I would like to set up RDP for a small office of 7 users. I can easily set them up with the usual setup and by opening ports on the router, but I am pretty sure this is not the most secure method. I read that if I put all the machines behind a proper firewall this would make it more secure, but I am not finding a lot of info on how much more secure it is, and also on how best to set one up.

12 Spice ups

Never allow RDP over the Internet.

Have people connect to your firewall / router via VPN. Then they are on the local network and can RDP as needed.

Or, don’t use RDP at all. What are you trying to do here? Allow remote access to work machines? There are dozens of programs out there that do this and wouldn’t require VPN because they have their own secure connection methods.

But, whatever you do, don’t open ports and allow RDP.

4 Spice ups

I personally access RDP over the Internet and I used to find people accessing it online. I came up with simple solutions, which are as follows:

  1. I created an IP range, then I specified that only that IP range can connect over RDP.
  2. There was a tutorial online I read that changed the RDP port to any port that you wish (I didn’t do this though, much as it’s a good alternative as well).
  3. I created a logon notification that lets me know the last time there was a sign in on the machine and if there were any failed sign in attempts, they are counted and displayed before the desktop is shown. The same script sends an email when a login is detected.

The proper method to secure RDP is to funnel its traffic via a secure tunnel. The most straightforward and fastest way to implement it at your scale is to use Zerotier IMO. There are extra rules in Zerotier Central that you can use to narrow the remote access down to RDP protocol.

  1. Helpful, but IPs can be spoofed if someone really wants to get in. Not all that likely to happen for a single machine, though.

  2. Pretty much useless, because people can scan port ranges in a matter of seconds.

  3. Not a bad idea, but really only tells you about something after it’s already happened.

For single machines there are many free remote access programs out there that take care of security for you. Why try workarounds like this that only sort of secure things when there are so many other options available?

1 Spice up

Nobody mentioning MS Remote Desktop Gateway?

It’s our current method. Although I also use VPN connection as an alternative.

I removed the direct remote desktop access from specific IPs years ago.

As others have and will say, this is to be avoided if at all possible.

Until you can avoid it, there are a few other things I would recommend doing ASAP:

  1. Disable remote desktop for the administrator account
  2. Enable account lockout after n failed attempts. I would suggest 10 attempts or less and a lockout period of 30 minutes or more.
  3. Require NLA
  4. Use very strong passwords

1 Spice up
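A PowerShell audit for the four hardening points in the list above, as an added example that is not from any post in this thread. It assumes a Windows host with the standard Terminal Server registry values, `net accounts` and a `secedit` export available, and must be run from an elevated prompt.

```powershell
# Added example, not from any post in this thread: audit the four RDP hardening points
# above on a Windows host and summarise recent failed RDP logons. Run as Administrator.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$nlaKey = "$tsKey\WinStations\RDP-Tcp"

# RDP enabled? (fDenyTSConnections = 1 means Remote Desktop is turned off)
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
# NLA required? (UserAuthentication = 1 means "Require Network Level Authentication")
$nla = (Get-ItemProperty -Path $nlaKey -Name UserAuthentication).UserAuthentication

# Account lockout policy, parsed from the text output of `net accounts`
$netAcc = net accounts
$threshold = ($netAcc | Select-String 'Lockout threshold').ToString().Split(':')[1].Trim()
$duration  = ($netAcc | Select-String 'Lockout duration').ToString().Split(':')[1].Trim()

# "Deny log on through Remote Desktop Services" right, exported from local security policy.
# Listing the built-in Administrator (RID 500) or the Administrators group here blocks their RDP.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf | Out-Null
$match = Get-Content $inf | Select-String '^SeDenyRemoteInteractiveLogonRight'
$denyRdp = if ($match) { $match.ToString().Split('=')[1].Trim() } else { '(not set)' }
Remove-Item $inf -ErrorAction SilentlyContinue

[pscustomobject]@{
    RdpEnabled       = ($denyTs -eq 0)
    NlaRequired      = ($nla -eq 1)
    LockoutThreshold = $threshold      # "Never" means lockout is disabled
    LockoutMinutes   = $duration
    DeniedRdpLogon   = $denyRdp
} | Format-List

# Failed logons (Event ID 4625) in the last 24 hours, grouped by source address.
# Logon type 10 is RemoteInteractive; with NLA enabled, failures at the credential
# prompt are usually recorded as type 3 (Network) instead, so both are included.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['LogonType'] -in '3', '10') {
            [pscustomobject]@{ Source = $d['IpAddress']; User = $d['TargetUserName']; Type = $d['LogonType'] }
        }
    } |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

The password-strength point cannot be audited from a script; it is enforced through the domain or local password policy, which `net accounts` also prints.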

What do you define as ‘best’? Only then can the question be answered. It is subjective.

Are you actually looking for advice on how to securely permit RDP for remote users to the office?
Many answers above, but VPN is a must if you need RDP directly. Remote Desktop Gateway may be expensive for a small environment. Other screen-sharing remote apps such as Splashtop may be better for your needs.

2 Spice ups

Consider that if you want to connect via RDP directly you have two options:

  1. use NAT rules on your firewall to “mask” the ports which you are exposing to the internet, a very unsafe solution and also not so scalable / comfortable because you’ll have to create a rule for each RDP server and keep the list of allowed IPs always up to date.

  2. Remote Desktop Gateway, a better solution, but I wouldn’t choose it for a small environment.

In my opinion, the best solution which gives you both security and scalability is to connect via VPN to your office LAN and then simply start a local RDP connection.

Indeed, never use RDP over the Internet… in fact, many people would even say to simply turn off RDP completely, as it’s simply not a protocol designed with security in mind and RDP has had a long history of being attacked. Here are just some of the RDP exploits published, and you can simply Google to find many more RDP issues:

  • April 2, 2021: Feds say hackers are likely exploiting critical Fortinet VPN vulnerabilities | Ars Technica

Yet, if you are using RDP over VPN, please make sure you constantly monitor and patch your VPNs, and ensure you have MFA… Gartner, Zscaler, Palo Alto Networks, Fortinet, etc. are all pitching Zero Trust (& SASE / SSE) to bypass VPN nowadays… it’s also because VPN was never designed to support a remote workforce and the proliferation of SaaS apps (O365, Teams, Zoom, Salesforce, etc.). VPN is also constantly under attack:

  • April 2022: “Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities,” the U.S. cybersecurity agencies said in a joint advisory. U.S. Cybersecurity Agency Lists 2021's Top 15 Most Exploited Software Vulnerabilities

  • October 14, 2020: SonicWall VPN Portal Critical Flaw (CVE-2020-5135) | Tripwire

  • March 13, 2020: The Department of Homeland Security (DHS) has warned, “As VPNs are 24/7, organizations are less likely to keep them updated with the latest security updates and patches.”

  • September 24, 2020: Feds Hit with Successful Cyberattack, Data Stolen. The attack featured a unique, multistage malware and a likely PulseSecure VPN exploit. Federal Agency Compromised by Malicious Cyber Actor | CISA

  • May 16, 2019: FortiClient installer DLL Hijacking Vulnerability PSIRT | FortiGuard. Manual updates of FortiClient required ASAP.

  • Throughout 2019 and 2020, CISA published alerts on “Continued Exploitation of Pulse Secure VPN Vulnerability” Continued Exploitation of Pulse Secure VPN Vulnerability | CISA

Gartner’s analysis predicts that by 2023, 60% of enterprises will phase out their remote access VPN in favor of Zero Trust Network Access solutions. Zero trust is about “trust no one, and verify everyone.” The corporate perimeter is already broken, as most of the apps we use are in the cloud (Office365, Teams / Slack, Zoom, Salesforce, RingCentral, Google Workspace, Freshdesk, ServiceNow, NetSuite, etc.). SSO / password vault (adding the latest passwordless FIDO2 trend) should play a critical role in securing user access across various resources.

IMO, VPN gives excessive trust (unless you segment the networks, and also monitor device security posture, etc.). We believe it would be much better for MSP/IT to rely on a zero trust, secure remote access solution like Splashtop to provide a scalable, reliable remote access cloud-based solution that’s constantly monitored and automatically updated. No more manual updating and patching of VPN and RDP.

Splashtop invests millions in security yearly and invests in regular penetration testing. It has built-in device auth & 2FA. SSO option available. Our infrastructure includes 24x7 security monitoring/alerts… Furthermore, VPN with backhauling of traffic (unless doing split tunneling) introduces lots of performance challenges. It’s faster, safer, and cost-effective to leverage Splashtop.

@Splashtop