6

I know of a company that has port 3389 open on their router and forwards this to a Windows SBS 2003 server. The server has the Windows firewall switched on, is patched and has an up-to-date antivirus program; the router is a Draytek 2820.

Is this a secure combination?

Thanks

AviD
JMK
  • +1 to both answers here, so far. I would add that, if you *do* choose (for whatever reason) to leave RDP open to the Internet, you should change it to a non-standard port. (At least on the firewall, if not also on the Server.) Is this security through obscurity? Yes. But, it's better than no security at all. Additionally, you may want to consider at least using IP-based filtering for the inbound connections if the legitimate ones are only coming from a limited number of IPs or ranges. – Iszi Mar 21 '12 at 19:32
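The IP-based filtering suggested in the comment above is only as good as the rules actually in force, and the server's own Windows Firewall log is one place to verify it. The following is an added example, not code from the question or any answer: it reads log lines in the pfirewall.log layout, keeps the TCP connections to port 3389 that the firewall accepted, and reports any source address outside a trusted allowlist. The allowlist, the sample log lines and the accepted-action names (`OPEN-INBOUND` on XP/2003, `ALLOW` on later releases) are assumptions made for the example.

```python
# Added example: audit a Windows Firewall log (pfirewall.log layout) for RDP
# connections accepted from addresses outside a trusted allowlist.
import ipaddress

RDP_PORT = 3389
# Assumed action names for accepted connections (older logs write
# OPEN-INBOUND, newer ones ALLOW); DROP lines are never counted.
ACCEPTED_ACTIONS = {"OPEN", "OPEN-INBOUND", "ALLOW"}

# Constructed trusted source ranges: a branch office and one admin's static IP.
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed sample log in pfirewall.log layout; the #Fields line gives the
# column order used by parse_line():
#   date time action protocol src-ip dst-ip src-port dst-port ...
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-03-21 19:32:01 ALLOW TCP 203.0.113.5 192.168.1.10 51234 3389 - - - - - - - - RECEIVE
2012-03-21 19:33:15 ALLOW TCP 192.0.2.44 192.168.1.10 40022 3389 - - - - - - - - RECEIVE
2012-03-21 19:33:16 DROP TCP 192.0.2.44 192.168.1.10 40023 3389 48 S 123456 0 8192 - - - RECEIVE
2012-03-21 19:34:02 ALLOW TCP 198.51.100.7 192.168.1.10 50001 3389 - - - - - - - - RECEIVE
2012-03-21 19:35:10 ALLOW TCP 192.0.2.44 192.168.1.10 40100 80 - - - - - - - - RECEIVE
"""

def parse_line(line):
    """Return (action, protocol, src_ip, dst_port) for a data line, else None."""
    if not line or line.startswith("#"):
        return None  # header or comment line
    f = line.split()
    if len(f) < 8:
        return None  # truncated line
    try:
        return f[2], f[3], ipaddress.ip_address(f[4]), int(f[7])
    except ValueError:
        return None  # malformed address or port

def is_trusted(ip):
    """True if ip (string or address object) falls inside an allowlisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_SOURCES)

def untrusted_rdp_sources(log_text):
    """Map each untrusted source IP to how many RDP connections it was allowed."""
    counts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        action, proto, src, dport = parsed
        if proto != "TCP" or dport != RDP_PORT or action not in ACCEPTED_ACTIONS:
            continue
        if not is_trusted(src):
            counts[str(src)] = counts.get(str(src), 0) + 1
    return counts

if __name__ == "__main__":
    for ip, n in untrusted_rdp_sources(SAMPLE_LOG).items():
        print(f"RDP accepted from untrusted source {ip}: {n} connection(s)")
```

A non-empty result means the allowlist is not being enforced at the firewall; an empty result only proves what the log saw, so keep logging of allowed connections enabled or the check is blind.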

2 Answers

9

By "open on their router" I assume you mean open to the Internet. I'd advise against this. Remote Desktop Protocol is susceptible to known attacks. Also, you say "patched", but even as recently as last week Microsoft issued a security bulletin against RDP:

This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system.

I would strongly recommend putting some kind of security gateway (e.g. authenticated firewall, VPN...) in between users and the RDP service.

Glorfindel
Mark Beadles
  • +1, but RDP (or at least MS's implementation of it) has very strong authentication features built in; these just need to be enabled and enforced. – AviD Mar 22 '12 at 09:48
2

I agree with Mark, although I have had clients in the past whose accounts I've taken over, and one of the first things that I do is disable the NAT or rule that allows in RDP traffic and either set up some VPN connections to come in on (more secure) OR use a third-party solution like LogMeIn or TeamViewer. (Some people will debate the security of these, but either is an improvement IMO over RDP.) If the data is ultra critical then you may want to consider VPN only. If the company objects (which I've had happen to me in the past) I always say, it's not "if" but "when" you get hacked, how would you defend negligence?

Brad
  • Thanks, what would you say if you work at the company but don't believe the people in charge of this have done their job properly? – JMK Mar 21 '12 at 16:54
  • Do you have any I.T. policies in place that you could "update" with "the times"? You could always point out recent headlines in the paper or online of hack attacks. Also, if this component "broke" ;-) and an "update" of a VPN tunnel needed to be applied as a "workaround", could you pull it off? Again, if it "broke" could you blame updates on Patch Tuesdays? I hate to recommend something deceitful to management, but if they are incompetent to the max sometimes you have to be proactive rather than reactive. Who gets fried if compromised is what I might ask. – Brad Mar 21 '12 at 17:05
  • Yeah, I like the "headlines" idea, something along the lines of "I don't think we can use RDP anymore guys, I read recently that it's not secure now" ;-) – JMK Mar 21 '12 at 17:08
  • It would be secure over a VPN. What hardware are you using? Cisco? Sonicwall? Also, I like to look at http://www.exploit-db.com/ daily to make sure that I know about everything that applies to me. Can you recommend any sites that you use for research? – Brad Mar 21 '12 at 17:16
  • Honestly, no, I can't recommend any sites that I use for research; exploit-db.com looks like a good start. The whole network security thing is something I haven't been interested in until quite recently, now I obsess over it! – JMK Mar 21 '12 at 17:30
  • Another good site that has lots of links on current information is http://malc0de.com/dashboard/ – Brad Mar 29 '12 at 15:15