Solved

Is Remote Desktop secure for the clients network?

Posted on 2006-06-01
17
Medium Priority
808 Views
Last Modified: 2010-03-05
Hi All,


I want to use remote desktop from my work network to access my home network.

Before i ask work i want to know if there are any risks for them?


many thanks
D
0
Comment
Question by:detox1978
17 Comments
 
LVL 1

Expert Comment

by:fnbgppl
ID: 16809720
The biggest problem I can see is your work's security policy.  If they do not have a problem with this you might want to consider GoToMyPC.  They are currently offering a 30 day trial and it is built secure.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 16809821
Hello there,

You can also use logmein.com; there is a completely free version. It is secure and you don't have to open any ports. It's just a software VPN tunnel.

https://secure.logmein.com/go.asp?page=home

Hope this helps
0
 
LVL 2

Author Comment

by:detox1978
ID: 16810553
Thanks for the suggestions guys.  I will be using Remote Desktop.

My question is "what security issues are there to consider for my work's LAN?"


0
 
LVL 32

Expert Comment

by:jhance
ID: 16810856
No significant security issues.  The RDP protocol that Remote Desktop uses is encrypted and so it is relatively safe from prying eyes.  If you are really paranoid, you can run RDP over a VPN tunnel, which will double-encrypt everything, but I think that's overkill...
0
 
LVL 6

Expert Comment

by:LindyMoff
ID: 16810981
Just to back up other comments here, the main issues in tech news about RDP have been articles like the following:

RDP denial of service risk
http://techrepublic.com.com/5100-1009_11-5800439.html?tag=nl.e101

Protocol weaknesses
http://secunia.com/advisories/7118/

In general, the protocol is pretty safe.  I would be comfortable with using this connection without wrapping it in VPN or other such tunnels for most purposes.  Personally I tunnel everything over SSH for sheer convenience of port forwarding other services, but it's certainly not necessary.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16811058
RDP should not be accessible from the internet.

RDP has many published vulnerabilities.

Just create an IPsec policy for port 3389 on your Windows machine.

This way you can still use RDP and no one else can even try to break into your PC, since it is secured using IPsec.

It can be done easily and provides maximum security.

Here is the link. Please go through it.

http://www.securityfocus.com/infocus/1526
0
 
LVL 5

Expert Comment

by:kevinf40
ID: 16815931
Hi D

If your business does permit this connection, I would recommend using the higher encryption settings available for RDP - these can be configured under the connection properties via the Terminal Services Configuration window.

Are you using Windows 2000 or Windows 2003?

If you are using 2003 with an XP client you can use considerably more secure encryption settings (FIPS compliant) or even require certificates - but this option is probably overkill unless you already have a certificate server set up.

There are published man-in-the-middle attacks for RDP, but these are in reality non-trivial to pull off (this kind of attack is considerably easier within your office LAN than it is in the wild), but using the higher security options will help mitigate this risk.

As far as the risk to your office LAN is concerned this is relatively low as the connection is only going out; there is no need to allow proactive connections into your work network.  They are unlikely to be allowing RDP connections out by default though - certainly here we do not allow any desktops to connect out to the internet other than via the proxy servers (which additionally block access to most remote management sites among other things).

The main risks would be that you were connecting to untrusted machines - there is always the chance that if your home machines were hijacked or infected with trojans / keyloggers etc. that this would lead to the attacker gaining access to your work machine or work data once the connection to your home machine was initiated.

Many companies do not allow connections to any external remote management software for these reasons; indeed here it is against policy to do any work on non-corp-owned machines as their safety and configuration cannot be confirmed.

cheers

Kevin


0
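The settings kevinf40 recommends raising (encryption level, certificate-based server authentication) can be audited from PowerShell on Windows versions later than the ones discussed here. This is an added example, not code from the thread or from any poster; it assumes Windows Vista / Server 2008 or later, where the `root\cimv2\TerminalServices` WMI namespace and the `Win32_TSGeneralSetting` class exist, and an elevated session.

```powershell
# Added audit script (not from the thread): report whether the local RDP
# listener enforces the stronger settings discussed above.
# Assumption: Windows Vista / Server 2008 or later, elevated PowerShell.

$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                      -ClassName 'Win32_TSGeneralSetting' `
                      -Filter "TerminalName='RDP-Tcp'"

# Meaning of the numeric values exposed by Win32_TSGeneralSetting.
$encryptionLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$securityLayers   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'TLS' }

$level = [int]$ts.MinEncryptionLevel
$layer = [int]$ts.SecurityLayer

$findings = @()
if ($level -lt 3) {
    $findings += "MinEncryptionLevel is '$($encryptionLevels[$level])'; raise it to High or FIPS Compliant."
}
if ($layer -ne 2) {
    # Only the TLS layer authenticates the server to the client with a
    # certificate, which is what lets the client notice a man-in-the-middle.
    $findings += "SecurityLayer is '$($securityLayers[$layer])'; set it to TLS so the server is authenticated."
}
if ($ts.UserAuthenticationRequired -ne 1) {
    # NLA checks credentials before a full session is created, which limits
    # what an unauthenticated connection can reach.
    $findings += "Network Level Authentication is disabled; enable it."
}

if ($findings.Count -eq 0) {
    Write-Output "RDP-Tcp listener: encryption $($encryptionLevels[$level]), security layer $($securityLayers[$layer]), NLA on."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The same class exposes the `SetEncryptionLevel`, `SetSecurityLayer` and `SetUserAuthenticationRequired` methods for applying the change once the findings have been reviewed.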
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 2000 total points
ID: 16817429
RDP is as safe as anything else for the most part. The only attacks I know of are man-in-the-middle (and this also applies to ssh/ipsec/other tunnels), and the fact that the local admin account of your box cannot be locked out. However, in M$ 2003, and XP Pro, 9 failed connections (regardless of account) will effectively lock out the computer trying to connect, unless the netbios name of that PC and SID are changed. RD logs the failed attempts from "netbios_name" and regardless of local or global policy, will lock out that netbios name for 1 hour. The local account it's actually locked, you can try from another PC and see that if the pass is correct, you can log in just fine. This was the case when SP2 for XP was just released, and before the SP1 for 2003 was released.

www.oxid.it/downloads/rdp-gbu.pdf This is possible for someone in your office network to do to you.

Connecting TO your home machine FROM work, there isn't much of a risk of your home PC "attacking" your office. However there are far more risks connecting TO work FROM home. When going to home, from work, you're taking over the home machine, and it cannot route traffic back to your work over that connection, unless it was VPN'ing into your work LAN. From home, connecting to work over VPN, your PC has more access to your work network, but if you were connecting to work without a VPN (like using a publicly accessible server) and connecting into the LAN, there are no viri that propagate over a RD connection, and you're only remote-controlling the PC at work, so unless you run a virus on the PC you're remote-controlling, or execute some other malware on that work PC, you're safe as far as we know.

In summary, RDP since win2k sp4 is by default 56-bit encrypted RC4 stream cipher, very secure by even today's standards, but you can up that to 128, or even add a tunnel to the mix for the extra paranoid, and safely remote-control a PC at home. The only access the PC at home will have to your work network is the clipboard... so unless you yourself copy and paste a file from home to work and run it, you're good to go, unless as mentioned your company policy prohibits the actions.
-rich
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16817631
Correction:
"The local account it's actually locked"
should have read
"the local account ISN'T actually locked..."

Also here are the policies on the RD/TS local admin account lock-out
http://technet2.microsoft.com/WindowsServer/en/Library/6d1cf160-25c8-4b0f-90b5-428bf5c24eae1033.mspx
-rich
0
 
LVL 2

Expert Comment

by:tonyjester
ID: 16831428
You can use RDP, but I would wrap it in a VPN.  Several of these are readily available (and free) and many will work from the company network.

Take a look at Hamachi....you can run a private LAN between your home and work PC, should your company let you install the software.

Tony
0
 
LVL 2

Author Comment

by:detox1978
ID: 16831450
thanks for the feedback, lots of things to think about.


The reason I asked this question is I have just changed companies and my new company's IT policy doesn't allow remote desktop to unsecure networks (i.e. my home LAN).  I personally don't understand why it is a security risk, and wanted to know what other people thought.


My argument is, when I work from home, which is twice a week, I am connected to my home LAN.  So in my opinion there is no greater risk by allowing RDP outbound from my work LAN.


Moreover, as far as I'm aware RDP uses RPC to send commands to the client and receives only KVM back to the host - so this, combined with the fact only the outbound port is open, should mean the host LAN is secure.  I can only guess my company are paranoid that RDP will become exploited and leave them vulnerable.  - is this a reasonable concern?


0
 
LVL 2

Expert Comment

by:tonyjester
ID: 16831795
Yes, they are actually trying to protect you and potential computers you are connecting to.

RDP is highly susceptible to man-in-the-middle attacks and there are several free programs that can show you the keyboard entries you make over RDP.

Passwords....credit card details....

These attacks are relatively difficult to effect but do happen.

If you can get a VPN to home working then the RDP is encrypted within the VPN and therefore secure.

Tony
0
 
LVL 2

Author Comment

by:detox1978
ID: 16831829
I'm not concerned about my home network being compromised.  My only concern is my work's network, and the implications allowing me RDP has.


I'm not going to use a VPN as if that got compromised it would expose my work's PC.

0
 
LVL 2

Expert Comment

by:tonyjester
ID: 16831838
Ok, point taken.

Then is your work blocking RDP via port 3389?

If so, you can change the port that Windows Terminal Services uses at both ends to get through the firewall.

Tony
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 2000 total points
ID: 16832256
The exposure is limited, and as you said, only KVM are being used in either situation. Typically employers discourage RD/TS or VNC'ing to an "untrusted/unsecured" network, because there should be no business need for you to do that. There is a business need for you to be able to work from home and get into work's LAN... but there is no need for you to access home from work (typically). There is no glaring security or compromise situation, but rather your current company is trying to mitigate risks, not only from a security perspective, but also from a liability perspective. They can't trust that you're connecting to home from work for legit purposes; you could be surfing porn, gambling on-line, bypassing their proxy settings by doing so. It's really more likely a trust issue than a security/exploit one.
-rich
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 16843317
If you are the only user who is going to use remote desktop to get in....then I wouldn't worry too much about password policies/hackers...But do make sure your home computer that will be accessing it is clean and free of any kind of viruses/keyloggers, and has adequate protection.

I personally would use Hamachi.cc and remote desktop using the Hamachi IP.  This would allow you to leave port 3389 on the work router closed...keeping you safe from dictionary attacking or account enumeration.  You would be the only one with access to the remote desktop from the outside in this scenario.

tonyjester is the expert I would agree with in your situation.

Now if you decide down the road that you need all sorts of users to have remote access and now you need a static map for port 3389 to some server for them......then I would definitely implement a password policy and other group policies.

0
 
LVL 2

Author Comment

by:detox1978
ID: 16859735
Thanks for all the feedback.

My company originally said I couldn't use RDP to connect to my home network because of the security risks to them, which was why I posted the question here.  They now say that it's 'really' because they can't control what I 'access / do' on my home network. - which is a fair point.


I guess it's more of a legal issue than a technical one.



thanks again.
0
