1

I was reading this topic, and came up with a question, what do you guys use for remote accessing office computers? In my case “working from home”. I have read a lot of topics how using Windows RDP is unsafe and so. So what’s your choice?

cheers!

9 Spice ups
2

VPN into the network through the firewall. Safe, secure, and logged.

10 Spice ups
3

VPN is option but could be pretty complicated for users… Im talking about remote desktop. Thnks

4

RD Gateway

" I have read a lot of topics how using Windows RDP is unsafe"

pinkman.gif

2 Spice ups
5

Google. Most attacks are to rdp…

6

I don’t know of any current issues with RDP that isn’t related to weak passwords.

RD Gateway makes the connection a little bit more secure. I say just a little bit, because I don’t think that RDP is actually that insecure to begin with.

We add two factor authentication.

Make sure your users have good passwords.

4 Spice ups
7

What Robert was referring to was connect to the network via VPN and then RDP to the internal private IP address. Port forwarding RDP through the firewall is insecure. Using RDP over encrypted VPN is fine.

6 Spice ups
8

We use Kaseya.

9

What is actually insecure about port forwarding 3389? Authentication, keyboard, mouse, and video is all encrypted. The computer has a certificate to prevent MITM attacks. Okay, usually it’s self signed, but…

10

For starters, you are at the mercy of any vulnerabilities in the RDP protocol itself, such as this one:

If you go back farther, you had ones like this: Microsoft Security Bulletin MS05-041 - Moderate | Microsoft Learn

It’s easy to say in hindsight well those were patched, we don’t have to worry about them. What about the next one that we don’t know about yet?

Adding a VPN provides another layer of security. It also potentially lets them work on brute forcing user names and passwords depending on your password lockout policy if there is one. There are third party products that can add 2FA to RDP, but you may already have this functionality with your VPN product.

There were also tools like TSGrinder floating around: TSGrinder - Brute Force Terminal Services Server - Darknet - Hacking Tools, Hacker News & Cyber Security

In terms of general security, I don’t advise punching holes in your firewall from the internet to the trusted network. Things that need to be accessed from the outside without a VPN should hit a server in the DMZ.

1 Spice up
11
12

Hmm, that’s all just brute force attacks and one real implementation vulnerability in the software. I don’t see the difference between that and brute forcing credentials for VPN. Account lockout takes care of brute forcing regular acounts. Rename the administrator account to prevent that attack vector.

RDP over RD Gateway allows you to eliminate attacks against the administrator account by not allowing connections for those accounts.

I say that I trust RDP more than VPN based on OpenSSL. Just look at all critical issues in OpenSSL over the years. Targeted Attack Uses Heartbleed to Hijack VPN Sessions | Threatpost

1 Spice up
13

Because with VPN you then have 2 layers so even if they brute force the VPN and then have to do the same with the RDP it slows them down. With a lockout or even timeout for multiple failed attempts it slows them down to the point that they go and find an easier target. I can set the firewall to alert to all failed VPN log in attempts.

They also have to be using the correct type of VPN software with the correct configuration to even get it to speak to the firewall, my firewall only accepts VPN connections from it’s own VPN software.

14

If a hacker has brute forced the VPN credentials, then those are normally the same credentials as for RDP, unless you are forcing your users to remember 2 passwords, in which case they’re probably both weak, or you spend a lot of time resetting one password or the other because they don’t remember it.

You can also alert on all failed RDP login attempts.

It’s very easy to give VPN clients too much acces a over VPN. Normal policy is permit everything. Restrictions to absolute minimum such as DNS and RDP, maybe web browsing is hard. Heck, how many times do we see posts about trying to setup PPTP?

I stand by my security decision to eliminate VPN for users and only allow RDP through RD Gateway.

1 Spice up
15

Ok, here’s my spin on RD Gateway VS VPN…

Generally speaking VPN access grants remote user access to your entire network.

RD Gateway grants RD to a single PC.

OP, Remote Desktop, or any other remote access technology is only going to be as secure as your security practices and protocols.

1 Spice up
16

While not free, Splashtop Business Access is cost effective ($60 per user per year). Support multi-factor authentication, all traffic encrypted (SSL / TLS), etc. High performance. Millions of users today. No need to worry about setting up gateway, vpn, etc… broad device support ( can remote from iOS, Android, windows, mac, chromebook, etc.)

STB_Benefits.jpg
STB_Benefits.jpg800×92 15.9 KB

@Splashtop

1 Spice up
17

We set up a Linux VM with the SSH configuration set to only allow key based logins from remote connections. The client side uses Putty to connect to the SSH server and then port forwarding to send RDP traffic to/from the internal system. We’ve built some scripting around it for the regular users, but that’s what happens under the hood.

It’s all free. The strength (or lack of) the user password is irrelevant since the RDP service is never exposed to the public Internet. The SSH login requires a key (and a separate password if you want) so dictionary attacks against the SSH server are also irrelevant. It also doesn’t effectively plug a insecure remote PC into your LAN like a VPN approach.

18

Do you have any reviews on http://www.litemanager.com/ ? Looks like its free for business…

19

ConnectWise Control, formally ScreenConnect, has a free version now. Trial | ConnectWise ScreenConnect™ Remote Support

20

Yes, we do have a free version! Just want to clarify though that this is intended for commercial-use only at this time. But please let me know if you have any questions!