What's more secure: ThinRDP or regular RDP?

Posted on 2011-10-31
Last Modified: 2012-06-21

I'm going to show my ignorance of good information security here.

Let me lay out the scenario: say we have a Windows 2008 R2 terminal server which about 20 folks access.  We want it to be accessible from outside the corporate network, but we don't want to use VPN.  We also can't make use of a TS/RDS Gateway (I have my reasons).

So, we're left with a couple options - use a program like ThinRDP for RDS to make RD sessions available over an HTML 5 capable browser, or simply set up NAT between the terminal server and the outside world and open up RDP on the firewall for connections to that IP.

Either way, we're stuck opening ports on the firewall and NATing traffic from one of our public IPs to our internal IP.  The difference is which port is being opened (any port for ThinRDP, 3389 for RDP) and which application is doing the listening (ThinRDP server or Win2K8).  I think ThinRDP has one added advantage over the alternative, though: we can set up a ThinRDP 'gateway' of sorts in our DMZ that accepts connections and passes them through the firewall to the corporate network, whereas if I were to create a direct NAT to the terminal server, it'd be introducing a public IP directly into the corporate network.

Thoughts?  I need to make the TS publicly accessible (no VPN and no RDS gateway) but I want to keep some security in place.

Question by:mhentrich

    Author Comment

    Follow up Q:

    I forgot, I also want to throw in the third option of using regular NAT to the terminal server but making use of two factor authentication via phone factor:

    Maybe that is the best option?

    Accepted Solution

    For our customers, we set up SSL VPN.  They browse to the web page, log in with their network credentials, then click the link for RDP to their desktop. Most modern commercial firewalls (i.e. non-consumer-grade) support SSL VPN.

    From what you have given above, the more secure option is going to be the one that reduces your attack surface the most.  Given the two you've listed above, I would opt with plain old RDP - it keeps more options available to you, and it gets patched with the OS should any vulnerability get discovered.

    Also, make sure users have strong passwords.

    Author Closing Comment

    Closest thing to an answer!
