Geekzone: technology news, blogs, forums


Shoes2468

720 posts

Ultimate Geek


#63221 22-Jun-2010 22:02

Hi there

I have recently set up a Windows Server 2003 machine at home. It's mainly used for file sharing internally etc.; however, I want to be able to connect to it remotely via RDP. To do this I would have to leave port 3389 open and forwarded to the Windows Server 2003 machine. I have a static IP address and was wondering how secure it is to just leave a port like this open all the time?

I have set secure passwords on the user accounts but was just wanting some feedback. I'm well aware that there are third-party applications which would allow connecting with this port closed, but I just want to keep it simple if it's safe to do so.

Thanks

Luke 

[Moderator edit (MF): moved to IT Pro forum]

billgates
4240 posts

Uber Geek

Trusted

  #344329 22-Jun-2010 22:12

Very secure. What I did on my router is forward the RDP internal port 3389 from external port 31000. Just an example; my actual external port is something different!

So when I am accessing my server from outside, I have to type blahblah.com:31000.

This way those bots that are programmed to try random IPs to connect on RDP would only try accessing it at blahblah.com:3389, which would go nowhere from outside the network for my IP.

chiefie
I iz your trusted friend
5854 posts

Uber Geek

Mod Emeritus
Trusted
Lifetime subscriber

  #344334 22-Jun-2010 22:19

If you want to do just RDP, I would recommend LogMeIn Free. And you don't need to open up any firewall port at all.

marpada
337 posts

Ultimate Geek


  #344341 22-Jun-2010 22:25

I suggest you change the port to something different than 3389 (just change the port-forwarding settings in your router). This simple "security by obscurity" measure helps you get rid of most script kiddies out there. Some people also recommend renaming the Administrator account.

AFAIK the abilities to log and block brute-force attempts against RDP are quite limited, so it will be as strong as your password is. If you are really paranoid you should consider some kind of VPN.
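Logging of failed RDP logons is actually there on Server 2003 (Security log event 529 with Logon Type 10); what is limited is turning that into a block. As an added example, not code from the thread, here is a PowerShell function that tallies failed RDP logons per source address from Security log entries and reports any source over a threshold. The sample events are constructed for illustration and mimic the EventID/Message shape of objects returned by Get-EventLog; the function name, the threshold and the addresses are all my choices. It assumes PowerShell 2.0 or later.

```powershell
# Added example (not from the thread). Event 529 is the Server 2003 "Logon Failure:
# unknown user name or bad password" event; RDP logons carry "Logon Type: 10".
# (Server 2008+ logs 4625 instead, with "Account Name:" fields, so the regexes
# below would need adjusting there.)

# Constructed sample entries shaped like Get-EventLog -LogName Security output.
function New-SampleEvent([int]$Id, [string]$User, [int]$LogonType, [string]$Source) {
    $header = if ($Id -eq 529) { 'Logon Failure:' } else { 'Successful Logon:' }
    $text = "$header`r`n`tUser Name:`t$User`r`n`tLogon Type:`t$LogonType`r`n`tSource Network Address:`t$Source"
    New-Object PSObject -Property @{ EventID = $Id; Message = $text }
}

$SampleEvents = @(
    (New-SampleEvent 529 'admin'         10 '203.0.113.7'),
    (New-SampleEvent 529 'administrator' 10 '203.0.113.7'),
    (New-SampleEvent 529 'luke'          10 '203.0.113.7'),
    (New-SampleEvent 529 'admin'         10 '203.0.113.7'),
    (New-SampleEvent 529 'root'          10 '203.0.113.7'),
    (New-SampleEvent 529 'admin'         10 '203.0.113.7'),
    (New-SampleEvent 529 'luke'          10 '198.51.100.4'),   # one typo from a legitimate user
    (New-SampleEvent 529 'admin'          3 '203.0.113.7'),    # network (SMB) logon, not RDP
    (New-SampleEvent 528 'luke'          10 '198.51.100.4')    # success, not a failure
)

function Get-RdpLogonFailures {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Events,
        [int] $Threshold = 5,
        [int[]] $FailureEventIds = @(529)
    )
    $failures = @()
    foreach ($e in $Events) {
        if ($FailureEventIds -notcontains [int]$e.EventID) { continue }
        $msg = [string]$e.Message
        # Keep RemoteInteractive (RDP) logons only; type 3 is network, type 2 console.
        if ($msg -notmatch 'Logon Type:\s*10\b') { continue }
        $ip = 'unknown'   # 529 shows "-" when no address was recorded
        if ($msg -match 'Source Network Address:\s*([0-9A-Fa-f:.]+)') { $ip = $Matches[1] }
        $user = 'unknown'
        if ($msg -match 'User Name:\s*(\S+)') { $user = $Matches[1] }
        $failures += New-Object PSObject -Property @{ SourceIP = $ip; User = $user }
    }
    $failures | Group-Object -Property SourceIP |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            New-Object PSObject -Property @{
                SourceIP = $_.Name
                Attempts = $_.Count
                Users    = (($_.Group | Select-Object -ExpandProperty User -Unique) -join ', ')
            }
        } | Sort-Object -Property Attempts -Descending
}

# Against the constructed sample: only 203.0.113.7 is reported (6 RDP failures,
# users admin, administrator, luke, root); the SMB failure and the success are ignored.
Get-RdpLogonFailures -Events $SampleEvents -Threshold 5 | Format-Table -AutoSize

# Against the live server (run on the 2003 box itself):
# Get-RdpLogonFailures -Events (Get-EventLog -LogName Security -InstanceId 529 -Newest 5000) -Threshold 10
```

The "block" half is where 2003 falls short: the legacy Windows Firewall has no deny-by-source rule, so the report is acted on at the router, or by restricting the forwarded port's scope to known source addresses (netsh firewall ... scope=CUSTOM), which is an allow-list rather than a reactive block.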

davidcole
4977 posts

Uber Geek

Trusted

  #344403 23-Jun-2010 07:48

chiefie: If you want to do just RDP, I would recommend LogMeIn Free. And you don't need to open up any firewall port at all.


RDP has the advantage of much lower bandwidth requirements, and of being able to use the native resolution of the client machine (rather than a VNC-like experience with LogMeIn).

It does have its uses.

Personally I run an SSH tunnel to home, and then RDP that way; a VPN connection would work as well. I'm not sure if the RDP protocol is compressed/encrypted in transmission. So if you can't get hold of a VPN or SSH connection, then LogMeIn is a good bet for security.


Just remember if you have a 1920x1200 system at home, and a 1400x900 laptop when "out", that LogMeIn/VNC etc. will have to compress the screen to almost unusable sizes.

Shoes2468

720 posts

Ultimate Geek


  #344534 23-Jun-2010 13:24

Great, thanks for the replies. I think I will go with changing the external port and run with that. I have also changed the default administrator username etc., so hopefully all will be well.

Thanks

browned
636 posts

Ultimate Geek


  #344576 23-Jun-2010 15:51

You might also want to make sure the RDP server has complex passwords switched on and also extend the lockout duration.

gpedit.msc, Computer Config, Windows Settings, Security Settings, Account Policies, Password Policy and Account Lockout Policy.


marpada
337 posts

Ultimate Geek


  #344603 23-Jun-2010 16:41

browned: You might also want to make sure the RDP server has complex passwords switched on and also extend the lockout duration.

gpedit.msc, Computer Config, Windows Settings, Security Settings, Account Policies, Password Policy and Account Lockout Policy.


That's a good tip in general, but remember that the Administrator account is not locked after several failed attempts; otherwise it would be vulnerable to DDoS attacks.


Regs
4062 posts

Uber Geek

Trusted
Snowflake

  #344679 23-Jun-2010 20:58

marpada:
browned: You might also want to make sure the RDP server has complex passwords switched on and also extend the lockout duration.

gpedit.msc, Computer Config, Windows Settings, Security Settings, Account Policies, Password Policy and Account Lockout Policy.


That's a good tip in general, but remember that the Administrator account is not locked after several failed attempts; otherwise it would be vulnerable to DDoS attacks.


So leave the administrator password blank: you can't log in via RDP with a blank password, or do various other things :)

Other users can be configured so that they do not have access to RDP.

Also, if supported, enable Network Level Authentication as the minimum security requirement. This will typically block Windows XP and earlier from connecting, and makes the authentication process more secure.

VEB
17 posts

Geek


  #345398 25-Jun-2010 21:59

You can also change RDP port on your machine:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp – PortNumber.
For WinXP and WinSrv2003 without any SP the change becomes effective after reboot.
To connect, use hostname:newport or ip:newport.

Then you can also set the Encryption level to High in Terminal Server settings -> General tab.

Lastly, you can assign the right to use RDP to an unprivileged user only, and use runas as needed.

Plus, all the basic user tweaks (irrelevant to RDP, but generally useful):
- create another account and put it in Administrators group, use it for administrative tasks;
- not only rename, but also disable built-in Administrator account;
- create another account, name it Administrator and leave it out of any group.

Sleep well. :)
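The thread's server-side advice (VEB's registry port change and encryption level, browned's lockout policy, Regs' NLA, marpada's Administrator rename) collected into one script, as an added example that is not from the thread or from Microsoft's documentation. It assumes PowerShell 2.0 or later is installed on the server, that the session runs as a member of Administrators, and that 31000 is the chosen alternate port (the thread's placeholder value); the replacement account name ops-admin is a placeholder too.

```powershell
# Added example (not from the thread). Run elevated on the RDP host. The listener
# changes take effect after the Terminal Services service restarts or the box reboots.
$RdpPort = 31000   # placeholder, same value as billgates' example
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Move the listener off 3389. The router forward must point at this port afterwards.
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $RdpPort -Type DWord

# 2. Encryption level: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS.
Set-ItemProperty -Path $RdpKey -Name MinEncryptionLevel -Value 3 -Type DWord

# 3. Network Level Authentication. UserAuthentication is honoured by Server 2008
#    (NT 6.0) and later only; Server 2003 (NT 5.2) ignores it, so only set it there.
$os = [Environment]::OSVersion.Version
if ($os.Major -ge 6) {
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
} else {
    Write-Warning "NLA not available on $os; relying on port change, lockout policy and strong passwords."
}

# 4. Account lockout for local accounts: 5 bad attempts lock for 30 minutes, counter resets
#    after 30 minutes. The built-in Administrator (RID 500, renamed or not) is exempt from
#    lockout, which is why the thread suggests doing admin work from a separate account.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 5. Rename the built-in Administrator, found by its RID rather than its name so the
#    script still finds it if it was renamed earlier. Create and use a separate admin
#    account first (VEB's "another account in Administrators group").
$builtinAdmin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
if ($builtinAdmin -and $builtinAdmin.Name -eq 'Administrator') {
    $null = $builtinAdmin.Rename('ops-admin')   # placeholder name
}

# 6. Let the new port through Windows Firewall (legacy netsh syntax, XP SP2 / 2003 SP1+).
#    Vista/2008+ use "netsh advfirewall firewall add rule" instead.
netsh firewall add portopening protocol=TCP "port=$RdpPort" name="RDP alternate port" mode=ENABLE

# 7. Read back what will be in force after the restart.
Get-ItemProperty -Path $RdpKey | Select-Object PortNumber, MinEncryptionLevel, UserAuthentication
net accounts
```

Two caveats the thread touches on: the port change only hides the listener from scanners that stop at 3389, it is not authentication, and step 3 is the one control here that actually changes the protocol (credentials are checked before a session is set up), so it is worth the upgrade to a 2008+ host, or the SSH/VPN wrapper davidcole describes, if the box is going to stay exposed.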
