1

I'm an absolute security nubile who wants to access his Windows desktop PC from his Mac laptop. I'd like to do this so I have all of my stuff in one place, and I also have some work documents stored on my personal PC that I'd like to access from the road. I discovered Microsoft RDP and thought it might fit the task, but I'm concerned about security implications, and some of my work documents being exposed to malicious do-no-gooders. I've made some changes to my RDP setup after a bit of searching, such as changing the RDP port to a random number, requiring authentication using NLA, and requiring SSL for incoming connections. I've also set up Duo TFA to be required on all RDP connections.

My question is, if I set up port forwarding and expose myself to the internet, is this still a really bad idea? What other alternatives do I have? I did a bit of research on VPNs, but I couldn't really make sense of it all. I'd really appreciate your advice.

Peppa Jack
  • 23
  • 2
  • You are much better off using RDP only behind a NAT router, and not on the wild west of the open Internet. In fact, even a fully patched Windows box should never be exposed to the world naked. You might want to look into setting up SSH access so you can use SFTP for file transfer. To make that work you will need to do some router configuration to allow incoming connections on the correct ports (22 for SFTP). – SDsolar Apr 13 '17 at 03:10
  • Welcome to Security.StackExchange - be sure to take the tour: https://security.stackexchange.com/Tour – SDsolar Apr 13 '17 at 03:12
  • I do not think [that word](https://www.google.com/webhp?#q=nubile+definition) means what you think it means. – gowenfawr Apr 13 '17 at 11:50

2 Answers

1

I would say that the biggest risk exposing RDP to the internet, assuming your machine is fully patched, is the possibility of brute force attacks. If your username is Administrator and your password is Password1 you're going to have a bad time.

Now with that said, I have run some boxes in my day with RDP exposed on the internet on a non-standard port and brute force attempts dramatically decreased. The fact you've added two-factor authentication means that you've reduced your attack vector significantly (though you should still use a long and complex password).

I would say that your setup looks safe enough.

DKNUCKLES
  • 9,237
  • 2
  • 37
  • 47
  • Thanks for the help! I think I'll run this for a little bit longer, with the long term goal of building my own RPi VPN server. Thanks again broheim – Peppa Jack Apr 14 '17 at 02:56
1

I'll start by saying that, in general, the more services you run and expose to the internet, the greater your attack surface and the higher the risk of compromise. We can break the risk down into two areas: those you can control, and those that are beyond your control.

Risk you can control

As with any remote management protocol, there are automated tools that will knock on your door all day, trying to brute force your password and log in. Things you can do to help protect against this:

  • Limit access to trusted devices/networks using firewall rules. This can hugely reduce the attack surface.
  • Use a strong password.
  • Change to a non-standard port (you've already done this). This will foil the majority of automated tools but will not slow down a determined adversary.
  • Enable two-factor authentication (you've already done this).

Risk you can't control

There are several factors that are usually beyond your control:

  • The RDP protocol. It's possible that a serious vulnerability exists within the RDP protocol or its server implementation. This type of vulnerability is difficult to audit because RDP is mostly proprietary. However, there have been 0-days in the past where simply having RDP enabled and exposed allowed for remote code execution (MS15-067).
  • Similar concerns with Duo. Their application could be flawed, backdoored, or allow compromise to your system if Duo's cloud-based systems themselves are compromised.
  • If you're remotely connecting, it may be possible for someone to man-in-the-middle your connection and trick you into accepting their certificate.

It really comes down to your level of risk tolerance. If you fully trust that Microsoft and Duo are following best security practices, then that may be enough, in addition to following best practices. To further mitigate against these potential issues, requiring connection through a VPN or SSH tunnel could be used to add an additional layer of security.

multithr3at3d
  • 12,355
  • 3
  • 29
  • 42
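The two answers above boil down to a checklist: confirm NLA and TLS are actually enforced, confirm the port is non-standard, limit inbound RDP to trusted networks with firewall rules, and watch for the brute-force attempts DKNUCKLES mentions. The script below is an added example (not code from either answerer or from Microsoft) that does those things on the Windows host with built-in cmdlets. The registry values are the documented RDP-Tcp settings; the trusted address ranges, the firewall rule name, and the 24-hour lookback window are assumptions you would replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the RDP settings discussed in the thread, restrict
# inbound RDP to trusted source networks, and tally failed remote logons.
# $Trusted and $RuleName are assumed values; edit them for your network.

$RdpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RuleName = 'RDP - trusted networks only'          # assumed rule name
$Trusted  = @('192.168.1.0/24', '203.0.113.10')    # assumed: home LAN + VPN egress address

# --- 1. Audit: RDP enabled, NLA required, TLS security layer, listening port ---
$rdp  = Get-ItemProperty -Path $RdpKey
$ts   = Get-ItemProperty -Path $TsKey
$port = $rdp.PortNumber
[PSCustomObject]@{
    RdpEnabled       = ($ts.fDenyTSConnections -eq 0)
    NlaRequired      = ($rdp.UserAuthentication -eq 1)   # 1 = Network Level Authentication required
    TlsSecurityLayer = ($rdp.SecurityLayer -eq 2)        # 2 = TLS ("SSL") required for the connection
    ListeningPort    = $port
    NonStandardPort  = ($port -ne 3389)
} | Format-List

# --- 2. Firewall: only trusted source addresses may reach the RDP port ---
# Drop any earlier copy of our rule so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $port -RemoteAddress $Trusted -Action Allow -Profile Any | Out-Null

# Disable the built-in "Remote Desktop" allow rules so they cannot widen the
# exposure beyond the rule above; Windows Firewall blocks inbound by default,
# so after this only $Trusted can reach the port.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# --- 3. Detection: failed logons (Event ID 4625) grouped by source address ---
# RDP logons are LogonType 10; failures rejected at the NLA stage commonly show
# up as LogonType 3, so both are counted.
$since  = (Get-Date).AddHours(-24)                  # assumed lookback window
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

$attempts = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['LogonType'] -in @('10', '3')) {
        [PSCustomObject]@{ Source = $d['IpAddress']; User = $d['TargetUserName']; Time = $e.TimeCreated }
    }
}

"Failed remote logons since $since, by source address:"
$attempts | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group.User | Select-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the Windows PC. Section 1 should report NlaRequired, TlsSecurityLayer and NonStandardPort all True for the setup the asker describes; if any is False, the corresponding Remote Desktop setting was not applied. Section 2 implements the "limit access to trusted devices/networks" bullet, which is the mitigation that actually shrinks the exposed surface rather than just hiding it. Section 3 gives the brute-force picture: a handful of sources with dozens of attempts each against names like Administrator is the automated knocking both answers describe, and a source in your own trusted range that keeps failing is worth a closer look.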