• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 722

Is remote desktop over the internet wise?

I would like to access my office Windows 2003 server from home. I can configure the router firewall to pass remote desktop requests through to the server. As far as I understand, remote desktop is always available to the administrator user, and the administrator user cannot be disabled. Therefore a potential hacker will know that he can log on to remote desktop as administrator. If I set a strong password, is this an undue security risk? (I.e. is it at all likely that a password such as "kl8&,;58kjuPB" could be broken?)

Or is anyone aware of any other potential security problems with remote desktop?
Asked: BOIT
2 Solutions
Tolomir (Administrator) commented:
You should change the port for a start:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

Be sure to check the decimal radio button when changing the port...

You should also consider renaming the Administrator and Guest accounts:
http://support.microsoft.com/kb/816109

Now apply a strong password and you have some good start!

Tolomir
CoccoBill commented:
The encryption and authentication in remote desktop aren't the strongest there are; at a minimum I'd configure it to use stronger encryption, but preferably I'd configure a VPN tunnel to your office server and remote desktop through that.

Change the session encryption level
By default, the encryption level for Terminal Services sessions is set to Client Compatible to provide the highest encryption level that is supported by the client. Other available settings are:
  • High - This setting provides bidirectional security by using a 128-bit cipher.
  • Low - This setting uses 56-bit encryption.
  • FIPS Compliant - All data is encrypted by using Federal Information Processing Standard 140-1 validated methods.
All levels use the standard RSA RC4 encryption.

To change the encryption level, follow these steps:
1. Click Start, point to All Programs, point to Administrative Tools, and then click Terminal Services Configuration.
2. In the left pane, click Connections.
3. In the right pane, right-click RDP-tcp, and then click Properties.
4. Click the General tab, click the encryption level that you want in the Encryption list, and then click OK.

PowerIT commented:
Currently there are only two known vulnerabilities for remote desktop on Server 2003 and XP: a hard to pull off man-in-the-middle attack (when over the internet) and a DDoS.
This means that a simple forward can be used when you are not in a high security environment (no earth-shaking secrets or severe downtime when the TS is down).
You can prevent the MITM attack by using TLS with RDP: http://technet2.microsoft.com/WindowsServer/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true
Or you could use a VPN of course.
Changing the port is security by obscurity. If someone wants to attack you, then it is no additional security at all.
BTW, Vista & Server 2008 are not vulnerable to these attacks.
A strong password policy is indeed a must!
I have implemented forwards of RDP in low security environments and never had one cracked. This is 10 years of RDP experience speaking ;-) So choose wisely depending on your environment and potential risks.

J.
Tolomir (Administrator) commented:
Changing a port is basically a way to keep scripts away from your server. Not for a user running nmap against your server.

On the Internet there is really no reason at all, to use standard ports allowing standard "hacking" tools to proceed.

Tolomir

Tolomir (Administrator) commented:
Whenever possible create a rule in your router to allow just incoming traffic for the RDP from your office IPs.
BOIT (Author) commented:
Tolomir,
Thank you for your input so far. How do I configure the remote desktop port for the client software (remote desktop) to use?
Tolomir (Administrator) commented:
See my 1st comment.

Open regedit then "climb down the tree"
CoccoBill commented:
Just add the port after the IP/hostname with a colon when connecting, such as "terminal.server.com:15000".
Tolomir (Administrator) commented:
Alright, save this to a file rdp.reg, double-click on it and you should have port 19999 listening:

<<<<cut here>>>>>

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00004e1f

<<<<cut here>>>>>
Tolomir (Administrator) commented:
After a restart, of course...

The portnumber is hexadecimal so don't wonder about the letters in it.

Use http://www.physics.udel.edu/~watson/scen103/binary-to-hex.html to get a different port (just keep it within the Registered Ports Range from 1024 - 65535)

Tolomir
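The two posts above (the .reg file and the hex explanation) can be checked with a small script. This is an added example, not code from the thread: it writes the same .reg text Tolomir posted for any chosen port, encodes the port as the 8-digit hex REG_DWORD that regedit expects, decodes it back for verification, and builds the host:port string CoccoBill describes for the client. The 1024-65535 range check follows the thread's advice; the key path is the one in the .reg above.

```python
import re

# Registry key from the thread (Windows Server 2003 RDP listener).
RDP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
DEFAULT_RDP_PORT = 3389


def port_to_dword(port: int) -> str:
    """Encode a port as the 'dword:XXXXXXXX' literal used in .reg files (hex, 8 digits)."""
    if not (1024 <= port <= 65535):      # range suggested in the thread
        raise ValueError(f"port {port} outside 1024-65535")
    if port == DEFAULT_RDP_PORT:         # moving to the default port changes nothing
        raise ValueError("3389 is the default RDP port; pick a different one")
    return f"dword:{port:08x}"


def dword_to_port(literal: str) -> int:
    """Decode 'dword:00004e1f' back to a decimal port (19999 in that case)."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", literal.strip())
    if not m:
        raise ValueError(f"not a REG_DWORD literal: {literal!r}")
    return int(m.group(1), 16)


def build_reg_file(port: int) -> str:
    """Return the text of a .reg file that moves the RDP listener to `port`.

    regedit accepts this ANSI/CRLF form; files it exports itself are UTF-16LE.
    """
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{RDP_KEY}]\r\n"
        f'"PortNumber"={port_to_dword(port)}\r\n'
    )


def port_from_reg_file(text: str) -> int:
    """Read the PortNumber value under the RDP-Tcp key out of .reg text (to verify before importing)."""
    in_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line == f"[{RDP_KEY}]"
        elif in_key and line.startswith('"PortNumber"='):
            return dword_to_port(line.split("=", 1)[1])
    raise ValueError("PortNumber not found under the RDP-Tcp key")


def client_target(host: str, port: int) -> str:
    """What to type into the Remote Desktop client: host:port unless the default port is used."""
    return host if port == DEFAULT_RDP_PORT else f"{host}:{port}"
```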
Tolomir (Administrator) commented:
@CoccoBill: oh yes misunderstood the question, you are right.
BOIT (Author) commented:
Okay,
What I have done is:-

1. Rename administrator and guest accounts
2. Reset server encryption level to High
3. Changed server port as instructed by Tolomir in first post
4. When connecting you have to add the (new) port to the ip address as suggested by Coccobill so when prompted for the machine to connect to I type 12.13.14.15:12345 instead of 12.13.14.15

I take the point raised by PowerIT that the port change is just obscurity, that someone scanning open ports will still see it, but why not make it that little bit harder!

Thank you all for your help, particularly the change of administrator name, it should be pretty difficult to hack now.