
Safe/Secure way to operate Remote Desktop

dawks

Diamond Member
We have Windows Server 2003 installed and need to share it out on the internet so a few locations can access a particular application. I'm looking for ways to make sure the server remains secure.

Currently we have our router/firewall forwarding the default port of 3389 to our server. Our server uses Active Directory for authentication and has a lockout policy of 5 attempts per 15 seconds.

How secure, relatively speaking, is this, and what else can we do to make it more secure? We installed new firmware in our router that allows us to do VPN. How much security will that provide, considering it's really just another password that needs to be cracked? Once the VPN password is cracked, they would have full access to the network, almost as much as if they hacked the Remote Desktop password.

How good is Remote Desktop's encryption?

Danke!
 
I would start by changing the port you listen on to a non-standard port, high enough to get by most port scans. Moving SSH from 22 changed my Linux box from hundreds of attempts a week to zero.

VPN is usually considered more secure depending on the solution.
 
Easy: install Cygwin and enable sshd as a service, log on with port forwarding 'ssh -N -L 4000:<remote system ip>:3389 user@<remote system ip>',
then run rdesktop and connect to 'localhost:4000'. I do this all the time to hit my Windows system at home, although I have a Linux system in the middle which handles my ssh connection.


Remote Desktop has NO encryption. If you want to use an integrated product, try out TightVNC as it includes the ability to encrypt traffic built in.
 
Originally posted by: TonyRic

Remote Desktop has NO encryption. If you want to use an integrated product, try out TightVNC as it includes the ability to encrypt traffic built in.

Incorrect.

To change the encryption level, you must be an administrator. In Programs | Administrative Tools, select Terminal Services Configuration and perform these steps:

1. In the left console pane, select Connections.
2. In the right details pane, right-click RDP-TCP and select Properties.
3. Click the General tab.
4. Under Encryption level, select the desired level in the drop-down box and click OK.

Also, read this:

http://support.microsoft.com/default.aspx?scid=kb;en-us;275727&FR=1&PA=1&SD=HSCH
 
I tunnel it through ssh too, /shrug. SSH is God's gift to remote users imho. I have been known to tunnel stuff through it without even needing to.
 
Originally posted by: SoulAssassin
Originally posted by: TonyRic

Remote Desktop has NO encryption. If you want to use an integrated product, try out TightVNC as it includes the ability to encrypt traffic built in.

Incorrect.

To change the encryption level, you must be an administrator. In Programs | Administrative Tools, select Terminal Services Configuration and perform these steps:

1. In the left console pane, select Connections.
2. In the right details pane, right-click RDP-TCP and select Properties.
3. Click the General tab.
4. Under Encryption level, select the desired level in the drop-down box and click OK.

Also, read this:

http://support.microsoft.com/default.aspx?scid=kb;en-us;275727&FR=1&PA=1&SD=HSCH



This KB actually strengthens my argument. Even with the High Encryption pack, not all information is encrypted. This (imo) is a huge security risk. ANY remote console application that traverses any public network should always be encrypted. All data and information should not pass until a valid encrypted channel of communications is established. This (I would assume) is why the note of VPN/IPSec is noted at the bottom of the KB. If MS didn't feel there was any concern, why make that note?

In regards to my previous comment of "NO" encryption, I do stand corrected, but it does not change the crux of my comment.
 
Remote Desktop is reasonably secure by itself.

Running RDP over a VPN connection would make it more so.

The biggest issue, however, is to ensure all of your user accounts have strong passwords. If your password is 'password' then I don't need to hack RDP to compromise your machine; I just establish an RDP connection and log on as you.

You might also want to configure firewall rules to only allow RDP connections to come in from specified IP addresses.
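The two controls this reply recommends, a firewall allowlist of source addresses and an account lockout policy like the "5 attempts per 15 seconds" one from the original question, can be modelled and checked against a batch of logon attempts. The script below is an added example, not code from the thread or from any Microsoft tool; the log format, the address ranges and the attempts themselves are constructed, and the lockout semantics (a rolling window, reset on successful logon) are an assumption about how the poster's policy behaves.

```python
"""Added example (not from the thread): replay constructed RDP logon attempts
through a source-IP allowlist and a rolling-window lockout policy, and report
which sources the firewall would drop and which accounts would be locked out.

Assumptions: the log format below is invented; threshold and window come from
the original question (5 attempts, 15 s); the exact semantics of that policy are
not stated in the thread, so a rolling window with reset on success is assumed.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed allowlist: the "specified IP addresses" the firewall rule admits.
ALLOWED_SOURCES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]

LOCKOUT_THRESHOLD = 5   # failed attempts that trigger a lockout
LOCKOUT_WINDOW = 15     # seconds over which those failures are counted

# Constructed log: "<epoch seconds> <source ip> <account> <OK|FAIL>" per line.
SAMPLE_LOG = """\
1000 203.0.113.10 alice FAIL
1003 203.0.113.10 alice FAIL
1005 203.0.113.10 alice OK
1000 192.0.2.55 administrator FAIL
1002 192.0.2.55 administrator FAIL
1004 192.0.2.55 administrator FAIL
1010 198.51.100.7 bob FAIL
1012 198.51.100.7 bob FAIL
1014 198.51.100.7 bob FAIL
1016 198.51.100.7 bob FAIL
1018 198.51.100.7 bob FAIL
1020 198.51.100.7 bob OK
1100 203.0.113.20 carol FAIL
1120 203.0.113.20 carol FAIL
1140 203.0.113.20 carol FAIL
1160 203.0.113.20 carol FAIL
1180 203.0.113.20 carol FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source, account, success)."""
    ts, src, account, result = line.split()
    return int(ts), ip_address(src), account, result == "OK"


def source_allowed(src):
    """Firewall rule: admit the connection only if its source is in the allowlist."""
    return any(src in net for net in ALLOWED_SOURCES)


def evaluate(log_text):
    """Return (blocked, locked): blocked maps a dropped source IP to the number of
    attempts the firewall would have discarded; locked maps an account to the
    timestamp at which the lockout policy would have locked it."""
    blocked = defaultdict(int)
    recent_failures = defaultdict(deque)  # account -> timestamps of recent failures
    locked = {}
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    for ts, src, account, ok in events:
        if not source_allowed(src):
            blocked[str(src)] += 1      # never reaches the server at all
            continue
        if account in locked:
            continue                    # locked accounts reject everything until reset
        if ok:
            recent_failures[account].clear()   # successful logon resets the counter
            continue
        window = recent_failures[account]
        window.append(ts)
        while window and ts - window[0] > LOCKOUT_WINDOW:
            window.popleft()            # drop failures older than the window
        if len(window) >= LOCKOUT_THRESHOLD:
            locked[account] = ts
    return dict(blocked), locked


if __name__ == "__main__":
    blocked, locked = evaluate(SAMPLE_LOG)
    for src, n in blocked.items():
        print(f"firewall dropped {n} attempts from {src}")
    for account, ts in locked.items():
        print(f"account {account} locked out at t={ts}")
```

In the constructed batch, the attempts from 192.0.2.55 never reach the server because the source is not on the allowlist; bob is locked after five failures in eight seconds, so his later correct password is refused; carol's five failures are spaced twenty seconds apart and never fit in the window, which shows why a slow, patient guessing run is the case the lockout policy alone does not catch and why the allowlist and strong passwords matter alongside it.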
 
This KB actually strengthens my argument. Even with the High Encryption pack, not all information is encrypted. This (imo) is a huge security risk

The KB doesn't support your argument at all. Most of the things in that list are encrypted if you are running 2000 SP2 or higher. If you are running Windows 2000 pre SP2, you have bigger problems. The other information is used to negotiate the encryption that will be used, which is exactly what happens when you visit a web page that is encrypted with SSL.

The one thing that RDP doesn't do by default is authenticate the server to the client. With 2003 SP1, you can configure RDP to use TLS, which will perform both client and server authentication.

http://www.microsoft.com/technet/prodte...d8eb9-f53d-4e86-ac9b-29fd6146977b.mspx
 
Is there any way to completely DISABLE encryption while using RDP? I occasionally use a museum-grade B&W laptop to RDP to my XP desktop, and it would be nice to disable all encryption, as I'm sure it takes up a non-negligible amount of CPU time on the laptop. (486sx-something?).
 