Best way to protect RDP

Posted on 2011-09-17
Last Modified: 2012-05-12
I just noticed that our company's RDP computer had been remotely breached.  The hacker had created his own profile on the Windows machine and installed various tools for doing harm.  I have remote users that use the RDP and so I have to leave it ported and open for use.  Changing the static IP would not solve the issue, so how do I protect the connection?  When you think about it, normal RDP is just like allowing a hacker to walk into your office, sit down at your computer and attempt to hack into your login account.
Question by:murryc
LVL 94

Accepted Solution

John Hurst earned 125 total points
ID: 36555248
This most certainly does not have to be!  Put it behind a secure Firewall and a secure VPN and (at the 99.99% level), no one will walk in. I have had setups like this for multiple clients and they have never been breached.

... Thinkpads_User

Expert Comment

ID: 36555314
Easiest way is to change the RDP port and change the firewall settings to only allow the minimum amount in as possible.

LVL 23

Expert Comment

by:Brian Gee
ID: 36555476
Implementing VPN (as mentioned earlier) or SSH connections would increase security immensely with regard to RDP sessions.

LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 125 total points
ID: 36555595
Even implementing VPN doesn't do much if you don't have and enforce complex, LONG passwords.  If someone gets a user account with password, they can log in and do whatever they want, VPN, RDP, FTP, HTTP, OWA, whatever mechanism you have in place.  It's VERY unlikely that anyone actually snooped the traffic and found a way in and almost as unlikely they found an exploit in RDP or some other service to get in without such information.  PASSWORDS.  Bottom line.  Plus, optionally and for added security, a two-factor authentication system for a VPN or other remote connection method.

Expert Comment

ID: 36556040
Win2003 encrypts RDP traffic by default, though not very well.  You could increase this.  I would go with the other suggestions here.  Make sure the default admin account is not active, enforce strong passwords that are changed regularly, etc.  If you are using RDP for proper Terminal Services and not just a one-to-one remote desktop then you should probably use a gateway server outside of your firewall that is the only thing allowed in to your network.  If this is for individuals to get to desktops you may be better off with some form of VPN.  There is always the method of using LogMeIn or the like too.
LVL 94

Expert Comment

by:John Hurst
ID: 36556155
>>> Even implementing VPN doesn't do much if you don't have and enforce complex, LONG passwords  <-- I have my client IPSec VPNs set up so that only authorized people have access. The VPN Pre-Shared Key is, of course, very secure. But as I noted, there have been no breaches at all and the first one went in nearly 10 years ago. ... Thinkpads_User

Author Comment

ID: 36564819
So implementing VPN would keep the RDP port from being probed, is this correct?  That seems to be the biggest issue: I can see a ton of probes on the RDP port.  It does not seem to matter if I change the default port because they will just probe all port numbers until they find an RDP, then they move to cracking the login.  So does VPN shield the port from probing and just show itself when a remote user first establishes the VPN connection?

Assisted Solution

duffme earned 125 total points
ID: 36565029
A VPN would keep the RDP port from being probed, because you would then block the RDP from the firewall and users would connect to the VPN instead.  There are different types of VPNs and different ways to implement them.  They essentially create an encrypted tunnel (using SSL is common) between the user's computer and your network; the computer may then act as if it were in your network.  The user uses a software client to connect to your VPN (server/firewall/appliance) and can then map drives, directly connect to server applications like email or databases, or connect directly to the RDP computers if desired.  An SSH tunnel is similar, but works with different protocols and mechanisms.  You can also restrict what resources a VPN user is allowed to connect to, and often (and it is recommended) require that the user has anti-virus and patching up-to-date before allowing the user to connect; this can protect your network from unsafe users' computers connecting to it.

Please first tell us if you are using a firewall and what kind.  It may already have, or allow you to enable, a decent VPN solution more easily than starting fresh.  If you are just using a consumer grade wifi router to protect your business it is probably worthwhile to upgrade to something that offers more robust protection and remote access.

Also, make sure to change passwords, perform a review, and such if you really think you have been compromised.

Assisted Solution

raghav_lal earned 125 total points
ID: 36565055
Well, to protect your servers from being accessed via RDP there are a few options

1. Install a Firewall (L3 Device) between the Inside and Outside network. Insert this firewall device on the VLAN where the machines are sitting and RDP connectivity takes place. Allow only port # 3389 for specific host IPs / subnets and deny all other IP subnets.
2. RDP has its own encryption feature. Enable that feature as well
3. Another option could be to change the port number of RDP to some other port number. Since the RDP port number is a standard IANA port number, everyone can easily hack into the system using this port number.

To change the port you will need to start Windows Registry Editor.

Start -> Run… type "regedit" and press OK
HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp
Then locate the following registry subkey: PortNumber
On the Edit menu, click Modify, and then on the Edit DWORD Value click Decimal, which will show us the exact port number.
Type the new port number, and then click the OK button.
Quit Registry Editor and restart your computer.
IMPORTANT!!! - Make sure the firewall has the new port opened! If you do not set access enabled for that specific new port, you won't be able to have access via remote computer

4. Well, some companies have implemented 802.1X authentication as an access control mechanism. But this feature may not be available in many devices. You need to check those.
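The steps in raghav_lal's answer (move the listener off 3389, enable RDP's own encryption, open the firewall only for the new port and only from approved sources), together with duffme's point about blocking RDP at the perimeter for everyone except the VPN range, as one added PowerShell example. This is not code from the thread; it assumes Windows 8 / Server 2012 or later (for the NetSecurity cmdlets), an elevated shell, and the port and subnet values below are constructed placeholders.

```powershell
# Added example, not from the original thread: harden an exposed RDP listener.
# Assumptions: Windows 8 / Server 2012+ (NetSecurity module), run as Administrator.
$NewPort       = 33890                 # constructed example port, not the IANA default 3389
$AllowedRemote = @('203.0.113.0/24')   # constructed (TEST-NET-3); replace with your VPN/office subnet
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Move the listener off the default port (the registry step described in the thread).
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

# 2. Turn on the listener's own protection: TLS security layer, Network Level Authentication
#    (the client must authenticate before a session is created) and high encryption.
Set-ItemProperty -Path $RdpKey -Name SecurityLayer      -Value 2 -Type DWord   # 2 = TLS
Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord   # 1 = NLA required
Set-ItemProperty -Path $RdpKey -Name MinEncryptionLevel -Value 3 -Type DWord   # 3 = High (128-bit)

# 3. Firewall: the IMPORTANT step from the thread. Disable the built-in 3389 rules and allow
#    the new port only from the approved source ranges; everything else stays denied by default.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
$ruleName = "RDP custom port $NewPort (restricted sources)"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $NewPort -RemoteAddress $AllowedRemote -Action Allow -Profile Any | Out-Null
}

# 4. Restart the service so the new port takes effect. The thread suggests a reboot; a service
#    restart is enough, but it disconnects any RDP session that is currently open.
Restart-Service -Name TermService -Force

# 5. Verify: the listener must be on the new port and the rule scoped to the expected sources.
$listener = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
$filter   = Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter
[pscustomobject]@{
    ListeningOnNewPort = [bool]$listener
    AllowedFrom        = $filter.RemoteAddress
}
```

Run it over the console or an existing session rather than over RDP itself, since step 4 drops the connection you would be working through.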

