11

I am connecting from my home Windows 7 machine to a hosted server Windows Server 2008 R2. I am connecting to it using Remote Desktop on a non-default port.
I am wondering if I should go to the effort of setting up a VPN connection for Remote Desktop Access with something like OpenVPN. I'm not a security professional, I just want to try and make the connection to my hosted server as reasonably secure as I can.

S.L. Barth
  • 5,486
  • 8
  • 38
  • 47
Mark Allison
  • 213
  • 1
  • 2
  • 6

2 Answers2

11

As often with security, the answer to that is "maybe". In theory, if setup right and if you're keeping your system up-to-date, RDP is actually quite secure. Possibly not the most secure system available but still it can be considered secure enough for most usage (and can be extended if necessary).

The first and most relevant issue you will encounter with RDP is the potential for DOS against your administrator account. This one is easy to understand: if you've setup a limit to the number of failed attempt to log on, someone can simply keep trying to access your account and keep it locked. On unix, you'd use fail2ban to prevent that from happening but there is no clear equivalent in windows (although there are plenty of solutions, from scripts to full-fledged commercial program that will do the same). Another simple solution is to limit the range of IP addresses that will be allowed to connect to RDP in the first place or force users to go through a VPN first. Another option is to use IPSec. Yet another (and better) solution is to add 2 factor authentication to your system: mandating the use of a smartcard for RDP connection makes the whole authentication process very secure, if a bit difficult to setup.

The second issue you're going to encounter is the security of the connection. If you've setup RDP correctly (i.e. you've setup a server certificate correctly, you're forcing network-level authentication and you're using RDP over TLS) , then there is little risk.

Adding a VPN layer on top of this wouldn't add much to the overall security. Assuming you where running it from another machine it would still be a worthy addition since it would improve the security in depth (because in order to compromise the final machine you'd have to break two systems instead of one) but if you're installing everything on the same system, you actually increasing the system's area of vulnerability by adding another potential way to exploit vulnerability.

Stephane
  • 18,557
  • 3
  • 61
  • 70
  • 1
    I have disabled the Administrator account and set up a named account which is a member of Local Admins. I will set up another "back up" account in case the first is denied. Good point, thanks for that. I will have to investigate setting up a server certificate, because I haven't done that. I am just using RDP as it is in a default installation, but have modified the listening port and forced NLA. I also need to move files back and forth from this remote server now and then, and have an SFTP server setup. Maybe I should use a VPN for RDP and file access? Forgot to mention that in my original Q. – Mark Allison Jul 15 '13 at 10:36
  • If your RDP connection is secure and assuming you don't need unattended operation, you can just use that for file copy. – Stephane Jul 15 '13 at 12:08
  • This question seems to be getting a lot of views. I did go to the trouble of setting up an OpenVPN server, and it wasn't that hard. – Mark Allison Apr 09 '17 at 13:12
2

Using a non-default port is just a step, because automated scanners and worms will not be able to find it.

Microsoft’s Security Bulletin MS12-020, released in March 2012, described critical vulnerability in Microsoft’s RDP implementation on most Windows platforms (CVE-2012-0002), so consider configuring your RDP settings to use Enable Network Level Authentication (NLA) as suggested by Microsoft

Remember to have strong password to deal the brute force attack from worms like "Morto"

I hope I was helpful ^_^

Alesanco
  • 153
  • 1
  • 8