Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

question on Remote Desktop Services Security

Posted on 2011-09-22
5
Medium Priority
?
504 Views
Last Modified: 2013-11-06
Question about Remote Desktop Security. Please read it carefully before answering quick and half answers. Thank you.

1. When you have a Server 2008 R2 (standard installation) with Remote Desktop enabled, what is the security risk of making it publically accessible over the internet? Should you never do that or is the security risk limited? I know there have been removed a lot of vulnerabilities in the RDP protocol but I'm not sure what the status is today.

2. If you DO enable it are there any special things you should pay attention to?

4. Is it more advisable to only make the RDweb interface publically available or is that imposing the same security risk?

Thanks for any help in advance.
0
Comment
Question by:Stephans2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 3

Expert Comment

by:jrgcomputing
ID: 36579946
There is a risk with making a RDP available over the Web. A lot depends on your password policy and how strong your user accounts are.

A safer way would be to set up VPN on demand and use VPN to establish a connection to the local network and then initiate the RDP from there.
0
 
LVL 9

Accepted Solution

by:
Lester_Clayton earned 2000 total points
ID: 36716974
Yes, there is always a risk, but if you make it so that only network level authentication is allowed, then it's less of a risk.  This means that you have to authenticate to the sever before you can establish the RDP session.  It's as secure as SSL on an FTP server, so unless somebody tries to brute force you, you are probably fine.

RDWeb is also fine to make publicly available.  People will connect to the RDweb using SSL, and only after they are successful, can they launch the .RDP file which will connect them to the session.  Lots of companies use the standard security.

Two tips I can give you however,

If you're using RDWeb, then you might as well also use RD Gateway - RD Gateway will allow you to tunnel RDP sessions through your SSL enabled web server.  You can also impose a lot more security on RD Gateway than you can on a standard RDP session.  It's a bit more complex to set up, but there are many guides available on the net for that.

Another tip is to change the default port for RDP - you can make it so that you either

Make your servers listen on the different port or
Make it so that your Nat router forwards the external port of choosing to the internal port 3389.

To change the port number, open the registry and change the value for HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber to be your new port number.

Be careful that you don't specify a hex value and think it's a decimal value :)
0
 

Author Comment

by:Stephans2
ID: 36717283
Thank you Lester for your excellent answer.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 37175643
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question