Question about securing RDP, that is simply port forwarded via router.

I realize automated bots will descend on opened ports and run their brute-force attack methods. What I’m wondering: can updating a Windows Firewall rule to only allow connections from some WAN IP address be enough to protect an RDP connection? I’ve tried it and gone from seeing constant attacks (no firewall rule) to no attacks (with the firewall rule). No attacks that I’m aware of. What are people’s thoughts on this method for securing RDP? Is there a way for hackers to circumvent such a rule? Can hackers hack an active session? I would think not, since RDP traffic is encrypted.

4 Spice ups
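An added example (not part of the original post): a PowerShell script that does what the question describes on a stand-alone Windows 10 Pro host, scopes every rule in the built-in Remote Desktop group rather than just the TCP one, and then checks that no other enabled inbound rule quietly admits the same port. It assumes an elevated Windows PowerShell session, that 203.0.113.7 is a documentation-range placeholder for the client’s real WAN address, and that the router’s port forward preserves the original source address (ordinary DNAT behaviour; if the router rewrote the source to its own LAN address, Windows Firewall would only ever see the router and the scoping would match nothing useful, which the before/after observation in the question already rules out for that setup).

```powershell
# Added example, not from the thread: scope the built-in Remote Desktop rules
# on a workgroup Windows 10 Pro host to one allowed WAN address, then verify.
# Assumptions: run elevated; 203.0.113.7 is a placeholder for the client's
# real WAN address; the router's port forward keeps the original source IP.

$allowed = @('203.0.113.7')   # add more entries for more sites, e.g. '198.51.100.0/24'

# Windows ships several rules in the "Remote Desktop" group (TCP, UDP and the
# shadow-session rule). Scope all of them: scoping only the TCP rule leaves
# the UDP transport reachable from anywhere.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop'
$rdpRules | Set-NetFirewallRule -RemoteAddress $allowed -Profile Any -Enabled True

# Check 1: every Remote Desktop rule now lists only the allowed address(es).
$rdpRules | Get-NetFirewallAddressFilter |
    Select-Object @{ n = 'Rule'; e = { $_.InstanceID } }, RemoteAddress |
    Format-Table -AutoSize

# Check 2: no *other* enabled inbound allow rule admits the listening port.
# The port is read from the registry because the thread suggests moving it
# off 3389; the firewall only ever sees what the host actually listens on.
$rdpPort = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').PortNumber
$leaks = foreach ($r in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
                         Where-Object { $_.DisplayGroup -ne 'Remote Desktop' }) {
    $pf = $r | Get-NetFirewallPortFilter
    # LocalPort is 'Any', a single port, or an array of ports; a range such
    # as '3000-4000' is not parsed here and needs a manual look.
    $hitsPort = ($pf.LocalPort -eq 'Any') -or ($pf.LocalPort -contains "$rdpPort")
    if ($pf.Protocol -in @('TCP', 'UDP', 'Any') -and $hitsPort) {
        $af = $r | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $r.DisplayName
            Protocol      = $pf.Protocol
            RemoteAddress = ($af.RemoteAddress -join ',')
        }
    }
}
if ($leaks) {
    Write-Warning "Other rules still admit port ${rdpPort}:"
    $leaks | Format-Table -AutoSize
} else {
    Write-Output "Only the Remote Desktop group admits port $rdpPort; remote scope: $($allowed -join ', ')"
}
```

The second check is the one that usually matters in practice: a third-party remote-support agent or an "allow all from LAN" rule added years earlier will happily admit the port from any source, and the Remote Desktop group’s own scoping says nothing about it.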

IPs can be spoofed, so if someone finds out what you are set to, you could be in trouble.

Why do you want to do it this way instead of using an accepted secure method?

2 Spice ups

Updating the Windows Firewall rule means that the connection attempts will still be coming through the router and to the host. So if there were an exploit or the like, you may be vulnerable.
You could add a similar firewall rule to the router so that it only allows connections from the same set of IP addresses on the port forward. This will stop the connections there. Also, on the router, using a different port from the default for RDP is advised; it will fool some simple port scan tools.
To increase security from this you would need to look at using either a VPN or a reverse proxy and a web services RDP gateway.

1 Spice up

I’d be curious how the hacker could determine what IP was listed as allowed. First off, they can’t see the port because it won’t respond to them; they would need to know the port (I’m using a random port number) and then spoof all IPs against it until seeing a response. I don’t think this would be likely. The accepted secure methods, in my opinion, are simply double-bagging the security; usually a VPN is suggested, but a VPN can also be brute-forced over time, so I’m experimenting with alternate methods.

2 Spice ups

I’ve also tried at the router level; for instance, our SonicWalls have the ability to create rules that can only be accessed by certain IPs or domains.
As for deploying a VPN or reverse proxy and web RDP gateways, it’s not feasible for small business clients who may only have 1-2 computers.
I’ve heard many say the IP could be spoofed; how could a hacker know what IP I’m allowing? What would be the discovery technique?

This assumes the attack is coming from outside. What if someone inside gets phished or compromised and provides the information?

1 Spice up

I disagree. RDP Gateway is built into the RDS Server - no extra cost associated, just a bit of learning to get it setup.

Many routers include VPNs, so again, there may be little to no cost, just some education to get it setup.

1 Spice up

It all depends on how big a target you are. If you’re small, like my company is, you don’t have to be as worried. I’ll say it again, though. Your SonicWalls have VPN host capability. For the extra bit of security that affords, why not use it? You defeat brute force by enforcing lengthier passwords. ‘In your opinion,’… invalidates the work of thousands of security researchers over years? Now, back to RDP…

Most companies don’t have the luxury of defining static IP addresses as the client for an RDP connection. Most people are travelling, or have dynamic IP addresses assigned to them randomly by their ISPs. Let’s say you get every employee that will use RDP to have a static IP address. So, if a hacker were able to sniff out some packets going between the client and host, they might not be able to see the traffic, but they could find out the source and destination addresses. Even if they were to come close, they would just need a smallish block of addresses to try spoofing in an attack.

Beyond that, you need to defeat random probes. So you run RDP on a non-standard port, and tell your SonicWalls to blacklist any IP that hits default port 3389, amongst others, including the ones immediately around the new port you’ve chosen. If someone was persistent and observant, though, they would figure this out over time. That’s even discounting a random probe just happening to land right on top of it with the right IP address.

I was in exactly your situation a few years ago, although I couldn’t specify static IPs like you’re proposing. An RDP port was hacked, and I’ve been using VPNs ever since. My users, who are famously resistant to change and detest any extra security measures, accepted them rather quietly. Heck, with Windows 10, it’s literally clicking a Network link to attach to the VPN. That’s it.

2 Spice ups

I don’t believe Windows 10 Pro stand-alone, with no domain server, can do RDP Gateway; RDP Gateway is a function of Windows Server and RDS licensing, so lots of money. I’m mostly talking about users of RDP from a workgroup Win10 (small business) setup where they want to make use of RDP rather than buying into endless monthly subscriptions or buying expensive server software.

I thought you were talking about an RDS Server. Ignore that comment, then.

VPN at the router, then.

Though, the remote control apps out there (like RemoteUtilities or Teamviewer) really aren’t very expensive and will be more secure than RDP open to the Internet.

As always, you have to weigh security vs. ease of use and cost.

1 Spice up

I’ve also experimented with host names instead of hard-coded IPs. You set the user’s laptop up with a dynamic DNS client to update its current IP; the user’s computer updates xyz.somedomain.com to 71.88.99.10, and when the user attempts a connection back to the office, it’s accepted because they are connecting from xyz.somedomain.com. I was looking into the feasibility of hackers doing a reverse lookup on xyz.somedomain.com and couldn’t really see how one would do that. If you do an nslookup via IP, it does not show the dynamic DNS name xyz.somedomain.com; it usually shows the ISP’s identification for the connection (example: 3434234234shaw.canada.ca). I’d be curious to see how a hacker could study traffic that was already filtered from their eyes, unless they already knew and could spoof the known IP or domain name associated with the IP. I do use VPNs for RDP, but it’s not an easy sell trying to sell a small business on an expensive SonicWall router for 1 remote connection. And I’m of the mind that VPNs are just as vulnerable as RDP, hacking-wise, so it’s only a matter of time before a bot hacker would eventually guess both the VPN and RDP passwords. Another way I’m looking to possibly secure a lone Win10 Pro RDP setup is by applying 2-factor authentication to the Windows login; anyone know of some great ways to achieve that?
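An added example (not part of the post): a PowerShell script that implements the dynamic-DNS variant described above. It assumes it is run elevated from a scheduled task on the office host every few minutes (more often than the laptop’s DDNS client updates), that xyz.somedomain.com is the hypothetical DDNS name from the post, and that the Remote Desktop rule group is the one carrying the allow-list. Two caveats worth stating plainly: Windows Firewall never matches on the hostname, only on the address this script resolves, so the thing an attacker would need to subvert is the DDNS account or the DNS answer itself (ordinary DNS is unauthenticated); and the script fails closed, so a failed lookup leaves the previous address in place and locks the roaming user out rather than widening the rule to Any.

```powershell
# Added example, not from the thread: refresh the Remote Desktop firewall rules
# with whatever the user's dynamic-DNS name currently resolves to. Intended to
# run elevated from a scheduled task (e.g. every 5 minutes). Assumptions:
# 'xyz.somedomain.com' is the hypothetical DDNS name from the post; fixed WAN
# addresses that should stay allowed go in $StaticAddresses. The firewall never
# sees the hostname, only the address resolved here, so a poisoned DNS answer
# changes who is allowed in; keep the DDNS account and resolver trustworthy.

param(
    [string[]]$AllowedNames    = @('xyz.somedomain.com'),
    [string[]]$StaticAddresses = @(),
    [string]  $LogPath         = "$env:ProgramData\rdp-allowlist.log"
)

function Resolve-AllowedAddresses {
    param([string[]]$Names)
    $found = @()
    foreach ($n in $Names) {
        try {
            # -DnsOnly bypasses the hosts file, LLMNR and NetBIOS; only A records count.
            $recs = Resolve-DnsName -Name $n -Type A -DnsOnly -ErrorAction Stop
            $ips  = @($recs | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
            if ($ips.Count -eq 0) { Write-Warning "$n has no A record" } else { $found += $ips }
        } catch {
            Write-Warning "Lookup of $n failed: $($_.Exception.Message)"
        }
    }
    return $found
}

# @( ... ) around the whole pipeline so an empty result is a zero-length array, not $null.
$fresh   = @(@(Resolve-AllowedAddresses -Names $AllowedNames) + $StaticAddresses | Sort-Object -Unique)
$rules   = Get-NetFirewallRule -DisplayGroup 'Remote Desktop'
$current = @($rules | Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress | Sort-Object -Unique)

if ($fresh.Count -eq 0) {
    # Fail closed: a failed lookup must never widen the rule back to 'Any'.
    # The stale address stays; the roaming user is locked out until DNS recovers.
    Add-Content $LogPath "$(Get-Date -Format s) no addresses resolved; rules left unchanged"
    return
}

if (($current -join ',') -ne ($fresh -join ',')) {
    $rules | Set-NetFirewallRule -RemoteAddress $fresh
    Add-Content $LogPath "$(Get-Date -Format s) remote scope changed: [$($current -join ',')] -> [$($fresh -join ',')]"
}
```

The log line is deliberately the only output on change: on a workgroup machine with no central logging, a growing list of "remote scope changed" entries at odd hours is the one signal that someone other than the user is steering the DDNS name.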

I would highly recommend using Splashtop Business Access for secure remote access (supports 2FA, device authentication, encrypted traffic, automated updates, etc.). Splashtop starts at just $5 per user per month (billed annually). It’s high-performance, supports a broad range of devices, is reliable, and most importantly, it’s secure. We have written an article on all the issues around VPN/RDP security challenges: Best VPN & RDP Alternative 2024
Another issue with VPN is around backhauling of traffic impacting performance. Tens of thousands of businesses have moved to Splashtop as their secure remote access solution, bypassing VPN/RDP. VPN exposes your entire network to potential risks. I’m here to answer any question.

@Splashtop

1 Spice up

There are many inexpensive routers out there that support VPN.

That’s not true. RDP is a known protocol that’s easy to spot when sniffing traffic. VPN is just encrypted data, so could be anything. No way for a sniffer to tell what it is.

2 Spice ups

That would still be leaving RDP open, which would attract attackers, which could result in a DoS. I’ve seen this happen many times. Even if they don’t get into the machine it can make your Internet connection so unreliable that RDP won’t work.

1 Spice up

Expensive router? Even many/most consumer grade routers have it built-in these days.

1 Spice up

One of my clients had been using port-forwarded RDP for many years; we had been using it with IP filtering. I switched him over to paid Splashtop because I was annoyed with having to update IPs all the time for him. We both dislike Splashtop performance; it’s slow, sluggish, and nothing like the RDP experience. I primarily use paid TeamViewer to administer my clients, but will admit to disliking TeamViewer compared to RDP also; RDP is king in terms of experience. There’s a subscription for everything these days. My aim is to create a secure option for small business clients not involving monthly subscriptions.

I would apply 2-factor auth with IP filtering; I think it would be rock solid. I just haven’t figured out the best option for 2-factor auth on a Win10 Pro workgroup computer.

That would be VPN to the router, then RDP into the machine, as we’ve mentioned above.

Spoofing TCP connections is incredibly difficult, as you need to be able to get return traffic routed to you.

Cisco DUO is free for organizations of 10 users or less as an MFA option.

For such small clients, if you can restrict RDP to specific internet addresses that would be my preference. The reason being that there is NO VPN, so you don’t need to try to secure the VPN connection against malicious traffic once an authorized device connects.

If your router can’t restrict the RDP client IP, then it probably can’t restrict VPN traffic either.

A VPN allowing DNS, RDP, and maybe traffic to the Internet would be my second choice.

Unrestricted VPN after MFA would be my last choice.

3 Spice ups

First, thank you for being a Splashtop customer. Sorry to hear about the performance issue you experienced with Splashtop. It seems like your setup/configuration might be an issue, because we do have millions of very happy users (based on our Net Promoter ratings from email surveys and also 4.5-star ratings on the Apple Store, Google Play, etc.). In fact, we have Disney, Fox News, Discovery Channel, NBC, CBS, and many media and entertainment companies all using Splashtop to do remote video editing: Fast & Secure Remote Access for Media and Entertainment. Many 3D CAD/CAM architectural and design houses use Splashtop to remotely stream 3D design work: Fast and Secure Remote Access for Designers and Architects. Lots of different case studies.
Years ago, NVIDIA CEO Jensen Huang was on the live stage at CES with a professional gamer to remotely play a 3D game using Splashtop (it’s available on YouTube). Splashtop runs circles around RDP in most workload scenarios. We would love to look into your setup to understand your configuration. Please feel free to PM me, and our team would like to root-cause the issue you have. Beyond performance benefits, Splashtop reduces IT/MSP headaches, so there’s no need to keep updating and patching RDP and VPN for the latest security vulnerabilities, as many are reported and outlined: Best VPN & RDP Alternative 2024

@Splashtop