Monday, August 29, 2011

Remote administration: security weak link? (Windows)

The ability to remotely administer your servers isn't just a convenience; in some cases, it's essential. But, when a system can be accessed remotely - especially a domain controller or other critical server - there's a chance that it will be accessed by the wrong person, for the wrong reasons.

You can control access in a number of ways. For example, you can restrict access to specific ports (such as 3389, used by terminal services) so that they can be accessed only from specific computers. You can also configure User Rights to control who can and can't log on through terminal services: create a group, add the users who should be able to access the server's desktop through terminal services/Remote Desktop, then add the group to the Log On Through Terminal Services user right.

It's also a good idea to ensure that solicited remote assistance is disabled through the Computer Configuration | Administrative Templates | System | Remote Assistance | Solicited Remote Assistance entry in Group Policy.
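
To check how a server currently stands against the three controls above, the following read-only PowerShell audit can be used. It is an added example, not part of the original post. It assumes Windows Server 2012 or later (for the NetSecurity cmdlets) and an elevated session; the `SeRemoteInteractiveLogonRight` constant and the `fAllowToGetHelp` registry value are the underlying names for the user right and the policy setting and do not appear in the post.

```powershell
# Added example: read-only audit; run from an elevated PowerShell session.
# Assumes Windows Server 2012 or later (NetSecurity cmdlets).

# 1. Enabled inbound allow rules for TCP 3389 and the remote addresses they accept.
#    Only rules naming port 3389 exactly are matched (no ranges, no "Any" port).
$rdpRules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $port = $rule | Get-NetFirewallPortFilter
    if ($port.Protocol -eq 'TCP' -and $port.LocalPort -contains '3389') {
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            RemoteAddress = $addr.RemoteAddress -join ','
            Unrestricted  = $addr.RemoteAddress -contains 'Any'
        }
    }
}

# 2. Accounts holding the terminal services logon right
#    (SeRemoteInteractiveLogonRight in the exported security policy).
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$match = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight\s*=\s*(.*)$'
Remove-Item $cfg -ErrorAction SilentlyContinue
$entries = if ($match) { $match.Matches[0].Groups[1].Value -split ',' } else { @() }
$holders = foreach ($entry in $entries) {
    $id = $entry.Trim().TrimStart('*')          # secedit prefixes SIDs with '*'
    try {
        ([Security.Principal.SecurityIdentifier]$id).Translate([Security.Principal.NTAccount]).Value
    } catch {
        $id                                      # already a name, or a SID that does not resolve
    }
}

# 3. Solicited Remote Assistance policy: fAllowToGetHelp = 0 means disabled by policy.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ra  = Get-ItemProperty -Path $key -Name fAllowToGetHelp -ErrorAction SilentlyContinue
$raState = if ($null -eq $ra) { 'Not configured' } elseif ($ra.fAllowToGetHelp -eq 0) { 'Disabled' } else { 'Enabled' }

$rdpRules | Format-Table -AutoSize
"Terminal services logon right held by: $($holders -join '; ')"
"Solicited Remote Assistance policy:    $raState"
```

Any rule reported with `Unrestricted = True` accepts connections on 3389 from every source address, and a policy state of "Not configured" means the Group Policy setting has not been applied to this machine.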
