Opening an RDP connection to the internet.

foxymoxy

Junior Member
Jun 29, 2017
Greetings.

I have a server opened to one client using a RDP connection.

At the moment a firewall (Fortinet) is doing a NAT to this server, allowing the connection only from their public IP 1.1.1.1/32 and rejecting the rest.

The NAT is being applied by a policy and this policy is opened during X hour to Y hour.

- Default rdp port
- Server outside of my domain ( but inside my network )

I'm wondering how I can add more security to this connection, like an RDS?

PS: Imagine that this is the only way. Do not suggest a VPN connection.
 

Fardringle

Diamond Member
Oct 23, 2000
Is there a reason why you refuse to use VPN? A properly configured VPN connection really is one of the best (and easiest) ways to secure what you are doing. Having RDP open to the Internet, even if it's restricted to certain IP addresses, just isn't a good idea.

edit: As others have said, RDP can be set up fairly securely if done right. What I meant to say (but didn't) is that when VPN is EXTREMELY easy to set up and use, why would you not want to include that extra layer of protection for something that has the potential to give outside access to your entire network. You don't really need to as much now as in the past, but why wouldn't you?
 

razel

Platinum Member
May 14, 2002
RDP can be very secure. Luckily it is by default. Depending on how nerdy the person is who is using RDP, my only suggestion would be to change the default port.
 
Feb 25, 2011
IMHO, it's not that RDP over WAN isn't secure, it's that a VPN setup is easier to do, more flexible, and makes your router and firewall configuration a LOT easier too.

Management overhead is bad.
 

PliotronX

Diamond Member
Oct 17, 1999
What about RDP over an SSH tunnel? (Shh, it's not just a poor man's VPN, I swear :D). Beyond whitelisting and requiring NLA authentication to connect, you can ensure that it's using TLSv1.2 with IIS Crypto and a local group policy change:

Run IISCrypto and disable TLS 1.0, TLS 1.1 and all bad ciphers.

On the Remote Desktop Services server running the gateway role, open the Local Security Policy and navigate to Security Options - System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. Change the security setting to Enabled. Reboot for the changes to take effect.

Note that in some cases (especially if using self signed certificates on Server 2012 R2), the Security Policy option Network Security: LAN Manager authentication level may need to be set to Send NTLMv2 responses only.
 
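A read-only audit of the settings PliotronX describes (NLA required, TLS 1.0/1.1 disabled, FIPS policy on, NTLMv2-only) plus razel's non-default port suggestion, as an added PowerShell example that is not from the thread. The registry paths are the standard Windows ones; the pass/fail thresholds are my assumption of what "hardened" means here, so adjust them to your own baseline.

```powershell
# Added example: read-only check of RDP hardening settings on the RDP host.
# Run in an elevated PowerShell; nothing is changed, only reported.
# Expected values (NLA=1, TLS layer=2, FIPS=1, LmCompatibilityLevel>=3,
# legacy TLS Enabled=0, non-3389 port) are assumptions based on the thread.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key or value -> $null, reported as "not set"
}

$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sch = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Each check: label, actual registry value, predicate deciding PASS/FAIL
$checks = @(
    @{ Name = 'NLA required (UserAuthentication=1)'
       Value = Get-RegValue $rdp 'UserAuthentication'; Ok = { $args[0] -eq 1 } },
    @{ Name = 'Security layer is TLS (SecurityLayer=2)'
       Value = Get-RegValue $rdp 'SecurityLayer'; Ok = { $args[0] -eq 2 } },
    @{ Name = 'Encryption level High or FIPS (MinEncryptionLevel>=3)'
       Value = Get-RegValue $rdp 'MinEncryptionLevel'; Ok = { $args[0] -ge 3 } },
    @{ Name = 'FIPS algorithm policy enabled'
       Value = Get-RegValue "$lsa\FipsAlgorithmPolicy" 'Enabled'; Ok = { $args[0] -eq 1 } },
    @{ Name = 'Send NTLMv2 responses only (LmCompatibilityLevel>=3)'
       Value = Get-RegValue $lsa 'LmCompatibilityLevel'; Ok = { $args[0] -ge 3 } },
    @{ Name = 'Non-default RDP port (PortNumber<>3389)'
       Value = Get-RegValue $rdp 'PortNumber'; Ok = { $args[0] -ne 3389 } }
)

# IIS Crypto disables a protocol by setting Enabled=0 (and DisabledByDefault=1)
# under the per-protocol Server key; "not set" means the OS default applies.
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    $checks += @{ Name = "$proto disabled for server"
                  Value = Get-RegValue "$sch\$proto\Server" 'Enabled'
                  Ok = { $args[0] -eq 0 } }
}

foreach ($c in $checks) {
    $status = if (& $c.Ok $c.Value) { 'PASS' } else { 'FAIL' }
    $shown  = if ($null -eq $c.Value) { '<not set>' } else { $c.Value }
    '{0,-4} {1,-55} actual={2}' -f $status, $c.Name, $shown
}
```

A FAIL on a "not set" value means the OS default is in effect, which for legacy TLS on older server versions is "enabled".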

ch33zw1z

Lifer
Nov 4, 2004
I RDP'd and VNC'd over SSH for a while. It worked fine. Not really much different than being at home if I was on a good connection. I opened some port >10,000 for it.
 
Feb 25, 2011
What about RDP over an SSH tunnel? (Shh, it's not just a poor man's VPN, I swear :D). Beyond whitelisting and requiring NLA authentication to connect, you can ensure that it's using TLSv1.2 with IIS Crypto and a local group policy change:

Client configuration is a bit more complex. Most OpenVPN clients, all you have to tell the user is "Click on the thing that looks like a- no, it's a tunnel, not a penis. I swear. It's a tunnel. Look, whatever. Just click on it and select "connect." No, I didn't make the icon. Yes, really. Then when you're done, click the disconnect button."

Telling somebody how to create an SSH redirect/tunnel in PuTTY would be a little more complicated and a lot less humorous.
 

PliotronX

Diamond Member
Oct 17, 1999
Haha! I was just trying to flout the rejection of VPN for suggestions :p "to disconnect, you stay away from the penis. Very far away." I am all about OpenVPN but my coworkers keep setting up SonicWalls and Cisco ASAs with their garbage clients.