The Myth of RDP Insecurity
-
@momurda said in The Myth of RDP Insecurity:
@scottalanmiller What about directly exposing RDP for a user's desktop computer?
Say for instance CEO or COO don't like using vpn, open rdp to their desktop on firewall?
Absolutely. The VPN makes no difference. RDP already has a VPN, so if a VPN was good enough, RDP is good enough.
-
@scottalanmiller What about things like Chrome Remote Desktop which does this in a web browser?
-
@dbeato said in The Myth of RDP Insecurity:
What would you describe as an actual hack of RDP? What does that mean, end users leaving it wide open?
An actual RDP hack would be one where RDP was hacked (broken in through a vulnerability or breaching the encryption), not one where the users used "password" as their password, didn't have account lockouts, or published the login info, for example.
-
@nashbrydges said in The Myth of RDP Insecurity:
RDPGuard is the only solution that allows some kind of rate limiting functionality on RDP that I'm aware of. Any other solutions?
Your firewall can potentially do that, too.
-
@dbeato said in The Myth of RDP Insecurity:
@nashbrydges said in The Myth of RDP Insecurity:
RDPGuard is the only solution that allows some kind of rate limiting functionality on RDP that I'm aware of. Any other solutions?
It is the same as what SSHguard does. A lot of protocols get brute force attacks.
And fail2ban.
-
@momurda said in The Myth of RDP Insecurity:
How practical is this?
Setting up a vpn and turning on rdp for user desktops = easy.
SO practical.
Just... don't set up the VPN. It's that easy. What is the VPN doing? You already have a VPN, the extra VPN just confuses users.
-
@momurda said in The Myth of RDP Insecurity:
@scottalanmiller What about things like Chrome Remote Desktop which does this in a web browser?
Totally different technology, but pretty secure from what I know. That it uses a web browser really isn't much of a factor as it is just using the browser for display purposes. You can do that with RDP, too.
-
You have to make a separate firewall policy for each computer using RDP.
I have 40 users. Some of them refuse to use vpn so I have set up RDP this way for a while.
It certainly isn't practical.
-
@momurda said in The Myth of RDP Insecurity:
You have to make a separate firewall policy for each computer using RDP.
I have 40 users.
It certainly isn't practical.
Changing port translation makes it easy through the firewall.
-
@momurda said in The Myth of RDP Insecurity:
You have to make a separate firewall policy for each computer using RDP.
I have 40 users. Some of them refuse to use vpn so I have set up RDP this way for a while.
It certainly isn't practical.
Oh, you are using a VPN to make port mapping more easy, not for security?
You don't use RDP config files for the end users? Even for hundreds of users, it's pretty trivial to have them click on the icon to log in.
-
@momurda said in The Myth of RDP Insecurity:
You have to make a separate firewall policy for each computer using RDP.
In the case where you are mapping many ports to many internal end points, that would be correct. But those are trivial firewall entries that you only need once. Few minutes of setup there is no big deal.
Consider the alternative is to have to deploy a VPN infrastructure and maintain it and deploy and configure for every end point, that's way more work per machine than firewall rules are.
-
@scottalanmiller said in The Myth of RDP Insecurity:
@momurda said in The Myth of RDP Insecurity:
You have to make a separate firewall policy for each computer using RDP.
I have 40 users. Some of them refuse to use vpn so I have set up RDP this way for a while.
It certainly isn't practical.
Oh, you are using a VPN to make port mapping more easy, not for security?
You don't use RDP config files for the end users? Even for hundreds of users, it's pretty trivial to have them click on the icon to log in.
You can also use an RDP Gateway for this.
-
@dbeato said in The Myth of RDP Insecurity:
@scottalanmiller said in The Myth of RDP Insecurity:
@momurda said in The Myth of RDP Insecurity:
You have to make a separate firewall policy for each computer using RDP.
I have 40 users. Some of them refuse to use vpn so I have set up RDP this way for a while.
It certainly isn't practical.
Oh, you are using a VPN to make port mapping more easy, not for security?
You don't use RDP config files for the end users? Even for hundreds of users, it's pretty trivial to have them click on the icon to log in.
You can also use an RDP Gateway for this.
Yes, at scale that can work well.
-
@nashbrydges said in The Myth of RDP Insecurity:
RDPGuard is the only solution that allows some kind of rate limiting functionality on RDP that I'm aware of. Any other solutions?
There are two alternatives that I use. Both are free and easy to set up.
Cyberarms - Used to be a pay product but now open source https://archive.codeplex.com/?p=idds
You can download the msi from https://cyberarms.net/
LF Intrusion Detection - https://litfuse.io/lf-intrusion-detection
-
Cyberarms is also helpful if you have an Exchange server. You can ban IP addresses if a user has too many invalid attempts on the various Exchange services.
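
The ban-after-too-many-failures behaviour that RDPGuard, fail2ban and Cyberarms are credited with in this thread, sketched as an added example (not part of any post here and not code from those tools). The one-line log layout, the thresholds and the function name `find_bans` are assumptions made for illustration; 4625 is the Windows Security event ID for a failed logon.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, layout invented for this example:
# "<ISO time> <event id> <source ip> <account>"; 4625 = failed logon.
SAMPLE_LOG = """\
2024-03-01T09:00:00 4625 203.0.113.7 administrator
2024-03-01T09:00:05 4625 203.0.113.7 admin
2024-03-01T09:00:09 4625 203.0.113.7 ceo
2024-03-01T09:00:14 4625 203.0.113.7 ceo
2024-03-01T09:00:20 4625 203.0.113.7 ceo
2024-03-01T09:00:25 4625 203.0.113.7 backup
2024-03-01T09:01:00 4625 198.51.100.20 ceo
2024-03-01T09:20:00 4625 198.51.100.20 ceo
2024-03-01T09:20:30 4624 198.51.100.20 ceo
2024-03-01T09:40:00 4625 198.51.100.20 ceo
2024-03-01T10:30:00 4625 203.0.113.7 administrator
"""


def find_bans(log_text, max_retry=5, find_time=timedelta(minutes=10),
              ban_time=timedelta(hours=1), allowlist=frozenset()):
    """Return (ip, ban_start, ban_end) for each ban a sliding-window limiter issues."""
    failures = defaultdict(deque)  # ip -> failure times inside the window
    banned_until = {}              # ip -> time the current ban expires
    bans = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "4625":
            continue               # malformed line or not a failed logon
        ts, ip = datetime.fromisoformat(parts[0]), parts[2]
        if ip in allowlist:
            continue               # e.g. the office's own egress address
        if ip in banned_until and ts < banned_until[ip]:
            continue               # already blocked at the firewall
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()       # forget failures older than find_time
        if len(window) >= max_retry:
            banned_until[ip] = ts + ban_time
            bans.append((ip, ts, ts + ban_time))
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG):
        print(f"ban {ip} from {start} until {end}")
```

The address that mistypes a password three times over forty minutes is never banned, while the one guessing several accounts within seconds is blocked for the ban period and starts from zero afterwards.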
-
@syko24 said in The Myth of RDP Insecurity:
Cyberarms is also helpful if you have an Exchange server. You can ban IP addresses if a user has too many invalid attempts on the various Exchange services.
Nice, didn't know about that one.
-
So Scott, in my network we use RDP (obviously) but I'm open to using other tools such as Chrome Remote Desktop, Team Viewer and even CloudBerry Remote Assistant. They all do a good / decent job imho.
-
Scott so let's use me for an example, I almost roasted my assistant for opening up a financial server to RDP (since Teamviewer changed over their licensing model) but that was only due to it not having a strong user/pass combo. Also it was due to wanting to move to RDS /w a Gateway so we wouldn't have to spend too many hours trying to poke holes in the firewall.
But with this all in mind Scott am I wrong in thinking that couldn't we build a script in PowerShell to help automate some of the changes at least for the client end? As far as the Edge Router, I assume some scripting can be done too vs using the GUI. Going through the GUI isn't an issue per se, until you do more than 20+ which I can understand the point of wanting an easier way to automate this.
In my case I plan on having 2 RDS farms, one for the financial side and one for the staff side and eventually a 3rd for our students. In theory it's almost cheaper for me to work on a handful of servers and add our proper licensing than to even consider doing VDI which by the way thank you for your advice early on, it's crazy expensive even with non profit provisions!
-
@krisleslie I would set up RDS at your scale. Way better to manage a single point than many.
-
@jaredbusch I totally agree. I would rather deal with 1 port vs potentially 50 to 100.