd be careful using SelfSSL proposed in the link sent by @ig0774 (the rest of the data in the link is correct!) If authentication is what you care about, then have your client get a real server authentication SSL/TLS certificate from VeriSign or Thawte or someone else listed in the list of Windows trusted CAs.

I somehow doubt PCI will allow self-signed certs. But I'm happy to stand corrected!
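
To confirm the setting took effect once SSL is forced as the RDP security layer, the check below (an added example, not from the original post or its answer) sends a connection request that offers only legacy RDP security and reads the server's reply. It assumes the server follows the published MS-RDPBCGR negotiation; the function names and the sample replies are constructed for illustration.

```python
import socket
import struct

# Values from the RDP negotiation structures (MS-RDPBCGR).
PROTOCOL_RDP = 0x0             # legacy "Standard RDP Security"
SSL_REQUIRED_BY_SERVER = 0x1   # failure code: server accepts TLS only
TYPE_NEG_RSP, TYPE_NEG_FAILURE = 0x02, 0x03

# Constructed sample replies (not captured from a real server).
SAMPLE_ENFORCED = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 01 00 00 00")
SAMPLE_ACCEPTS = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 00 00 00 00")
SAMPLE_NO_NEG = bytes.fromhex("03 00 00 0b 06 d0 00 00 12 34 00")


def build_request(requested_protocols):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg = struct.pack("<BBHI", 0x01, 0, 8, requested_protocols)
    x224 = bytes([6 + len(neg), 0xE0, 0, 0, 0, 0, 0]) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_confirm(data):
    """Return ('selected', protocol) or ('failure', code) from the reply."""
    if len(data) < 11 or data[0] != 3 or (data[5] & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) < 19:
        # No negotiation block: the server only speaks legacy RDP security.
        return ("selected", PROTOCOL_RDP)
    ntype, _flags, _length, value = struct.unpack_from("<BBHI", data, 11)
    if ntype == TYPE_NEG_FAILURE:
        return ("failure", value)
    if ntype == TYPE_NEG_RSP:
        return ("selected", value)
    raise ValueError("unknown negotiation type 0x%02x" % ntype)


def legacy_rdp_refused(data):
    """True when the reply to an RDP-only offer says SSL is required."""
    return parse_confirm(data) == ("failure", SSL_REQUIRED_BY_SERVER)


def probe(host, port=3389, timeout=5.0):
    """Offer legacy security only to a server you administer; True = SSL forced."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(PROTOCOL_RDP))
        return legacy_rdp_refused(s.recv(1024))
```

A `True` result shows only that legacy RDP security is refused; whether the certificate the server presents chains to a trusted CA, which is the answer's concern, has to be checked separately.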
