Solved

How safe is RDP?

Posted on 2010-08-13
10
979 Views
Last Modified: 2013-12-04
Is RDP-connections (Remote desktop) by default encrypted in any way?

To connect to a terminal server from home I use to install a VPN connection for my customers, but sometimes it would be great just to open port 3389 in the firewall and go right there.

But is the traffic encrypted in any way, or is password e.t.c. sent in clear text then?

The point is to be able to log in from anywhere without having to install some expensive software or similar.
Or what is your suggestions?
0
Comment
Question by:Martin_Radbo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 96

Accepted Solution

by:
Lee W, MVP earned 125 total points
ID: 33427613
RDP is encrypted.  How good that encryption is is debatable.  

The more holes and methods of access to your network, the weaker your security.  I don't know what you use for VPN - I use Microsoft's Routing and Remote Access VPN server.  The client is built in for virtually all Windows clients so setting up a VPN connection is neither time consuming nor difficult nor expensive.  And I only need to open one port on my network for remote access.
0
 
LVL 11

Assisted Solution

by:Coast-IT
Coast-IT earned 125 total points
ID: 33427634
A good previous answer about the exact same subject is here explaining to to turn up security etc.

http://www.experts-exchange.com/Security/Operating_Systems_Security/Windows/Q_21410301.html
0
 
LVL 17

Expert Comment

by:sgsm81
ID: 33427859
VPN all the way - we use a SonicWall SSL-VPN 2000 box also as this provides an easy solution to remote use of the system and has lots of useful functions to boot.
0
Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 125 total points
ID: 33427991
IF your windows TS is 2003 or better, you can enable and require SSL on the rdp session - same port, but encrypted with the same technology https websites use.
0
 

Author Comment

by:Martin_Radbo
ID: 33428076
"IF your windows TS is 2003 or better, you can enable and require SSL on the rdp session - same port, but encrypted with the same technology https websites use."

It is win server 2008 (and sometimes 2003) so that sounds great.

Where exactly do I configure that? And what is the need at the client side to get it to work? Latest version (7.0) of RDP client?
0
 
LVL 5

Expert Comment

by:sosinc3
ID: 33428077
If you decide to open the port direct, don't do it on port 3389 as that is a commonly known one. Use some obsucre port and change the server to listen on that port. Very easy to do but I must agree with all those who have already said, run all your traffic across your VPN whenever you can.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 33430041
0
 
LVL 31

Assisted Solution

by:Cláudio Rodrigues
Cláudio Rodrigues earned 125 total points
ID: 33430169
Well my take on this is this. RDP is encrypted and without using certificates, all the way to 128-bit.
The main concern people usually have with RDP is MITM attacks.
In 15 years working exclusively deploying TS/RDS/Citrix for customers worldwide I am still to see one single case where RDP was hacked when exposed to the internet on port 3389 (of course if you use blank passwords even a VPN will not matter).
So how much should you do really depends how paranoid you are. It is up to you to decide.
As mentioned you can indeed enable certificates for the RDP connection to prevent the MITM attack and even change the RDP port. As you are on 2008 you can even setup RDS Gateway what will give you only port 443 access to the TSs. Very secure.
Again, up to you.

Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP
0
 

Author Comment

by:Martin_Radbo
ID: 33430403
I'm really NOT paranoid, that's the whole point. I think you must choose the level of security depending on how threatened you are (i.e, stronger excryption for the White house compared to the little single-person-company selling bread....

But it is nice to know that there indeed are at lest some (and for me enough) encryption with standard RDP. Customers sometimes ask me and I think they will be pleased with this info.

And also, if possible, I do it with a VPN tunnel, it also gives me the opportunity to be able to ping the whole remote LAN from my PC which is very useful in many ways.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 33431026
Certificates are good against MitM, but on the whole its just that RDP crypto security isn't well documented, so hard to get past a security review - when everyone knows how to validate SSL.
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Know what services you can and cannot, should and should not combine on your server.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question