Solved

Best way to protect RDP

Posted on 2011-09-17
9
672 Views
Last Modified: 2012-05-12
I just noticed that our company's RDP computer had been remotely breached.  The hacker had created his own profile on the Windows machine and installed various tools for doing harm.  I have remote users that use the RDP and so I have to leave it ported and open for use.  Changing the static IP would not solve the issue, so how do I protect the connection?  When you think about it, normal RDP is just like allowing a hacker to walk into your office, sit down at your computer and attempt to hack into your login account.
0
Comment
Question by:murryc
9 Comments
 
LVL 90

Accepted Solution

by:
John Hurst earned 125 total points
ID: 36555248
This most certainly does not have to be!  Put it behind a secure Firewall and a secure VPN and (at the 99.99% level), no one will walk in. I have had setups like this for multiple clients and they have never been breached.

... Thinkpads_User
0
 
LVL 1

Expert Comment

by:WhatWhyIT
ID: 36555314
Easiest way is to change the RDP port and change the firewall settings to allow only the minimum amount in as possible.

http://support.microsoft.com/kb/306759

0
 
LVL 23

Expert Comment

by:Brian Gee
ID: 36555476
Implementing VPN (as mentioned earlier) or SSH connections would increase security immensely with regard to RDP sessions.
0
 
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 125 total points
ID: 36555595
Even implementing VPN doesn't do much if you don't have and enforce complex, LONG passwords.  If someone gets a user account with password, they can log in and do whatever they want, VPN, RDP, FTP, HTTP, OWA, whatever mechanism you have in place.  It's VERY unlikely that anyone actually snooped the traffic and found a way in and almost as unlikely they found an exploit in RDP or some other service to get in without such information.  PASSWORDS.  Bottom line.  Plus, optionally and for added security, a two-factor authentication system for a VPN or other remote connection method.
0
 
LVL 4

Expert Comment

by:duffme
ID: 36556040
Win2003 encrypts RDP traffic by default, though not very well.  You could increase this.  I would go with the other suggestions here.  Make sure the default admin account is not active, enforce strong passwords that are changed regularly, etc.  If you are using RDP for proper Terminal Services and not just a one-to-one remote desktop then you should probably use a gateway server outside of your firewall that is the only thing allowed in to your network.  If this is for individuals to get to desktops you may be better off with some form of VPN.  There is always the method of using LogMeIn or the like too.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 36556155
>>> Even implementing VPN doesn't do much if you don't have and enforce complex, LONG passwords  <-- I have my client IPSec VPNs set up so that only authorized people have access. The VPN Pre-Shared Key is, of course, very secure. But as I noted, there have been no breaches at all and the first one went in nearly 10 years ago. ... Thinkpads_User
0
 

Author Comment

by:murryc
ID: 36564819
No implementing VPN would keep the RDP port from being probed, is this correct?  That seems to be the biggest issue is that I can see a ton of probes on the RDP port.  It does not seem to matter if I change the default port because they will just probe all port numbers until they find an RDP, then they move to cracking the login.  So does VPN shield the port from probing and just show itself when a remote user first establishes the VPN connection?
0
 
LVL 4

Assisted Solution

by:duffme
duffme earned 125 total points
ID: 36565029
A VPN would keep the RDP port from being probed, because you would then block the RDP from the firewall and users would connect to the VPN instead.  There are different types of VPNs and different ways to implement them.  They essentially create an encrypted tunnel (using SSL is common) between the user's computer and your network; the computer may then act as if it were in your network.  The user uses a software client to connect to your VPN (server/firewall/appliance) and can then map drives, directly connect to server applications like email or databases, or connect directly to the RDP computers if desired.  An SSH tunnel is similar, but works with different protocols and mechanisms.  You can also restrict what resources a VPN user is allowed to connect to, and often (and this is recommended) require that the user has anti-virus and patching up-to-date before allowing the user to connect; this can protect your network from unsafe users' computers connecting to it.

Please first tell us if you are using a firewall and what kind.  It may already have, or allow you to enable, a decent VPN solution more easily than starting fresh.  If you are just using a consumer grade wifi router to protect your business it is probably worthwhile to upgrade to something that offers more robust protection and remote access.

Also, make sure to change passwords, perform a review, and such if you really think you have been compromised.
0
 
LVL 1

Assisted Solution

by:raghav_lal
raghav_lal earned 125 total points
ID: 36565055
Well, to protect your servers from access via RDP there are a few options:

1. Install a Firewall (L3 Device) between Inside and Outside network. Insert this firewall device on a VLAN where machines are sitting and RDP connectivity takes place. Allow only port # 3389 for specific host IPs / subnets and deny all other IP subnets.
2. RDP has its own encryption feature. Enable that feature as well.
3. Another option could be to change the port number of RDP to some other port number. Since the RDP port number is a standard IANA port number, everyone can easily hack into the system using this port number.

To change the port you will need to start Windows Registry Editor.

Start -> Run… type "regedit" and press OK
HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp
Then locate the following registry subkey : PortNumber
On the Edit menu, click Modify, and then on the Edit DWORD Value click Decimal which will show us the exact port number.
Type the new port number, and then click OK button.
Quit Registry Editor and restart your computer.
IMPORTANT!!! - Make sure the firewall has the new port opened! If you do not set access enabled for that specific new port, you won't be able to have access via a remote computer.

4. Well some companies have implemented 802.1X authentication for access control mechanism. But this feature may not be available in many devices. You need to check those.






0
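The registry and firewall steps from the answer above, combined with the earlier advice in the thread to limit who can reach RDP and to review accounts, as an added PowerShell example that is not part of the thread. It assumes a current Windows release with PowerShell 5.1 and Windows Firewall (not the Windows 2003 era host discussed here); the port 3390 and the subnet 10.8.0.0/24 are constructed sample values.

```powershell
# Added example, not from the thread. Audits by default; -Apply changes settings.
# Run from an elevated prompt. Port and subnet defaults are constructed samples.
param(
    [int]$NewPort = 3390,
    [string[]]$AllowedSubnets = @('10.8.0.0/24'),   # e.g. the VPN client subnet
    [switch]$Apply
)
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Listener settings: port, encryption level (1=Low .. 4=FIPS), NLA (1=required)
$cfg = Get-ItemProperty -Path $rdpTcp
$cfg | Format-List PortNumber, MinEncryptionLevel, UserAuthentication

# 2. Enabled inbound allow rules naming the RDP port, and which addresses they admit.
#    A RemoteAddress of 'Any' means every source that can reach the host can probe it.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    if ($pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains "$($cfg.PortNumber)") {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    }
} | Format-Table -AutoSize

# 3. Accounts that could be used over RDP: look for ones nobody recognises,
#    and check whether the built-in administrator (SID ending in -500) is enabled.
Get-LocalUser | Where-Object Enabled |
    Format-Table Name, SID, LastLogon, PasswordLastSet -AutoSize
'Administrators', 'Remote Desktop Users' | ForEach-Object {
    $group = $_
    Get-LocalGroupMember -Group $group |
        Select-Object @{ n = 'Group'; e = { $group } }, Name
} | Format-Table -AutoSize

if ($Apply) {
    # Allow the new port only from the listed subnets, then disable the open built-in rules
    New-NetFirewallRule -DisplayName "RDP $NewPort (restricted)" -Direction Inbound `
        -Protocol TCP -LocalPort $NewPort -RemoteAddress $AllowedSubnets -Action Allow
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'   # English display name
    # Same PortNumber DWORD that the regedit steps above edit by hand
    Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $NewPort -Type DWord
    Write-Warning "Restart the computer for port $NewPort to take effect."
}
```

Running with `-Apply` from inside an RDP session whose source address is not in `$AllowedSubnets` will lock that session out after the restart, so confirm the VPN or allowed subnet works first.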
