WiFi Hotspots and Remote Desktop

I'd like an assessment of just how "safe" it is to use Remote Desktop at free public hotspots. (i.e., any "unsecured" WiFi network.)

I would assume that if you are using a standard WindowsXP notebook that is properly up-to-date with security patches, the act of connecting to the WiFi hotspot is, in and of itself, no more or less risky than simply connecting to some "unknown network" with an ethernet cable. From a security standpoint, this would be much like walking into any random office building and finding that their receptionist in the lobby hands you the end of a CAT-5 cable saying "feel free to connect to the internet while you are waiting." You'd be concerned that you have no idea what other workstations you are now visible to, or what infections they might have, or if they have a sniffer on the network, etc. but if your notebook was patched, just connecting is arguably not going to get you infected/compromised. (Feel free to correct me if you think my first assumption here is incorrect.)

The next question, of course, is that if the network is really (in the worst case scenario) a "poisoned hotspot" with a sniffer on it, how does that impact the safety of using Remote Desktop? I'm not asking anyone to answer a really broad question about the many different types of traffic that might be "sniffed" on a compromised WiFi network, just Remote Desktop.

Well, you don't know when you're dealing with poisoned hotspots or not. If you want to be as safe as possible, you could do something like use a VPN or some sort of proxy. Then your RDP traffic will flow over that. RDP in and of itself is an encrypted protocol (within TCP), but in order to keep yourself as safe as possible, use another layer of protection as already mentioned.

Now if you haven't patched your server running terminal services or Remote Desktop with a patch like this one (http://www.microsoft.com/technet/security/bulletin/MS02-051.mspx), you could have your traffic sniffed and it's big trouble.

This is under the assumption you're connecting to a desktop from outside of the network it resides on.

Your comment on the safety of connecting to a Wi-Fi network vs. a wired network is somewhat correct. I get the idea of what you're saying, but Wi-Fi's a lot more open since the signal goes in any given direction, whereas a wired network, the signal is pretty much only going over the wire itself. Pretending we don't know the infrastructure of the network itself (so we can leave the possibility of hubs being in place rather than switches), the security risks are just as large.

But RDP, like SSH, is a safer protocol across unprotected networks than most protocols. Pretty much it's as strong as its known weaknesses (and people's willingness to take the time to try to exploit them).
In general RDP is pretty secure.  Since the link is encrypted even if someone is "sniffing" (which is quite possible and easy to do) they will only see the encrypted traffic once RDP is established.  Your password is not sent in the clear.

If you are still worried, and depending on what's at stake you might want to be, you can choose to run your RDP over a VPN connection.  This will provide two levels of encryption, and different encryption at that so that even if one scheme is compromised the other one will stand up.
Here are some good examples of how to protect yourself!
Packets that are transmitted are basically safe due to the extremely high levels of encryption. RDP is connected via 128-bit encryption. Even if you're running a sophisticated router, decrypting packets is basically not gonna happen. There is more risk of hackers getting to your system than having any issues with your system in a Wi-Fi spot.

It depends what you are doing over Remote Desktop. If you are viewing some private or confidential documents then I wouldn't recommend that you do it from a public Wi-Fi hotspot, because anyone could have a look at what data you are transmitting. You should either use an encrypted connection or a VPN which goes direct to the server where remote desktop is running.

The machine you are using to connect to the hot spot should also be protected with firewall, anti-virus etc. because otherwise other machines connected to the public network could access your computer as freely as they like, modifying and deleting files, viewing confidential information etc.

Make sure you also use a secure (if possible randomly generated) password on the user account(s) that have permission to connect from outside the network via remote desktop, so that anyone unauthorised who may try to access the Remote system will have a hard job to get in.

Hi mcj,

RDP is actually fairly secure once the connection is established – the encryption is fairly good & secure and your data should not be sniffed. RDP suffered from an RC4 vulnerability back in 2002 but that was patched so unless you are using a very old, un-patched machine you should be fine (if that’s the case you got more to worry ‘bout than this!).

The safest way would be to set up a VPN connection of some sort then connect your RDP over that. Presumably the machine you are connecting to has 'full' internet connectivity (you are after all connecting to it from the net..) so you then have the added bonus of being able to use the remote machine for the ‘weaker’ protocols (POP etc) without fear of someone sniffing the local wifi network.

One issue to bear in mind is recent versions of Cain & Abel have the ability to carry out Man-In-The-Middle attacks on RDP. This is dependent on a successful ARP poisoning attack to have been carried out. That said if someone has successfully ARP’d you then SSH, HTTPS etc are also at risk!

Making sure you use a good VPN solution using certificates and verifying them on connection should protect you from these types of attacks.

All the best & good luck,
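
The answer above notes that a man-in-the-middle attack on RDP depends on successful ARP poisoning. As an added example (not part of the original answer), this Python code compares two snapshots of Windows `arp -a` output taken on the same hotspot and flags a gateway whose MAC address changed or a unicast MAC that answers for several IP addresses. The sample output, the addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed `arp -a` snapshots (Windows format) taken on the same hotspot.
BEFORE = """\
Interface: 192.168.1.23 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.40          00-aa-bb-cc-dd-ee     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""
# Second snapshot: the gateway entry now carries another host's MAC.
AFTER = BEFORE.replace("00-11-22-33-44-55", "00-aa-bb-cc-dd-ee")

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+\w+",
    re.M,
)

def parse_arp(text):
    """Return {ip: mac} for every entry line; header lines do not match."""
    return {ip: mac.lower() for ip, mac in ENTRY.findall(text)}

def is_group_mac(mac):
    """Broadcast/multicast MACs (low bit of first octet set) map many IPs legitimately."""
    return (int(mac[:2], 16) & 1) == 1

def arp_findings(before, after, gateway):
    """Compare two snapshots; report a changed gateway MAC and shared unicast MACs."""
    old, new = parse_arp(before), parse_arp(after)
    findings = []
    if gateway in old and gateway in new and old[gateway] != new[gateway]:
        findings.append(f"gateway {gateway} changed MAC {old[gateway]} -> {new[gateway]}")
    by_mac = defaultdict(list)
    for ip, mac in new.items():
        if not is_group_mac(mac):
            by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"{mac} answers for {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    for line in arp_findings(BEFORE, AFTER, "192.168.1.1"):
        print("WARNING:", line)
```

A shared MAC can also be legitimate (one device holding several addresses), so treat a finding as a reason to stop and use the certificate-verified VPN rather than as proof of an attack.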


Connected RDP (from patched - to - patched) is as secure as SSL in terms of packet sniffing. No problemo - seriously. Hotspots present pre-connection-to-secure packet visibility problems that are well documented above.

If you are really concerned then look at a gateway SSL VPN solution with 2-factor-auth connections. They can help to minimise a lot of the concerns raised above but are (a rapidly reducing) spend.

A missing laptop with through authentication via the 'net to WTS is a big scary thing.

If still requiring client-to-site VPN from untrusted networks then cert based VPNs are the best option - preferably with two-factor on the client VPN connection app.

Not sure if this helps...
RDP IS prone to MITM (man-in-the-middle) attacks

Reference - http://pauldotcom.com/oct-2005-oshean.pdf

Question has a verified solution.
