ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    The Myth of RDP Insecurity

    Scheduled Pinned Locked Moved IT Discussion
    rdpvpnsecurity
    103 Posts 18 Posters 18.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • dbeatoD
      dbeato
      last edited by

      I have always open RDP to WAN externally through firewalls but only reducing to location that need access (whitelisting) instead of using VPN, VPN for anyone else has been recommended by me since I have no idea what type of security they will have.

      1 Reply Last reply Reply Quote 1
      • NashBrydgesN
        NashBrydges
        last edited by

        RDPGuard is the only solution that allows some kind of rate limiting functionality on RDP that I'm aware of. Any other solutions?

        https://rdpguard.com/

        dbeatoD scottalanmillerS syko24S 3 Replies Last reply Reply Quote 3
        • dbeatoD
          dbeato @NashBrydges
          last edited by

          @nashbrydges said in The Myth of RDP Insecurity:

          RDPGuard is the only solution that allows some kind of rate limiting functionality on RDP that I'm aware of. Any other solutions?

          https://rdpguard.com/

          It is same as what SSHguard, a lot of protocols get brute force attacks.

          scottalanmillerS 1 Reply Last reply Reply Quote 0
          • momurdaM
            momurda
            last edited by

            How practical is this?
            Setting up a vpn and turning on rdp for user desktops = easy.
            Setting up policies in firewall for each Remote Desktop user = PITA.

            scottalanmillerS 1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @NashBrydges
              last edited by

              @nashbrydges said in The Myth of RDP Insecurity:

              @scottalanmiller said in The Myth of RDP Insecurity:

              port locking

              That's not always a viable solution though so, what else would you suggest can be done to reduce alerts in those cases?

              What makes it not always viable?

              I know Sodium is working on a solution specifically to make that "always viable" 😉

              1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @momurda
                last edited by

                @momurda said in The Myth of RDP Insecurity:

                @scottalanmiller What about directly exposing RDP for a user's desktop computer?
                Say for instance CEO or COO dont like using vpn, open rdp to their desktop on firewall?

                Absolutely. The VPN makes no difference. RDP already has a VPN, so if a VPN was good enough, RDP is good enough.

                momurdaM 1 Reply Last reply Reply Quote 0
                • momurdaM
                  momurda @scottalanmiller
                  last edited by

                  @scottalanmiller What about things like Chrome Remote Desktop which does this in a web browser?

                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @dbeato
                    last edited by

                    @dbeato said in The Myth of RDP Insecurity:

                    What would you describe as an actual hack of RDP? What does that mean, end users leaving it wide open?

                    An actual RDP hack would be one where RDP was hacked (broken in through a vulnerability or breaching the encryption), not one where the users used "password" as their password, didn't have account lockouts, or published the login info, for example.

                    1 Reply Last reply Reply Quote 1
                    • scottalanmillerS
                      scottalanmiller @NashBrydges
                      last edited by

                      @nashbrydges said in The Myth of RDP Insecurity:

                      RDPGuard is the only solution that allows some kind of rate limiting functionality on RDP that I'm aware of. Any other solutions?

                      https://rdpguard.com/

                      Your firewall can potentially do that, too.

                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @dbeato
                        last edited by

                        @dbeato said in The Myth of RDP Insecurity:

                        @nashbrydges said in The Myth of RDP Insecurity:

                        RDPGuard is the only solution that allows some kind of rate limiting functionality on RDP that I'm aware of. Any other solutions?

                        https://rdpguard.com/

                        It is same as what SSHguard, a lot of protocols get brute force attacks.

                        And fail2ban.

                        1 Reply Last reply Reply Quote 1
                        • scottalanmillerS
                          scottalanmiller @momurda
                          last edited by

                          @momurda said in The Myth of RDP Insecurity:

                          How practical is this?
                          Setting up a vpn and turning on rdp for user desktops = easy.

                          SO practical.

                          Just... don't set up the VPN. It's that easy. What is the VPN doing? You already have a VPN, the extra VPN just confuses users.

                          1 Reply Last reply Reply Quote 1
                          • scottalanmillerS
                            scottalanmiller @momurda
                            last edited by

                            @momurda said in The Myth of RDP Insecurity:

                            @scottalanmiller What about things like Chrome Remote Desktop which does this in a web browser?

                            Totally different technology, but pretty secure from what I know. That it uses a web browser really isn't much of a factor as it is just using the browser for display purposes. You can do that with RDP, too.

                            1 Reply Last reply Reply Quote 0
                            • momurdaM
                              momurda
                              last edited by momurda

                              You have to make a separate firewall policy for each computer using RDP.
                              I have 40 users. Some of them refuse to use vpn so i have setup RDP this way for awhile.
                              It certainly isnt practical.

                              dbeatoD scottalanmillerS 3 Replies Last reply Reply Quote 0
                              • dbeatoD
                                dbeato @momurda
                                last edited by

                                @momurda said in The Myth of RDP Insecurity:

                                You have to make a separate firewall policy for each computer using RDP.
                                I have 40 users.
                                It certainly isnt practical.

                                Changing port translation makes it easy through the firewall.

                                1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @momurda
                                  last edited by

                                  @momurda said in The Myth of RDP Insecurity:

                                  You have to make a separate firewall policy for each computer using RDP.
                                  I have 40 users. Some of them refuse to use vpn so i have setup RDP this way for awhile.
                                  It certainly isnt practical.

                                  Oh, you are using a VPN to make port mapping more easy, not for security?

                                  You don't use RDP config files for the end users? Even for hundreds of users, it's pretty trivial to have them click on the icon to log in.

                                  dbeatoD 1 Reply Last reply Reply Quote 1
                                  • scottalanmillerS
                                    scottalanmiller @momurda
                                    last edited by

                                    @momurda said in The Myth of RDP Insecurity:

                                    You have to make a separate firewall policy for each computer using RDP.

                                    In the case where you are mapping many ports to many internal end points, that would be correct. But those are trivial firewall entries that you only need once. Few minutes of setup there is no big deal.

                                    Consider the alternative is to have to deploy a VPN infrastructure and maintain it and deploy and configure for every end point, that's way more work per machine than firewall rules are.

                                    1 Reply Last reply Reply Quote 0
                                    • dbeatoD
                                      dbeato @scottalanmiller
                                      last edited by

                                      @scottalanmiller said in The Myth of RDP Insecurity:

                                      @momurda said in The Myth of RDP Insecurity:

                                      You have to make a separate firewall policy for each computer using RDP.
                                      I have 40 users. Some of them refuse to use vpn so i have setup RDP this way for awhile.
                                      It certainly isnt practical.

                                      Oh, you are using a VPN to make port mapping more easy, not for security?

                                      You don't use RDP config files for the end users? Even for hundreds of users, it's pretty trivial to have them click on the icon to log in.

                                      You can also use an RDP Gateway for this.

                                      scottalanmillerS 1 Reply Last reply Reply Quote 2
                                      • scottalanmillerS
                                        scottalanmiller @dbeato
                                        last edited by

                                        @dbeato said in The Myth of RDP Insecurity:

                                        @scottalanmiller said in The Myth of RDP Insecurity:

                                        @momurda said in The Myth of RDP Insecurity:

                                        You have to make a separate firewall policy for each computer using RDP.
                                        I have 40 users. Some of them refuse to use vpn so i have setup RDP this way for awhile.
                                        It certainly isnt practical.

                                        Oh, you are using a VPN to make port mapping more easy, not for security?

                                        You don't use RDP config files for the end users? Even for hundreds of users, it's pretty trivial to have them click on the icon to log in.

                                        You can also use an RDP Gateway for this.

                                        Yes, at scale that can work well.

                                        1 Reply Last reply Reply Quote 0
                                        • syko24S
                                          syko24 @NashBrydges
                                          last edited by

                                          @nashbrydges said in The Myth of RDP Insecurity:

                                          RDPGuard is the only solution that allows some kind of rate limiting functionality on RDP that I'm aware of. Any other solutions?

                                          https://rdpguard.com/

                                          There are two alternatives that I use. Both are free and easy to setup.

                                          Cyberarms - Used to be a pay product but now open source https://archive.codeplex.com/?p=idds
                                          You can download the msi from https://cyberarms.net/

                                          LF Intrusion Detection - https://litfuse.io/lf-intrusion-detection

                                          D 1 Reply Last reply Reply Quote 2
                                          • syko24S
                                            syko24
                                            last edited by

                                            Cyberarms is also helpful if you have an Exchange server. You can ban IP addresses if a user has too many invalid attempts on the various Exchange services.

                                            scottalanmillerS 1 Reply Last reply Reply Quote 2
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 6
                                            • 1 / 6
                                            • First post
                                              Last post