How much of a security risk is opening port 3389 on a firewall?

How much of a security risk is opening port 3389 on a firewall for RDP?  
Asked by bmcconn
 
Glen Knight commented:
It's not overly risky; thousands of IT admins all over the world use it for remote access.

You obviously still need to have credentials to login.

With SBS2003 it was a requirement for RWW.

davorin commented:
Agree with demazter.
As long as you have a fully patched server...
Azhrei1 commented:
Just make sure you set up your default domain policy correctly, with requirements for password changes every now and then and complex passwords (easy ones will be guessed... I see attempts on my server all day long because I have 3389 open as well). Maybe a minimum length of 8 characters or so.

And if you want to make it really secure you could add some security, but it might be too much of a hassle... if you're interested, read this:

http://www.petri.co.il/securing_rdp_communications.htm
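
Azhrei1's remark that an exposed 3389 draws guessing attempts all day long is something you can measure rather than eyeball. The block below is an added example, not code from the thread or from any of the posters: it takes failed-logon records shaped like Windows Security event 4625 ("An account failed to log on"), keeps only logon type 10 (RemoteInteractive, which is what a failed RDP logon produces), and flags source addresses that either fail many times in a short window or cycle through many account names. The records, addresses and thresholds are constructed for the example; a site would tune the thresholds from its own baseline of ordinary mistyped passwords.

```python
# Added example (not from the thread): detect RDP credential guessing from
# Windows Security event 4625 ("An account failed to log on") records.
# Logon type 10 (RemoteInteractive) is what a failed RDP logon produces, so
# filtering on it separates RDP guessing from SMB/network logon failures.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Field names mirror the 4625 EventData values a
# SIEM or Get-WinEvent export carries: TargetUserName, LogonType, IpAddress.
# 203.0.113.7 is a documentation-range address standing in for a scanner.
SAMPLE_4625 = [
    {"time": "2010-03-01T08:00:01", "user": "administrator", "logon_type": 10, "ip": "203.0.113.7"},
    {"time": "2010-03-01T08:00:09", "user": "admin",         "logon_type": 10, "ip": "203.0.113.7"},
    {"time": "2010-03-01T08:00:15", "user": "administrator", "logon_type": 10, "ip": "203.0.113.7"},
    {"time": "2010-03-01T08:00:22", "user": "backup",        "logon_type": 10, "ip": "203.0.113.7"},
    {"time": "2010-03-01T08:00:31", "user": "sqlservice",    "logon_type": 10, "ip": "203.0.113.7"},
    {"time": "2010-03-01T08:00:40", "user": "guest",         "logon_type": 10, "ip": "203.0.113.7"},
    {"time": "2010-03-01T08:01:02", "user": "administrator", "logon_type": 10, "ip": "203.0.113.7"},
    {"time": "2010-03-01T08:01:15", "user": "admin",         "logon_type": 10, "ip": "203.0.113.7"},
    # Same host failing an SMB (network, type 3) logon: not RDP, must be ignored.
    {"time": "2010-03-01T08:01:20", "user": "admin",         "logon_type": 3,  "ip": "203.0.113.7"},
    # A legitimate user mistyping a password twice from the office.
    {"time": "2010-03-01T08:05:00", "user": "jsmith",        "logon_type": 10, "ip": "198.51.100.22"},
    {"time": "2010-03-01T08:05:20", "user": "jsmith",        "logon_type": 10, "ip": "198.51.100.22"},
    # Console logon failure (type 2) carries no remote address.
    {"time": "2010-03-01T08:06:00", "user": "jsmith",        "logon_type": 2,  "ip": "-"},
]

RDP_LOGON_TYPE = 10


def max_attempts_in_window(times, window):
    """Largest number of timestamps falling inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize_rdp_failures(records, window=timedelta(minutes=10),
                           burst_threshold=5, spray_threshold=3):
    """Group failed RDP logons by source address and flag guessing patterns.

    burst_threshold and spray_threshold are assumed tuning values for the
    example. Returns {ip: {"attempts", "distinct_users", "burst", "spray"}}.
    """
    by_ip = defaultdict(lambda: {"times": [], "users": set()})
    for rec in records:
        if rec["logon_type"] != RDP_LOGON_TYPE:
            continue
        entry = by_ip[rec["ip"]]
        entry["times"].append(datetime.fromisoformat(rec["time"]))
        entry["users"].add(rec["user"].lower())

    summary = {}
    for ip, entry in by_ip.items():
        peak = max_attempts_in_window(entry["times"], window)
        summary[ip] = {
            "attempts": len(entry["times"]),
            "distinct_users": len(entry["users"]),
            # Many failures in a short span: password guessing against the listener.
            "burst": peak >= burst_threshold,
            # Many different account names from one source: a password spray.
            "spray": len(entry["users"]) >= spray_threshold,
        }
    return summary


def flagged_sources(records, **kwargs):
    """Source addresses worth a firewall block or a lockout review, sorted."""
    summary = summarize_rdp_failures(records, **kwargs)
    return sorted(ip for ip, s in summary.items() if s["burst"] or s["spray"])


if __name__ == "__main__":
    for ip, s in summarize_rdp_failures(SAMPLE_4625).items():
        print(f"{ip:16} attempts={s['attempts']:2} users={s['distinct_users']} "
              f"burst={s['burst']} spray={s['spray']}")
    print("flag:", flagged_sources(SAMPLE_4625))
```

Fed from an export of the Security log, the flagged list is what you would turn into a firewall block or an account-lockout review. The password policy the post describes limits what the guessing can achieve; this shows whether, and from where, it is happening.
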
Aakron commented:
Agree with the above.
Also, if you are paranoid or just have multiple servers you need to RDC to, you can change the listening port to a non-default one:

1. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
2. On the Edit menu, click Modify, and then click Decimal.
3. Type the new port number, and then click OK.
oztrodamus commented:
The degree to which you decide to protect RDP 3389 should be based on the importance of the data you're accessing. If all you want is a desktop so you can do some basic work on the server from home, then it's not that big of a deal. If it's a system that contains confidential customer information, then you're not being very smart about it.
SanthoshVK commented:
Also, if you don't want your attacker to know that you have opened a port for the RDP protocol, you can open a nonstandard port as Aakron said and internally do Port Address Translation (PAT) by adding firewall rules.

Hope this helps
Cláudio Rodrigues commented:
One thing no one is mentioning here is what is on the other side in terms of the RDP listener. Is this Windows 2000/2003/2008/2008 R2?
The reason for the question is simple. Depending on the version you CANNOT use certificates for the RDP connection, which means it becomes susceptible to man-in-the-middle attacks.
If you are using certificates and have decent password policies (so no one can have a password like 'newyork', 'password', 'mom', etc.) you will be very safe. RDP itself, depending on the version/certificates, is encrypted. And as Aakron mentioned, by changing the port you make things a little 'harder' for a possible attack.
Also keep in mind which market you are in, as certain ones (healthcare, financial, etc.) may have their own regulations regarding data safety like PCI/HIPAA. Make sure whatever you do meets these requirements for data being accessed remotely.

Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP