WiFi Hotspots and Remote Desktop

Posted on 2006-03-29
Last Modified: 2012-05-05
I'd like an assesment of just how "safe" it is to use Remote Desktop at free public hotspots. (i.e., any "unsecured" wiFi network.)

I would assume that if you are using a standard WindowsXP notebook that is properly up-to-date with security patches, the act of connecting to the WiFi hotspot is, in and of itself, no more or less risky than simply connecting to some "unknown network" with an ethernet cable. From a security standpoint, this would be much like walking into any random office building and finding that their receptionist in the lobby hands you the end of a CAT-5 cable saying "feel free to connect to the internet while you are waiting." You'd be concerned that you have no idea what other workstations you are now visible to, or what infections they might have, or if they have a sniffer on the network, etc. but if your notebook was patched, just connecting is arguably not going to get you infected/compromised. (Feel free to correct me if you think my first assumption here is incorrect.)

The next question, of course, is that if the network is really (in the worst case scenario) a "poisoned hotspot" with a sniffer on it, how does thst impact the saftey of using Remote Desktop? I'm not asking anyone to answer a really broad question about the many different types of traffic that might be "sniffed" on a compromised WiFi network, just Remote Desktop.
Question by:mcj
    LVL 18

    Expert Comment

    Well, you don't know when you're dealing with poisoned hotspots or not. If you want to be as safe as possible, you could do something like use a VPN or some sort of proxy. Then your RDP traffic will flow over that. RDP in and of itself is an encrypted protocol (within TCP), but in order to keep yourself as safe as possible, use another layer of protection as already mentioned.

    Now if you haven't patched your server running terminal services or Remote Desktop with a patch like this one (, you could have your traffic sniffed and it's big trouble.

    This is under the assumption you're connecting to a desktop from outside of the entwork it resides on.

    Your comment on the safety of connecting to a Wi-Fi network vs. a wired network is somewhat correct. I get the idea of what you're saying, but Wi-Fi's a lot more open since the signal goes in any given direction, whereas a wired network, the signal is pretty much only going over the wire itself. Pretending we don't know the infrastructure of the network itself (so we can leave the possibility of hubs being in place rather than switches), the security risks are just as large.

    But RDP, like SSH, is a safer protocol across unprotected networks than most protocols. Pretty much it's as strong as its known weaknesses (and people's willingness to take the time to try to exploit them).
    LVL 32

    Expert Comment

    In general RDP is pretty secure.  Since the link is encrypted even if someone is "sniffing" (which is quite possible and easy to do) they will only see the encrypted traffic once RDP is established.  Your password is not sent in the clear.

    If you are still worried, and depending on what's at stake you might want to be, you can choose to run your RDP over a VPN connection.  This will provide two levels of encryption, and different encryption at that so that even if one scheme is compromised the other one will stand up.
    LVL 3

    Expert Comment

    Here are some good examples of how to protect yourself!
    Packets that are transmitted are basically safe due the extremely high levels of encryption. RDP is connected via 128-bit encryption.  Even if your running a sophisticated router, decryping packets are basically not gonna happen.  There is more risk of hackers getting to your system than having any issues with your system in a Wi-Fi spot.
    LVL 58

    Accepted Solution

    It depends what you are doing over Remote Desktop. If you are viewing some private or confidential documents then I wouldn't recommend that you do it from a public Wi-Fi hotspot, because anyone could have a look at what data you are transmitting. You should either use an encrypted connection or a VPN which goes direct to the server where remote desktop is running.

    The machine you are using to connect to the hot spot should also be protected with firewall, anti-virus etc. because otherwise other machines connect to the public network could access your computer as freely as they like, modifying and deleting files, viewing confidential information etc.

    Make sure you also use a secure (if possible randomly generated) password on the user account(s) that have permission to connect from outside the network via remote desktop, so that anyone unauthorised who may try to access the Remote system will have a hard job to get in.
    LVL 1

    Expert Comment

    Hi mcj,

    RDP is actually fairly secure once the connection is established – the encryption is fairly good & secure and your data should not be sniffed. RDP suffered from an RC4 vulnerability back in 2002 but that was patched so unless you are using a very old, un-patched machine you should be fine (if that’s the case you got more to worry ‘bout than this! ).

    The safest way would be to set up a VPN connection of some sort then connect your RDP over that. Presumably the machine you are connecting to has 'full' internet connectivity (you are after all connecting to it from the net..) so you then have the added bonus of being able to use the remote machine for the ‘weaker’ protocols (POP etc) without fear of someone sniffing the local wifi network.

    One issue to bear in mind is recent versions of Cain & Able have the ability to carry out Man-In-The-Middle attacks on RDP. This is dependent on a successful ARP poisoning attack to have been carried out. That said if someone has successfully ARP’d you then SSH, HTTPS etc are also at risk!

    Making sure you use a good VPN solution using certificates and verifying them on connection should protect you from these types of attacks.

    All the best & good luck,

    LVL 4

    Expert Comment


    Connected RDP (from patched - to - patched) is as secure as SSL in terms of packet sniffing. No problemo - seriously. Hotspots present pre-connection-to-secure packet visibility problems that are well documented above.

    If you are really concerned then look at a gateway SSL VPN solution with 2-factor-auth connections. They can help to minimise a lot of the concerns raised above but are (a rapidly reducing) spend.

    A missing laptop with through authentication via the 'net to WTS is a big scary thing.

    If still requiring client-to-site VPN from untrusted networks then cert based VPNs are the best option - preferably with two-factor on the client VPN connection app.

    Not sure if this helps...
    LVL 2

    Assisted Solution

    RDP IS prone to MITM (man-in-the-middle) attacks

    Reference -

    Featured Post

    Looking for New Ways to Advertise?

    Engage with tech pros in our community with native advertising, as a Vendor Expert, and more.

    Join & Write a Comment

    Suggested Solutions

    This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
    If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

    734 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    26 Experts available now in Live!

    Get 1:1 Help Now