The Myth of RDP Insecurity
-
@coliver said in The Myth of RDP Insecurity:
@carnival-boy said in The Myth of RDP Insecurity:
Scott, in a previous thread you wrote "the general thinking in many cases is that you put a VPN aggregator at the edge and expose nothing else, only that. I'm not saying that's some magic answer, but it is the "LAN Security Model" that is why VPNs were really created."
Does that thinking apply here at all, or am I missing the point? Exposing an RDP port of a Windows Server directly to the internet - so there's no authentication at the perimeter? Why is that a good idea here? I accept that RDP is essentially the same as a VPN, but isn't the difference in where the authentication takes place rather than the model itself?
Mostly because that's the LAN security model. He's advocating, here at least, for a LAN-less model in which you harden the endpoint and have zero trust to anything on the network.
Correct. Just secure RDP properly, and then the secondary VPN is really pointless.
-
OK. I was only thinking in terms of the LAN and VPN authentication on the firewall, rather than just opening ports up on the firewall to let all traffic on those RDP ports through to the LAN.
-
@carnival-boy said in The Myth of RDP Insecurity:
OK. I was only thinking in terms of the LAN and VPN authentication on the firewall, rather than just opening ports up on the firewall to let all traffic on those RDP ports through to the LAN.
That's what the RDP system is doing already, just with the port open to it. A VPN needs a port open for it, or the equivalent (not all are TCP.) Any technology like this has to have the ports open in order for the initial authentication. Whether it is the RDP port, the VPN port, something has to be open for you to connect.
-
Well I am convinced now VPN is not equal
https://www.bleepingcomputer.com/news/security/many-vpn-providers-leak-customers-ip-address-via-webrtc-bug/ -
@dbeato said in The Myth of RDP Insecurity:
Well I am convinced now VPN is not equal
https://www.bleepingcomputer.com/news/security/many-vpn-providers-leak-customers-ip-address-via-webrtc-bug/LOL, those are "VPN Providers" which is that weird "Consumer VPN" scam thing that everyone sells these days.
-
Personally, I always thought the OpenVPN certificate was good second factor to the RDP username and password access. Thinking this would reduce AD account lockouts in relation to AD accounts which also had RDP access.
Isn't there some value in using two separate authentication systems in a multi-factor arrangement?
-
@spiral said in The Myth of RDP Insecurity:
Personally, I always thought the OpenVPN certificate was good second factor to the RDP username and password access. Thinking this would reduce AD account lockouts in relation to AD accounts which also had RDP access.
Isn't there some value in using two separate authentication systems in a multi-factor arrangement?
Some value, certainly. But it there is specific value to that it seems that we must apply that universally and not tied to RDP in any way.
-
@spiral said in The Myth of RDP Insecurity:
Personally, I always thought the OpenVPN certificate was good second factor to the RDP username and password access. Thinking this would reduce AD account lockouts in relation to AD accounts which also had RDP access.
Isn't there some value in using two separate authentication systems in a multi-factor arrangement?
There is. But those are issues around the username and password being used for RDP. It has nothing to do with the security of the RDP session itself.
-
Here is the one thing that will shut the dumbasses up about RDP being "insecure".
Multi factor authentication.
Microsoft even supplies wonderful application for it.
https://azure.microsoft.com/en-us/services/multi-factor-authentication/
Eliminates all the shit password problems, even if its 'password', has a mobile app to just hit a button to approve login, and is pretty easy to set up to boot.
-
This was mentioned in another thread once, but I feel it needs to be here also.
-
@JaredBusch said in The Myth of RDP Insecurity:
This was mentioned in another thread once, but I feel it needs to be here also.
Anyone got a guide to working with that with RDS?
-
@scottalanmiller said in The Myth of RDP Insecurity:
@JaredBusch said in The Myth of RDP Insecurity:
This was mentioned in another thread once, but I feel it needs to be here also.
Anyone got a guide to working with that with RDS?
No that I know of, I can work on it maybe tomorrow or Friday.
-
@dbeato said in The Myth of RDP Insecurity:
@scottalanmiller said in The Myth of RDP Insecurity:
@JaredBusch said in The Myth of RDP Insecurity:
This was mentioned in another thread once, but I feel it needs to be here also.
Anyone got a guide to working with that with RDS?
No that I know of, I can work on it maybe tomorrow or Friday.
That would be awesome.
-
@scottalanmiller said in The Myth of RDP Insecurity:
@JaredBusch said in The Myth of RDP Insecurity:
This was mentioned in another thread once, but I feel it needs to be here also.
Anyone got a guide to working with that with RDS?
No, I was just trying to link solutions for someone and remembered it from another thread.
-
@JaredBusch said in The Myth of RDP Insecurity:
@scottalanmiller said in The Myth of RDP Insecurity:
@JaredBusch said in The Myth of RDP Insecurity:
This was mentioned in another thread once, but I feel it needs to be here also.
Anyone got a guide to working with that with RDS?
No, I was just trying to link solutions for someone and remembered it from another thread.
Cool, well it is a start. Good passwords, good RDP patching, wail2ban... should make RDP a lot more secure with relatively little effort, in theory.
-
Any concerns about the fact that there will be no further maintenance of wail2ban?
Hasn't seen any updates in over a year and doesn't look like there will be any to come. Am I misunderstanding what this means?
-
@NashBrydges Yeah seems like a dead project to me as well. All of the forks are also at least 10 months out of date as well.
-
Seems like RDPGuard is probably the best bet for that. If you want to prevent exposing port 3389 to the internet, then set up an RD Gateway (It can be run on any of the servers in your RDS setup). You can restrict what servers users have access to, so that johnny whose password is Wants2play! can only access his desktop, or a single server that he should have access to.
-
@NashBrydges said in The Myth of RDP Insecurity:
Any concerns about the fact that there will be no further maintenance of wail2ban?
Hasn't seen any updates in over a year and doesn't look like there will be any to come. Am I misunderstanding what this means?
It is a powershell script that looks at windows event logs. So the biggest concerns are Event logs changing or the method of banning an IP (uses the windows firewall) from RDP getting changed by Microsoft.
But no, you are not misunderstanding.
-
@dafyre RDPGurd is a paid solution and a good one. I used it a long time ago and it worked great.