RDP security question

Posted on 2005-04-21
Last Modified: 2011-08-18
We are setting up Remote Desktop Web Connection. My question is how secure is Remote Desktop? Is the data that passes between the client and the server encrypted in any way? Can it be? I am forwarding port 3389 through my corporate firewall to my TS server and it makes me a little leery to do so. Is there anything aside from not doing that to make it a more secure connection? Is there a 3rd-party app that will sit between the firewall and the server that will provide another level of security? Thanks.
Question by:uyht
    LVL 95

    Expert Comment

    by:Lee W, MVP
    Yes, it is encrypted.  It's not the best encryption, but it is encrypted.  The safest thing to do is set up a VPN, connect to the VPN, then connect to the system you want to connect to.  No poking holes in firewalls.
    LVL 29

    Expert Comment

    If you are pressed for money you can use PuTTY (SSH) to handle the VPN.  Not the most user-friendly product, but good security.

    LVL 2

    Author Comment

    We have a VPN, but I do not want home PCs connecting to our network. My laptop users use the VPN, but we also use a firewall and AV on those individual machines when outside the network. This provides my end users with the ability to just go to a web browser and work remotely with no hassles, and it doesn't open my network up to whatever crap their machines might have on it.
    LVL 9

    Expert Comment

    I like the SSH tunnel solution for added measure when a VPN is not desired for everyone needing RDP access.

    At one of my clients with no server OS, I set them up with TightVNC through an SSH tunnel; the same could easily be done for RDP.  The employees that connect from home aren't very computer-literate, so when I set it up for them I placed PuTTY on the desktop and called it "Step One", then put the VNC client (in your case it'd be the mstsc executable shortcut) renamed to "Step Two".  The only problem I had a few months later was that one employee's spouse had deleted them from the desktop... easily fixed by emailing them replacement files already renamed for them.

    If you need advice on setting up OpenSSH on the server or how to configure the PuTTY and Terminal Services clients to tunnel, just ask.  Not sure if this has been changed, but as of XP SP1, the mstsc executable wouldn't allow connects to by using the Win2K mstsc or possibly using (I carry the 2K mstsc executable on a thumbdrive... never used it myself but heard it works).

    FWIW, I've had my home play/expendable network segment configured with 3389 open to the world for about a year and haven't had any problems... but I hardly ever RDP into it (probably once in the last 6 months, just to jump on IRC to see if a bud was around to ask a question when I was at a client).  Not sure how difficult it would be to crack with a live session to sniff though, so for "real" use I'd feel more comfortable tunneling it through SSH.
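The "Step One / Step Two" setup above as a single script, added here as an example (my PowerShell, not code from the thread or from PuTTY). plink, PuTTY's command-line client, opens a loopback-only forward from 127.0.0.1:3390 to the TS server's 3389 through the SSH gateway, the script waits until that port is really listening, and then mstsc is pointed at the loopback port, so only SSH is exposed to the Internet and 3389 never has to be forwarded through the firewall. Assumptions not on the page: plink 0.67 or newer (for -hostkey), key-based login via Pageant (-batch suppresses prompts, so a password login will just fail), the gateway's host key fingerprint recorded out of band beforehand, and the placeholder gateway, user and TS server addresses.

```powershell
# Added example: RDP through an SSH tunnel with plink and mstsc.
# Assumed: plink >= 0.67, Pageant key auth, host key fingerprint known in advance.

function Start-RdpOverSsh {
    param(
        [Parameter(Mandatory)][string]$SshGateway,          # Internet-facing SSH host (assumed name)
        [Parameter(Mandatory)][string]$SshUser,
        [Parameter(Mandatory)][string]$HostKeyFingerprint,  # e.g. 'SHA256:...' as plink prints on first contact
        [string]$TsServer = '10.0.0.5',                     # TS server as seen from the gateway (assumed address)
        [int]$LocalPort = 3390,
        [string]$PlinkPath = 'C:\Program Files\PuTTY\plink.exe'
    )

    # Bind the forwarded port to loopback only. Never add -g: that would offer
    # the tunnel to everything on the home user's LAN.
    $forward = "127.0.0.1:${LocalPort}:${TsServer}:3389"
    $plinkArgs = @('-batch', '-N', '-hostkey', $HostKeyFingerprint, '-L', $forward, "$SshUser@$SshGateway")
    $ssh = Start-Process -FilePath $PlinkPath -ArgumentList $plinkArgs -PassThru -WindowStyle Hidden

    # Step One is only done when the local listener exists; -batch makes plink
    # exit instead of prompting if the host key or the login is wrong.
    $deadline = (Get-Date).AddSeconds(15)
    do {
        Start-Sleep -Milliseconds 500
        if ($ssh.HasExited) { throw "plink exited with code $($ssh.ExitCode); check the host key and authentication" }
        $listening = Get-NetTCPConnection -LocalAddress 127.0.0.1 -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue
    } until ($listening -or (Get-Date) -gt $deadline)
    if (-not $listening) {
        Stop-Process -Id $ssh.Id -Force
        throw "tunnel to $SshGateway did not come up within 15 seconds"
    }

    try {
        # Step Two: mstsc talks to the loopback end of the tunnel, never to the server directly.
        Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:127.0.0.1:$LocalPort" -Wait
    } finally {
        # Tear the tunnel down as soon as the RDP window is closed.
        if (-not $ssh.HasExited) { Stop-Process -Id $ssh.Id -Force }
    }
}

# Usage (values are placeholders):
# Start-RdpOverSsh -SshGateway ssh.example.com -SshUser alice -HostKeyFingerprint 'SHA256:replace-with-real-fingerprint'
```

Pinning the fingerprint with -hostkey is what makes the tunnel worth having: without it, -batch would either refuse every unknown host or (on an older plink) silently accept one, and an attacker on the path could terminate the SSH session and see the RDP traffic in the clear. If the client's mstsc refuses to connect to a loopback address, the compatibility-mode workaround posted later in this thread applies.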
    LVL 3

    Expert Comment

    Go to Programs | Administrative Tools, select Terminal Services Configuration and perform these steps:

       1. In the left console pane, select Connections.
       2. In the right details pane, right-click RDP-Tcp and select Properties.
       3. Click the General tab.
       4. Under Encryption level, select the desired level in the drop-down box and click OK.

    Alternatively, in the Group Policy Object Editor (gpedit.msc), double-click Administrative Templates > Windows Components > Terminal Services and then choose Encryption and Security.

    From here you can set the encryption level for the TS session.
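The same listener settings from a script, so they can be audited and set without clicking through Terminal Services Configuration. This is an added example (my PowerShell, not from the thread); run it in an elevated prompt on the TS server. The value names are the ones the RDP-Tcp listener keeps in the registry; the weak-vs-corrected comparison in Test-RdpListenerSettings is my bar, not the original poster's. SecurityLayer and UserAuthentication exist only from 2003 SP1 and 2008 onwards, so on older servers they read as empty and the hardening function's writes to them are ignored (assumption: you are on a version that honours them).

```powershell
# Added example: audit and harden the RDP-Tcp listener via its registry values.
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListenerSettings {
    $p = Get-ItemProperty -Path $RdpTcpKey
    [pscustomobject]@{
        PortNumber         = $p.PortNumber           # default 3389
        MinEncryptionLevel = $p.MinEncryptionLevel   # 1=Low (client->server only) 2=Client Compatible 3=High (128-bit) 4=FIPS
        SecurityLayer      = $p.SecurityLayer        # 0=Standard RDP Security 1=Negotiate 2=TLS
        UserAuthentication = $p.UserAuthentication   # 1 = Network Level Authentication required
    }
}

# Returns one finding per setting that is below the bar; an empty result means "fine".
function Test-RdpListenerSettings {
    $s = Get-RdpListenerSettings
    $findings = @()
    if ($s.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel=$($s.MinEncryptionLevel): Low encrypts only client->server, Client Compatible lets a weak client pull the level down; set High (3) or FIPS (4)"
    }
    if ($null -eq $s.SecurityLayer -or $s.SecurityLayer -lt 1) {
        $findings += "SecurityLayer=$($s.SecurityLayer): Standard RDP Security only, the server is not authenticated to the client; set Negotiate (1) or TLS (2)"
    }
    if ($s.UserAuthentication -ne 1) {
        $findings += "UserAuthentication=$($s.UserAuthentication): NLA off, anonymous clients reach the logon screen; set 1"
    }
    if ($s.PortNumber -eq 3389) {
        $findings += "PortNumber=3389: default port; moving it only cuts scanner noise, it is not a control"
    }
    return $findings
}

function Set-RdpListenerHardening {
    param(
        [int]$Port = 3389,
        [ValidateSet(3, 4)][int]$EncryptionLevel = 3,   # High or FIPS
        [ValidateSet(1, 2)][int]$SecurityLayer   = 2    # TLS; use 1 if very old clients must still connect
    )
    Set-ItemProperty -Path $RdpTcpKey -Name MinEncryptionLevel -Value $EncryptionLevel -Type DWord
    Set-ItemProperty -Path $RdpTcpKey -Name SecurityLayer      -Value $SecurityLayer   -Type DWord
    Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value 1                -Type DWord
    Set-ItemProperty -Path $RdpTcpKey -Name PortNumber         -Value $Port            -Type DWord
    Write-Host "Listener values written. Restart TermService (or reboot) for the port change; new sessions pick up the rest."
}

# Usage:
# Test-RdpListenerSettings
# Set-RdpListenerHardening -Port 33890
# Get-RdpListenerSettings
```

If the same settings are also set through Group Policy (the Encryption and Security node mentioned above), the policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services win over the listener's own values, so check both before trusting the audit output.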
    LVL 3

    Assisted Solution

    LVL 38

    Accepted Solution

    I've commented on RD/TS sessions a few times before, here is a quick rundown:
    1) The only unencrypted information you can obtain from the RD/TS session is a username, and that's only at the beginning of the session.
    2) The encryption is very good by default, as well as compressed, and the encryption can be turned up to make brute-forcing near impossible; the encryption level is determined by the server, not the client. Encryption can be disabled, btw.
    3) I've never found a program to attack an RD/TS session that may have been captured; I look quite often actually.
    4) To further secure the connection, you should do a few things: change the listening port, and change the local administrator account's name to something else. The local admin account is the main weakness of RD/TS; since this account cannot be locked out, you're free to try to guess the local admin password. A program like TSGrinder will help to automate this task, since you will be disconnected after a few failed attempts. And actually with XP SP2 and 2003 SP1 the local admin account can be locked out from TS/RD access, but local access (terminal) is still allowed. The lockout lasts 90 minutes, and I think the lockout threshold is 6 failed attempts.
    5) Even with the listening port changed, it's easy to spot a Remote Desktop/Terminal Services port if you look at the returned headers from the scan packets. So a VPN solution is probably the best idea overall to secure RD/TS or any remote control software such as VNC or Timbuktu.
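Point 5 above (the port change does not hide the service) and point 2 (the server decides the security level) can both be checked with one probe. What follows is an added example, my PowerShell rather than anything from the thread: it sends the X.224 Connection Request that every RDP client opens with and parses the Connection Confirm. Any listener that answers with a Connection Confirm TPDU is RDP, whatever port it sits on, and the RDP_NEG_RSP block inside the confirm says which security layer the server picked: PROTOCOL_RDP (0) is Standard RDP Security, the mode in which the server is not authenticated to the client; SSL (1), HYBRID (2) and HYBRID_EX (8) mean TLS and NLA variants. A server that sends a bare 11-byte confirm with no negotiation block is a pre-TLS server that only speaks Standard RDP Security. Field layout follows MS-RDPBCGR; the only assumptions are that the target is reachable and that nothing in between rewrites the first packet.

```powershell
# Added example: fingerprint an RDP listener on any port and report the negotiated security layer.

function New-RdpConnectionRequest {
    param([uint32]$RequestedProtocols = 0x03)   # PROTOCOL_SSL (1) | PROTOCOL_HYBRID (2); 0x0B also asks for HYBRID_EX
    # RDP_NEG_REQ: type 0x01, flags 0x00, length 8 (LE), requestedProtocols (LE)
    $negReq = [byte[]]([byte[]](0x01, 0x00, 0x08, 0x00) + [BitConverter]::GetBytes($RequestedProtocols))
    # X.224 Connection Request: LI, code 0xE0, dst-ref 0, src-ref 0, class 0, then the negotiation block
    $x224 = [byte[]]([byte[]](0x00, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00) + $negReq)
    $x224[0] = [byte]($x224.Length - 1)         # length indicator counts everything after itself
    # TPKT header: version 3, reserved, total length big-endian (including these 4 bytes)
    $total = 4 + $x224.Length
    $tpkt = [byte[]](0x03, 0x00, [byte](($total -shr 8) -band 0xFF), [byte]($total -band 0xFF))
    return ,[byte[]]($tpkt + $x224)             # leading comma keeps the array from being unrolled
}

# RDP_NEG_FAILURE codes from MS-RDPBCGR; 5 means the server insists on NLA.
$NegFailureNames = @{ 1 = 'SSL_REQUIRED_BY_SERVER'; 2 = 'SSL_NOT_ALLOWED_BY_SERVER'; 3 = 'SSL_CERT_NOT_ON_SERVER'
                      4 = 'INCONSISTENT_FLAGS'; 5 = 'HYBRID_REQUIRED_BY_SERVER'; 6 = 'SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER' }

function Read-RdpConnectionConfirm {
    param([byte[]]$Data)
    $r = [ordered]@{ IsRdp = $false; SecurityLayer = $null; NegotiationFailure = $null }
    # TPKT sanity: version 3 and the declared length must match what arrived
    if ($Data.Length -lt 11 -or $Data[0] -ne 0x03) { return [pscustomobject]$r }
    $declared = ($Data[2] -shl 8) -bor $Data[3]
    if ($declared -ne $Data.Length) { return [pscustomobject]$r }
    # X.224 Connection Confirm carries TPDU code 0xD0 in the high nibble of byte 5
    if (($Data[5] -band 0xF0) -ne 0xD0) { return [pscustomobject]$r }
    $r.IsRdp = $true
    if ($Data[4] -eq 6) {
        # LI 6 = no negotiation block: legacy server, Standard RDP Security only
        $r.SecurityLayer = 'RDP (legacy server, Standard RDP Security, no negotiation)'
        return [pscustomobject]$r
    }
    if ($Data.Length -lt 19) { return [pscustomobject]$r }
    $code = [BitConverter]::ToUInt32($Data, 15)          # selectedProtocol or failureCode, LE
    switch ($Data[11]) {                                 # negotiation block type
        0x02 {
            $r.SecurityLayer = switch ($code) {
                0 { 'RDP (Standard RDP Security, server not authenticated)' }
                1 { 'TLS' }
                2 { 'CredSSP / NLA' }
                8 { 'CredSSP with early user authorization (HYBRID_EX)' }
                default { "unknown ($code)" }
            }
        }
        0x03 {
            $name = $NegFailureNames[[int]$code]
            $r.NegotiationFailure = if ($name) { $name } else { "code $code" }
        }
    }
    return [pscustomobject]$r
}

function Test-RdpListener {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 3389, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "connect to ${ComputerName}:$Port timed out" }
        $client.EndConnect($async)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $req = New-RdpConnectionRequest
        $stream.Write($req, 0, $req.Length)
        $buf = New-Object byte[] 64
        $n = $stream.Read($buf, 0, $buf.Length)
        if ($n -le 0) { throw "no reply from ${ComputerName}:$Port" }
        $parsed = Read-RdpConnectionConfirm -Data ([byte[]]$buf[0..($n - 1)])
        [pscustomobject]@{ Target = "${ComputerName}:$Port"; IsRdp = $parsed.IsRdp
                           SecurityLayer = $parsed.SecurityLayer; NegotiationFailure = $parsed.NegotiationFailure }
    } finally {
        $client.Close()
    }
}

# Usage (target is a placeholder): Test-RdpListener -ComputerName ts.example.local -Port 33890
```

Run it against your own forwarded port from outside: an IsRdp of True on a non-default port is exactly what the scanners point 5 describes will see, and a SecurityLayer that reads RDP rather than TLS or CredSSP tells you the server is still accepting the legacy security layer that the Cain & Abel note later in this thread is about.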
    LVL 29

    Expert Comment

    >but as of XP-SP1, the mstsc executable wouldn't allow connects to

    Copy mstsc.exe and its DLL to a separate folder.
    Make a shortcut to mstsc.
    Set compatibility mode to W2K.
    Problem solved....
    LVL 38

    Expert Comment

    by:Rich Rumble
    RDP just got less secure...
    Cain & Abel v2.7.3 released
    New features:
    - RDPv4 session sniffer for APR
    Cain can now perform man-in-the-middle attacks against the heavily encrypted Remote Desktop Protocol (RDP), the one used to connect to the Terminal Server service of a remote Windows computer. The entire session from/to the client/server is decrypted and saved to a text file. Client-side keystrokes are also decoded to provide some kind of password interception. The attack can be completely invisible because of the use of APR (ARP Poison Routing) and other protocol weaknesses.
