Geekzone: technology news, blogs, forums

Shoes2468
#63221 22-Jun-2010 22:02

Hi there

I have recently set up a Windows Server 2003 machine at home. It's mainly used for file sharing internally etc.; however, I want to be able to connect to it remotely via RDP. To do this I would have to leave port 3389 open and forwarded to the Windows Server 2003 machine. I have a static IP address and was wondering how secure it is to just leave a port like this open all the time?

I have set secure passwords on user accounts but was just wanting some feedback. I'm well aware that there are third-party applications which would allow connecting with this port closed, but I just want to keep it simple if it's safe to do so.

Thanks

Luke 

[Moderator edit (MF): moved to IT Pro forum]

billgates
  #344329 22-Jun-2010 22:12

Very secure. What I did on my router is forward RDP to internal port 3389 from external port 31000. Just an example; my actual external port is something different!

So when I am accessing my server from outside, I have to type blahblah.com:31000

This way those bots which are programmed to try random IPs to connect on RDP would only try accessing it with blahblah.com:3389, which would go nowhere from outside the network for my IP.


chiefie
  #344334 22-Jun-2010 22:19

If you want to do just RDP, I would recommend LogMeIn Free. And you don't need to open up any firewall port at all.


marpada
  #344341 22-Jun-2010 22:25

I suggest you change the port to something other than 3389 (just change the port-forwarding settings in your router). This simple "security by obscurity" measure helps you get rid of most script kiddies out there. Some people also recommend renaming the Administrator account.

AFAIK the abilities to log and block brute-force attempts against RDP are quite limited, so it will be as strong as your password is. If you are really paranoid, you should consider some kind of VPN.
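One way to at least see the brute-force attempts marpada mentions, as an added example that is not part of the thread: group failed RDP logons from the Security log by source address. It assumes Vista/2008-era event IDs (4625 with logon type 10; Server 2003 logs 529 instead), and the sample events are constructed so it runs offline.

```powershell
# Added example, not from the thread: flag source addresses with runs of failed
# RDP logons. On Vista/2008 and later a failed RDP logon is Security event 4625
# with LogonType 10 (RemoteInteractive); Server 2003 logs event 529 instead.
# The events below are constructed samples standing in for Get-WinEvent output.
$SampleFailures = @(
    [pscustomobject]@{ Time = Get-Date '2010-06-23 02:00:01'; User = 'administrator'; Ip = '203.0.113.7';  LogonType = 10 }
    [pscustomobject]@{ Time = Get-Date '2010-06-23 02:00:04'; User = 'admin';         Ip = '203.0.113.7';  LogonType = 10 }
    [pscustomobject]@{ Time = Get-Date '2010-06-23 02:00:09'; User = 'test';          Ip = '203.0.113.7';  LogonType = 10 }
    [pscustomobject]@{ Time = Get-Date '2010-06-23 02:00:15'; User = 'user';          Ip = '203.0.113.7';  LogonType = 10 }
    [pscustomobject]@{ Time = Get-Date '2010-06-23 02:00:22'; User = 'guest';         Ip = '203.0.113.7';  LogonType = 10 }
    [pscustomobject]@{ Time = Get-Date '2010-06-23 08:12:40'; User = 'luke';          Ip = '198.51.100.9'; LogonType = 10 }  # owner mistyping once
    [pscustomobject]@{ Time = Get-Date '2010-06-23 09:00:00'; User = 'luke';          Ip = '-';            LogonType = 2  }  # console logon, not RDP
)

function Get-RdpBruteForceSources {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold     = 5,    # this many failures ...
        [int] $WindowMinutes = 10    # ... within this many minutes
    )
    $Events | Where-Object { $_.LogonType -eq 10 } | Group-Object Ip | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        # Slide a window of $Threshold consecutive failures over each source's
        # timeline; report the source once if any run fits inside $WindowMinutes.
        for ($i = 0; $i -le $sorted.Count - $Threshold; $i++) {
            $span = $sorted[$i + $Threshold - 1].Time - $sorted[$i].Time
            if ($span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    Ip       = $_.Name
                    Failures = $sorted.Count
                    Users    = ($sorted.User | Sort-Object -Unique) -join ','
                }
                break
            }
        }
    }
}

Get-RdpBruteForceSources -Events $SampleFailures | Format-Table -AutoSize
# Live use: build the same objects from the real log instead of $SampleFailures, e.g.
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | ForEach-Object {
#       $d = ([xml]$_.ToXml()).Event.EventData.Data
#       [pscustomobject]@{ Time      = $_.TimeCreated
#                          User      = ($d | Where-Object Name -eq 'TargetUserName').'#text'
#                          Ip        = ($d | Where-Object Name -eq 'IpAddress').'#text'
#                          LogonType = [int]($d | Where-Object Name -eq 'LogonType').'#text' } }
```

With the constructed data only 203.0.113.7 is reported (five failures in 21 seconds across five usernames); the single owner typo and the console logon are ignored.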



davidcole
  #344403 23-Jun-2010 07:48

chiefie: If you want to do just RDP, I would recommend LogMeIn Free. And you don't need to open up any firewall port at all.


RDP has the advantage of much lower bandwidth requirements, and of being able to use the native resolution of the client machine (rather than a VNC-like experience with LogMeIn).

It does have its uses.

Personally I run an SSH tunnel to home, and then RDP that way; a VPN connection would work as well. I'm not sure if the RDP protocol is compressed/encrypted in transmission. So if you can't get hold of a VPN or SSH connection, then LogMeIn is a good bet for security.


Just remember that if you have a 1920x1200 system at home and a 1400x900 laptop when "out", LogMeIn/VNC etc. will have to compress the screen to almost unusable sizes.


Shoes2468
  #344534 23-Jun-2010 13:24

Great, thanks for the replies. I think I will go with changing the external port and run with that. I have also changed the default administrator user name etc., so hopefully all will be well.

Thanks

browned
  #344576 23-Jun-2010 15:51

You might also want to make sure the RDP server has complex passwords switched on and also extend the lockout duration.

gpedit.msc, Computer Config, Windows Settings, Security Settings, Account Policies, Password Policy and Account Lockout Policy.


marpada
  #344603 23-Jun-2010 16:41

browned: You might also want to make sure the RDP server has complex passwords switched on and also extend the lockout duration.

gpedit.msc, Computer Config, Windows Settings, Security Settings, Account Policies, Password Policy and Account Lockout Policy.


That's a good tip in general, but remember that the Administrator account is not locked after several failed attempts; otherwise it would be vulnerable to DDoS attacks.

Regs
  #344679 23-Jun-2010 20:58

marpada:
browned: You might also want to make sure the RDP server has complex passwords switched on and also extend the lockout duration.

gpedit.msc, Computer Config, Windows Settings, Security Settings, Account Policies, Password Policy and Account Lockout Policy.


That's a good tip in general, but remember that the Administrator account is not locked after several failed attempts; otherwise it would be vulnerable to DDoS attacks.


So leave the administrator password blank - you can't log in via RDP with a blank password, or do various other things :)

Other users can be configured so that they do not have access to RDP.

Also, if supported, enable Network Level Authentication as the minimum security requirement. This will typically block Windows XP and earlier from connecting, and makes the authentication process more secure.




VEB
  #345398 25-Jun-2010 21:59

You can also change the RDP port on your machine:
HKLM\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp – PortNumber.
For WinXP and WinSrv2003 without any SP, the change becomes effective after a reboot.
To connect, use hostname:newport# or ip:newport#.

Then you can also set Encryption level to High in Terminal Server settings -> General tab.

Lastly, you can assign the right to use RDP to an unprivileged user only, and use runas as needed.

Plus, all basic user tweaks (irrelevant to RDP, but generally useful):
- create another account and put it in Administrators group, use it for administrative tasks;
- not only rename, but also disable built-in Administrator account;
- create another account, name it Administrator and leave it out of any group.

Sleep well. :)
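To check the host-side settings the last three posters recommend (lockout policy, NLA, encryption level, listening port, state of the built-in Administrator) in one place, here is an added audit script that is not part of the thread. It assumes an elevated PowerShell on Vista/2008 or later, the standard Terminal Services registry keys (note the space in "Terminal Server"), and English-language output from net accounts.

```powershell
# Added example, not from the thread: report the RDP hardening settings discussed
# above and list what is still weak. Read-only; it changes nothing.
# Assumes an elevated PowerShell on Vista/2008+ and English 'net accounts' output.
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpHardeningReport {
    $rdp  = Get-ItemProperty -Path $RdpTcpKey
    $ts   = Get-ItemProperty -Path $TsKey
    # Local account lockout policy, as set under Account Lockout Policy in gpedit.msc
    $acct      = net accounts
    $threshold = (($acct | Select-String 'Lockout threshold').Line -split ':')[1].Trim()
    $duration  = (($acct | Select-String 'Lockout duration').Line  -split ':')[1].Trim()
    # The built-in Administrator keeps RID 500 even after it is renamed
    $admin = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
             Where-Object { $_.SID -like '*-500' }

    [pscustomobject]@{
        RdpEnabled          = ($ts.fDenyTSConnections -eq 0)
        ListeningPort       = $rdp.PortNumber
        NlaRequired         = ($rdp.UserAuthentication -eq 1)  # Network Level Authentication
        EncryptionLevel     = $rdp.MinEncryptionLevel          # 1 Low, 2 Client compatible, 3 High, 4 FIPS
        LockoutThreshold    = $threshold                       # 'Never' = unlimited guesses
        LockoutDuration     = $duration
        BuiltinAdminName    = $admin.Name
        BuiltinAdminEnabled = (-not $admin.Disabled)
    }
}

function Get-RdpFindings {
    param([Parameter(Mandatory)] $Report)
    if (-not $Report.RdpEnabled) { return @('RDP is disabled; nothing further to check.') }
    $f = @()
    if (-not $Report.NlaRequired)             { $f += 'NLA is off: require Network Level Authentication.' }
    if ($Report.EncryptionLevel -lt 3)        { $f += "Encryption level is $($Report.EncryptionLevel); set it to High." }
    if ($Report.LockoutThreshold -eq 'Never') { $f += 'No account lockout: password guessing is unlimited.' }
    if ($Report.ListeningPort -eq 3389)       { $f += 'Default port 3389: moving it cuts scanner noise but is not a control on its own.' }
    if ($Report.BuiltinAdminEnabled)          { $f += "Built-in Administrator ($($Report.BuiltinAdminName)) is enabled; use a separate admin account and disable it." }
    elseif ($Report.BuiltinAdminName -eq 'Administrator') { $f += 'Built-in Administrator still has its default name.' }
    $f
}

$report = Get-RdpHardeningReport
$report | Format-List
Get-RdpFindings -Report $report
```

Note that the lockout threshold never applies to the built-in Administrator, as marpada points out, which is why the script treats its enabled state as a finding in its own right.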
