
    The Myth of RDP Insecurity

    IT Discussion
    rdp vpn security
      scottalanmiller @momurda

      @momurda said in The Myth of RDP Insecurity:

      You have to make a separate firewall policy for each computer using RDP.
      I have 40 users. Some of them refuse to use VPN so I have set up RDP this way for a while.
      It certainly isn't practical.

      Oh, you are using a VPN to make port mapping more easy, not for security?

      You don't use RDP config files for the end users? Even for hundreds of users, it's pretty trivial to have them click on the icon to log in.

        scottalanmiller @momurda

        @momurda said in The Myth of RDP Insecurity:

        You have to make a separate firewall policy for each computer using RDP.

        In the case where you are mapping many ports to many internal end points, that would be correct. But those are trivial firewall entries that you only need once. Few minutes of setup there is no big deal.

        Consider the alternative is to have to deploy a VPN infrastructure and maintain it and deploy and configure for every end point, that's way more work per machine than firewall rules are.

          dbeato @scottalanmiller

          @scottalanmiller said in The Myth of RDP Insecurity:

          @momurda said in The Myth of RDP Insecurity:

          You have to make a separate firewall policy for each computer using RDP.
          I have 40 users. Some of them refuse to use VPN so I have set up RDP this way for a while.
          It certainly isn't practical.

          Oh, you are using a VPN to make port mapping more easy, not for security?

          You don't use RDP config files for the end users? Even for hundreds of users, it's pretty trivial to have them click on the icon to log in.

          You can also use an RDP Gateway for this.

            scottalanmiller @dbeato

            @dbeato said in The Myth of RDP Insecurity:

            @scottalanmiller said in The Myth of RDP Insecurity:

            @momurda said in The Myth of RDP Insecurity:

            You have to make a separate firewall policy for each computer using RDP.
            I have 40 users. Some of them refuse to use VPN so I have set up RDP this way for a while.
            It certainly isn't practical.

            Oh, you are using a VPN to make port mapping more easy, not for security?

            You don't use RDP config files for the end users? Even for hundreds of users, it's pretty trivial to have them click on the icon to log in.

            You can also use an RDP Gateway for this.

            Yes, at scale that can work well.

              syko24 @NashBrydges

              @nashbrydges said in The Myth of RDP Insecurity:

              RDPGuard is the only solution that allows some kind of rate limiting functionality on RDP that I'm aware of. Any other solutions?

              https://rdpguard.com/

              There are two alternatives that I use. Both are free and easy to set up.

              Cyberarms - Used to be a pay product but now open source https://archive.codeplex.com/?p=idds
              You can download the msi from https://cyberarms.net/

              LF Intrusion Detection - https://litfuse.io/lf-intrusion-detection

              D 1 Reply Last reply Reply Quote 2
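
Added example (not part of the thread, and not code from RDPGuard, Cyberarms or LF Intrusion Detection): the rate limiting discussed above, reduced to a sliding-window count of failed logons per source address. The threshold, the window and the event records are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

FAILED_LOGON = 4625  # Windows Security log: "An account failed to log on"

# Constructed sample records: (ISO timestamp, event ID, source IP, account).
SAMPLE_EVENTS = (
    # Six guesses in one minute, each against a different account name.
    [(f"2024-01-01T10:00:{s:02d}", 4625, "203.0.113.7", user)
     for s, user in zip(range(0, 60, 10),
                        ["admin", "administrator", "scan", "user", "test", "backup"])]
    # Five failures spread over four hours: a user mistyping, not a flood.
    + [(f"2024-01-01T{h:02d}:00:00", 4625, "198.51.100.20", "alice")
       for h in range(9, 14)]
    # One typo followed by a successful logon (4624).
    + [("2024-01-01T10:05:00", 4625, "192.0.2.50", "bob"),
       ("2024-01-01T10:05:30", 4624, "192.0.2.50", "bob")]
)


def find_offenders(events, max_failures=5, window_seconds=600):
    """Return {source_ip: timestamp at which the failure threshold was reached}.

    max_failures and window_seconds are assumed policy values for this example.
    Counting is per source address, so spreading guesses across many account
    names does not avoid the limit.
    """
    recent = defaultdict(deque)   # source IP -> failure times inside the window
    offenders = {}
    for ts, event_id, ip, _account in sorted(events):
        if event_id != FAILED_LOGON or ip in offenders:
            continue
        now = datetime.fromisoformat(ts)
        times = recent[ip]
        times.append(now)
        # Drop failures that have aged out of the window.
        while (now - times[0]).total_seconds() > window_seconds:
            times.popleft()
        if len(times) >= max_failures:
            offenders[ip] = ts
    return offenders


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_EVENTS).items():
        print(f"block {ip} (threshold reached at {when})")
```
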
                syko24

                Cyberarms is also helpful if you have an Exchange server. You can ban IP addresses if a user has too many invalid attempts on the various Exchange services.

                  scottalanmiller @syko24

                  @syko24 said in The Myth of RDP Insecurity:

                  Cyberarms is also helpful if you have an Exchange server. You can ban IP addresses if a user has too many invalid attempts on the various Exchange services.

                  Nice, didn't know about that one.

                    krisleslie

                    So Scott, in my network we use RDP (obviously) but I'm open to using other tools such as Chrome Remote Desktop, TeamViewer and even CloudBerry Remote Assistant. They all do a good / decent job imho.

                      krisleslie

                      Scott so let's use me for an example, I almost roasted my assistant for opening up a financial server to RDP (since TeamViewer changed over their licensing model) but that was only due to it not having a strong user/pass combo. Also it was due to wanting to move to RDS w/ a Gateway so we wouldn't have to spend too many hours trying to poke holes in the firewall.

                      But with this all in mind Scott am I wrong in thinking that couldn't we build a script in PowerShell to help automate some of the changes at least for the client end? As far as the Edge Router, I assume some scripting can be done too vs using the GUI. Going through the GUI isn't an issue per se, until you do more than 20+ which I can understand the point of wanting an easier way to automate this.

                      In my case I plan on having 2 RDS farms, one for the financial side and one for the staff side and eventually a 3rd for our students. In theory it's almost cheaper for me to work on a handful of servers and add our proper licensing than to even consider doing VDI which by the way thank you for your advice early on, it's crazy expensive even with non profit provisions!

                        JaredBusch @krisleslie

                        @krisleslie I would set up RDS at your scale. Way better to manage a single point than many.

                          krisleslie @JaredBusch

                          @jaredbusch I totally agree. I would rather deal with 1 port vs potentially 50 to 100.

                            krisleslie

                            Actually scratch that, I forgot I'm supposed to be pushing to get off of QuickBooks (LAN based) and move to QuickBooks Online. I personally don't like either, but at least with the online they do spend more time developing it and keeping it semi-modern.

                              scottalanmiller @krisleslie

                              @krisleslie said in The Myth of RDP Insecurity:

                              So Scott, in my network we use RDP (obviously) but I'm open to using other tools such as Chrome Remote Desktop, TeamViewer and even CloudBerry Remote Assistant. They all do a good / decent job imho.

                              Nothing wrong with RDP, it works very well.

                                scottalanmiller @krisleslie

                                @krisleslie said in The Myth of RDP Insecurity:

                                @jaredbusch I totally agree. I would rather deal with 1 port vs potentially 50 to 100.

                                If that was the sole factor, yes.

                                  scottalanmiller @krisleslie

                                  @krisleslie said in The Myth of RDP Insecurity:

                                  In my case I plan on having 2 RDS farms, one for the financial side and one for the staff side and eventually a 3rd for our students. In theory it's almost cheaper for me to work on a handful of servers and add our proper licensing than to even consider doing VDI which by the way thank you for your advice early on, it's crazy expensive even with non profit provisions!

                                  So this is RDS, which makes things much easier. With a gateway, you can make this all appear as one. Without a gateway, this would only appear as two ports. Still not much to manage. The example of having loads of different ports is when dealing with things like direct RDP to every individual's physical desktops.

                                    krisleslie @scottalanmiller

                                    @scottalanmiller I could still see how if you didn't set up an RDS server, a PowerShell and remote access to the registry can accomplish this. Of course it would be "fun" to write it, but after that one hard time automating it wouldn't be so hard.

                                    Just pull a list of all computers in AD and focus on a group, then change their ports. If there is a way to automate the usage of #'s then you could set up a string to change a list of PCs' ports similar to how we use MDT with computer naming conventions.

                                      scottalanmiller @krisleslie

                                      @krisleslie said in The Myth of RDP Insecurity:

                                      @scottalanmiller I could still see how if you didn't set up an RDS server, a PowerShell and remote access to the registry can accomplish this. Of course it would be "fun" to write it, but after that one hard time automating it wouldn't be so hard.

                                      Just pull a list of all computers in AD and focus on a group, then change their ports. If there is a way to automate the usage of #'s then you could set up a string to change a list of PCs' ports similar to how we use MDT with computer naming conventions.

                                      Don't need to change anything in Windows. Only need to change the port mapping on the firewall. So a simple script that talks to SSH on the Ubiquiti and you'd be good. You'd only need a trivial script and a simple list to maintain.

                                      1 Reply Last reply Reply Quote 0
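
Added example (not part of the thread, and not Ubiquiti's or any poster's code): one form the "trivial script and a simple list" could take for an EdgeRouter, building EdgeOS port-forward commands from a list and rejecting colliding or malformed entries before anything reaches the router. The ports, addresses, labels and the eth0/eth1 interface names are assumptions, and the SSH transport is left out.

```python
import ipaddress
import re

RDP_PORT = 3389
# Constructed sample list: (external port, internal address, label).
SAMPLE_MAP = [(50001, "192.168.1.21", "finance-pc1"),
              (50002, "192.168.1.22", "staff-pc1")]

def check_map(mapping):
    """Return a list of problems; an empty list means the map is usable."""
    problems, ports, hosts = [], set(), set()
    for port, addr, label in mapping:
        # Labels end up inside router commands, so allow only safe characters.
        if not re.fullmatch(r"[A-Za-z0-9_-]+", label):
            problems.append(f"bad label {label!r}")
        if not (isinstance(port, int) and 1 <= port <= 65535):
            problems.append(f"bad port {port!r}")
        elif port in ports:
            problems.append(f"external port {port} used twice")
        try:
            if not ipaddress.ip_address(addr).is_private:
                problems.append(f"{addr} is not an internal address")
        except ValueError:
            problems.append(f"bad address {addr!r}")
        if addr in hosts:
            problems.append(f"{addr} mapped twice")
        ports.add(port)
        hosts.add(addr)
    return problems

def edgeos_commands(mapping, wan="eth0", lan="eth1"):
    """Build the configure-mode commands; wan/lan interface names are assumed."""
    problems = check_map(mapping)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = ["configure",
            f"set port-forward wan-interface {wan}",
            f"set port-forward lan-interface {lan}",
            "set port-forward auto-firewall enable"]
    for n, (port, addr, label) in enumerate(mapping, start=1):
        rule = f"set port-forward rule {n}"
        cmds += [f"{rule} description {label}", f"{rule} original-port {port}",
                 f"{rule} protocol tcp", f"{rule} forward-to address {addr}",
                 f"{rule} forward-to port {RDP_PORT}"]
    return cmds + ["commit", "save", "exit"]

if __name__ == "__main__":
    print("\n".join(edgeos_commands(SAMPLE_MAP)))
```
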
                                        flaxking

                                        One thing to think about is that this might change who has access to create accounts that can access the system externally. i.e. now every local admin has that power, when with a VPN that power might be a bit more naturally contained. Also, depending on the VPN setup, IT will create VPN user passwords themselves and thus have direct control of their complexity. Although users tend to prefer an SSO VPN method.

                                        However, there is often a disconnect in the VPN strategy. The LAN is trusted, but then unmanaged, untrusted systems are allowed full access to the LAN via the VPN. It doesn't make sense.

                                        The bottom line is that any method used needs to be thoroughly thought out and planned. Personally, I think I would like to have at least 2 step authentication.

                                          scottalanmiller @flaxking

                                          @flaxking said in The Myth of RDP Insecurity:

                                          One thing to think about is that this might change who has access to create accounts that can access the system externally. i.e. now every local admin has that power, when with a VPN that power might be a bit more naturally contained.

                                          Not really. Local admins can't open the outside firewall ports. And who is creating local admins? And anyone that can create an RDP session because of their admin rights, can also create a VPN through those same rights.

                                            scottalanmiller @flaxking

                                            @flaxking said in The Myth of RDP Insecurity:

                                            Also, depending on the VPN setup, IT will create VPN user passwords themselves and thus have direct control of their complexity.

                                            But that power exists with RDP, as well. Remember RDP has a VPN built in, so anything you can do with a VPN, RDP natively can do.
