Solved

How safe is RDP?

Posted on 2010-08-13
10
971 Views
Last Modified: 2013-12-04
Is RDP-connections (Remote desktop) by default encrypted in any way?

To connect to a terminal server from home I use to install a VPN connection for my customers, but sometimes it would be great just to open port 3389 in the firewall and go right there.

But is the traffic encrypted in any way, or is password e.t.c. sent in clear text then?

The point is to be able to log in from anywhere without having to install some expensive software or similar.
Or what is your suggestions?
0
Comment
Question by:Martin_Radbo
10 Comments
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 125 total points
ID: 33427613
RDP is encrypted.  How good that encryption is is debatable.  

The more holes and methods of access to your network, the weaker your security.  I don't know what you use for VPN - I use Microsoft's Routing and Remote Access VPN server.  The client is built in for virtually all Windows clients so setting up a VPN connection is neither time consuming nor difficult nor expensive.  And I only need to open one port on my network for remote access.
0
 
LVL 11

Assisted Solution

by:Coast-IT
Coast-IT earned 125 total points
ID: 33427634
A good previous answer about the exact same subject is here explaining to to turn up security etc.

http://www.experts-exchange.com/Security/Operating_Systems_Security/Windows/Q_21410301.html
0
 
LVL 17

Expert Comment

by:sgsm81
ID: 33427859
VPN all the way - we use a SonicWall SSL-VPN 2000 box also as this provides an easy solution to remote use of the system and has lots of useful functions to boot.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 125 total points
ID: 33427991
IF your windows TS is 2003 or better, you can enable and require SSL on the rdp session - same port, but encrypted with the same technology https websites use.
0
 

Author Comment

by:Martin_Radbo
ID: 33428076
"IF your windows TS is 2003 or better, you can enable and require SSL on the rdp session - same port, but encrypted with the same technology https websites use."

It is win server 2008 (and sometimes 2003) so that sounds great.

Where exactly do I configure that? And what is the need at the client side to get it to work? Latest version (7.0) of RDP client?
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 5

Expert Comment

by:sosinc3
ID: 33428077
If you decide to open the port direct, don't do it on port 3389 as that is a commonly known one. Use some obsucre port and change the server to listen on that port. Very easy to do but I must agree with all those who have already said, run all your traffic across your VPN whenever you can.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 33430041
0
 
LVL 31

Assisted Solution

by:Cláudio Rodrigues
Cláudio Rodrigues earned 125 total points
ID: 33430169
Well my take on this is this. RDP is encrypted and without using certificates, all the way to 128-bit.
The main concern people usually have with RDP is MITM attacks.
In 15 years working exclusively deploying TS/RDS/Citrix for customers worldwide I am still to see one single case where RDP was hacked when exposed to the internet on port 3389 (of course if you use blank passwords even a VPN will not matter).
So how much should you do really depends how paranoid you are. It is up to you to decide.
As mentioned you can indeed enable certificates for the RDP connection to prevent the MITM attack and even change the RDP port. As you are on 2008 you can even setup RDS Gateway what will give you only port 443 access to the TSs. Very secure.
Again, up to you.

Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP
0
 

Author Comment

by:Martin_Radbo
ID: 33430403
I'm really NOT paranoid, that's the whole point. I think you must choose the level of security depending on how threatened you are (i.e, stronger excryption for the White house compared to the little single-person-company selling bread....

But it is nice to know that there indeed are at lest some (and for me enough) encryption with standard RDP. Customers sometimes ask me and I think they will be pleased with this info.

And also, if possible, I do it with a VPN tunnel, it also gives me the opportunity to be able to ping the whole remote LAN from my PC which is very useful in many ways.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 33431026
Certificates are good against MitM, but on the whole its just that RDP crypto security isn't well documented, so hard to get past a security review - when everyone knows how to validate SSL.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now