Reasons to not RDP

6 posts in this topic

UTS_HOST wrote:

Well, this guy in our company wants to RDP without connecting to the VPN. I told him I don't want to open RDP on the firewall: one, because it's an MS protocol; two, I don't want people trying to guess an admin password once they notice that port is open. Can you guys think of any other good reasons? Thanks.

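The password guessing the opening post worries about is visible in the Windows Security log as Event ID 4625 (failed logon) with LogonType 10 (RemoteInteractive, the logon type an RDP session uses), and it is worth having a check for it whether or not the port stays closed. The block below is an added example, not code from the thread; the flat key=value record layout, the threshold, the window and the sample records are assumptions constructed for the demonstration. It counts RDP logon failures per source address inside a sliding time window, reports sources that exceed the threshold together with the user names they tried, and deliberately ignores LogonType 3 (network) failures so that a noisy service account is not mistaken for RDP guessing.

```python
"""Flag RDP password guessing in Windows Security log records.

Added example, not code from the thread. The record layout below is an
assumption: a flat key=value rendering of the Event ID 4625 fields that a
log forwarder would export. THRESHOLD, WINDOW and SAMPLE_LOG are constructed
for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # more than this many failures from one source...
WINDOW = timedelta(minutes=2)   # ...inside this window is treated as guessing

# Constructed sample records; not real log data.
SAMPLE_LOG = """\
2010-03-02T08:00:01 EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.7
2010-03-02T08:00:04 EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.7
2010-03-02T08:00:07 EventID=4625 LogonType=10 TargetUser=Administrator IpAddress=203.0.113.7
2010-03-02T08:00:09 EventID=4625 LogonType=10 TargetUser=root IpAddress=203.0.113.7
2010-03-02T08:00:12 EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.7
2010-03-02T08:00:15 EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.7
2010-03-02T08:05:00 EventID=4625 LogonType=10 TargetUser=jsmith IpAddress=10.8.0.12
2010-03-02T08:05:30 EventID=4624 LogonType=10 TargetUser=jsmith IpAddress=10.8.0.12
2010-03-02T08:10:00 EventID=4625 LogonType=3 TargetUser=svc_backup IpAddress=198.51.100.9
2010-03-02T08:10:01 EventID=4625 LogonType=3 TargetUser=svc_backup IpAddress=198.51.100.9
2010-03-02T08:10:02 EventID=4625 LogonType=3 TargetUser=svc_backup IpAddress=198.51.100.9
2010-03-02T08:10:03 EventID=4625 LogonType=3 TargetUser=svc_backup IpAddress=198.51.100.9
2010-03-02T08:10:04 EventID=4625 LogonType=3 TargetUser=svc_backup IpAddress=198.51.100.9
2010-03-02T08:10:05 EventID=4625 LogonType=3 TargetUser=svc_backup IpAddress=198.51.100.9
"""


def parse_record(line):
    """Split one record into a dict; the first token is the ISO timestamp."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def rdp_failures(log_text):
    """Yield (timestamp, source ip, target user) for failed RDP logons only:
    Event ID 4625 with LogonType 10. Successful logons (4624) and network
    logon failures (LogonType 3) are skipped."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("EventID") == "4625" and rec.get("LogonType") == "10":
            yield rec["ts"], rec["IpAddress"], rec["TargetUser"]


def find_guessing(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: {"count": n, "users": [names tried]}} for every
    source with more than `threshold` RDP failures inside any `window`."""
    recent = defaultdict(deque)   # source ip -> failure timestamps in window
    users = defaultdict(set)      # source ip -> user names it tried
    flagged = {}
    for ts, ip, user in rdp_failures(log_text):
        queue = recent[ip]
        queue.append(ts)
        while queue and ts - queue[0] > window:   # drop failures outside window
            queue.popleft()
        users[ip].add(user.lower())
        if len(queue) > threshold:
            flagged[ip] = {"count": len(queue), "users": sorted(users[ip])}
    return flagged


if __name__ == "__main__":
    for ip, info in find_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} RDP failures, tried {', '.join(info['users'])}")
```

Run against the sample, only 203.0.113.7 is reported (six failures in fourteen seconds against admin-style names); the single VPN-pool failure and the LogonType 3 burst are not. One caveat when NLA is on: a failure at the credential stage can be logged with LogonType 3 rather than 10, so on an NLA-only host the LogonType filter has to be relaxed for sources outside the internal ranges.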

UTS_HOST wrote:
> Well, this guy in our company wants to RDP without connecting to the VPN. I told him I don't want to open RDP on the firewall: one, because it's an MS protocol; two, I don't want people trying to guess an admin password once they notice that port is open. Can you guys think of any other good reasons? Thanks.

Anytime I have this request I say:

1. Connecting through the VPN adds a second layer of encryption and a second layer of authentication (first connect to the VPN, then connect to RDP).

2. Our network policy only allows required ports to be open from outside in. RDP does not fall under this category. It can be accessed through the VPN, so there is no reason to open the port. If you don't like it, talk to my boss :-)

Btw, why does he want RDP open? Do y'all have split tunneling turned off? It's safer to turn off split tunneling, but a real pain for end users (and even worse for people like us who have to support them).


Quoting the first reply:
> 1. Connecting through the VPN adds a second layer of encryption and a second layer of authentication (first connect to the VPN, then connect to RDP).
>
> 2. Our network policy only allows required ports to be open from outside in. RDP does not fall under this category. It can be accessed through the VPN, so there is no reason to open the port. If you don't like it, talk to my boss :-)
>
> Btw, why does he want RDP open? Do y'all have split tunneling turned off? It's safer to turn off split tunneling, but a real pain for end users (and even worse for people like us who have to support them).

He wants it open because he is lazy (and because he is high on the food chain and thinks he gets whatever he wants)... I caved in and already let them split tunnel :(

Guess I could be a dick and open some random port for RDP and make him use a 15-char password that must use a cap, a number, and a special char and can't match the last 20 passwords...

Edited by UTS_HOST

1) Do you intend to use the Microsoft RDP client or rdesktop / FreeRDP?

RDP has many security features. It even supports smart card authentication. I think it wouldn't allow brute forcing, as a certain number of unsuccessful trials automatically locks the account. Versions of RDP prior to 5.0 were vulnerable to a man-in-the-middle attack, but it is no longer possible in later versions (5.0 is old anyway; you're probably using 6.0 or 7.0). You should look into NLA (Network Level Authentication), but this can only be used with the official Microsoft RDP client, as rdesktop does not support it yet. I am pretty sure that you can configure the RDP server to accept incoming connections only from a certain range of IPs. RDP also supports different encryption algorithms, but they are only all supported with the official RDP client (rdesktop only supports one, and it isn't the strongest).

I would not worry about the RDP server itself. However, if there is something else hosted on the same computer that enables an attacker to get the SAM file, he can then crack it, and RDP just makes it convenient for him to get in.

The only problem is if some of the users want to use rdesktop from Linux, as rdesktop does not support all of the security features of RDP. With the official client I wouldn't worry.


Quoting the first reply:
> 1. Connecting through the VPN adds a second layer of encryption and a second layer of authentication (first connect to the VPN, then connect to RDP).
>
> 2. Our network policy only allows required ports to be open from outside in. RDP does not fall under this category. It can be accessed through the VPN, so there is no reason to open the port. If you don't like it, talk to my boss :-)

I agree with point 2. Does your network have any sort of networking policy in place? If not, start working on one; you never know when that will come in handy ;)


With a VPN you have two layers to get through until 'the goods are out'. You (presumably) have different user/password pairs for VPN access and RDP/domain access.

You can also use the VPN identity to limit which machines this person can RDP into, rather than exposing all of the internal network to RDP.

Some company policies dictate that all traffic from corporate-owned machines *MUST* travel through a VPN/company network and will not allow association with a 3rd-party network except to bring up a VPN tunnel.

Munge.

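The network-policy argument that runs through the thread (only required ports open from outside in, RDP reachable only over the VPN, the RDP host itself restricted to a range of source addresses, and the VPN identity used to limit which machines one person can reach) is something you can check mechanically rather than by reading rules. The block below is an added example, not code from the thread; the rule format, the VPN pool 10.8.0.0/24 and the host names are assumptions constructed for the demonstration. It models a first-match inbound rule set that ends in a default deny and reports every host whose RDP port accepts a connection from an address outside the VPN pool, which is exactly what the "just open it for this one guy" rule produces.

```python
"""Find hosts whose RDP port (TCP/3389) is reachable from outside the VPN.

Added example, not code from the thread. The rule format, the VPN pool and
the host names are assumptions made for the demonstration.
"""
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.8.0.0/24")   # assumed VPN client address pool
RDP_PORT = 3389

# Inbound rules as (action, source network, destination host or None for any,
# destination port or None for any). First match wins; the last rule is the
# default deny that a "required ports only" policy ends with. Constructed data.
RULES = [
    ("allow", "0.0.0.0/0",   "web01",     443),       # a required public service
    ("allow", "10.8.0.0/24", "fileserv",  RDP_PORT),  # RDP only over the VPN
    ("allow", "10.8.0.5/32", "finance01", RDP_PORT),  # one VPN identity, one box
    ("allow", "0.0.0.0/0",   "finance01", RDP_PORT),  # the "just open it" rule
    ("deny",  "0.0.0.0/0",   None,        None),      # default deny
]

# The same rule set with the world-reachable RDP rule removed.
HARDENED_RULES = [
    r for r in RULES
    if not (r[0] == "allow" and r[1] == "0.0.0.0/0" and r[3] == RDP_PORT)
]


def evaluate(rules, src, host, port):
    """Action of the first rule matching (src, host, port); deny if none does."""
    src = ip_address(src)
    for action, net, rule_host, rule_port in rules:
        if src not in ip_network(net):
            continue
        if rule_host is not None and rule_host != host:
            continue
        if rule_port is not None and rule_port != port:
            continue
        return action
    return "deny"


def outside_probe(net, pool):
    """An address inside `net` but outside `pool`, or None if `net` lies
    entirely within the pool. Two CIDR blocks either nest or are disjoint,
    so those are the only cases to handle."""
    net = ip_network(net)
    if net.subnet_of(pool):
        return None
    if pool.subnet_of(net):
        return next(net.address_exclude(pool)).network_address
    return net.network_address


def rdp_exposed_hosts(rules, vpn_pool=VPN_POOL, port=RDP_PORT):
    """Map host -> one non-VPN source address from which its RDP port is open.
    Each allow rule is re-run through the whole rule set so that an earlier,
    narrower deny still shadows it."""
    known_hosts = {h for _, _, h, _ in rules if h is not None}
    exposed = {}
    for action, net, host, rule_port in rules:
        if action != "allow" or rule_port not in (None, port):
            continue
        probe = outside_probe(net, vpn_pool)
        if probe is None:
            continue                        # source range is VPN-only: fine
        for h in (known_hosts if host is None else [host]):
            if evaluate(rules, str(probe), h, port) == "allow":
                exposed.setdefault(h, str(probe))
    return exposed


if __name__ == "__main__":
    print("exposed RDP:", rdp_exposed_hosts(RULES))            # finance01
    print("after fix:  ", rdp_exposed_hosts(HARDENED_RULES))   # nothing
```

With the original rule set, finance01 is reported as reachable on 3389 from outside the pool; with the offending rule removed, nothing is, and a VPN user other than 10.8.0.5 still cannot reach finance01 because the per-identity rule is the only one that admits it. The audit generalizes to any port: pass `port=445` to find SMB exposed the same way.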
