We have a fairly high percentage of our users who access our RDP server from remote locations.

They mainly use VPN in order to gain access to the internal network; however, we also have the RDP port redirected on the firewall, pointing straight to the server.

This allows any user who is having issues connecting to VPN a means to access the system.

The downside of this is that it leaves the server possibly open to various attacks, i.e. brute force etc., and is an obvious security risk.

Are there any suggestions on how I can lock this down a bit more, while still maintaining some of the ease/functionality of the open port?

5 Spice ups

I’m a firm believer in VPN only in this situation - although I am looking at RDWeb as an alternative.

1 Spice up

That would be my preference, however there have been occasions where the user is unable to connect to VPN & can only get access via the “direct” route.

Change the port for a start, possibly restrict by originating IP address, but exposing RDP to the interwebs is a really big threat IMHO and it's a risk you should not incur if at all possible.

Find out what the problem with the VPN is and address that; that is a better solution.

4 Spice ups

Main issue with VPN tends to be Error 800s, which I believe are caused by something on a network external to our server.

I agree with the others. What device is handling VPN? Are the connection problems with all or specific users?

Second this - if you have to leave it open change to non-standard port. I’d still try to get the VPN issues ironed out though and move in that direction.

Use Remote Desktop Server Gateway, problem solved!

3 Spice ups

Totally agree, VPN for RDP. I certainly wouldn’t want to open any ports for RDP which can come from any t’internet IP. However if this is your only option, at the very least lock the port on the firewall to specific originating IPs. But this will be troublesome to administer as most ISPs (in the UK at least) use dynamic IP.
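The "lock the port to specific originating IPs" and "change the port" advice above can be applied on the host itself as a second layer behind the perimeter firewall. The PowerShell below is an added example, not code from the thread; it assumes it is run elevated on the RDP host, and the address list is a constructed placeholder (documentation ranges) that must be replaced with the real public addresses of the remote users.

```powershell
# Added example (not from the thread): scope the inbound RDP rule on the host
# firewall to an allowlist of source addresses and optionally move the listener
# off 3389. Run elevated on the RDP host.
$AllowedSources = @('203.0.113.10', '198.51.100.0/24')   # constructed placeholder ranges
$NewPort        = 3389                                    # set e.g. 33890 to move off the default port

# Disable the built-in "any source" RDP rules so only the scoped rule below applies
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# Move the listener port if requested (takes effect after TermService restart or reboot)
if ($NewPort -ne 3389) {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                     -Name 'PortNumber' -Value $NewPort -Type DWord
}

# One inbound TCP rule on the chosen port, limited to the allowlist
$ruleName = 'RDP (scoped to allowlist)'
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                    -LocalPort $NewPort -RemoteAddress $AllowedSources `
                    -Action Allow -Profile Any | Out-Null

# Verify the effective source scope of the new rule
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Apply this from a console or VPN session rather than over the RDP connection being restricted, since disabling the stock rules drops any session not covered by the allowlist. Only TCP is opened here; the UDP transport newer clients use is left closed so they fall back to TCP. As the post notes, dynamic ISP addresses make the allowlist a maintenance burden, which is the practical argument for the Remote Desktop Gateway or VPN-only options discussed in the thread.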

Agree, if direct VPN isn’t an option then stand up a Remote Desktop Gateway Server within your DMZ.

RDP gateway looks like a good way ahead - I’ll look into it.

Also looking @ SSL VPN solutions which may prove better than the current PPTP/L2TP setup.