What's more secure: ThinRDP or regular RDP?

Posted on 2011-10-31
Medium Priority
Last Modified: 2012-06-21

I'm going to show my ignorance of good information security here.

Let me lay out the scenario: say we have a Windows 2008 R2 terminal server which about 20 folks access.  We want it to be accessible from outside the corporate network, but we don't want to use VPN.  We also can't make use of a TS/RDS Gateway (I have my reasons).

So, we're left with a couple options - use a program like ThinRDP for RDS (http://www.thinvnc.com/thinrdp/html5-rdp.html) to make RD sessions available over an HTML 5 capable browser, or simply set up NAT between the terminal server and the outside world and open up RDP on the firewall for connections to that IP.

Either way, we're stuck opening ports on the firewall and NATing traffic from one of our public IPs to our internal IP.  The difference is which port is being opened (any port for ThinRDP, 3389 for RDP) and which application is doing the listening (ThinRDP server or Win2K8).  I think ThinRDP has one added advantage over the alternative, though: we can set up a ThinRDP 'gateway' of sorts in our DMZ that accepts connections and passes them through the firewall to the corporate network, whereas if I were to create a direct NAT to the terminal server, it'd be introducing a public IP directly into the corporate network.

Thoughts?  I need to make the TS publicly accessible (no VPN and no RDS gateway) but I want to keep some security in place.

Question by:mhentrich

Author Comment

ID: 37059795
Follow up Q:

I forgot, I also want to throw in the third option of using regular NAT to the terminal server but making use of two factor authentication via phone factor:

Maybe that is the best option?

LVL 15

Accepted Solution

jrhelgeson earned 2000 total points
ID: 37060803
For our customers, we set up SSL VPN.  They browse to the web page, log in with their network credentials, then click the link for RDP to their desktop. Most modern commercial firewalls (i.e. non-consumer-grade) support SSL VPN.

From what you have given above, the more secure option is going to be the one that reduces your attack surface the most.  Given the two you've listed above, I would opt for plain old RDP - it keeps more options available to you, and it gets patched with the OS should any vulnerability get discovered.

Also, make sure users have strong passwords.

Author Closing Comment

ID: 37140253
Closest thing to an answer!


Question has a verified solution.
