Jimmy20
(Jimmy20)
1
Do you enable RDP on your client computers and servers but block it from the public internet?
How do your remote users connect while outside the office?
What is the most secure way to enable RDP internally and for remote users?
76 Spice ups
Rod-IT
(Rod-IT)
3
It’s not open to the internet by default
VPN
RDP internally and VPN then RDP externally
11 Spice ups
Jimmy20
(Jimmy20)
4
If I am onsite and rdp from my office PC to the server, is that considered safe without 2FA?
We do have VPN for all remote users setup before they can rdp to their office PC.
timhetzel
(Timb0slice)
5
Personally, I would just put 2FA on everything if that’s an option for you so you can sleep better at night. The setup isn’t terribly hard and it’s a pretty cheap solution to provide an extra layer of protection. If RDP isn’t open to the internet it’s not as big of a concern but I wouldn’t just ignore it either.
4 Spice ups
alans
(AlanS)
6
Under a prior employer I needed to secure outside-in access for remote workers. I created a distillation of several Best Practices methodologies that our PCI remediation vendor documented.
What got implemented was to start with our existing VPN and add Multi-Factor Authentication (used Phone Factor, now Azure MFA) to validate the user. At the same time we used a modified port for the RDP that would not show up on most scans of the network. The internal side RDP also required Network Level Authentication.
Additionally there were firewall rules to keep VPN traffic to internal networks, and a connection out of the corporate office was made to require two or more pivots. These pivots required more permissions than the office staff were allowed.
As a side note - all these precautions are great as long as they are supported. If you leave the company and those left behind cannot understand the value of maintaining the effort, bad things can happen.
2 Spice ups
VPN from the internet to the edge - from there a packet filter to only allow 3389 from the SSL credential to the IP address or DNS Hostname of the system in question. Keeps that user off of the rest of your subnet too…
So, in this example “TroyM” authenticates via SSL-VPN to the edge. The edge then will allow 3389 and only 3389 to go to the IP of the work station (DNS Name will work as well - but this is fake)…
6 Spice ups
Off porting means nothing to a most basic port scanner…
Allowing a remote session with more ports than needed is the problem (in this example only 3389 is needed, and then only to a specific DNS name and/or IP that the user needs to access).
For instance, we have a HyperV Server that has +/- 50 Windows 10Pro boxes running on it (too many oddball applications for RDS). So, we assign the host name of the system to a SSL-VPN name (taken out of AD) and we know that even folks with access can only access limited resources. No reason at all to allow additional ports or and even worse - an entire subnet.
@alans
1 Spice up
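A host-side counterpart to the edge filter described above, as an added example and not code from this thread: it scopes the target workstation's own Windows Firewall to TCP 3389 from the VPN-assigned address and the office LAN, keeps the listener on 3389 (a moved port does not survive a port scan, as noted above), and turns on the Network Level Authentication and TLS security layer that alans mentioned. The addresses, the rule name and the "TroyM" pool address are hypothetical placeholders; run it elevated on the host that is being reached over RDP.

```powershell
# Added example (not from the thread): mirror the SSL-VPN edge filter on the RDP host itself.
# Hypothetical values: the address the SSL-VPN assigns to "TroyM" and the on-site LAN range.
#Requires -RunAsAdministrator

$RemoteUserVpnAddress = '10.200.0.15'                          # hypothetical VPN-assigned address for TroyM
$AllowedSources       = @($RemoteUserVpnAddress, '10.10.0.0/16') # plus the on-site LAN (hypothetical range)
$RuleName             = 'RDP-3389-from-VPN-and-LAN-only'

# 1. Disable the stock "Remote Desktop" rule group. Those rules allow 3389 from ANY address on the
#    Domain/Private profiles, which is the broad exposure being replaced.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 2. One narrow inbound allow: TCP 3389 only, from the listed sources only, never on the Public profile.
Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AllowedSources -Profile Domain,Private `
    -Action Allow -Enabled True | Out-Null

# 3. Make sure every profile still denies inbound by default, so nothing else lets 3389 through.
Get-NetFirewallProfile |
    Where-Object { $_.DefaultInboundAction -ne 'Block' } |
    Set-NetFirewallProfile -DefaultInboundAction Block

# 4. Keep the listener on 3389 (moving it only hides it from a lazy scan) but require
#    Network Level Authentication (CredSSP before a session exists) and TLS on that listener.
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1   # 1 = NLA required
Set-ItemProperty -Path $RdpTcp -Name SecurityLayer      -Value 2   # 2 = TLS required

# 5. Show what is now in force.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
Get-ItemProperty -Path $RdpTcp | Select-Object UserAuthentication, SecurityLayer
```

To confirm the scoping, run `Test-NetConnection -ComputerName <host> -Port 3389` from a machine that is neither on the LAN nor on the VPN; it should report TcpTestSucceeded as False, while the same test from the VPN-assigned address succeeds. The `-RemoteAddress` list accepts either single addresses or CIDR ranges, so the whole VPN pool can be listed instead of one user's address where the edge does not pin users to fixed addresses.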
You can look at adding 2FA and contextual access security across Windows and RDP logins with UserLock.
UserLock supports 2FA through authenticator applications. They offer a second factor to better protect access to the network. More here on 2FA
Simple to manage, it works seamlessly alongside AD to extend security. (No modifications to AD accounts, structure or schema). Administer by User, Group and Organizational Unit to make implementation easy, even for larger user bases.
There’s a 2 minute demo here
1 Spice up
jct2
(JCT2)
10
RDP has some vulnerabilities, and I would implement the following to reduce your exposure to those vulnerabilities:
- Under most situations, if a user outside the network needs to connect to an internal resource, the only way that would be allowed is to first connect via VPN. If you set up a VPN connection, I would highly recommend 2FA.
- As a general rule, I apply firewall rules and GPOs to not allow users to access any workstation. In situations where a user needs access, I create an exception rule to allow that user to a specific workstation.
- On servers, RDP is allowed only for administrators within a specific security group.
1 Spice up
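The "deny by default, one named exception per workstation, servers only for a specific admin group" model in the post above, as an added example and not jct2's own tooling: it treats the local Remote Desktop Users group as the allow list, empties it on workstations that have no exception, turns the listener off where nobody is allowed, and on servers admits only a dedicated domain group. The computer name, user and group names are hypothetical; run it elevated on each host (or from the same logic in a startup script).

```powershell
# Added example (not from the thread): local-group allow list for RDP by host role.
# Hypothetical names: WS-0412, CORP\jdoe, CORP\RDP-ServerAdmins.
#Requires -RunAsAdministrator

function Set-RdpAllowedPrincipals {
    param([string[]]$Allowed = @())   # principals allowed to RDP in; empty means nobody
    $group   = 'Remote Desktop Users'
    # Names come back as DOMAIN\name, so $Allowed must use that same form.
    $current = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.Name })

    foreach ($m in $current) {         # remove anyone not on the list ...
        if ($Allowed -notcontains $m) { Remove-LocalGroupMember -Group $group -Member $m }
    }
    foreach ($a in $Allowed) {         # ... and add anyone missing
        if ($current -notcontains $a) { Add-LocalGroupMember -Group $group -Member $a }
    }

    # With nobody allowed, switch the listener off too so the host does not answer on 3389 at all.
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = if ($Allowed.Count -eq 0) { 1 } else { 0 }
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value $deny
    # NLA stays on regardless of who is allowed.
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Allowed          = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
                             ForEach-Object { $_.Name })
        ListenerDisabled = ($deny -eq 1)
    }
}

# Role from the OS product type: 1 = workstation, 2 = domain controller, 3 = member server.
$productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
switch ($productType) {
    1 {
        # Workstations: nobody by default. An exception is one named user on one named host.
        $exceptions = @{ 'WS-0412' = @('CORP\jdoe') }   # hypothetical: jdoe may reach WS-0412 only
        $who = if ($exceptions.ContainsKey($env:COMPUTERNAME)) { $exceptions[$env:COMPUTERNAME] } else { @() }
        Set-RdpAllowedPrincipals -Allowed $who
    }
    default {
        # Servers and DCs: only the dedicated admin group, never Domain Users or individual accounts.
        Set-RdpAllowedPrincipals -Allowed @('CORP\RDP-ServerAdmins')
    }
}
```

One caveat a practitioner should keep in mind: the user right "Allow log on through Remote Desktop Services" (User Rights Assignment in GPO) grants access to Administrators as well as Remote Desktop Users by default, so local or domain admins can still RDP to a workstation this script has emptied; if that is not wanted, that right is where to change it. The firewall scoping belongs alongside this, since this script only controls who may log on, not which addresses may reach the port.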
Our company prefers Citrix for remote access, granting VPN access to only a few, special users… IT also connects via a separate Citrix environment, containing admin tools, and uses Remote Desktop Manager to connect to servers, switches, etc.
macy8
(macy8)
12
We use Goverlan to remote around the office. Sometimes some people work from out of the office and they use a VPN, and only they are allowed to use RDP on their computer.
1 Spice up
This is what we do at my place.
3 Spice ups
ChrisOU812
(ChrisOU812)
14
I would have just stopped at “modified port for the RDP” because you cannot guarantee what ‘most scans’ on your network will be. Unless you have detection on port scans that will trigger a block of the IP address doing the scanning (or similar security measure) then every IP and port on your network can be scanned for RDP or any other accessible port.
—Edit—
Sorry, did not see the post by @anothertractor , basically saying the same thing. Don’t want to jump on someone when it’s already been said.
@alans
1 Spice up
The most secure way to enable RDP internally and for remote users is in layers.
- Start at layer 8 with limiting access based on roles. Not everyone should need to RDP. If you don’t need it, disable access.
- The most important and effective measure is to secure it with MFA. There are many IAM (Identity and Access Management) vendors that have solutions for this. UserLock and DUO have been mentioned previously. JumpCloud and Okta are two other vendors that have solid solutions for this.
- As others have mentioned, make sure you implement firewall policies to ensure only port 3389 is allowed. (You can add security through obscurity by adding port-forwarding if you choose, but you risk over-complicating your solution.)
- You want to make sure your connections are logged in a way that makes them easy to review and correlate to incidents. Best-case scenario, you have a SIEM tool you can forward logs to. Many times you can get logs from the firewall coming in, the server you are connecting to, and the IAM provider will many times have logs as well.
1 Spice up
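The logging layer in the post above, as an added example and not code from this thread: it pulls RDP logons (Security event 4624 with logon type 10, RemoteInteractive) from the host being connected to, and flags any whose source address is outside the ranges the VPN and the office LAN hand out. If the edge filter and firewall scoping described earlier in the thread hold, the flagged list should be empty; anything in it is worth correlating against the firewall and IAM logs. The address ranges and the sample records are constructed placeholders.

```powershell
# Added example (not from the thread): flag RDP logons whose source is outside the VPN pool / LAN.
# Constructed placeholders: the CIDR ranges and the sample records at the bottom.

function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $parsed = $null
    # '-', 'LOCAL' and IPv6 sources do not parse as IPv4; treat them as "not in range" so they get flagged.
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$parsed) -or
        $parsed.AddressFamily -ne 'InterNetwork') { return $false }
    $net, $bits = $Cidr -split '/'
    $toInt = {                                   # dotted quad -> 32-bit integer (as [long])
        param($ip)
        $v = [long]0
        foreach ($b in [System.Net.IPAddress]::Parse($ip).GetAddressBytes()) { $v = ($v -shl 8) -bor $b }
        $v
    }
    $mask = ([long]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    return (((& $toInt $Address) -band $mask) -eq ((& $toInt $net) -band $mask))
}

function Get-RdpLogonRecord {
    # Real source: 4624 events on this host, reduced to the RDP ones (LogonType 10).
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.LogonType -eq '10') {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    User     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    SourceIp = $d.IpAddress
                    Host     = $env:COMPUTERNAME
                }
            }
        }
}

function Find-UnexpectedRdpLogon {
    param([object[]]$Records, [string[]]$AllowedRanges)
    foreach ($r in $Records) {
        $inRange = $false
        foreach ($c in $AllowedRanges) {
            if (Test-IPv4InCidr -Address $r.SourceIp -Cidr $c) { $inRange = $true; break }
        }
        if (-not $inRange) { $r }                # emit only the ones that should not have happened
    }
}

$AllowedRanges = @('10.200.0.0/24', '10.10.0.0/16')   # hypothetical: VPN pool, then office LAN

# Constructed sample records (not real log data) so the filter can be exercised offline.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2024-03-01T08:12:00'; User = 'CORP\troym'; SourceIp = '10.200.0.15';  Host = 'WS-0412' } # VPN pool: fine
    [pscustomobject]@{ Time = [datetime]'2024-03-01T09:03:00'; User = 'CORP\jdoe';  SourceIp = '10.10.4.22';   Host = 'WS-0412' } # LAN: fine
    [pscustomobject]@{ Time = [datetime]'2024-03-01T23:41:00'; User = 'CORP\jdoe';  SourceIp = '198.51.100.7'; Host = 'WS-0412' } # neither: flag
    [pscustomobject]@{ Time = [datetime]'2024-03-02T01:05:00'; User = 'CORP\svc1';  SourceIp = '-';            Host = 'WS-0412' } # no address: flag
)
Find-UnexpectedRdpLogon -Records $sample -AllowedRanges $AllowedRanges | Format-Table -AutoSize

# Against the live log on this host:
# Find-UnexpectedRdpLogon -Records (Get-RdpLogonRecord) -AllowedRanges $AllowedRanges
```

Run against the sample, only the 198.51.100.7 and "-" records come back. The same function works over records exported from a SIEM, as long as each carries a SourceIp field; the CIDR test is what makes it cheap to maintain when the VPN pool changes, since only `$AllowedRanges` moves.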
Greek-Greg
(Greek-Greg)
16
VPN is the only sane way to do this, unless you enjoy sleepless nights of worry. 
2 Spice ups
I do so love the paranoid kick out there for 2FA/MFA for Remote Access…oh, such value knowing that most attacks, hacks and malicious activities are done by FTEs with credentials…frequently, lipstick on a pig.
@chris-is-decisions
The previous person in my position had RDP open through the firewall to our terminal server on the default port. That’s been closed, now my users are required to connect to the VPN first before they are able to remote into the terminal server.
1 Spice up
dimforest
(ᴅɪᴍꜰᴏʀᴇsᴛ)
19
This is exactly how we do it as well.
2 Spice ups
ctmorsejr
(CTMorseJr)
20
That’s how we do it as well.
2 Spice ups