Author Topic: Accidentally found publicly available server running RDP. (Read 6240 times)
Novo
« on: May 20, 2009, 08:15:54 AM »

What do you think of this?

I work for a small IT support company in the UK. We recently took on a new client and during the audit I saw that the previous IT support provider (a very large well known company in the UK) had allowed 3389 through the firewall onto the SBS server on the LAN. Not good. I disabled this and continued my work.

Part way through the audit I needed to access the SBS server (internally) and fired up the Remote Desktop client on one of the office PCs, as the server was in another part of the building. Pre-populated in the cache of old RDP connections were a number of public IP addresses. Being curious, I decided to check these to see what they were. One of these took me to another SBS server for another company. I can only assume that the previous IT support provider needed to do some work for another client whilst on this site, so just RDP'd through. To me this is very, very bad practice.

I've googled the domain name that was provided at the RDP logon page and found the company that has its server available to all and sundry over 3389.

Should I contact this company and tell them what their current provider has done? If I do would it be bad form to try and sell them support from us given that the current provider is clearly not interested in security at all?

Thanks

BillV
« Reply #1 on: May 20, 2009, 09:38:18 AM »

I'm not sure I understand your full concern. Many businesses have remote/terminal services available for employees that work from home.
eth3real
« Reply #2 on: May 20, 2009, 09:44:02 AM »

That's what I was thinking as well; I know a lot of companies that use Terminal Services for employees.
Is there a default username/password or something?

Put that in your pipe and grep it!
Novo
« Reply #3 on: May 20, 2009, 09:45:10 AM »

Yes, they do, but do they just publish it to the internet?

In my experience you're just asking for trouble. It should (at the very least) only be accessible via VPN, don't you think?

It wouldn't be difficult for some script kiddie to google how to attack remote desktop and find the tools they need to have a crack at this server.

My concern is that my client (the one I've recently taken on) didn't know their server was open to the internet. That means that the old support company were using it themselves just for admin purposes. There are far more secure ways of providing remote admin. That being the case, have they done this for the company I found?
Ketchup
« Reply #4 on: May 20, 2009, 09:59:27 AM »

There are tons of Terminal Services boxes on the Internet. Remember, Citrix runs on top of TS. Neither is particularly hack proof. TS has come a long way, especially if you run it with TLS.

You are pretty much asking for trouble every time you boot your computer. The only safe computer is the one powered off.

~~~~~~~~~~~~~~
Ketchup
timmedin
« Reply #5 on: May 20, 2009, 10:45:04 PM »

The rationale for terminal services being accessible without VPN is so users don't need a client and they can connect from anywhere. Including those lovely "infection-free" hotel lobby computers... but I digress.

twitter.com/timmedin | http://blog.securitywhole.com
Otter
« Reply #6 on: May 21, 2009, 02:34:45 AM »

Heya Novo,

It's not terribly uncommon in my experience to come upon internet-facing RDP. With RDP's checkered security history, and MITM-prone past, it is cringeworthy, but not necessarily a hanging crime like... say, an SQL server listening out there with a blank SA password. LOL. RDP can be configured with FIPS-compliant encryption at least, these days, but as another points out, making it so easy for unsecured computers to connect to these servers without strong firewall and policy enforcement in place, there's a lot to think about there. Share out some drives over the RDP session, and suddenly there's an inbound malware propagation vector.

The general recommendation I like to make upon findings like this focuses on verifying the encryption level they're providing, and recommending that it, like any other proprietary protocol, be accessible only inside a fully configurable and monitored VPN.

With SSL VPNs now available, the argument that VPNs are too complex for users to employ on a variety of platforms becomes lighter and lighter.
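Otter's advice to verify the encryption level an exposed RDP server is actually offering can be checked without logging on: the very first exchange of the protocol (the X.224 Connection Request / Connection Confirm from MS-RDPBCGR) tells you whether the listener will still fall back to legacy "Standard RDP Security", the mode behind the MITM history mentioned above, or whether it insists on TLS or CredSSP/NLA. The following is an added example written for this thread, not code from the original post or from any tool named in it. It asks the server for legacy security only and reads the RDP_NEG_RSP / RDP_NEG_FAILURE answer; the three sample responses are constructed byte strings, not captures from any real host, and the probe function is meant for a server you administer.

```python
"""Audit an RDP listener's negotiated security from the X.224 handshake alone.

Byte layouts follow MS-RDPBCGR (TPKT header, X.224 CR/CC TPDU, RDP_NEG_REQ,
RDP_NEG_RSP, RDP_NEG_FAILURE). Added example, not from the original thread.
"""
import socket
import struct

# requestedProtocols / selectedProtocol values (RDP_NEG_REQ / RDP_NEG_RSP)
PROTOCOL_RDP = 0x00000000     # legacy Standard RDP Security, no TLS, no NLA
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP / Network Level Authentication

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR: code 0xE0, DST-REF, SRC-REF, class option, then the negotiation request
    x224_body = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + neg_req
    x224 = struct.pack("B", len(x224_body)) + x224_body  # LI counts the bytes after itself
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))
    return tpkt + x224


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm into a small result dict."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length mismatch")
    li = data[4]
    if data[5] & 0xF0 != 0xD0:  # X.224 Connection Confirm code
        raise ValueError("not an X.224 Connection Confirm")
    if li == 6:
        # No RDP_NEG_RSP at all: server predates negotiation, legacy security only
        return {"negotiation": False, "selected_protocol": PROTOCOL_RDP, "failure": None}
    if len(data) < 19:
        raise ValueError("truncated negotiation structure")
    neg_type, _flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8:
        raise ValueError("bad negotiation structure length")
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"negotiation": True, "selected_protocol": value, "failure": None}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"negotiation": True, "selected_protocol": None,
                "failure": FAILURE_CODES.get(value, "UNKNOWN_%d" % value)}
    raise ValueError("unexpected negotiation type 0x%02x" % neg_type)


def assess(confirm):
    """Turn the server's answer to a legacy-only request into an audit finding."""
    if confirm["failure"] is None and confirm["selected_protocol"] == PROTOCOL_RDP:
        return "WEAK: server accepts Standard RDP Security (no TLS, no NLA); MITM-prone"
    if confirm["failure"] == "HYBRID_REQUIRED_BY_SERVER":
        return "OK: server requires CredSSP/NLA"
    if confirm["failure"] in ("SSL_REQUIRED_BY_SERVER", "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"):
        return "OK: server requires TLS (%s)" % confirm["failure"]
    return "REVIEW: unexpected negotiation result %r" % (confirm,)


def probe(host, port=3389, timeout=5.0):
    """Send one legacy-security request to a server you administer and assess the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        head = s.recv(4)
        total = struct.unpack(">H", head[2:4])[0]
        body = b""
        while len(body) < total - 4:
            chunk = s.recv(total - 4 - len(body))
            if not chunk:
                break
            body += chunk
    return assess(parse_connection_confirm(head + body))


# Constructed sample responses (hand-built from the spec, not captured from any host)
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed00000123400" + "0300080005000000")
SAMPLE_LEGACY_ACCEPTED = bytes.fromhex("030000130ed00000123400" + "0200080000000000")
SAMPLE_NO_NEGOTIATION = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    for name, sample in (("nla", SAMPLE_NLA_REQUIRED),
                         ("legacy", SAMPLE_LEGACY_ACCEPTED),
                         ("old", SAMPLE_NO_NEGOTIATION)):
        print(name, "->", assess(parse_connection_confirm(sample)))
```

Asking for legacy security only is deliberate: a request that offers TLS and CredSSP as well would merely show which mode the server prefers, whereas a server that still answers `selectedProtocol = 0` to a legacy-only request is the configuration Otter's recommendation is about. A `HYBRID_REQUIRED_BY_SERVER` failure is the answer you want to see from a listener that has to stay internet-facing.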
former33t
« Reply #7 on: May 26, 2009, 07:50:35 PM »

To answer the question, I'd walk away from this one.  Plenty of other folks have weighed in on TS open to the Internet.  I don't think you stand to gain anything (and potentially much to lose) by pursuing this.  Just my opinion.

Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
dalepearson
« Reply #8 on: June 01, 2009, 08:15:18 AM »

Personal opinion on this one.
I would advise the client of what you have found relating to their environment, and tell them you have provisionally disabled the service.
They may have decided they want this enabled for various reasons, and are aware of and accept the associated risks; as no one has the full picture, it's difficult to really make a clear, informed decision.

As for the other client's possible issue, I would walk away in this instance, as I don't think it's a huge issue, and it would probably cause you more pain than benefit trying to explain how you found things, etc.
