Best way to protect RDP

Posted on 2011-09-17
Last Modified: 2012-05-12
I just noticed that our company's RDP computer had been remotely breached.  The hacker had created his own profile on the Windows machine and installed various tools for doing harm.  I have remote users that use RDP, so I have to leave it ported and open for use.  Changing the static IP would not solve the issue, so how do I protect the connection?  When you think about it, normal RDP is just like allowing a hacker to walk into your office, sit down at your computer and attempt to hack into your login account.
Question by:murryc
LVL 92

Accepted Solution

John Hurst earned 125 total points
ID: 36555248
This most certainly does not have to be!  Put it behind a secure Firewall and a secure VPN and (at the 99.99% level), no one will walk in. I have had setups like this for multiple clients and they have never been breached.

... Thinkpads_User

Expert Comment

ID: 36555314
The easiest way is to change the RDP port and change the firewall settings to only allow the minimum amount in as possible.

LVL 23

Expert Comment

by:Brian Gee
ID: 36555476
Implementing VPN (as mentioned earlier) or SSH connections would increase security immensely with regard to RDP sessions.
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 125 total points
ID: 36555595
Even implementing VPN doesn't do much if you don't have and enforce complex, LONG passwords.  If someone gets a user account with password, they can log in and do whatever they want, VPN, RDP, FTP, HTTP, OWA, whatever mechanism you have in place.  It's VERY unlikely that anyone actually snooped the traffic and found a way in and almost as unlikely they found an exploit in RDP or some other service to get in without such information.  PASSWORDS.  Bottom line.  Plus, optionally and for added security, a two-factor authentication system for a VPN or other remote connection method.

Expert Comment

ID: 36556040
Win2003 encrypts RDP traffic by default, though not very well.  You could increase this.  I would go with the other suggestions here.  Make sure the default admin account is not active, enforce strong passwords that are changed regularly, etc.  If you are using RDP for proper Terminal Services and not just a one-to-one remote desktop then you should probably use a gateway server outside of your firewall that is the only thing allowed in to your network.  If this is for individuals to get to desktops you may be better off with some form of VPN.  There is always the method of using LogMeIn or the like too.
LVL 92

Expert Comment

by:John Hurst
ID: 36556155
>>> Even implementing VPN doesn't do much if you don't have and enforce complex, LONG passwords  <-- I have my client IPSec VPNs set up so that only authorized people have access. The VPN Pre-Shared Key is, of course, very secure. But as I noted, there have been no breaches at all and the first one went in nearly 10 years ago. ... Thinkpads_User

Author Comment

ID: 36564819
No implementing VPN would keep the RDP port from being probed, is this correct?  That seems to be the biggest issue, as I can see a ton of probes on the RDP port.  It does not seem to matter if I change the default port because they will just probe all port numbers until they find an RDP, then they move to cracking the login.  So does VPN shield the port from probing and just show itself when a remote user first establishes the VPN connection?
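The probes the asker describes leave a trail in the Security event log as logon failures (Event ID 4625), so they can be measured rather than guessed at. The following PowerShell script is an added example and is not from the thread or any poster: it parses those events, groups failures by source address, and flags sources that exceed a threshold so they can be blocked at the firewall. It assumes a Windows host that audits logon failures and an elevated prompt; the `ConvertFrom-LogonFailureEvent` and `Get-RdpFailureSummary` function names, the threshold value and the sample records are all my own choices.

```powershell
# Added example (not from the thread): summarize failed RDP logon attempts per
# source address from the Security log, so the "ton of probes" can be measured
# and the noisiest sources blocked at the firewall. Assumes logon-failure auditing
# is on (Event ID 4625) and the script runs from an elevated prompt.

function ConvertFrom-LogonFailureEvent {
    # Pull the fields we care about out of the 4625 event XML. Logon type 10 is
    # RemoteInteractive (classic RDP); with Network Level Authentication enabled,
    # failures from the network usually show up as logon type 3, so both are kept.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            User      = $data['TargetUserName']
            LogonType = [int]$data['LogonType']
            Source    = $data['IpAddress']
        }
    }
}

function Get-RdpFailureSummary {
    # Group failure records by source address and flag sources at or above the
    # threshold. Works on records from the live log or on constructed ones.
    param(
        [Parameter(Mandatory)] [object[]] $Failures,
        [int] $Threshold = 20
    )
    $Failures |
        Where-Object { $_.LogonType -in 3, 10 -and $_.Source -and $_.Source -ne '-' } |
        Group-Object Source |
        ForEach-Object {
            [pscustomobject]@{
                Source    = $_.Name
                Attempts  = $_.Count
                Users     = ($_.Group.User | Sort-Object -Unique) -join ','
                FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
                LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
                Suspect   = ($_.Count -ge $Threshold)
            }
        } | Sort-Object Attempts -Descending
}

# Live query: logon failures from the last 24 hours.
$since = (Get-Date).AddHours(-24)
$live  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                      -ErrorAction SilentlyContinue | ConvertFrom-LogonFailureEvent
if ($live) {
    Get-RdpFailureSummary -Failures $live -Threshold 20 | Format-Table -AutoSize
} else {
    Write-Host 'No 4625 events in the last 24 hours (or logon-failure auditing is off).'
}

# Constructed sample records (not real log data): 25 failures against common
# account names from one address, and a single typo from a legitimate user.
$sample = @(
    foreach ($i in 1..25) {
        [pscustomobject]@{
            Time      = $since.AddMinutes($i)
            User      = @('administrator', 'admin', 'test')[$i % 3]
            LogonType = 10
            Source    = '198.51.100.7'    # RFC 5737 documentation address
        }
    }
    [pscustomobject]@{ Time = $since.AddHours(2); User = 'jsmith'; LogonType = 10; Source = '203.0.113.20' }
)
Get-RdpFailureSummary -Failures $sample -Threshold 20 | Format-Table -AutoSize
```

The summary is only as good as the audit policy: if "Audit logon events" failures are not enabled, the Security log will contain no 4625 entries and the live query prints nothing. The threshold is a starting point to tune against normal traffic for the site; a `Users` column listing several generic account names from one address is the pattern that distinguishes password guessing from a user mistyping a password.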

Assisted Solution

duffme earned 125 total points
ID: 36565029
A VPN would keep the RDP port from being probed, because you would then block the RDP port at the firewall and users would connect to the VPN instead.  There are different types of VPNs and different ways to implement them.  They essentially create an encrypted tunnel (using SSL is common) between the user's computer and your network; the computer may then act as if it were in your network.  The user uses a software client to connect to your VPN (server/firewall/appliance) and can then map drives, directly connect to server applications like email or databases, or connect directly to the RDP computers if desired.  An SSH tunnel is similar, but works with different protocols and mechanisms.  You can also restrict what resources a VPN user is allowed to connect to, and often (and it is recommended) require that the user has anti-virus and patching up-to-date before allowing the user to connect; this can protect your network from unsafe users' computers.

Please first tell us if you are using a firewall and what kind.  It may already have, or allow you to enable, a decent VPN solution more easily than starting fresh.  If you are just using a consumer grade wifi router to protect your business it is probably worthwhile to upgrade to something that offers more robust protection and remote access.

Also, make sure to change passwords, perform a review, and such if you really think you have been compromised.

Assisted Solution

raghav_lal earned 125 total points
ID: 36565055
Well, to protect your servers from being accessed via RDP there are a few options

1. Install a Firewall (L3 Device) between the Inside and Outside network. Insert this firewall device on the VLAN where the machines are sitting and RDP connectivity takes place. Allow only port 3389 for specific host IPs/subnets and deny all other IP subnets.
2. RDP has its own encryption feature. Enable that feature as well.
3. Another option could be to change the port number of RDP to some other port number. Since the RDP port number is a standard IANA port number, anyone can easily hack into the system using this port number.

To change the port you will need to start Windows Registry Editor.

Start -> Run… type "regedit" and press OK
HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp
Then locate the following registry subkey: PortNumber
On the Edit menu, click Modify, and then on the Edit DWORD Value dialog click Decimal, which will show us the exact port number.
Type the new port number, and then click the OK button.
Quit Registry Editor and restart your computer.
IMPORTANT!!! - Make sure the firewall has the new port opened! If you do not enable access for that specific new port, you won't be able to have access via a remote computer.

4. Well, some companies have implemented 802.1X authentication as an access control mechanism. But this feature may not be available in many devices. You need to check those.
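The registry and firewall steps above (points 1 to 3), together with the earlier comment about making sure the default admin account is not active, can be done in one script instead of by hand. The PowerShell below is an added example, not code from the thread or any poster: it moves the listener off 3389, raises the RDP encryption level, scopes the firewall rule to the subnets that need access, and disables the built-in Administrator account. It assumes a modern Windows host (Windows 8 / Server 2012 or later, so the `NetSecurity` and `Microsoft.PowerShell.LocalAccounts` modules exist) and an elevated prompt; the port `33890`, the `203.0.113.0/24` subnet and the rule name `RDP (restricted)` are placeholder values of my own. The Network Level Authentication setting is not mentioned in the thread and is included as a standard companion setting.

```powershell
# Added example (not from the thread): move the RDP listener off 3389, raise the
# RDP encryption level, scope the firewall rule to specific subnets, and disable
# the built-in Administrator account. Assumes Windows 8 / Server 2012 or later and
# an elevated prompt. $NewPort and $AllowedSubnets are illustrative placeholders.
param(
    [ValidateRange(1024, 65535)]
    [int]      $NewPort         = 33890,
    [string[]] $AllowedSubnets  = @('203.0.113.0/24'),  # RFC 5737 range; replace with yours
    [switch]   $RestartListener
)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Record the current port (normally 3389) before changing anything.
$oldPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP port: $oldPort"

# 2. Change the listener port (point 3 of the answer). PortNumber is a REG_DWORD.
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# 3. Raise the RDP encryption level (point 2). 3 = "High" (128-bit in both directions).
Set-ItemProperty -Path $rdpKey -Name MinEncryptionLevel -Value 3 -Type DWord

# Require Network Level Authentication so the logon screen is not exposed before
# the client authenticates. Not from the thread; standard on Vista/2008 and later.
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord

# 4. Firewall (point 1 and the IMPORTANT note): allow the new port only from the
# listed subnets. Recreate the rule so re-running the script is safe.
Get-NetFirewallRule -DisplayName 'RDP (restricted)' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP (restricted)' `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -RemoteAddress $AllowedSubnets -Action Allow -Profile Any | Out-Null

# Turn off the built-in "Remote Desktop" rule group so the old 3389 rule no
# longer admits anything.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# 5. Disable the built-in Administrator account (the "default admin account" from
# the earlier comment). Only do this after another local administrator exists.
if (Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue) {
    Disable-LocalUser -Name 'Administrator'
}

# 6. The new port takes effect only after the listener restarts (the answer
# suggests a reboot; restarting TermService is enough on current versions).
if ($RestartListener) {
    Restart-Service -Name TermService -Force
}

# 7. Verify what was set.
Get-ItemProperty -Path $rdpKey -Name PortNumber, MinEncryptionLevel, UserAuthentication |
    Select-Object PortNumber, MinEncryptionLevel, UserAuthentication
Get-NetFirewallRule -DisplayName 'RDP (restricted)' | Get-NetFirewallAddressFilter
```

Run it once without `-RestartListener` to check the verification output, then again with the switch (or reboot) to apply the port change; keep an existing session open while doing so in case the new rule is wrong. As the duffme answer notes, changing the port is the weakest of these measures, since a scan finds the listener anyway; the `-RemoteAddress` scope on the rule is what actually stops unknown addresses from reaching it, and a VPN in front of the host removes the exposure altogether.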

