
We have a client who insists on having 6-7 LAN PCs open to the internet for RDP. The RDP listening ports on each PC have been changed from the default. These ports are forwarded in their SonicWall TZ200 firewall. I'm going to implement either or both of these security measures: require a VPN and allow RDP connections from LAN addresses only, and/or create users in the SonicWall and require the RDP users to authenticate to the SonicWall before establishing the RDP session. But my question is still pertinent: can the listening ports be determined by port scans against the firewall and public IP address, and, if so, how best to prevent that?

2 Answers


Short answer: yes.

Longer answer. Services with ports open to the Internet can be discovered regardless of what port they're listening on. RDP is no exception. Port scanning is quite common.

The supported configuration in your situation is to license and use the RDP Gateway service. You have a single entry point listening on 443 and encrypted with TLS which then acts as an RDP tunnel to get wherever you're going on the internal network.

It's not just a wide open thing for anyone to use. It has a separate authentication layer (via Active Directory) and you can get pretty granular with the security model. As in, group A can only reach computer group B, etc.

A lot of environments choose to just use a VPN instead because it's "easier".

Ryan Bolger

To address your direct question: yes, all listening ports and the services on them can generally be discovered by running a trivial port scan. You can't really stop this entirely; while I have had some success slowing/blocking port scanning attempts with psad, it is likely not supported by your firewall and is not undefeatable.

Dylan Knoll
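A lightweight version of the scan detection psad does, as an added example that is not from either answer or from the psad project: it flags any source that touches many distinct ports on the public IP within a short window. The log lines are constructed in a hypothetical syslog-like "drop src=... dport=..." shape, not SonicWall's real log format, so the regex would need adapting to whatever the firewall actually exports.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical firewall-drop line format (constructed, not SonicWall's own).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) drop src=(?P<src>[\d.]+) dst=[\d.]+ dport=(?P<dport>\d+) proto=tcp$"
)

# Constructed sample: one source sweeps 12 ports in 12 seconds, another
# retries a single port twice, plus an accepted line the regex ignores.
SAMPLE_LOG = [
    f"2024-03-01T10:00:{i:02d} drop src=203.0.113.7 dst=198.51.100.2 dport={3380 + i} proto=tcp"
    for i in range(12)
] + [
    "2024-03-01T10:00:05 drop src=192.0.2.9 dst=198.51.100.2 dport=3389 proto=tcp",
    "2024-03-01T10:00:06 drop src=192.0.2.9 dst=198.51.100.2 dport=3389 proto=tcp",
    "2024-03-01T10:05:00 accept src=192.0.2.9 dst=198.51.100.2 dport=443 proto=tcp",
]


def parse_line(line):
    """Return (timestamp, src, dport) for a dropped TCP line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])


def find_scanners(lines, window=timedelta(seconds=60), min_ports=10):
    """Map each source that hit >= min_ports distinct ports inside one sliding
    window to the largest distinct-port count seen for it."""
    recent = defaultdict(deque)  # src -> deque of (ts, dport), oldest first
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, src, dport = ev
        q = recent[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:  # expire events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_ports:
            flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"probable scan from {src}: {n} distinct ports within window")
```

Raising the threshold or shrinking the window trades missed slow scans for fewer false positives; a single repeated port, like the 192.0.2.9 retries above, is never flagged.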