I've read that I shouldn't open RDP ports on my router (obviously with port forwarding, I don't mean opening 3389 port directly). Instead I should use something like VNC (I get that solution) or create a VPN connection and then use RDP locally. If a user uses his own device to connect remotely isn't it more susceptible that way? I don't know anything about his device, it can be already infected, so when using VPN any tool can connect to the local network of that remote location. It won't happen if the user uses an RDP only connection (and doesn't save his password in connection settings). I get that RDP has many vulnerabilities, but using a VPN creates another problem. Why is that solution preferred?
If you connect to a remote system using an infected computer the remote system is always in danger no matter if you use VPN or not. Not exposing RDP ports is a precaution if the next exploit is found that allows infecting a Windows machine via RDP. – Robert Jun 29 '22 at 07:31
I think you have omitted some details on the VPN-to-RDP advice. There's an important detail to make that work. – schroeder Jun 29 '22 at 08:12
@schroeder can you elaborate? – Jorhanc Jun 29 '22 at 08:44
It would help if you provided a link to this advice you have read. – schroeder Jun 29 '22 at 09:13
RDP has lots of vulnerabilities: you should never open it to the public Internet. Use either VPN (whose protocols do not have so many holes) or RD-Gateway. Just google how many vulnerabilities were found in RDP and in the Cisco implementation of IKE, for example. – user996142 Jun 30 '22 at 18:41
What leads you to believe that using VNC directly is better than using RDP directly? – Dai Jun 30 '22 at 19:33
@user996142 “RDP has lots of vulnerabilities” - citation needed. – Dai Jun 30 '22 at 19:34
It's not so much that RDP has lots of vulnerabilities as much as, security isn't the primary focus of RDP. RDP is designed for responsiveness and features for users, with security tacked on after the fact. Whereas a VPN's primary reason for existing is security. – CaffeineAddiction Jun 30 '22 at 21:51
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rdp+windows Also: https://www.paloaltonetworks.com/blog/2021/07/diagnosing-the-ransomware-deployment-protocol/ "Remote Desktop Protocol (RDP) is the most popular initial ransomware attack vector and has been for years. For the 2020 Unit 42 Incident Response and Data Breach Report, Unit 42 studied data from over 1,000 incidents and found in 50% of ransomware deployment cases, RDP was the initial attack vector." VNC probably has less, but the experience is much worse, and RDP-over-VPN (or over RD-Gateway) is much better. – user996142 Jun 30 '22 at 22:08
@user996142 please keep reading that article and actually look at the CVEs... Vulnerabilities in RDP are quite ***old*** and the article says that the main reason why RDP is a vector is the logins, not vulnerabilities.... – schroeder Jun 30 '22 at 22:40
I agree that logins are more important, but since vulnerabilities can be zero-days, I do not want to be the first who meets them. – user996142 Jun 30 '22 at 22:45
some are new, btw https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21893 – user996142 Jun 30 '22 at 23:06
2 Answers
By requiring a VPN you prevent the others from connecting to your RDP port directly. They have to go through your VPN first, and only then they can start connecting to your RDP.
Effectively, you're putting a shield in front of your RDP. You do not want the entire internet to connect to complex services such as RDP or SMB directly. Since they're complex services, they tend to have a much larger attack surface than the VPN service.
In addition, with VPN, your single biggest priority is to keep your VPN service patched and secure. Of course, you need to patch all your systems and everything, but it's only your VPN service that's facing the internet and getting pounded with attacks, where it's really time critical that you patch it asap. Your RDP and SMB should still be patched, but your attackers are no longer the entire internet, but rather users you have already authenticated (and who may or may not have viruses). Basically, instead of having multiple ports with services that you all need to keep secure, and that might not even be designed to be facing an untrusted network in the first place, you have a single port with a service that has definitely been designed to be facing said untrusted network.
A user connecting to your VPN also doesn't necessarily have access to your full network - you can set up firewall rules to prevent them from doing anything but connect to the specific hosts and ports you allow. These firewall rules can also be user-dependent, so some users could, for example, access only RDP, while others can access greater portions of your network. As you authenticated your users, you can do that - the port-forwarding from your router doesn't know who's connecting, and so it just forwards regardless of who it is.
Another reason, if you want to talk at a non-technical level, is that it's recommended to do so, simply because Microsoft themselves recommend against RDP or SMB being directly exposed to the internet, and as such you do something so that it isn't.
If you consider all that, using a well-configured VPN as an entry point makes it much more difficult to attack your services directly, which is why it's generally recommended to do so.
@iBug yo dog, I put a vpn behind a vpn so you can vpn while you vpn (welcome to tor) – CaffeineAddiction Jun 30 '22 at 21:52
There were lots of vulnerabilities in RDP, like the one where an attacker was able to break in by sending a specially crafted packet. Many of them could be avoided by using NLA (you should always enable it), but still:
- RDP doesn't allow key-based auth (unless you use a smart card), and password auth is not very secure (passwords are shorter than keys).
- Many bots scan networks for RDP, much more than scan for IKE, for example.
- Windows doesn't natively block IPs after failed logins (like fail2ban does on Linux). There are third-party tools.
The best approach is to:
- Use VPN (like IKE) with keys/certs, so only a user who has the certificate may log in
- Configure the VPN server to only give access to your RDP hosts
- Make passwords for RDP as secure as possible (minimum 8 chars, no dictionary words etc). AD has a group policy for that.
- If all your users are from known countries, then block all other countries (lists of country IPs can be googled)
Doing so will:
- Block bots from unexpected countries
- Stop those bots who scan networks for RDP
- Require user to have both: password AND certificate (much more secure)
VNC is worse than RDP because from the Windows point of view, it is not a terminal session, but a console session: many apps recognize RDP and change user experience to work faster, and RDP protocol is faster than VNC.
Even Microsoft suggests not using bare RDP, but using VPN or RD-Gateway instead.
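The fail2ban-style lockout that the answer says Windows lacks natively, as an added example (not code from the answer or from any third-party tool): it counts Event ID 4625 failed-logon events per source IP inside a sliding window and renders a Windows Firewall block rule for any IP that crosses the threshold. The event rows are constructed sample data in the shape of a flattened Security log export (timestamp, EventID, IpAddress, TargetUserName, LogonType); the threshold, window length and rule name are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rows (not real log data): (timestamp, EventID, IpAddress, TargetUserName,
# LogonType). 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive
# (RDP), LogonType 3 = network logon, which is how NLA pre-authentication failures are recorded.
SAMPLE_EVENTS = [
    ("2022-06-30T21:00:01", 4625, "203.0.113.7", "administrator", 10),
    ("2022-06-30T21:00:03", 4625, "203.0.113.7", "admin", 10),
    ("2022-06-30T21:00:05", 4625, "203.0.113.7", "user", 10),
    ("2022-06-30T21:00:06", 4625, "203.0.113.7", "test", 3),
    ("2022-06-30T21:00:08", 4625, "203.0.113.7", "guest", 3),
    ("2022-06-30T21:00:09", 4625, "-", "alice", 10),            # no source IP recorded
    ("2022-06-30T21:05:00", 4625, "198.51.100.4", "bob", 10),
    ("2022-06-30T21:30:00", 4625, "198.51.100.4", "bob", 10),   # too far apart to count together
    ("2022-06-30T21:31:00", 4624, "198.51.100.4", "bob", 10),   # success, ignored
    ("2022-06-30T21:32:00", 4625, "192.168.1.10", "carol", 2),  # local console logon, ignored
]

RDP_LOGON_TYPES = {3, 10}   # assumption: only these logon types are treated as RDP attempts

def failed_logon_blocklist(events, threshold=5, window_minutes=10):
    """Return the set of source IPs that produced `threshold` RDP-type 4625 events within
    any span of `window_minutes`. Events are assumed to be in chronological order."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = set()
    for ts, event_id, ip, _user, logon_type in events:
        if event_id != 4625 or logon_type not in RDP_LOGON_TYPES:
            continue
        if ip in ("-", "", None) or ip in blocked:
            continue              # nothing to block, or already decided
        when = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()           # expire failures older than the window
        if len(q) >= threshold:
            blocked.add(ip)
    return blocked

def block_rule_command(ip, port=3389):
    """Render the netsh command that adds an inbound Windows Firewall rule blocking `ip`
    from reaching the RDP listener; it has to be run elevated on the RDP host."""
    return (f'netsh advfirewall firewall add rule name="RDP brute force {ip}" '
            f'dir=in action=block protocol=TCP localport={port} remoteip={ip}')

if __name__ == "__main__":
    for ip in sorted(failed_logon_blocklist(SAMPLE_EVENTS)):
        print(block_rule_command(ip))
```

The same counting logic applies if the RDP host is only reachable through the VPN: the source IP is then the VPN client address, so the rule identifies which authenticated user's device is misbehaving.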