Solved

How much of a security risk is opening port 3389 on a firewall?

Posted on 2010-09-19
Last Modified: 2013-11-21
How much of a security risk is opening port 3389 on a firewall for RDP?  
Question by:bmcconn
7 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33711531
It's not overly, thousands of IT admins all over the world use it for remote access.

You obviously still need to have credentials to login.

With SBS2003 it was a requirement for RWW.

0
 
LVL 27

Expert Comment

by:davorin
ID: 33711617
Agree with demazter.
As long as you have a fully patched server...
0
 
LVL 6

Accepted Solution

by:
Azhrei1 earned 500 total points
ID: 33711644
Just make sure you set up your default domain policy correctly, with requirements for password changes every now and then, complex passwords (easy ones will be guessed...I see attempts on my server all day long cuz I have 3389 open as well). Maybe a minimum length of 8 characters or so.

And if you want to make it really secure you could add some security, but it might be too much of a hassle...if you're interested read this:

http://www.petri.co.il/securing_rdp_communications.htm
0
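The guessing attempts described in the answer above show up in the server's Security log as event 4625. The following is an added example, not part of the original answer: it counts failed remote logons per source address in exported event XML and flags sources that exceed a threshold inside a time window. The sample events, the `<Events>` root element, the function names and the thresholds are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": URI}

def make_event(eid, ts, user, ip, ltype):
    """Build one constructed Security event in Windows event XML layout."""
    return (f'<Event xmlns="{URI}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{ts}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{ltype}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample (documentation IP ranges): one source trying several
# account names within seconds, and one user with two widely spaced failures.
GUESSED = ["administrator", "admin", "test", "administrator", "backup", "admin"]
ROWS = [("4625", f"2010-09-19T08:00:{s:02d}.0000000Z", u, "203.0.113.7", "3")
        for s, u in enumerate(GUESSED)]
ROWS += [("4625", "2010-09-19T07:00:00.0000000Z", "bob", "198.51.100.20", "10"),
         ("4625", "2010-09-19T09:30:00.0000000Z", "bob", "198.51.100.20", "10"),
         ("4624", "2010-09-19T09:31:00.0000000Z", "bob", "198.51.100.20", "10")]
SAMPLE = "<Events>" + "".join(make_event(*r) for r in ROWS) + "</Events>"

def guessing_sources(xml_text, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> usernames tried, for IPs with at least `threshold`
    failed remote logons (event 4625, LogonType 3 or 10) within `window`."""
    fails = defaultdict(list)
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4625":
            continue
        data = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        # Type 10 = RemoteInteractive; with NLA a failed RDP logon is type 3.
        if data.get("LogonType") not in ("3", "10"):
            continue
        ts = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        when = datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")
        fails[data.get("IpAddress", "")].append((when, data.get("TargetUserName", "")))
    flagged = {}
    for ip, hits in fails.items():
        hits.sort()
        start = 0
        for end, (when, _) in enumerate(hits):
            while when - hits[start][0] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({user for _, user in hits})
                break
    return flagged

if __name__ == "__main__":
    print(guessing_sources(SAMPLE))
```

The list of usernames per flagged source shows which accounts are being targeted, which is where the password-complexity and lockout settings in the domain policy matter most.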
 

Expert Comment

by:Aakron
ID: 33711662
Agree with the above.
Also if you are paranoid or just have multiple servers you need to RDC, you can change the listening port to non default:

1. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
3. On the Edit menu, click Modify, and then click Decimal.
4. Type the new port number, and then click OK.
0
 
LVL 7

Expert Comment

by:oztrodamus
ID: 33714050
The degree to which you decide to protect RDP 3389 should be based on the importance of the data you're accessing. If all you want is a desktop so you can do some basic work on the server from home, then it's not that big of a deal. If it's a system that contains confidential customer information, then you're not being very smart about it.
0
 

Expert Comment

by:SanthoshVK
ID: 33714693
Also if you don't want your attacker to know that you have opened a port for the RDP protocol, then you can open a nonstandard port as Aakron said and internally do a Port Address Translation (PAT) by adding firewall rules.

Hope this helps
0
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 33716475
One thing no one is mentioning here is what is on the other side in terms of RDP listener. Is this a Windows 2000/2003/2008/2008 R2?
The reason for the question is simple. Depending on the version you CANNOT use certificates for the RDP connection, which means it becomes susceptible to Man in the Middle Attacks.
If you are using certificates and have decent password policies (so no one can have a password like 'newyork', 'password', 'mom', etc.) you will be very safe. RDP itself, regarding on the version/certificates, is encrypted. And as Aakron mentioned, by changing the port you make things a little 'harder' for a possible attack.
Also keep in mind which market you are in as certain ones (healthcare, financial, etc) may have their own regulations regarding data safety like PCI/HIPAA etc. Make sure whatever you do meets these requirements for data being accessed remotely.

Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP
0
