How safe is RDP?

Is RDP-connections (Remote desktop) by default encrypted in any way?

To connect to a terminal server from home I use to install a VPN connection for my customers, but sometimes it would be great just to open port 3389 in the firewall and go right there.

But is the traffic encrypted in any way, or is password e.t.c. sent in clear text then?

The point is to be able to log in from anywhere without having to install some expensive software or similar.
Or what is your suggestions?
Martin_RadboAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Lee W, MVPTechnology and Business Process AdvisorCommented:
RDP is encrypted.  How good that encryption is is debatable.  

The more holes and methods of access to your network, the weaker your security.  I don't know what you use for VPN - I use Microsoft's Routing and Remote Access VPN server.  The client is built in for virtually all Windows clients so setting up a VPN connection is neither time consuming nor difficult nor expensive.  And I only need to open one port on my network for remote access.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Coast-ITCommented:
A good previous answer about the exact same subject is here explaining to to turn up security etc.

http://www.experts-exchange.com/Security/Operating_Systems_Security/Windows/Q_21410301.html
0
SteveIT ManagerCommented:
VPN all the way - we use a SonicWall SSL-VPN 2000 box also as this provides an easy solution to remote use of the system and has lots of useful functions to boot.
0
INTRODUCING: WatchGuard's New MFA Solution

WatchGuard is proud to announce the launch of AuthPoint, a powerful, yet simple, Cloud-based MFA service designed to eliminate the vulnerabilities that put your data, systems, and users at risk.

Dave HoweSoftware and Hardware EngineerCommented:
IF your windows TS is 2003 or better, you can enable and require SSL on the rdp session - same port, but encrypted with the same technology https websites use.
0
Martin_RadboAuthor Commented:
"IF your windows TS is 2003 or better, you can enable and require SSL on the rdp session - same port, but encrypted with the same technology https websites use."

It is win server 2008 (and sometimes 2003) so that sounds great.

Where exactly do I configure that? And what is the need at the client side to get it to work? Latest version (7.0) of RDP client?
0
sosinc3Commented:
If you decide to open the port direct, don't do it on port 3389 as that is a commonly known one. Use some obsucre port and change the server to listen on that port. Very easy to do but I must agree with all those who have already said, run all your traffic across your VPN whenever you can.
0
Dave HoweSoftware and Hardware EngineerCommented:
0
Cláudio RodriguesFounder and CEOCommented:
Well my take on this is this. RDP is encrypted and without using certificates, all the way to 128-bit.
The main concern people usually have with RDP is MITM attacks.
In 15 years working exclusively deploying TS/RDS/Citrix for customers worldwide I am still to see one single case where RDP was hacked when exposed to the internet on port 3389 (of course if you use blank passwords even a VPN will not matter).
So how much should you do really depends how paranoid you are. It is up to you to decide.
As mentioned you can indeed enable certificates for the RDP connection to prevent the MITM attack and even change the RDP port. As you are on 2008 you can even setup RDS Gateway what will give you only port 443 access to the TSs. Very secure.
Again, up to you.

Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP
0
Martin_RadboAuthor Commented:
I'm really NOT paranoid, that's the whole point. I think you must choose the level of security depending on how threatened you are (i.e, stronger excryption for the White house compared to the little single-person-company selling bread....

But it is nice to know that there indeed are at lest some (and for me enough) encryption with standard RDP. Customers sometimes ask me and I think they will be pleased with this info.

And also, if possible, I do it with a VPN tunnel, it also gives me the opportunity to be able to ping the whole remote LAN from my PC which is very useful in many ways.
0
Dave HoweSoftware and Hardware EngineerCommented:
Certificates are good against MitM, but on the whole its just that RDP crypto security isn't well documented, so hard to get past a security review - when everyone knows how to validate SSL.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.