Is Remote Desktop secure for the client's network?

Hi All,


I want to use remote desktop from my work network to access my home network.

Before I ask work, I want to know if there are any risks for them?


Many thanks
D
detox1978 Asked:

fnbgppl Commented:
The biggest problem I can see is your work's security policy.  If they do not have a problem with this you might want to consider gotomypc.  They are currently offering a 30 day trial and it is built secure.
Will Szymkowski (Senior Solution Architect) Commented:
Hello there,

You can also use logmein.com; there is a completely free version. It is secure and you don't have to open any ports. It's just a software VPN tunnel.

https://secure.logmein.com/go.asp?page=home

Hope this helps
detox1978 (Author) Commented:
Thanks for the suggestions guys.  I will be using Remote Desktop.

My question is "what security issues are there to consider for my work's LAN"



jhance Commented:
No significant security issues.  The RDP protocol that Remote Desktop uses is encrypted and so it is relatively safe from prying eyes.  If you are really paranoid, you can run RDP over a VPN tunnel which will double-encrypt everything but I think that's overkill...
LindyMoff Commented:
Just to back up other comments here, the main issues in tech news about RDP have been articles like the following:

RDP denial of service risk
http://techrepublic.com.com/5100-1009_11-5800439.html?tag=nl.e101

Protocol weaknesses
http://secunia.com/advisories/7118/

In general, the protocol is pretty safe.  I would be comfortable with using this connection without wrapping it in VPN or other such tunnels for most purposes.  Personally I tunnel everything over SSH for sheer convenience of port forwarding other services, but it's certainly not necessary.
prashsax Commented:
RDP should not be accessible from the internet.

RDP has many published vulnerabilities.

Just create an IPsec policy for port 3389 on your Windows machine.

This way you can still use RDP and no one else can even try to break into your PC, since it is secured using IPsec.

It can be done easily and provides maximum security.

Here is the link. Please go through it.

http://www.securityfocus.com/infocus/1526
kevinf40 Commented:
Hi D

If your business does permit this connection, I would recommend using the higher encryption settings available for RDP - these can be configured under the connection properties via the terminal services configuration window.

Are you using windows 2000 or windows 2003?

If you are using 2003 with an XP client you can use considerably more secure encryption settings (FIPS compliant) or even require certificates - but this option is probably overkill unless you already have a certificate server set up.

There are published man-in-the-middle attacks for RDP, but these are in reality non-trivial to pull off (this kind of attack is considerably easier within your office LAN than it is in the wild), but using the higher security options will help mitigate this risk.

As far as the risk to your office LAN is concerned this is relatively low as the connection is only going out; there is no need to allow proactive connections into your work network.  They are unlikely to be allowing RDP connections out by default though - certainly here we do not allow any desktops to connect out to the internet other than via the proxy servers (which additionally block access to most remote management sites among other things).

The main risks would be that you were connecting to un-trusted machines - there is always the chance that if your home machines were hijacked or infected with trojans / key loggers etc that this would lead to the attacker gaining access to your work machine or work data once the connection to your home machine was initiated.

Many companies do not allow connections to any external remote management software for these reasons, indeed here it is against policy to do any work on non corp owned machines as their safety and configuration cannot be confirmed.

cheers

Kevin


Rich Rumble (Security Samurai) Commented:
RDP is as safe as anything else for the most part. The only attacks I know of are man-in-the-middle (and this also applies to ssh/ipsec/other tunnels), and the fact that the local admin account of your box cannot be locked out. However, in M$ 2003, and XP Pro, 9 failed connections (regardless of account) will effectively lock out the computer trying to connect, unless the netbios name of that PC and SID are changed. RD logs the failed attempts from "netbios_name" and regardless of local or global policy, will lock out that netbios name for 1 hour. The local account it's actually locked, you can try from another PC and see that if the pass is correct, you can log in just fine. This was the case when SP2 for XP was just released, and before the SP1 for 2003 was released.

www.oxid.it/downloads/rdp-gbu.pdf This is possible for someone in your office network to do to you.

Connecting TO your home machine FROM work, there isn't much of a risk of your home PC "attacking" your office. However there are far more risks connecting TO work FROM home. When going to home, from work, you're taking over the home machine, and it cannot route traffic back to your work over that connection, unless it was VPN'ing into your work LAN. From home, connecting to work, over VPN your PC has more access to your work network, but if you were connecting to work without a VPN (like using a publicly accessible server) and connecting into the LAN, there are no viruses that propagate over a RD connection, and you're only remote-controlling the PC at work, so unless you run a virus on the PC you're remote-controlling, or execute some other malware on that work PC, you're safe as far as we know.

In summary, RDP since win2k sp4 is by default 56-bit encrypted RC4 stream cipher, very secure by even today's standards, but you can up that to 128, or even add a tunnel to the mix for the extra paranoid, and safely remote-control a PC at home. The only access the PC at home will have to your work network is the clipboard... so unless you yourself copy and paste a file from home to work and run it, you're good to go, unless as mentioned your company policy prohibits the actions.
-rich

Rich Rumble (Security Samurai) Commented:
Correction:
The local account it's actually locked
should have read
the local account ISN'T actually locked...

Also here are the policies on the RD/TS local admin account lock-out
http://technet2.microsoft.com/WindowsServer/en/Library/6d1cf160-25c8-4b0f-90b5-428bf5c24eae1033.mspx
-rich
tonyjester Commented:
You can use RDP, but I would wrap it in a VPN.  Several of these are readily available (and free) and many will work from the company network.

Take a look at Hamachi....you can run a private LAN between your home and work PC, should your company let you install the software.

Tony
detox1978 (Author) Commented:
Thanks for the feedback, lots of things to think about.


The reason I asked this question is I have just changed companies and my new company's IT policy doesn't allow remote desktop to unsecure networks (i.e. my home LAN).  I personally don't understand why it is a security risk, and wanted to know what other people thought.


My argument is, when I work from home, which is twice a week, I am connected to my home LAN.  So in my opinion there is no greater risk by allowing RDP outbound from my work LAN.


Moreover, as far as I'm aware RDP uses RPC to send commands to client and receives only KVM back to the host - so this combined with the fact only the outbound port is open - should mean the host LAN is secure.  I can only guess my company are paranoid that RDP will become exploited and leave them vulnerable.  - is this a reasonable concern?


tonyjester Commented:
Yes, they are actually trying to protect you and potential computers you are connecting to.

RDP is highly susceptible to man-in-the-middle attacks and there are several free programs that can show you the keyboard entries you make over RDP.

Passwords....credit card details....

These attacks are relatively difficult to effect but do happen.

If you can get a VPN to home working then the RDP is encrypted within the VPN and therefore secure.

Tony
detox1978 (Author) Commented:
I'm not concerned about my home network being compromised.  My only concern is my work's network, and the implications allowing me RDP has.


I'm not going to use a VPN as if that got compromised it would expose my work's PC.

tonyjester Commented:
Ok, point taken.

Then is your work blocking RDP via the port 3389?

If so, you can change the port that Windows Terminal Services uses at both ends to get through the firewall.

Tony
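
From the work network's side of the exchange above, filtering on port 3389 alone does not identify RDP once the listening port has been moved, so a firewall or monitor has to recognise the protocol from its first packet. The following is an added example, not part of the original thread: it parses the TPKT/X.224 Connection Request that opens an RDP session and reports which security protocols the client asks for (field layout per MS-RDPBCGR); the function names and sample bytes are constructed for illustration.

```python
import struct

# requestedProtocols bits of the RDP Negotiation Request (MS-RDPBCGR).
PROTOCOLS = {0x1: "TLS", 0x2: "CredSSP", 0x4: "RDSTLS", 0x8: "CredSSP-EX"}
LEGACY = ["standard RDP security"]  # no negotiation request, or no bits set

def parse_rdp_connection_request(payload: bytes):
    """Describe an RDP X.224 Connection Request; None if payload is not one."""
    if len(payload) < 11:
        return None
    version, _reserved, tpkt_len = struct.unpack(">BBH", payload[:4])
    if version != 3 or not 11 <= tpkt_len <= len(payload):
        return None
    # LI counts the X.224 bytes after itself; a CR TPDU has 0xE in the high nibble.
    if payload[4] != tpkt_len - 5 or payload[5] & 0xF0 != 0xE0:
        return None
    variable, cookie = payload[11:tpkt_len], None
    if variable.startswith(b"Cookie: "):          # optional routing cookie line
        end = variable.find(b"\r\n")
        if end == -1:
            return None
        cookie = variable[:end].decode("ascii", "replace")
        variable = variable[end + 2:]
    requested = LEGACY
    if len(variable) >= 8 and variable[0] == 0x01:  # RDP_NEG_REQ, always 8 bytes
        _type, _flags, neg_len, bits = struct.unpack("<BBHI", variable[:8])
        if neg_len != 8:
            return None
        requested = [n for b, n in PROTOCOLS.items() if bits & b] or LEGACY
    return {"cookie": cookie, "requested": requested}

def rdp_flows(flows):
    """flows: (dst_port, first client payload) pairs. Keep the RDP ones, any port."""
    parsed = ((port, parse_rdp_connection_request(data)) for port, data in flows)
    return [(port, info["requested"]) for port, info in parsed if info]

def build_sample(variable: bytes) -> bytes:
    """Build a constructed Connection Request (demo input, not captured traffic)."""
    x224 = bytes([6 + len(variable), 0xE0, 0, 0, 0, 0, 0]) + variable
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

SAMPLES = [
    (3389, build_sample(struct.pack("<BBHI", 1, 0, 8, 0x3))),  # TLS + CredSSP
    (443, build_sample(b"Cookie: mstshash=demo\r\n")),         # legacy client, other port
    (443, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),    # ordinary web request
]

if __name__ == "__main__":
    print(rdp_flows(SAMPLES))
```

A client that sends no negotiation request is limited to the protocol's original built-in encryption, which is the mode the man-in-the-middle discussion in this thread concerns.
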
Rich Rumble (Security Samurai) Commented:
The exposure is limited, and as you said, only KVM are being used in either situation. Typically employers discourage RD/TS or VNC'ing to an "untrusted/unsecured" network, because there should be no business need for you to do that. There is a business need for you to be able to work from home and get into work's LAN... but there is no need for you to access home from work (typically). There is no glaring security or compromise situation, but rather your current company is trying to mitigate risks, not only from a security perspective, but also from a liability perspective. They can't trust that you're connecting to home from work for legit purposes; you could be surfing porn, gambling on-line, bypassing their proxy settings by doing so. It's really more likely a trust issue than a security/exploit one.
-rich
Ron Malmstead (Information Services Manager) Commented:
If you are the only user who is going to use remote desktop to get in....then I wouldn't worry too much about password policies/hackers...But do make sure your home computer that will be accessing it is clean and free of any kind of viruses/keyloggers, and has adequate protection.

I personally would use Hamachi.cc and remote desktop using the hamachi IP.  This would allow you to leave port 3389 on the work router closed...keeping you safe from dictionary attacking or account enumeration.  You would be the only one with access to the remote desktop from the outside in this scenario.

tonyjester is the expert I would agree with in your situation.

Now if you decide down the road that you need all sorts of users to have remote access and now you need a static map for port 3389 to some server for them......then I would definitely implement a password policy and other group policies.

detox1978 (Author) Commented:
Thanks for all the feedback.

My company originally said I couldn't use RDP to connect to my home network because of the security risks to them, which was why I posted the question here.  They now say that it's 'really' because they can't control what I 'access / do' on my home network. - which is a fair point.


I guess it's more of a legal issue than a technical one.



thanks again.