The Myth of RDP Insecurity
-
Personally, I always thought the OpenVPN certificate was a good second factor to the RDP username and password access. Thinking this would reduce AD account lockouts in relation to AD accounts which also had RDP access.
Isn't there some value in using two separate authentication systems in a multi-factor arrangement?
-
@spiral said in The Myth of RDP Insecurity:
Personally, I always thought the OpenVPN certificate was a good second factor to the RDP username and password access. Thinking this would reduce AD account lockouts in relation to AD accounts which also had RDP access.
Isn't there some value in using two separate authentication systems in a multi-factor arrangement?
Some value, certainly. But if there is specific value to that, it seems that we must apply that universally and not tied to RDP in any way.
-
@spiral said in The Myth of RDP Insecurity:
Personally, I always thought the OpenVPN certificate was a good second factor to the RDP username and password access. Thinking this would reduce AD account lockouts in relation to AD accounts which also had RDP access.
Isn't there some value in using two separate authentication systems in a multi-factor arrangement?
There is. But those are issues around the username and password being used for RDP. It has nothing to do with the security of the RDP session itself.
-
Here is the one thing that will shut the dumbasses up about RDP being "insecure".
Multi factor authentication.
Microsoft even supplies a wonderful application for it.
https://azure.microsoft.com/en-us/services/multi-factor-authentication/
Eliminates all the shit password problems, even if it's 'password', has a mobile app to just hit a button to approve login, and is pretty easy to set up to boot.
-
This was mentioned in another thread once, but I feel it needs to be here also.
-
@JaredBusch said in The Myth of RDP Insecurity:
This was mentioned in another thread once, but I feel it needs to be here also.
Anyone got a guide to working with that with RDS?
-
@scottalanmiller said in The Myth of RDP Insecurity:
@JaredBusch said in The Myth of RDP Insecurity:
This was mentioned in another thread once, but I feel it needs to be here also.
Anyone got a guide to working with that with RDS?
Not that I know of, I can work on it maybe tomorrow or Friday.
-
@dbeato said in The Myth of RDP Insecurity:
@scottalanmiller said in The Myth of RDP Insecurity:
@JaredBusch said in The Myth of RDP Insecurity:
This was mentioned in another thread once, but I feel it needs to be here also.
Anyone got a guide to working with that with RDS?
Not that I know of, I can work on it maybe tomorrow or Friday.
That would be awesome.
-
@scottalanmiller said in The Myth of RDP Insecurity:
@JaredBusch said in The Myth of RDP Insecurity:
This was mentioned in another thread once, but I feel it needs to be here also.
Anyone got a guide to working with that with RDS?
No, I was just trying to link solutions for someone and remembered it from another thread.
-
@JaredBusch said in The Myth of RDP Insecurity:
@scottalanmiller said in The Myth of RDP Insecurity:
@JaredBusch said in The Myth of RDP Insecurity:
This was mentioned in another thread once, but I feel it needs to be here also.
Anyone got a guide to working with that with RDS?
No, I was just trying to link solutions for someone and remembered it from another thread.
Cool, well it is a start. Good passwords, good RDP patching, wail2ban... should make RDP a lot more secure with relatively little effort, in theory.
-
Any concerns about the fact that there will be no further maintenance of wail2ban?
Hasn't seen any updates in over a year and doesn't look like there will be any to come. Am I misunderstanding what this means?
-
@NashBrydges Yeah seems like a dead project to me as well. All of the forks are also at least 10 months out of date as well.
-
Seems like RDPGuard is probably the best bet for that. If you want to prevent exposing port 3389 to the internet, then set up an RD Gateway (It can be run on any of the servers in your RDS setup). You can restrict what servers users have access to, so that johnny whose password is Wants2play! can only access his desktop, or a single server that he should have access to.
-
@NashBrydges said in The Myth of RDP Insecurity:
Any concerns about the fact that there will be no further maintenance of wail2ban?
Hasn't seen any updates in over a year and doesn't look like there will be any to come. Am I misunderstanding what this means?
It is a PowerShell script that looks at Windows event logs. So the biggest concerns are Event logs changing or the method of banning an IP (uses the Windows firewall) from RDP getting changed by Microsoft.
But no, you are not misunderstanding.
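
The approach described above (read failed-logon events, count them per source address inside a time window, block offenders in the Windows firewall), as an added example that is not part of the original thread and is not wail2ban's code. The function names, the threshold, window and allowlist values, the choice of Security event ID 4625 and the sample events are assumptions of this example.

```powershell
# Added example. Threshold, window and allowlist are assumed values, not wail2ban's.
function Get-FailedLogon {
    param([datetime] $Since)
    # Event ID 4625 = failed logon in the Security log (this example's choice of source)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                IpAddress   = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
            }
        }
}

function Get-BanCandidate {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated and IpAddress
        [int]      $Threshold = 5,
        [timespan] $Window    = (New-TimeSpan -Minutes 10),
        [string[]] $AllowList = @('127.0.0.1', '::1')
    )
    $Events |
        Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' -and $_.IpAddress -notin $AllowList } |
        Group-Object IpAddress |
        ForEach-Object {
            $times = @($_.Group.TimeCreated | Sort-Object)
            # Flag the address only if $Threshold failures fit inside one window
            for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
                if (($times[$i + $Threshold - 1] - $times[$i]) -le $Window) { $_.Name; break }
            }
        }
}

# Constructed sample events (documentation addresses), so the logic runs without a live log
$t0 = Get-Date '2024-01-01T12:00:00'
$sample = @(
    0..5 | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddSeconds(20 * $_); IpAddress = '203.0.113.7' } }
    0..5 | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddHours($_); IpAddress = '198.51.100.9' } }
    0..1 | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddMinutes($_); IpAddress = '192.0.2.44' } }
)

# On a live host, replace $sample with: Get-FailedLogon -Since (Get-Date).AddHours(-1)
foreach ($ip in Get-BanCandidate -Events $sample) {
    # -WhatIf previews the rule; remove it to actually block the address on the RDP port
    New-NetFirewallRule -DisplayName "RDP-ban $ip" -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $ip -WhatIf
}
```

Reading the Security log needs an elevated session, and the allowlist is where known office addresses go so that a user who keeps mistyping a password does not block everyone behind the same NAT.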
-
@dafyre RDPGuard is a paid solution and a good one. I used it a long time ago and it worked great.
-
@JaredBusch said in The Myth of RDP Insecurity:
@dafyre RDPGuard is a paid solution and a good one. I used it a long time ago and it worked great.
We use it, too.
-
@JaredBusch said in The Myth of RDP Insecurity:
@NashBrydges said in The Myth of RDP Insecurity:
Any concerns about the fact that there will be no further maintenance of wail2ban?
Hasn't seen any updates in over a year and doesn't look like there will be any to come. Am I misunderstanding what this means?
It is a PowerShell script that looks at Windows event logs. So the biggest concerns are Event logs changing or the method of banning an IP (uses the Windows firewall) from RDP getting changed by Microsoft.
But no, you are not misunderstanding.
Definitely needs someone to pick it up and care for it. It is a great idea.
-
@scottalanmiller said in The Myth of RDP Insecurity:
@JaredBusch said in The Myth of RDP Insecurity:
@NashBrydges said in The Myth of RDP Insecurity:
Any concerns about the fact that there will be no further maintenance of wail2ban?
Hasn't seen any updates in over a year and doesn't look like there will be any to come. Am I misunderstanding what this means?
It is a PowerShell script that looks at Windows event logs. So the biggest concerns are Event logs changing or the method of banning an IP (uses the Windows firewall) from RDP getting changed by Microsoft.
But no, you are not misunderstanding.
Definitely needs someone to pick it up and care for it. It is a great idea.
There are a bunch of forks, but I wasn't going to go through them looking for updates.
-
@JaredBusch said in The Myth of RDP Insecurity:
@dafyre RDPGuard is a paid solution and a good one. I used it a long time ago and it worked great.
I have been using it for almost a year. The only time it has blocked someone is the same dummy that always typos his password. Probably blocked him 5 times.
-
@dafyre said in The Myth of RDP Insecurity:
Seems like RDPGuard is probably the best bet for that. If you want to prevent exposing port 3389 to the internet, then set up an RD Gateway (It can be run on any of the servers in your RDS setup). You can restrict what servers users have access to, so that johnny whose password is Wants2play! can only access his desktop, or a single server that he should have access to.
I use an RDGateway and RDPGuard