Solved

RDP-only VPN safe from virus?

Posted on 2014-01-18
7
825 Views
Last Modified: 2014-01-22
Can a virus-infected XP laptop harm our network via VPN if we only allow RDP port from the VPN subnet?

We have a user who has declared his intent to use XP even after microsoft ends support for XP.  Because he has never gotten a virus, he isn't worried.  

He said we shouldn't worry about him because we only allow RDP from our VPN subnet to the rest of the network.  So, even if he had a virus or worm, it can't affect us.

THOUGHTS?

Thanks,
Mike
0
Comment
Question by:mike2401
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 4

Accepted Solution

by:
colditzz earned 167 total points
ID: 39790623
RDP does enable local-remote resource mapping, clipboard, pass-through Hard drive access, pass-through Printer access, etc... it is possible that this could be used by malware to infect the remote machine, however the flip side to this is you cannot guarantee that a Windows Vista, 7, 8/8.1 machine wouldn't have a virus or malware running on it just because it is covered by MS support.  I would suggest that ensuring your RDS servers are fully patched and are running up to date anti-virus/malware software is your best line of defence against any inbound 'attacks'. It is also possible to integrate and IDS/IPS inline with your VPN server to monitor 'dodgy' traffic patterns.

Hope the above helps.
0
 
LVL 70

Assisted Solution

by:Qlemo
Qlemo earned 333 total points
ID: 39792178
The RDP client cannot infect the RDP server, unless infected files are transferred - the same as with Internet downloads on the remote machine. If you prohibit RDP drive mapping, transferring files won't work. If you don't, the action still has to be initiated from the RDP session, which runs on the server, so client infection cannot do that.

The VPN itself is as safe as you configure it to be. It is still a network connection, and the firewall might be vulnerable to specific attacks.
0
 

Author Comment

by:mike2401
ID: 39792184
Thanks.  I guess logmein has the same issues (only a risk if you transfer files?)

Mike
0
Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

 
LVL 70

Assisted Solution

by:Qlemo
Qlemo earned 333 total points
ID: 39792251
LogMeIn and such work differently, as they allow access using a proxy web server acting as kind of address broker. No VPN involved. But the features are similar - outside of the session there is no way for the client to control the server, and inside the session only very limited means for the server to act on the client.
0
 

Author Comment

by:mike2401
ID: 39792262
Glad to hear that about logmein.  I've always hoped that a virus/wormed person I was logmein'd  into could not harm me.
0
 

Author Comment

by:mike2401
ID: 39800370
Thanks everyone!

I'm glad that our VPN approach, only allowing the RDP port, seems safe!

Mike
0
 

Author Closing Comment

by:mike2401
ID: 39800373
Awesome, thank you!
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

No single Antivirus application (despite claims by manufacturers) will catch or protect you from all Virus / Malware or Spyware threats. That doesn't stop you from further protecting yourself however - and this article is to show you how.
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question