Geekzone: technology news, blogs, forums
1828 posts

Uber Geek
+1 received by user: 215
Inactive user


  Reply # 1054696 28-May-2014 02:41

Can I ask why you need RDP on a 5 PC network?

4332 posts

Uber Geek
+1 received by user: 805

Trusted

  Reply # 1054708 28-May-2014 07:03

Athlonite: Can I ask why you need RDP on a 5 PC network?


As mentioned in his replies, he needs to access work computers from home...

1164 posts

Uber Geek
+1 received by user: 237


  Reply # 1056410 30-May-2014 10:46

sbiddle: RDP access should only ever be allowed via specific IP range(s) or via VPN. Exposing it to the internet with no restrictions as you have done is just something you should never do.

 


Yes, but in the real world, you do what the client asks.
When the client company's owners/manager expects almost 100% reliable remote access, from any out of office site (i.e. when overseas), you make compromises & can't experiment with settings/routers to try & get things right.

Hardware firewalls & SSL and IPSec VPN clients aren't always reliable if the 'home' internet connection isn't very good.

4936 posts

Uber Geek
+1 received by user: 1314

Trusted
Microsoft

  Reply # 1056482 30-May-2014 12:54
2 people support this post

1101:
sbiddle: RDP access should only ever be allowed via specific IP range(s) or via VPN. Exposing it to the internet with no restrictions as you have done is just something you should never do.

 


Yes, but in the real world, you do what the client asks.
When the client company's owners/manager expects almost 100% reliable remote access, from any out of office site (i.e. when overseas), you make compromises & can't experiment with settings/routers to try & get things right.

Hardware firewalls & SSL and IPSec VPN clients aren't always reliable if the 'home' internet connection isn't very good.


Surely a business owner doesn't want to have their PCs/network p0wned?

If they don't want it set up securely it shouldn't be set up at all IMHO

Fully Operational
3343 posts

Uber Geek
+1 received by user: 1088

Trusted
Vocus
Subscriber

  Reply # 1056500 30-May-2014 13:15
One person supports this post

1101:
sbiddle: RDP access should only ever be allowed via specific IP range(s) or via VPN. Exposing it to the internet with no restrictions as you have done is just something you should never do.

 


Yes, but in the real world, you do what the client asks.
When the client company's owners/manager expects almost 100% reliable remote access, from any out of office site (i.e. when overseas), you make compromises & can't experiment with settings/routers to try & get things right.

Hardware firewalls & SSL and IPSec VPN clients aren't always reliable if the 'home' internet connection isn't very good.


There's an element of education in providing IT services.  You must explain to your client why it is a bad idea, and what the consequences would be, and that it would be unprofessional for you to do what they're asking if it is inherently insecure.

3366 posts

Uber Geek
+1 received by user: 383

Trusted

  Reply # 1056643 30-May-2014 16:43

sbiddle: RDP access should only ever be allowed via specific IP range(s) or via VPN. Exposing it to the internet with no restrictions as you have done is just something you should never do.

 


What about a terminal server?





4936 posts

Uber Geek
+1 received by user: 1314

Trusted
Microsoft

  Reply # 1056657 30-May-2014 17:22

Zeon:
sbiddle: RDP access should only ever be allowed via specific IP range(s) or via VPN. Exposing it to the internet with no restrictions as you have done is just something you should never do.

 


What about a terminal server?


Same story.

But hopefully someone with a server has more resources, experience and capabilities to secure it.

Also with RDS you can lock down with SSL and Remote Desktop Gateway, so no need for a VPN.

1164 posts

Uber Geek
+1 received by user: 237


  Reply # 1058421 3-Jun-2014 11:18

ubergeeknz:
There's an element of education in providing IT services.  You must explain to your client why it is a bad idea, and what the consequences would be, and that it would be unprofessional for you to do what they're asking if it is inherently insecure.


There's a definite risk in EVERYTHING
The security risk of RDP, via non-standard ports, is minor......
minor compared to..

the real risk when clients write down the password & stick it onto their laptop
the REAL insecurity of iPhone & Android
the VERY real risk of viruses & trojans infecting PCs, effectively opening up a backdoor for hackers
the real risk of users opening scam emails, clicking on links, going to websites that have nothing to do with company business
the very big huge real risk of workers letting their kids/spouse use their laptops after work.

You do what the customer wants. If they NEED reliable remote access, you do what is required. Of course you tell them there is some risk.
Try telling a client they can no longer use their Android for company email as it is very insecure. :)

Let's be honest here, how common in NZ is an RDP hack, when there is a good password & non-std port?
Compare to how very common virus/trojan/malware infections are on company PCs & laptops.

4936 posts

Uber Geek
+1 received by user: 1314

Trusted
Microsoft

  Reply # 1058457 3-Jun-2014 12:12

1101:
ubergeeknz:
There's an element of education in providing IT services.  You must explain to your client why it is a bad idea, and what the consequences would be, and that it would be unprofessional for you to do what they're asking if it is inherently insecure.


There's a definite risk in EVERYTHING
The security risk of RDP, via non-standard ports, is minor......
minor compared to..

the real risk when clients write down the password & stick it onto their laptop
the REAL insecurity of iPhone & Android
the VERY real risk of viruses & trojans infecting PCs, effectively opening up a backdoor for hackers
the real risk of users opening scam emails, clicking on links, going to websites that have nothing to do with company business
the very big huge real risk of workers letting their kids/spouse use their laptops after work.

You do what the customer wants. If they NEED reliable remote access, you do what is required. Of course you tell them there is some risk.
Try telling a client they can no longer use their Android for company email as it is very insecure. :)

Let's be honest here, how common in NZ is an RDP hack, when there is a good password & non-std port?
Compare to how very common virus/trojan/malware infections are on company PCs & laptops.


RDP hack is very common.

Changing the port to non-standard really is just obfuscating; the bots out there running these attacks do a port scan as part of the automated tools looking for fresh meat.

3235 posts

Uber Geek
+1 received by user: 918


  Reply # 1058468 3-Jun-2014 12:36

Lipo: I run a work network comprising a Netgear ADSL modem/router and 5 computers peer to peer networked together. I run a static IP. I noticed about a week ago that I was getting a huge amount of upload data traffic from my computer.

It could be between 3-4 gig a day. Obviously it was not anything I was doing. In the resource monitor svchost.exe was sending 12,000 b/sec to a site overseas. I am using MS Security Essentials. I ran a few online virus scanners and malware detectors with no positive results. I have reinstalled my operating system and factory reset my router. I also remote desktop from home to my work computer. I forward ports 3389 (standard RDP port) on my router to my computer's internal IP address. I forward 3390 to my colleague's computer.

This morning I have traffic being uploaded to a site ds9777.dedicated.turbodns.co.uk. Looking at Resource Monitor, svchost was using PID 1320. 1320 in services was being used by Termservice, Nlasvc, plus some others including remote desktop. I guessed that RDP was being used. I changed the port forwarding settings on the router to my computer to 3391. Traffic has now stopped.

So the question I have and perhaps a problem 1. What was happening? 2. If I change forwarding ports other than 3389 (say 3391), once 3389 has been used, RDP does not seem to work. I did also change the registry setting to 3391 from the standard 3389. Solution 3. Any other issues that I need to look at?   Thanks


I stopped using RDP over the internet some time ago - it was hacked by someone with a Chinese IP address.

You should use TeamViewer for remote desktop over the internet.



849 posts

Ultimate Geek
+1 received by user: 155

Subscriber

  Reply # 1058476 3-Jun-2014 12:49
One person supports this post

If you must do RDP over internet

  • restrict in firewall to specific subnets or IP addresses if possible
    • you could ask for a static IP address at home which you could limit access to
  • only allow access for a specific named user account, (see 'Limit users who can log in using Remote Desktop')
  • REQUIRE Network Level Authentication
  • install RdpGuard or similar, which (when configured correctly) bans IP addresses from accessing RDP after X failed login attempts
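
The "ban after X failed login attempts" item in the list above comes down to counting failed logons per source address inside a time window, while never banning the allowlisted home address. A sketch of that logic follows as an added example; it is not RdpGuard's code or anything posted in the thread, and the log format, the addresses and the function name `ips_to_ban` are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records (not from the thread): time, outcome, account, source IP.
SAMPLE_LOG = """\
2014-06-03T01:00:00 FAIL administrator 192.0.2.50
2014-06-03T01:00:20 FAIL admin 192.0.2.50
2014-06-03T01:00:40 FAIL user 192.0.2.50
2014-06-03T01:05:00 FAIL remoteuser 203.0.113.10
2014-06-03T01:05:30 FAIL remoteuser 203.0.113.10
2014-06-03T01:06:00 FAIL remoteuser 203.0.113.10
2014-06-03T02:00:00 FAIL admin 198.51.100.7
2014-06-03T03:00:00 FAIL admin 198.51.100.7
2014-06-03T04:00:00 FAIL admin 198.51.100.7
2014-06-03T04:00:05 OK remoteuser 203.0.113.10
"""

def ips_to_ban(log_text, max_failures=3, window=timedelta(minutes=10), trusted=()):
    """Return source IPs that reach max_failures failed logons within one window."""
    trusted_nets = [ip_network(net) for net in trusted]
    recent = defaultdict(deque)  # source IP -> timestamps of failures still in window
    banned = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed records
        stamp, outcome, _account, source = parts
        try:
            when, addr = datetime.fromisoformat(stamp), ip_address(source)
        except ValueError:
            continue  # unparseable timestamp or address
        if outcome != "FAIL" or source in banned:
            continue
        if any(addr in net for net in trusted_nets):
            continue  # allowlisted (e.g. the static home IP): never banned
        times = recent[source]
        times.append(when)
        while when - times[0] > window:
            times.popleft()  # forget failures older than the window
        if len(times) >= max_failures:
            banned.append(source)
    return banned

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))
    print(ips_to_ban(SAMPLE_LOG, trusted=("203.0.113.10/32",)))
```

Slow guessing spread over hours (the 198.51.100.7 records) stays under a per-window threshold, which is why the firewall restriction and Network Level Authentication items in the list still matter.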
