Solved

How safe is RDP?

Posted on 2010-08-13
10
961 Views
Last Modified: 2013-12-04
Are RDP connections (Remote Desktop) encrypted by default in any way?

To connect to a terminal server from home I usually install a VPN connection for my customers, but sometimes it would be great just to open port 3389 in the firewall and go right there.

But is the traffic encrypted in any way, or are passwords etc. sent in clear text then?

The point is to be able to log in from anywhere without having to install some expensive software or similar.
Or what are your suggestions?
0
Comment
Question by:Martin_Radbo
10 Comments
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 125 total points
ID: 33427613
RDP is encrypted.  How good that encryption is is debatable.  

The more holes and methods of access to your network, the weaker your security.  I don't know what you use for VPN - I use Microsoft's Routing and Remote Access VPN server.  The client is built in for virtually all Windows clients so setting up a VPN connection is neither time consuming nor difficult nor expensive.  And I only need to open one port on my network for remote access.
0
 
LVL 11

Assisted Solution

by:Coast-IT
Coast-IT earned 125 total points
ID: 33427634
A good previous answer about the exact same subject is here, explaining how to turn up security etc.

http://www.experts-exchange.com/Security/Operating_Systems_Security/Windows/Q_21410301.html
0
 
LVL 17

Expert Comment

by:sgsm81
ID: 33427859
VPN all the way - we use a SonicWall SSL-VPN 2000 box also as this provides an easy solution to remote use of the system and has lots of useful functions to boot.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 125 total points
ID: 33427991
If your Windows TS is 2003 or better, you can enable and require SSL on the RDP session - same port, but encrypted with the same technology HTTPS websites use.
0
 

Author Comment

by:Martin_Radbo
ID: 33428076
"If your Windows TS is 2003 or better, you can enable and require SSL on the RDP session - same port, but encrypted with the same technology HTTPS websites use."

It is win server 2008 (and sometimes 2003) so that sounds great.

Where exactly do I configure that? And what is the need at the client side to get it to work? Latest version (7.0) of RDP client?
0
 
LVL 5

Expert Comment

by:sosinc3
ID: 33428077
If you decide to open the port direct, don't do it on port 3389 as that is a commonly known one. Use some obscure port and change the server to listen on that port. Very easy to do, but I must agree with all those who have already said: run all your traffic across your VPN whenever you can.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 33430041
0
 
LVL 31

Assisted Solution

by:Cláudio Rodrigues
Cláudio Rodrigues earned 125 total points
ID: 33430169
Well my take on this is this. RDP is encrypted and without using certificates, all the way to 128-bit.
The main concern people usually have with RDP is MITM attacks.
In 15 years working exclusively deploying TS/RDS/Citrix for customers worldwide I have yet to see one single case where RDP was hacked when exposed to the internet on port 3389 (of course if you use blank passwords even a VPN will not matter).
So how much should you do really depends how paranoid you are. It is up to you to decide.
As mentioned, you can indeed enable certificates for the RDP connection to prevent the MITM attack and even change the RDP port. As you are on 2008 you can even set up RDS Gateway, which will give you only port 443 access to the TSs. Very secure.
Again, up to you.

Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP
0
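The settings mentioned in the answers above (requiring SSL, the 128-bit encryption level, the listening port) are stored as values on the RDP-Tcp listener. The following audit is an added example, not code from any poster in this thread; the function name `Test-RdpListenerSettings`, the sample object and the pass/fail thresholds are assumptions of the example.

```powershell
# Added example: audit the RDP listener settings discussed in this thread.
# SecurityLayer, MinEncryptionLevel and PortNumber are the standard RDP-Tcp
# listener registry values; the thresholds below are this example's assumptions.
function Test-RdpListenerSettings {
    param([Parameter(Mandatory)] $Settings)   # object exposing the three values

    $layers = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
    $levels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
    $findings = @()

    # SecurityLayer = 2 requires SSL/TLS, so the client can validate the
    # server certificate (the MITM defence mentioned in the thread).
    $layer = $Settings.SecurityLayer
    $layerName = if ($null -eq $layer) { 'not set' } else { $layers[[int]$layer] }
    if ($null -eq $layer -or [int]$layer -ne 2) {
        $findings += "SecurityLayer is '$layerName': SSL is not required"
    }

    # MinEncryptionLevel = 3 (High) enforces 128-bit encryption;
    # lower levels let clients with weaker ciphers connect.
    $level = $Settings.MinEncryptionLevel
    $levelName = if ($null -eq $level) { 'not set' } else { $levels[[int]$level] }
    if ($null -eq $level -or [int]$level -lt 3) {
        $findings += "MinEncryptionLevel is '$levelName': 128-bit is not enforced"
    }

    # Informational only: the thread suggests moving off the well-known port.
    if ([int]$Settings.PortNumber -eq 3389) {
        $findings += 'Info: listener uses the default port 3389'
    }
    $findings
}

# Constructed sample: a listener that negotiates security and allows weaker clients.
$sample = [pscustomobject]@{ SecurityLayer = 1; MinEncryptionLevel = 2; PortNumber = 3389 }
Test-RdpListenerSettings $sample

# On a terminal server, audit the live listener instead of the sample.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if (Test-Path $key) { Test-RdpListenerSettings (Get-ItemProperty -Path $key) }
```

Settings applied through Group Policy are stored under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` and take precedence over the listener values read here.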
 

Author Comment

by:Martin_Radbo
ID: 33430403
I'm really NOT paranoid, that's the whole point. I think you must choose the level of security depending on how threatened you are (i.e., stronger encryption for the White House compared to the little single-person company selling bread...).

But it is nice to know that there indeed is at least some (and for me enough) encryption with standard RDP. Customers sometimes ask me and I think they will be pleased with this info.

And also, if possible, I do it with a VPN tunnel, it also gives me the opportunity to be able to ping the whole remote LAN from my PC which is very useful in many ways.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 33431026
Certificates are good against MitM, but on the whole it's just that RDP crypto security isn't well documented, so hard to get past a security review - when everyone knows how to validate SSL.
0
