Geekzone: technology news, blogs, forums
1828 posts

Uber Geek
+1 received by user: 215
Inactive user


  Reply # 1054696 28-May-2014 02:41

Can I ask why you need RDP on a 5 PC network 

4388 posts

Uber Geek
+1 received by user: 821

Trusted
Lifetime subscriber

  Reply # 1054708 28-May-2014 07:03

Athlonite: Can I ask why you need RDP on a 5 PC network 


As mentioned in his replies, he needs to access work computers from home...





 
 
 
 


1437 posts

Uber Geek
+1 received by user: 316


  Reply # 1056410 30-May-2014 10:46

sbiddle: RDP access should only ever be allowed via specific IP range(s) or via VPN. Exposing it to the internet with no restrictions as you have done is just something you should never do.

 


Yes, but in the real world, you do what the client asks.
When the client company's owners/manager expects almost 100% reliable remote access, from any out-of-office site (i.e. when overseas), you make compromises & can't experiment with settings/routers to try & get things right.

Hardware firewalls & SSL and IPSec VPN clients aren't always reliable if the 'home' internet connection isn't very good.

4955 posts

Uber Geek
+1 received by user: 1318

Trusted
Microsoft

  Reply # 1056482 30-May-2014 12:54
2 people support this post

1101:
sbiddle: RDP access should only ever be allowed via specific IP range(s) or via VPN. Exposing it to the internet with no restrictions as you have done is just something you should never do.

 


Yes, but in the real world, you do what the client asks.
When the client company's owners/manager expects almost 100% reliable remote access, from any out-of-office site (i.e. when overseas), you make compromises & can't experiment with settings/routers to try & get things right.

Hardware firewalls & SSL and IPSec VPN clients aren't always reliable if the 'home' internet connection isn't very good.


surely a business owner doesn't want to have their PCs/network p0wned?

if they don't want it setup securely it shouldn't be setup at all IMHO

3343 posts

Uber Geek
+1 received by user: 1088

Trusted
Vocus

  Reply # 1056500 30-May-2014 13:15
One person supports this post

1101:
sbiddle: RDP access should only ever be allowed via specific IP range(s) or via VPN. Exposing it to the internet with no restrictions as you have done is just something you should never do.

 


Yes, but in the real world, you do what the client asks.
When the client company's owners/manager expects almost 100% reliable remote access, from any out-of-office site (i.e. when overseas), you make compromises & can't experiment with settings/routers to try & get things right.

Hardware firewalls & SSL and IPSec VPN clients aren't always reliable if the 'home' internet connection isn't very good.


There's an element of education in providing IT services.  You must explain to your client why it is a bad idea, and what the consequences would be, and that it would be unprofessional for you to do what they're asking if it is inherently insecure.

3393 posts

Uber Geek
+1 received by user: 396

Trusted

  Reply # 1056643 30-May-2014 16:43

sbiddle: RDP access should only ever be allowed via specific IP range(s) or via VPN. Exposing it to the internet with no restrictions as you have done is just something you should never do.

 


What about a terminal server?





4955 posts

Uber Geek
+1 received by user: 1318

Trusted
Microsoft

  Reply # 1056657 30-May-2014 17:22

Zeon:
sbiddle: RDP access should only ever be allowed via specific IP range(s) or via VPN. Exposing it to the internet with no restrictions as you have done is just something you should never do.

 


What about a terminal server?


Same story

But hopefully someone with a server has more resources, experience and capabilities to secure

Also with RDS you can lockdown with SSL and Remote Desktop Gateway so no need for a VPN

1437 posts

Uber Geek
+1 received by user: 316


  Reply # 1058421 3-Jun-2014 11:18

ubergeeknz:
There's an element of education in providing IT services.  You must explain to your client why it is a bad idea, and what the consequences would be, and that it would be unprofessional for you to do what they're asking if it is inherently insecure.


There's a definite risk in EVERYTHING
The security risk of RDP, via non-standard ports, is minor......
minor compared to..

the real risk when clients write down the password & stick it onto their laptop
the REAL insecurity of iPhone & Android
the VERY real risk of viruses & trojans infecting PCs, effectively opening up a backdoor for hackers
the real risk of users opening scam emails, clicking on links, going to websites that have nothing to do with company business
the very big huge real risk of workers letting their kids/spouse use their laptops after work.

You do what the customer wants. If they NEED reliable remote access, you do what is required. Of course you tell them there is some risk.
Try telling a client they can no longer use their Android for company email as it is very insecure. :)

Let's be honest here, how common in NZ is an RDP hack, when there is a good password & non-std port?
Compare to how very common virus/trojan/malware infections are on company PCs & laptops.

4955 posts

Uber Geek
+1 received by user: 1318

Trusted
Microsoft

  Reply # 1058457 3-Jun-2014 12:12

1101:
ubergeeknz:
There's an element of education in providing IT services.  You must explain to your client why it is a bad idea, and what the consequences would be, and that it would be unprofessional for you to do what they're asking if it is inherently insecure.


There's a definite risk in EVERYTHING
The security risk of RDP, via non-standard ports, is minor......
minor compared to..

the real risk when clients write down the password & stick it onto their laptop
the REAL insecurity of iPhone & Android
the VERY real risk of viruses & trojans infecting PCs, effectively opening up a backdoor for hackers
the real risk of users opening scam emails, clicking on links, going to websites that have nothing to do with company business
the very big huge real risk of workers letting their kids/spouse use their laptops after work.

You do what the customer wants. If they NEED reliable remote access, you do what is required. Of course you tell them there is some risk.
Try telling a client they can no longer use their Android for company email as it is very insecure. :)

Let's be honest here, how common in NZ is an RDP hack, when there is a good password & non-std port?
Compare to how very common virus/trojan/malware infections are on company PCs & laptops.


RDP hack is very common

Changing the port to non standard really is just obfuscating, the bots out there running these attacks do a port scan as part of the automated tools looking for fresh meat

3533 posts

Uber Geek
+1 received by user: 1113


  Reply # 1058468 3-Jun-2014 12:36

Lipo: I run a work network comprising a Netgear ADSL modem/router and 5 computers peer-to-peer networked together. I run a static IP. I noticed about a week ago that I was getting a huge amount of upload data traffic from my computer.

It could be between 3-4 gig a day. Obviously it was not anything I was doing. In the resource monitor, svchost.exe was sending 12,000 b/sec to a site overseas. I am using MS Security Essentials. I ran a few online virus scanners and malware detectors with no positive results. I have reinstalled my operating system and factory reset my router. I also remote desktop from home to my work computer. I forward port 3389 (standard RDP port) on my router to my computer's internal IP address. I forward 3390 to my colleague's computer.

This morning I have traffic being uploaded to a site ds9777.dedicated.turbodns.co.uk. Looking at Resource Monitor, svchost was using PID 1320. 1320 in services was being used by Termservice, Nlasvc, plus some others including remote desktop. I guessed that RDP was being used. I changed the port forwarding settings on the router to my computer to 3391. Traffic has now stopped.

So the question I have, and perhaps a problem:
1. What was happening?
2. If I change forwarding ports other than 3389 (say 3391), once 3389 has been used, RDP does not seem to work. I did also change the registry setting to 3391 from the standard 3389. Solution
3. Any other issues that I need to look at?

Thanks


I stopped using RDP over the internet some time ago - it was hacked by someone with a Chinese IP address.

You should use TeamViewer for remote desktop over the internet.



What does this tag do
942 posts

Ultimate Geek
+1 received by user: 192

Subscriber

  Reply # 1058476 3-Jun-2014 12:49
One person supports this post

If you must do RDP over internet

 

  • restrict in firewall to specific subnets or IP addresses if possible
    • you could ask for a static IP address at home which you could limit access to
  • only allow access for a specific named user account, (see 'Limit users who can log in using Remote Desktop')
  • REQUIRE Network Level Authentication
  • install RdpGuard or similar, which (when configured correctly) bans IP addresses from accessing RDP after X failed login attempts
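
The checklist in the post above, as an added PowerShell example (not code from the thread or from any poster): it scopes the built-in Remote Desktop firewall rules to one address, requires Network Level Authentication, limits the Remote Desktop Users group to one account, and reports sources with repeated failed logons. The address, account name and threshold are assumed placeholders, and the script assumes an English-language Windows 10 / Server 2016 or later host and an elevated prompt.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumed placeholders: replace with your own values before running.
$AllowedRemote = @('203.0.113.10')   # constructed example: static home IP (documentation range)
$AllowedUser   = 'OFFICE-PC\alice'   # hypothetical named account permitted to use RDP
$Threshold     = 10                  # failed logons per source before it is reported
$Group         = 'Remote Desktop Users'

# 1. Scope the built-in Remote Desktop firewall rules to the allowed addresses only.
#    A port forward on the router preserves the source address, so this still applies.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $AllowedRemote -Enabled True

# 2. Require Network Level Authentication on the RDP listener (1 = required).
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1

# 3. Leave only the named account in the local Remote Desktop Users group.
#    Members of Administrators can still log on over RDP by default; review that group too.
Get-LocalGroupMember -Group $Group |
    Where-Object { $_.Name -ne $AllowedUser } |
    ForEach-Object { Remove-LocalGroupMember -Group $Group -Member $_.Name }
if (-not (Get-LocalGroupMember -Group $Group | Where-Object { $_.Name -eq $AllowedUser })) {
    Add-LocalGroupMember -Group $Group -Member $AllowedUser
}

# 4. Report (not ban) sources with repeated failed logons, Security event 4625,
#    over the last 24 hours. Events without a usable source address are skipped.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    } |
    Where-Object { $_ -and $_ -ne '-' } |
    Group-Object |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A Group Policy setting for NLA or for the firewall overrides the local values set here, so check the effective policy on domain-joined machines.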
