TL;DR We are looking at opening port 3389 for a terminal server; all the advice I’ve seen is that it's suicidal, but without good explanations as to why. Is it really that bad?
We are looking at setting up a terminal server for staff to access remotely. They are going to be using a bunch of devices including iPads, Android devices, Windows (XP to 8), OSX, Linux, pretty much anything with an RDP client.
I want this to be stupid simple and work on everything. My plan is to set up remote.example.com (obviously with our real domain name) to point to our server, then secure it by:
- Firewall everything except port 3389.
- Set the encryption level to highest (with a certificate) and not allow “Negotiate”
- Lock accounts with more than 7 failed attempts and look at maybe some script to block based on IP addresses with failed logins (https://security.stackexchange.com/a/17354/22241)
- Other obvious things such as OS updates and anti-virus.
However, when I talk about setting up a public-facing RDP, the responses are generally along the lines of:
“Don’t open port 3389, put a VPN in front of it” – but as far as I can see the two main arguments for this are encryption (Doesn’t RDP already do this?) and better authentication, because people will brute force RDP. We already have a PPTP VPN set up, but it just uses the same account username/password combo to authenticate as our terminal server would, so I don't see a terminal server adding to our attack surface. The only argument that I think holds any weight is setting up a VPN (such as Cisco) that supports two-factor authentication; that sounds good but will massively reduce the number of devices that are supported.
"Don't do it, use an RD Gateway" – as far as I can see reading http://technet.microsoft.com/en-us/library/cc731150.aspx the advantages of an RD Gateway are:
- Manage multiple servers from a single entry point with fine-grained control over who can connect to what and so on. – Sounds good, but we only have one terminal server.
- Uses port 443/HTTPS so people behind poorly configured outbound firewalls can connect – sounds great, but RDP already offers encryption and changing the port doesn’t add security. Also, for all the extra ease of not needing to deal with outbound firewalls comes the lack of support from most RDP clients (last I checked the OSX clients couldn’t connect to RD Gateway).
"Don't use RDP, use (Hamachi/Team Viewer/Jump Desktop/VNC … seriously/some other RDP tool) it's safer" To me any of these suggestions go from putting all your eggs in one basket (Microsoft) to putting all your eggs in another basket (Hamachi) but without tangible security benefit.
Am I just being dismissive? Is setting up a public facing RDP server a bad idea?
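The failed-logon handling in the poster's plan (lock an account after 7 failures, and a script that blocks source IPs with repeated failed logins) can be prototyped as detection logic over exported Security log events. The block below is an added example, not code from the question or from any of the products it mentions. It assumes failed logons (event ID 4625) and successful logons (event ID 4624) have been exported as one constructed line each of the form `timestamp,event_id,account,source_ip`; real exports carry more fields. It goes slightly beyond the poster's description by using a per-IP sliding window and by including a password-spray case (one failure against each of many accounts), which a per-account lockout threshold alone never triggers on. The `IP_BLOCK_THRESHOLD`, `WINDOW` and the rule name in `block_commands` are assumptions.

```python
"""Failed-logon analysis for an Internet-facing RDP host (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
ACCOUNT_LOCK_THRESHOLD = 7        # the poster's lockout policy
IP_BLOCK_THRESHOLD = 10           # assumption: failures from one IP within WINDOW
WINDOW = timedelta(minutes=10)    # assumption: sliding window for per-IP counting


def _constructed_log():
    """Constructed sample events (not real log data)."""
    lines = []
    # Brute force: 12 failures against one account from one IP in 12 seconds.
    lines += [f"2013-02-01T08:00:{i:02d},4625,Administrator,203.0.113.7"
              for i in range(1, 13)]
    # Legitimate user: 3 typos, then a successful logon resets the account counter.
    lines += [f"2013-02-01T08:05:{i:02d},4625,alice,198.51.100.5" for i in range(3)]
    lines.append("2013-02-01T08:05:10,4624,alice,198.51.100.5")
    # Password spray: one failure each against 12 different accounts from one IP.
    lines += [f"2013-02-01T08:10:{i:02d},4625,user{i:02d},192.0.2.9"
              for i in range(12)]
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Split one exported line into (timestamp, event_id, account, source_ip)."""
    ts, event_id, user, ip = line.strip().split(",")
    # Account names are case-insensitive on Windows, so normalise them.
    return datetime.fromisoformat(ts), int(event_id), user.lower(), ip


def analyse(log_text, ip_threshold=IP_BLOCK_THRESHOLD,
            account_threshold=ACCOUNT_LOCK_THRESHOLD, window=WINDOW):
    """Return (ips_to_block, accounts_to_lock), both as sorted lists."""
    recent_by_ip = defaultdict(deque)      # ip -> failure timestamps inside window
    failures_by_account = defaultdict(int)  # account -> consecutive failures
    ips_to_block, accounts_to_lock = set(), set()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, ip = parse_line(line)
        if event_id == SUCCESSFUL_LOGON:
            # Mirrors the lockout counter: a good logon clears the failure count.
            failures_by_account[user] = 0
            continue
        if event_id != FAILED_LOGON:
            continue

        # Per-IP sliding window: keeps only failures newer than `window`.
        q = recent_by_ip[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= ip_threshold:
            ips_to_block.add(ip)

        # Per-account counter, as the poster's 7-failure lockout would see it.
        failures_by_account[user] += 1
        if failures_by_account[user] >= account_threshold:
            accounts_to_lock.add(user)

    return sorted(ips_to_block), sorted(accounts_to_lock)


def block_commands(ips):
    """Build Windows Firewall block rules (netsh advfirewall) for each IP.

    The rule name is an assumption; the command syntax is standard netsh.
    """
    return [f'netsh advfirewall firewall add rule name="RDP block {ip}" '
            f"dir=in action=block remoteip={ip}" for ip in ips]


if __name__ == "__main__":
    ips, accounts = analyse(SAMPLE_LOG)
    print("block:", ips)           # ['192.0.2.9', '203.0.113.7']
    print("lock:", accounts)       # ['administrator']
    for cmd in block_commands(ips):
        print(cmd)
```

Running it on the constructed data shows the two mechanisms catching different things: the brute-force IP trips both the IP block and the account lockout, the spraying IP trips only the IP block because no single account reaches 7 failures, and alice's three typos followed by a good logon trip neither. The same split is worth keeping in mind when choosing a lockout threshold on a public host: a low per-account threshold lets anyone who knows a username lock that account out, which is why the IP-based block is the part of the plan that actually reduces the brute-force noise.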