BOIT asked:
Is remote desktop over the internet wise?

I would like to access my office Windows 2003 server from home. I can configure the router firewall to pass remote desktop requests through to the server. As far as I understand, remote desktop is always available to the administrator user and the administrator user cannot be disabled. Therefore a potential hacker will know that he can log on to remote desktop as administrator. If I set a strong password, is this an undue security risk? (I.e. is it at all likely that a password such as "kl8&,;58kjuPB" could be broken?)

Or is anyone aware of any other potential security problems with remote desktop?
ASKER CERTIFIED SOLUTION
Tolomir

SOLUTION
Currently there are only two known vulnerabilities for remote desktop on Server 2003 and XP: a hard to pull off man in the middle attack (when over the internet) and a DDOS.
This means that a simple forward can be used when you are not in a high security environment (no earth shaking secrets or severe downtime when the TS is down).
You can prevent the MITM attack by using TLS with RDP: http://technet2.microsoft.com/WindowsServer/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true
Or you could use a VPN of course.
Changing the port is security by obscurity. If someone wants to attack you, then it is no additional security at all.
BTW, Vista & Server 2008 are not vulnerable to these attacks.
A strong password policy is indeed a must!
I have implemented forwards for RDP in low security environments and never had one cracked. This is 10 years of RDP experience speaking ;-) So choose wisely depending on your environment and potential risks.

J.
Changing a port is basically a way to keep scripts away from your server. Not for a user running nmap against your server.

On the Internet there is really no reason at all to use standard ports, allowing standard "hacking" tools to proceed.

Tolomir

Whenever possible create a rule in your router to allow just incoming traffic for the RDP from your office IPs.
BOIT (asker):
Tolomir,
Thank you for your input so far. How do I configure the remote desktop port for the client software (remote desktop) to use?
See my 1st comment.

Open regedit then "climb down the tree"
Just add the port after the IP/hostname with a colon when connecting, such as "terminal.server.com:15000".
Alright, save this to a file rdp.reg - double-click on it and you should have port 19999 listening

<<<<cut here>>>>>

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00004e1f

<<<<cut here>>>>>
after a restart, of course...

The portnumber is hexadecimal so don't wonder about the letters in it.

Use http://www.physics.udel.edu/~watson/scen103/binary-to-hex.html to get a different port (just keep it within the Registered Ports Range from 1024 - 65535)

Tolomir
@CoccoBill: oh yes misunderstood the question, you are right.
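An added helper, written for this page and not posted by anyone in the thread, that generates the same kind of .reg file Tolomir shows for any chosen port (doing the decimal-to-hex DWORD encoding the converter link is used for), reads a .reg file back to confirm which decimal port it would set, and builds the host:port string CoccoBill describes for the client. Function names and the 1024-65535 range check are my own assumptions, following the thread's advice.

```python
import re

# Registry key and value name from Tolomir's .reg file in the thread.
RDP_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
           r"\Terminal Server\WinStations\RDP-Tcp")
DEFAULT_RDP_PORT = 3389  # the well-known port the change is meant to move away from


def is_valid_rdp_port(port: int) -> bool:
    """Accept only ports in 1024-65535 (the range named in the thread)
    and refuse 3389, since leaving the default changes nothing."""
    return 1024 <= port <= 65535 and port != DEFAULT_RDP_PORT


def make_rdp_port_reg(port: int) -> str:
    """Return the text of a .reg file that moves the RDP listener to `port`.

    PortNumber is a REG_DWORD; .reg files write it as 8 hex digits,
    so 19999 becomes dword:00004e1f (the value in Tolomir's post).
    The change takes effect after a restart, as the thread notes.
    """
    if not is_valid_rdp_port(port):
        raise ValueError(f"port {port} not allowed (1024-65535, not 3389)")
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{RDP_KEY}]\r\n"
        f'"PortNumber"=dword:{port:08x}\r\n'
    )


def read_rdp_port_reg(text: str) -> int:
    """Parse a .reg file and return the decimal port it would set,
    so the hex value can be checked before it is imported."""
    m = re.search(r'"PortNumber"=dword:([0-9a-fA-F]{8})', text)
    if m is None:
        raise ValueError("no PortNumber value found in .reg text")
    return int(m.group(1), 16)


def client_target(host: str, port: int) -> str:
    """Address to type into the Remote Desktop client once the port
    is changed, e.g. terminal.server.com:15000 (CoccoBill's format)."""
    return f"{host}:{port}"
```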
BOIT (asker):
What I have done is:-

1. Rename administrator and guest accounts
2. Reset server encryption level to High
3. Changed server port as instructed by Tolomir in first post
4. When connecting you have to add the (new) port to the ip address as suggested by Coccobill so when prompted for the machine to connect to I type 12.13.14.15:12345 instead of 12.13.14.15

I take the point raised by PowerIT that the port change is just obscurity, that someone scanning open ports will still see it, but why not make it that little bit harder!

Thank you all for your help, particularly the change of administrator name, it should be pretty difficult to hack now.