
9 Replies

  • Never allow RDP over the Internet.

    Have people connect to your firewall / router via VPN.  Then they are on the local network and can RDP as needed.

    Or, don't use RDP at all.  What are you trying to do here?  Allow remote access to work machines?  There are dozens of programs out there that do this and wouldn't require VPN because they have their own secure connection methods.

    But, whatever you do, don't open ports and allow RDP.

  • I personally access RDP over the Internet and I used to find people accessing it online. I came up with simple solutions which are as follows:
    1. I created an IP range, then I specified that only that IP range can connect over RDP.
    2. There was a tutorial online I read that changed the RDP port to any port that you wish (I didn’t do this though, much as it’s a good alternative as well).
    3. I created a logon notification that lets me know the last time there was a sign in on the machine and if there were any failed sign in attempts, they are counted and displayed before the desktop is shown. The same script sends an email when a login is detected.

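    The two controls this reply describes (an allowed source range for RDP, and a logon report that counts failures and mails a summary) can be done with built-in Windows tooling. The script below is an added example, not the poster's own script; the address ranges, mailbox names and SMTP server are constructed placeholders, and it assumes an elevated PowerShell session on a host with the NetSecurity module (Windows 10/11 or Server 2012 R2 and later).

    ```powershell
    # Added example, not the poster's script. Run from an elevated PowerShell prompt.
    # Constructed placeholder ranges (RFC 5737 documentation addresses); replace with your own.
    $AllowedRanges = @('203.0.113.0/24', '198.51.100.10')

    # 1. Scope the built-in "Remote Desktop" firewall rule group so only the listed
    #    source addresses can reach the RDP listener; everything else is dropped.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
        Set-NetFirewallRule -RemoteAddress $AllowedRanges

    # Verify the scope was applied to every rule in the group.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Get-NetFirewallAddressFilter |
        Select-Object -ExpandProperty RemoteAddress

    # 2. Build a report of RDP logons from the Security log for the last 24 hours.
    #    4624 with LogonType 10 = successful RemoteInteractive (RDP) logon;
    #    4625 = failed logon (kept regardless of LogonType, since NLA failures show as type 3).
    $since  = (Get-Date).AddDays(-1)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
                  -ErrorAction SilentlyContinue

    $report = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
        if ($e.Id -eq 4624 -and $data.LogonType -ne '10') { continue }   # only RDP successes
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Result = if ($e.Id -eq 4624) { 'Success' } else { 'Failed' }
            User   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Source = $data.IpAddress
        }
    }

    $failed = @($report | Where-Object Result -eq 'Failed').Count
    "RDP logon events since ${since}: $($report.Count) total, $failed failed"
    $report | Sort-Object Time -Descending | Format-Table -AutoSize

    # 3. Mail the summary. Sender, recipient and SMTP host are assumed placeholders.
    if ($report.Count -gt 0) {
        Send-MailMessage -From 'rdp-monitor@example.com' -To 'admin@example.com' `
            -Subject "RDP activity on $env:COMPUTERNAME ($failed failed)" `
            -Body ($report | Out-String) -SmtpServer 'smtp.example.com'
    }
    ```

    To get the "shown before the desktop" behaviour the reply mentions, register steps 2 and 3 as a scheduled task with `New-ScheduledTaskTrigger -AtLogOn`; the firewall scoping in step 1 only needs to run once. Note the point made later in the thread: the report tells you about a logon after it has happened, so it is a detection aid, not a substitute for keeping the port off the Internet.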
  • The proper method to secure RDP is to funnel its traffic via a secure tunnel. The most straightforward and fastest way to implement it at your scale is to use Zerotier IMO. There are extra rules in Zerotier Central that you can use to narrow the remote access down to RDP protocol.

  • RWKSHJ wrote:

    I personally access RDP over the Internet and I used to find people accessing it online. I came up with simple solutions which are as follows;
    1. I created an IP range, then I specified that only that IP range can connect over RDP.
    2. There was a tutorial online I read that changed the RDP port to any port that you wish (I didn’t do this though, much as it’s a good alternative as well).
    3. I created a logon notification that lets me know the last time there was a sign in on the machine and if there were any failed sign in attempts, they are counted and displayed before the desktop is shown. The same script sends an email when a login is detected.

    1) Helpful, but IPs can be spoofed if someone really wants to get in.  Not all that likely to happen for a single machine, though.

    2) Pretty much useless, because people can scan port ranges in a matter of seconds.

    3) Not a bad idea, but really only tells you about something after it's already happened.

    For single machines there are many free remote access programs out there that take care of security for you.  Why try workarounds like this that only sort of secure things when there are so many other options available?

  • Nobody mentioning MS Remote Desktop Gateway?

    It's our current method. Although I also use VPN connection as an alternative.

    I removed the direct remote desktop access from specific IPs years ago.

  • RWKSHJ wrote:

    I personally access RDP over the Internet and I used to find people accessing it online. I came up with simple solutions which are as follows;
    1. I created an IP range, then I specified that only that IP range can connect over RDP.
    2. There was a tutorial online I read that changed the RDP port to any port that you wish (I didn’t do this though, much as it’s a good alternative as well).
    3. I created a logon notification that lets me know the last time there was a sign in on the machine and if there were any failed sign in attempts, they are counted and displayed before the desktop is shown. The same script sends an email when a login is detected.

    As others have and will say, this is to be avoided if at all possible.

    Until you can avoid it, there are a few other things I would recommend doing ASAP:

    1. Disable remote desktop for the administrator account
    2. Enable account lockout after n failed attempts.  I would suggest 10 attempts or less and a lockout period of 30 minutes or more.
    3. Require NLA
    4. Use very strong passwords
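    The four interim steps above map onto specific Windows settings. The script below is an added example, not the poster's configuration: it applies each step on a single non-domain host from an elevated PowerShell prompt, using the thresholds the reply suggests (10 attempts, 30 minutes). The 14-character minimum password length is an assumed floor for "very strong"; the temp file names are arbitrary.

    ```powershell
    # Added example, not the poster's configuration. Run from an elevated PowerShell prompt
    # on a standalone host; on a domain, set the same items through Group Policy instead.

    # 1. Deny the built-in Administrator account (RID 500, whatever it has been renamed to)
    #    the "Deny log on through Remote Desktop Services" user right via secedit.
    $adminSid = (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }).SID.Value
    $cfg = Join-Path $env:TEMP 'rdp-deny.inf'   # arbitrary temp file names
    $db  = Join-Path $env:TEMP 'rdp-deny.sdb'
    $template = @'
    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [Privilege Rights]
    SeDenyRemoteInteractiveLogonRight = *{0}
    '@ -f $adminSid
    $template | Set-Content -Path $cfg -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

    # 2. Account lockout after 10 failed attempts, 30-minute lockout, 30-minute counter reset.
    net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30 | Out-Null

    # 3. Require Network Level Authentication on the RDP listener, so credentials are
    #    checked before a session (and its attack surface) is created.
    $rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

    # 4. Enforce a minimum password length (assumed floor; the reply just says "very strong").
    net accounts /minpwlen:14 | Out-Null

    # Verify what was applied.
    [pscustomobject]@{
        NlaRequired   = (Get-ItemProperty -Path $rdpTcp).UserAuthentication -eq 1
        AdminDeniedRdp = (secedit /export /cfg "$env:TEMP\rdp-check.inf" | Out-Null;
                          (Get-Content "$env:TEMP\rdp-check.inf") -match 'SeDenyRemoteInteractiveLogonRight' -match [regex]::Escape($adminSid))
        Lockout       = (net accounts | Select-String 'Lockout')        -join '; '
        MinPwLen      = (net accounts | Select-String 'Minimum password length') -join ''
    }
    ```

    Two caveats a practitioner would want: the deny right in step 1 applies only to the local built-in Administrator, so other members of Administrators keep RDP access unless you add them too, and step 3 will lock out any client that cannot do CredSSP/NLA, so test from each client type before relying on it. All of this narrows the exposure; it does not change the thread's conclusion that the port should sit behind a VPN or gateway rather than on the Internet.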
  • robertlee9 wrote:

    I would like to setup RDP for a small office of 7 users, I can easily set them up with the usual setup and opening ports on router, but I am pretty sure this is not the most secure method. I read that if I put all the machines behind a proper firewall this would make it more secure, but I am not finding a lot of info on how much more secure it is and also how best to set one up.

    What do you define as 'best' - only then can the question be answered. It is subjective.

    Are you actually looking for advice on how to securely permit RDP for remote users to the office?
    Many answers above but VPN is a must if you need RDP directly. Remote desktop gateway may be expensive for a small environment. Other screen sharing remote apps such as splashtop may be better for your needs.

  • Consider that if you want to connect via RDP directly you have two options:

    1) use NAT rules on your firewall to "mask" the ports which you are exposing to the internet, a very unsafe solution and also not so scalable / comfortable because you'll have to create a rule for each RDP server and keep the list of allowed IPs always up to date.

    2) Remote Desktop Gateway, a better solution, but I wouldn't choose it for a small environment.

    In my opinion, the best solution which gives you both security and scalability is to connect via VPN to your office LAN and then simply start a local RDP connection.

  • Indeed, never use RDP over Internet... in fact, many people would even say to simply turn off RDP completely as it's simply not a protocol designed with security in mind, as RDP has had a long history of being attacked. Here are just some of the RDP exploits published, and you can simply Google to find many more RDP issues:

    • April 2, 2021, Feds say hackers are likely exploiting critical Fortinet VPN vulnerabilities  https://arstechnica.com/gadgets/2021/04/feds-say-hackers-are-likely-exploiting-critical-fortinet-vpn-vulnerabilities/?amp=1

    Yet, if you are using RDP over VPN, please make sure you do constantly monitor and patch your VPNs, and ensure you have MFA... Gartner, Zscaler, Palo Alto Networks, Fortinet, etc. are all pitching Zero Trust (& SASE / SSE) to bypass VPN nowadays... it's also because VPN was never designed to support a remote workforce and the proliferation of SaaS apps (O365, Teams, Zoom, Salesforce, etc.). VPN is also constantly under attack:

    Gartner’s analysis predicts that by 2023, 60% of enterprises will phase out their remote access VPN in favor of Zero Trust Network Access solutions.  Zero trust is about "trust no one, and verify everyone."  Corporate perimeter is already broken as most of the apps we use are in the cloud (Office365, Teams / Slack, Zoom, Salesforce, RingCentral, Google Workspace, Freshdesk, ServiceNow, NetSuite, etc.). SSO / Password vault (adding latest passwordless FIDO2 trend) should play a critical role in securing user access across various resources.

    IMO, VPN gives excessive trust (unless you segment the networks, and also monitor device security posture, etc.).  We believe it would be much better for MSP/IT to rely on a zero trust, secure remote access solution like Splashtop to provide a scalable, reliable remote access cloud-based solution that's constantly monitored and automatically updated.  No more manual updating and patching of VPN and RDP.  

    Splashtop invests millions on security yearly and invests in regular penetration testing. Has built-in device auth & 2FA. SSO option available. Our infrastructure includes 24x7 security monitoring/alerts... Furthermore, VPN with backhauling of traffic (unless doing split tunneling) introduces lots of performance challenges. It's faster, safer, and cost-effective to leverage Splashtop.
