Geekzone: technology news, blogs, forums
Paul1977
5043 posts
Uber Geek
#2714654 28-May-2021 15:53

Thanks guys, that makes a little more sense. I think Apache Guacamole will be the way to go for this one scenario (and probably lock that down to trusted IPs), and I'll stick with VPNs for everything else.

But I'm finding the discussion interesting, and just looking at it from a purely academic standpoint:

  • I knew that a non-standard port did little to prevent people finding an open RDP port.
  • I knew lockout policies were only a defense against brute force.
  • I knew that neither of the above, nor NLA, was a protection against possible newly discovered (or unpatched) exploits in RDP itself.

But my thinking was these weren't overly important if it was locked down to only a few trusted IPs. I surmised that the port couldn't be easily found if not scanning from a trusted IP, and that any potential exploit could only be taken advantage of by an attacker coming from a trusted IP.

SpartanVXL:
The whitelist of IPs just changes the level of security. It can significantly lower the chance of an issue happening as you drop a wide scope of entry, but there is still an avenue of attack, which is the 'trusted' IPs.
If you consider how easy it is to avoid geoblock, it's the same manner if somebody figures out you have a whitelist.

Isn't circumventing a geoblock a lot easier than appearing to come from one of only a few specific IPs? Wouldn't an attacker first need to determine the trusted IP(s), and then successfully spoof said IP in such a way as to take advantage of an unpatched exploit (if one exists)? In short, wouldn't it need to be a highly motivated and targeted attack?

Paul1977
5043 posts
Uber Geek
#2714656 28-May-2021 16:04

Waspnz:

So was re-reading your original post and focussed more on this bit "except for known trusted public IPs". Assuming you mean to configure your router's firewall to only allow connections from your known public IP (whitelist):

Specifically I would still not use RDP in this case because there is malware (older, now supposedly patched, vulnerabilities, but likely there will be more in the future too) that can spread via RDP to your network should that trusted IP become infected. A malicious actor could get inside the trusted IP's network, observe the RDP connections and decide to attack you too.

Regarding the VPN server, if you host your own I would still restrict access to just the trusted IP and use multi-factor authentication.

@Waspnz Correct, my thinking was to have the firewall drop all other traffic attempting a connection.

I hadn't considered malware spread via RDP. But wouldn't that be an issue even if the RDP was over a VPN?

As I said in my last post, it's academic now as I'll almost certainly just go down the Apache Guacamole route. But I still think this is all useful info, as there's a lot of "don't use RDP port-forwards" articles and posts on various forums - but they are almost exclusively talking about a wide open port-forward. And the ones that do touch on having it locked down to certain IPs tend to just say "VPN is better" with no further explanation. Where possible I prefer to know exactly why I should use one method over another.

PANiCnz
990 posts
Ultimate Geek
#2714713 28-May-2021 16:31

If you're going the Guacamole route make sure to grab the MFA plugin, takes another 30 seconds to add and configure and well worth the extra protection.

Paul1977
5043 posts
Uber Geek
#2714715 28-May-2021 16:34

PANiCnz:

If you're going the Guacamole route make sure to grab the MFA plugin, takes another 30 seconds to add and configure and well worth the extra protection.

Will do, thanks.

MadEngineer
4278 posts
Uber Geek
Trusted
#2714794 28-May-2021 18:10

Why? Because you’re relying on a single insecure feature of IP filtering. IP filtering isn’t user based and isn’t going to be maintained. A VPN sign in can be AD controlled for example.

https://en.m.wikipedia.org/wiki/Swiss_cheese_model

Take a read of any fatal car crash report.

You're not on Atlantis anymore, Duncan Idaho.

jjnz1
1363 posts
Uber Geek
Lifetime subscriber
#2714861 28-May-2021 19:32

If you’re going down the route of using Guac and 2FA, just geo-restrict it to NZ only and you’ll be fine.

The benefits are you can use it from anywhere in NZ including mobile, tablet, work, public wifi etc.

No need to restrict to an IP unless you are hiding Top Secret stuff :)

Paul1977
5043 posts
Uber Geek
#2714866 28-May-2021 19:39

MadEngineer: Why? Because you’re relying on a single insecure feature of IP filtering. IP filtering isn’t user based and isn’t going to be maintained. A VPN sign in can be AD controlled for example.

https://en.m.wikipedia.org/wiki/Swiss_cheese_model

Take a read of any fatal car crash report.

But why is IP filtering on a perimeter firewall insecure? Genuine question, what method(s) could an attacker employ to get past it?

MadEngineer
4278 posts
Uber Geek
Trusted
#2714880 28-May-2021 20:24

What I've explained is it's not so much that a hacker may employ a method to get around it but more how it's not a reliable form of protection.

Driving perfectly safely may forever save you from crashing, even with bald tyres, until a single moment of inattention.

You're not on Atlantis anymore, Duncan Idaho.

Waspnz
3 posts
Wannabe Geek
#2714910 28-May-2021 22:39

Paul1977:

Waspnz:

So was re-reading your original post and focussed more on this bit "except for known trusted public IPs". Assuming you mean to configure your router's firewall to only allow connections from your known public IP (whitelist):

Specifically I would still not use RDP in this case because there is malware (older, now supposedly patched, vulnerabilities, but likely there will be more in the future too) that can spread via RDP to your network should that trusted IP become infected. A malicious actor could get inside the trusted IP's network, observe the RDP connections and decide to attack you too.

Regarding the VPN server, if you host your own I would still restrict access to just the trusted IP and use multi-factor authentication.

@Waspnz Correct, my thinking was to have the firewall drop all other traffic attempting a connection.

I hadn't considered malware spread via RDP. But wouldn't that be an issue even if the RDP was over a VPN?

As I said in my last post, it's academic now as I'll almost certainly just go down the Apache Guacamole route. But I still think this is all useful info, as there's a lot of "don't use RDP port-forwards" articles and posts on various forums - but they are almost exclusively talking about a wide open port-forward. And the ones that do touch on having it locked down to certain IPs tend to just say "VPN is better" with no further explanation. Where possible I prefer to know exactly why I should use one method over another.

Definitely academic now. Something I'd like to see more specific answers for too.

My opinion on why one is better than the other?

  • History - simply there have been attacks via RDP so it gets a lot of focus, VPN less so.
  • Malware exists that can exploit RDP automatically - less so malware that can exploit both VPNs AND RDP automatically together (I've never even heard of one? but an attacker could do one then the other).
  • Trusted public IP allows the entire network and devices behind that IP (you might have 500 devices behind that IP! - what is an acceptable level of risk really depends on your specific scenario).
  • VPN restricts access to a single source device/user.

Yes you are correct that it can still spread via RDP over the VPN. Could also argue that you could be abducted and forced to give access. However consider how much less likely this is to occur - now two things (RDP and VPN) both have to be compromised before it's an issue. Regardless of the protocols we are trying to reduce the risk to an acceptable level (probability X impact). @MadEngineer is on to it - adding multiple layers is what we do because we expect nothing is ever 100%.

I don't know about what is behind your trusted IP but let's make some assumptions and consider the different probabilities of these scenarios:

  1. RDP limited to the trusted IP - yep that's probably 99% of the 'real world' probability taken care of and pretty good. 1 in 100 chance of winning lotto=great! 1 in 100 chance of being struck by lightning=bad!
  2. VPN and RDP only with trusted IP - now we've limited it to just a single PC.
  3. Computer not always turned on/VPN not always connected? - now we've reduced the time of day an incident can occur to e.g. 8 of 24 hours (although mileage here is not great if the malware runs when you power on the PC and connect).
  4. Per-App VPN - now we've limited it to just a single app on the single PC - probably typical automated malware could not use this because the VPN is not available to the whole OS/system.

Of course there are many more layers you can add - consider even other controls like off-site backups that help you recover if an event occurs.
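The firewall allowlist discussed in this post and in Paul1977's replies (drop everything except a few trusted public IPs), as an added example that is not code from the thread or from any firewall product. It models a router-style first-match inbound rule list in Python with the standard `ipaddress` module, evaluates constructed connection attempts, counts how many source addresses the allow rules actually admit (the "500 devices behind that IP" point above), and flags allow rules broader than a single host, which is the kind of misconfiguration a later reply worries about. All addresses are constructed from the RFC 5737 documentation ranges; the rule names and helper functions are this example's own.

```python
"""Inbound firewall allowlist (IP ACL) for an exposed RDP port.

Added example, not code from the thread or from any firewall product.
It assumes a router-style first-match rule list; every address below is a
constructed value from the RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

RDP_PORT = 3389


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    source: ipaddress.IPv4Network  # matching source addresses
    dst_port: Optional[int]        # None matches any destination port


# Constructed rule set: two "trusted" sources may reach RDP, everything else is dropped.
RULES = [
    Rule("allow", ipaddress.ip_network("203.0.113.7/32"), RDP_PORT),   # one home connection
    Rule("allow", ipaddress.ip_network("198.51.100.0/24"), RDP_PORT),  # an office's whole public range
    Rule("deny", ipaddress.ip_network("0.0.0.0/0"), None),             # explicit default drop
]


def evaluate(rules, src_ip, dst_port):
    """First matching rule wins. Returns ("allow"|"deny", matched rule or None)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in rule.source and rule.dst_port in (None, dst_port):
            return rule.action, rule
    return "deny", None  # implicit deny when nothing matches


def admitted_addresses(rules, dst_port):
    """Number of distinct source addresses the allow rules admit to dst_port.

    A /24 allow rule admits every device behind it, not just the one you meant.
    """
    return sum(r.source.num_addresses for r in rules
               if r.action == "allow" and r.dst_port in (None, dst_port))


def audit(rules):
    """Flag allow rules that are not single-host or that match any port."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.source.num_addresses > 1:
            findings.append(f"{r.source} admits {r.source.num_addresses} addresses to port {r.dst_port}")
        if r.dst_port is None:
            findings.append(f"{r.source} is allowed to every port")
    return findings


if __name__ == "__main__":
    # Constructed connection attempts: (source, destination port)
    for src, port in [("203.0.113.7", RDP_PORT), ("203.0.113.8", RDP_PORT),
                      ("198.51.100.200", RDP_PORT), ("203.0.113.7", 22)]:
        action, rule = evaluate(RULES, src, port)
        print(f"{src}:{port} -> {action} ({rule.source if rule else 'implicit deny'})")
    print("addresses admitted to RDP:", admitted_addresses(RULES, RDP_PORT))
    for finding in audit(RULES):
        print("audit:", finding)
```

Running it shows the two trusted sources allowed on 3389, a neighbouring address and a non-RDP port denied, and 257 addresses admitted in total: the /24 office rule alone admits 256 hosts, which is the exposure Waspnz's third bullet describes. The `audit` function is the check worth running whenever the rule list is edited, since an IP allowlist is only as tight as its widest prefix.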


hio77
12999 posts
Uber Geek
ID Verified
Trusted
Lizard Networks
#2714975 29-May-2021 10:10

RDP CVEs are a fault waiting to happen.

I have lost count of the number of customers who have been hit by this in the last year. Generally always leads to a ransomware situation...

Nonstandard ports are just dumb. Sure it will slow down an attack port scanning for common ports. But when we have so many services like Shodan out there, it's a simple lookup to find all the RDP servers regardless of port.
Please just don't do it. You make everyone's life an extra step difficult for a perceived security gain that doesn't exist.

Configuring IP ACLs on a firewall in front of that machine is a pretty decent way of controlling this.

Always ensure you have lockout configured, as that just makes most attempts skip your IP altogether. Easier targets out there...

Keep on top of your updates. If a big CVE drops, plan urgent patching.

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

Paul1977
5043 posts
Uber Geek
#2714987 29-May-2021 10:31

Thanks for the thorough feedback @Waspnz.

Surmising from everything I’ve read so far (and my own thinking), restricting to certain IPs does increase security by several orders of magnitude (e.g. takes possible attackers from millions/billions of devices down to potentially as low as just a few). But adding more layers of security, like VPN or Remote Desktop Gateways, is always going to improve this even more - so why wouldn’t you?

Some feel that restricting by IP on the firewall opens you up to more potential for human error to allow more access than intended - either through misconfiguration or lack of maintenance. That’s true enough.

I personally suspect you don’t see it discussed as even a possible solution very often because (security implications aside) in most use cases, locking down to IPs isn’t usable for a mobile workforce. VPNs (in addition to having a high level of security) work extremely well for both mobile and home-based workers.

Is the above pretty much correct?

Paul1977
5043 posts
Uber Geek
#2714988 29-May-2021 10:41

hio77: RDP CVEs are a fault waiting to happen.

I have lost count of the number of customers who have been hit by this in the last year. Generally always leads to a ransomware situation...

Nonstandard ports are just dumb. Sure it will slow down an attack port scanning for common ports. But when we have so many services like Shodan out there, it's a simple lookup to find all the RDP servers regardless of port.
Please just don't do it. You make everyone's life an extra step difficult for a perceived security gain that doesn't exist.

Configuring IP ACLs on a firewall in front of that machine is a pretty decent way of controlling this.

Always ensure you have lockout configured, as that just makes most attempts skip your IP altogether. Easier targets out there...

Keep on top of your updates. If a big CVE drops, plan urgent patching.

@hio77 In retrospect I probably shouldn’t have included that part in my initial post as a lot of attention has been focussed on it in some replies. It would have never been intended to be used as any real line of defence, as I’m more than aware that on its own it achieves very little.

sparkz25
750 posts
Ultimate Geek
Inactive user
#2714993 29-May-2021 10:51

Paul1977:

I personally suspect you don’t see it discussed as even a possible solution very often because (security implications aside) in most use cases, locking down to IPs isn’t usable for a mobile workforce. VPNs (in addition to having a high level of security) work extremely well for both mobile and home-based workers.

Have a look at ZeroTier, we have been using it for some time now, and it's great! Can host on some firewalls and also on devices such as mobiles and PCs.

MadEngineer
4278 posts
Uber Geek
Trusted
#2715052 29-May-2021 11:07

Worth noting that VPNs are under constant attack also. You need monitored logging and fail2bans on your firewall even for VPNs now.

People are working from home so businesses have had to add VPN services that they’ve not had before.

You're not on Atlantis anymore, Duncan Idaho.

1101
3122 posts
Uber Geek
#2715957 31-May-2021 09:27

What's to stop hackers doing brute force attacks on AnyDesk remote (unattended) access?
There were also reports of TeamViewer being compromised a few years back.

Many companies use VPN to protect RDCs.
BUT, the staffer will often be using his home PC for remote access to work, the same PC that junior is using to run cracked games & go to porn sites.
VPN gives the staffer's INFECTED home PC direct access to the company network.

Some AV products now offer protection against brute force password attacks on RDC.
They will lock out the IP trying the attack.
BUT, one highly recommended AV (that IT techs love) stupidly will allow that attacker's IP back in for another attempt within about an hour (who designed that?).

Products like RDPGuard also will blacklist IPs trying password guessing attacks.
Not perfect, but better than nothing.
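The source-IP lockout that hio77 recommends, that MadEngineer's "fail2ban on your firewall" remark describes for VPNs, and that this post describes for AV products and RDPGuard, as an added example that is not code from the thread, from fail2ban, RDPGuard, or any AV product. It reads constructed log lines loosely modelled on the fields of a Windows failed-logon event (4625), bans a source after N failures inside a sliding window, and keeps the ban for a configurable period. Running it with a 24-hour ban and then a 1-hour ban shows the difference this post complains about: with the short ban, the same source is accepted again for another attempt later the same night. Addresses, times and the log format are all constructed; the policy parameters and function names are this example's own.

```python
"""Source-IP lockout for repeated failed logons (fail2ban / RDPGuard style).

Added example, not code from the thread, fail2ban, RDPGuard or any AV product.
The log lines below are constructed, loosely modelled on the fields of a
Windows Security failed-logon event (4625); addresses and times are made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real output). The 4624 line is a success and must be ignored.
SAMPLE_LOG = """\
2021-05-28 22:00:01 EventID=4625 IpAddress=203.0.113.50 TargetUserName=administrator
2021-05-28 22:00:03 EventID=4625 IpAddress=203.0.113.50 TargetUserName=admin
2021-05-28 22:00:05 EventID=4625 IpAddress=203.0.113.50 TargetUserName=paul
2021-05-28 22:00:07 EventID=4625 IpAddress=203.0.113.50 TargetUserName=guest
2021-05-28 22:00:09 EventID=4625 IpAddress=203.0.113.50 TargetUserName=user
2021-05-28 22:01:00 EventID=4624 IpAddress=198.51.100.9 TargetUserName=paul
2021-05-28 22:05:00 EventID=4625 IpAddress=198.51.100.9 TargetUserName=paul
2021-05-28 22:45:00 EventID=4625 IpAddress=203.0.113.50 TargetUserName=administrator
2021-05-29 00:30:00 EventID=4625 IpAddress=203.0.113.50 TargetUserName=administrator
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) EventID=4625 "
    r"IpAddress=(?P<ip>\S+) TargetUserName=(?P<user>\S+)$"
)


def parse_failure(line):
    """Return (timestamp, source ip, account) for a failed-logon line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]


class LockoutPolicy:
    """Ban a source after max_failures within window_minutes; the ban lasts ban_hours."""

    def __init__(self, max_failures=5, window_minutes=10, ban_hours=24):
        self.max_failures = max_failures
        self.window = timedelta(minutes=window_minutes)
        self.ban_for = timedelta(hours=ban_hours)
        self._recent = defaultdict(deque)  # ip -> failure timestamps inside the window
        self.banned_until = {}             # ip -> datetime the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ts, ip):
        """Count one failure; return True if it triggered a new ban."""
        q = self._recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # forget failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.banned_until[ip] = ts + self.ban_for
            q.clear()
            return True
        return False


def replay(log_text, policy):
    """Feed log lines through the policy. Returns (bans, dropped) as (time, ip) tuples."""
    bans, dropped = [], []
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        stamp = ts.isoformat(sep=" ")
        if policy.is_banned(ip, ts):
            dropped.append((stamp, ip))    # the firewall drops this; nothing reaches RDP
        elif policy.record_failure(ts, ip):
            bans.append((stamp, ip))
    return bans, dropped


if __name__ == "__main__":
    for hours in (24, 1):  # a 1-hour ban lets the same source try again the same night
        bans, dropped = replay(SAMPLE_LOG, LockoutPolicy(ban_hours=hours))
        print(f"ban {hours}h: bans={bans} dropped={len(dropped)}")
```

With the 24-hour policy the fifth failure at 22:00:09 bans 203.0.113.50 and both later attempts from it are dropped; with a 1-hour ban the 00:30 attempt is accepted again and starts a fresh count. The single failure from 198.51.100.9 never reaches the threshold, which is why a per-source window matters: a legitimate user's typo should not lock anyone out.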