• Status: Solved
  • Priority: Medium
  • Security: Public

Best way to protect RDP

I just noticed that our company's RDP computer had been remotely breached.  The hacker had created his own profile on the Windows machine and installed various tools for doing harm.  I have remote users that use the RDP and so I have to leave it ported and open for use.  Changing the static IP would not solve the issue, so how do I protect the connection?  When you think about it, normal RDP is just like allowing a hacker to walk into your office, sit down at your computer and attempt to hack into your login account.
Asked by: murryc
 
John, Business Consultant (Owner), commented:
This most certainly does not have to be!  Put it behind a secure Firewall and a secure VPN and (at the 99.99% level), no one will walk in. I have had setups like this for multiple clients and they have never been breached.

... Thinkpads_User

WhatWhyIT commented:
Easiest way is to change the RDP port and change the firewall settings to only allow the minimum amount in as possible.

http://support.microsoft.com/kb/306759

Brian Gee commented:
Implementing VPN (as mentioned earlier) or SSH connections would increase security immensely with regard to RDP sessions.
 
Lee W, MVP, Technology and Business Process Advisor, commented:
Even implementing VPN doesn't do much if you don't have and enforce complex, LONG passwords.  If someone gets a user account with password, they can log in and do whatever they want, VPN, RDP, FTP, HTTP, OWA, whatever mechanism you have in place.  It's VERY unlikely that anyone actually snooped the traffic and found a way in and almost as unlikely they found an exploit in RDP or some other service to get in without such information.  PASSWORDS.  Bottom line.  Plus, optionally and for added security, a two-factor authentication system for a VPN or other remote connection method.

duffme commented:
Win2003 encrypts RDP traffic by default, though not very well.  You could increase this.  I would go with the other suggestions here.  Make sure the default admin account is not active, enforce strong passwords that are changed regularly, etc.  If you are using RDP for proper Terminal Services and not just a one-to-one remote desktop then you should probably use a gateway server outside of your firewall that is the only thing allowed in to your network.  If this is for individuals to get to desktops you may be better off with some form of VPN.  There is always the method of using LogMeIn or the like too.
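
The account checks suggested in the answers above (default admin account not active, passwords enforced), together with a view of which local accounts can log on over RDP, as an added example that is not part of the original thread. It assumes Windows 10 / Server 2016 or later with the LocalAccounts cmdlets and an elevated prompt; the 90-day threshold is an assumed policy value.

```powershell
# Added example (not from the thread): review local accounts that can reach an RDP logon.
$maxPasswordAgeDays = 90   # assumed policy value, adjust to your own

# Well-known SIDs: S-1-5-32-544 = Administrators, S-1-5-32-555 = Remote Desktop Users.
$rdpCapable = foreach ($sid in 'S-1-5-32-544', 'S-1-5-32-555') {
    Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue
}
$rdpCapableSids = $rdpCapable.SID.Value | Sort-Object -Unique

Get-LocalUser | ForEach-Object {
    $issues = @()
    # The built-in Administrator always has a SID ending in -500, even if renamed.
    if ($_.Enabled -and $_.SID.Value -like 'S-1-5-21-*-500') {
        $issues += 'built-in Administrator is enabled'
    }
    if ($_.Enabled -and -not $_.PasswordRequired) {
        $issues += 'password not required'
    }
    if ($_.Enabled -and $_.PasswordLastSet -and
        $_.PasswordLastSet -lt (Get-Date).AddDays(-$maxPasswordAgeDays)) {
        $issues += "password older than $maxPasswordAgeDays days"
    }
    [pscustomobject]@{
        Name            = $_.Name
        Enabled         = $_.Enabled
        CanRdp          = ($rdpCapableSids -contains $_.SID.Value)   # direct membership only
        PasswordLastSet = $_.PasswordLastSet
        LastLogon       = $_.LastLogon
        Issues          = $issues -join '; '
    }
} | Sort-Object CanRdp, Enabled -Descending | Format-Table -AutoSize
```

Any enabled account in the output that nobody recognises deserves the same attention as the profile described in the question. Membership granted through a domain group is not resolved by the `CanRdp` column.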

John, Business Consultant (Owner), commented:
>>> Even implementing VPN doesn't do much if you don't have and enforce complex, LONG passwords  <-- I have my client IPSec VPN's set up so that only authorized people have access. The VPN Pre-Shared Key is, of course, very secure. But as I noted, there have been no breaches at all and the first one went in nearly 10 years ago. ... Thinkpads_User

murryc (Author) commented:
No implementing VPN would keep the RDP port from being probed, is this correct?  That seems to be the biggest issue is that I can see a ton of probes on the RDP port.  It does not seem to matter if I change the default port because they will just probe all port numbers until they find an RDP, then they move to cracking the login.  So does VPN shield the port from probing and just show itself when a remote user first establishes the VPN connection?

duffme commented:
A VPN would keep the RDP port from being probed, because you would then block the RDP from the firewall and users would connect to the VPN instead.  There are different types of VPNs and different ways to implement them.  They essentially create an encrypted tunnel (using SSL is common) between the user's computer and your network; the computer may then act as if it were in your network.  The user uses a software client to connect to your VPN (server/firewall/appliance) and can then map drives, directly connect to server applications like email or databases, or connect directly to the RDP computers if desired.  An SSH tunnel is similar, but works with different protocols and mechanisms.  You can also restrict what resources a VPN user is allowed to connect to, and often (and is recommended) require that the user has anti-virus and patching up-to-date before allowing the user to connect; this can protect your network from unsafe users' computers connecting to it.

Please first tell us if you are using a firewall and what kind.  It may already have, or allow you to enable, a decent VPN solution more easily than starting fresh.  If you are just using a consumer grade wifi router to protect your business it is probably worthwhile to upgrade to something that offers more robust protection and remote access.

Also, make sure to change passwords, perform a review, and such if you really think you have been compromised.

raghav_lal commented:
Well, to protect your servers from being accessed via RDP there are a few options:

1. Install a firewall (L3 device) between the inside and outside networks. Insert this firewall device on the VLAN where the machines are sitting and RDP connectivity takes place. Allow only port 3389 for specific host IPs / subnets and deny all other IP subnets.
2. RDP has its own encryption feature. Enable that feature as well.
3. Another option could be to change the port number of RDP to some other port number. Since the RDP port number is a standard IANA port number, everyone can easily hack into the system using this port number.

To change the port you will need to start Windows Registry Editor.

Start -> Run… type "regedit" and press OK
HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp
Then locate the following registry subkey: PortNumber
On the Edit menu, click Modify, and then on the Edit DWORD Value click Decimal which will show us the exact port number.
Type the new port number, and then click the OK button.
Quit Registry Editor and restart your computer.
IMPORTANT!!! - Make sure the firewall has the new port opened! If you do not set access enabled for that specific new port, you won't be able to have access via remote computer.

4. Well, some companies have implemented 802.1X authentication as an access control mechanism. But this feature may not be available in many devices. You need to check those.
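
A host-side check of the settings discussed in this answer (the listening port, RDP's own encryption level, and which source addresses the Windows firewall lets reach that port), as an added example that is not part of the original post. It assumes Windows 8 / Server 2012 or later with the NetSecurity cmdlets and an elevated prompt; the VPN subnet `10.8.0.0/24` and the helper `Test-PortCovered` are constructed for illustration.

```powershell
# Added example (not from the thread): audit how the RDP listener on this host is exposed.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp  = Get-ItemProperty -Path $key
$port = [int]$rdp.PortNumber
$vpnSubnet = '10.8.0.0/24'   # constructed placeholder: the range your VPN hands out

# UserAuthentication 1 = NLA required; MinEncryptionLevel 3 = High, 4 = FIPS.
[pscustomobject]@{
    Port          = $port
    NlaRequired   = ($rdp.UserAuthentication -eq 1)
    MinEncryption = $rdp.MinEncryptionLevel
} | Format-List

# True when a firewall port spec ('Any', '3389', '3000-4000', or a list) covers $Port.
function Test-PortCovered([string[]]$Spec, [int]$Port) {
    foreach ($s in $Spec) {
        if ($s -eq 'Any' -or $s -eq "$Port") { return $true }
        if ($s -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) {
            return $true
        }
    }
    return $false
}

# Enabled inbound allow rules that reach the RDP port, with the sources they permit.
$exposed = Get-NetFirewallPortFilter |
    Where-Object { ($_.Protocol -in 'TCP', 'Any') -and (Test-PortCovered $_.LocalPort $port) } |
    ForEach-Object {
        $rule = $_ | Get-NetFirewallRule
        if ($rule.Enabled -eq 'True' -and $rule.Direction -eq 'Inbound' -and $rule.Action -eq 'Allow') {
            $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{
                Name          = $rule.Name
                DisplayName   = $rule.DisplayName
                RemoteAddress = $remote -join ','
                AnySource     = ($remote -contains 'Any')
            }
        }
    }
$exposed | Format-Table -AutoSize

# Preview narrowing each "any source" rule to the VPN range; review, then drop -WhatIf to apply.
$exposed | Where-Object AnySource | ForEach-Object {
    Set-NetFirewallRule -Name $_.Name -RemoteAddress $vpnSubnet -WhatIf
}
```

This reads only the local rule store, so rules delivered by Group Policy are not listed, and the port forward on the perimeter firewall still has to be reviewed on that device.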

Question has a verified solution.