

Is Microsoft Remote Desktop secure enough for the Internet?
August 11, 2005 9:50 AM

Does Microsoft Remote Desktop need stunnel?

I need to set up a remote control scheme for a friend. The computer he wants to control runs XP and so does the laptop from which he wants to control it. Given that, I don't see the point in installing VNC when Microsoft's Remote Desktop will work.

For security, though, I'm wondering if I need to set up stunnel. If I were setting up VNC, I would secure the connection using stunnel, but do I need to do this for Microsoft's Remote Desktop? I could speculate as to whether the Remote Desktop needs more security, but I'd rather not set it up, if it's not needed - reason being that the less I put on my friend's computers, the less I need to maintain for him.

Anyone out there using Remote Desktop over an Internet connection? Should I wrap SSL around it?
posted by clearlynuts to Computers & Internet (7 answers total) 1 user marked this as a favorite
 
RDP is designed to be secure. VNC is not. That's why you must use stunnel or ssh with VNC.

There may be vulnerabilities in RDP or Microsoft's implementation of it, but I don't think any are known (and I have searched on this very question before). There also may be vulnerabilities in SSL or stunnel. You can be really careful by using them both at the same time, but I wouldn't bother.
posted by grouse at 10:11 AM on August 11, 2005


Check Windows Update. There was a vulnerability in RDP that was just patched :P
posted by devilsbrigade at 10:40 AM on August 11, 2005


As with every other Microsoft product, there have been numerous weaknesses found via authentication, timestamping and DoS vulnerabilities.

I would recommend you do many things, including restricting access to port 3389 to IP, changing the default port on which RDP runs from 3389 to something else, as well as tunneling the protocol through a VPN, SSH or stunnel.
posted by Mr. Six at 11:41 AM on August 11, 2005


I second Mr. Six's advice. Beware, though, that if you change the port from 3389 to something else, you will have to have the full Remote Desktop Connection client installed on a computer in order to connect. This is only really an issue if you're using the web-based ActiveX version of Remote Desktop.

I personally do not "wrap" my RDP sessions, because I don't have anything of value, and to my knowledge, there are no "rdp sniffers" anywhere out there.

There's some good information about the security of RDP on Experts Exchange regarding this topic. The second "Accepted Answer" pretty well sums it up, IMHO.
posted by chota at 12:40 PM on August 11, 2005


Force RDP to use 128-bit encryption, and specifically check to see which users are allowed to connect. You can do most of this using the Group Policy Editor, which has no shortcut but can be run via

%SystemRoot%\system32\gpedit.msc /s

at the command prompt or Run menu. (I also saved this as a shortcut for future use.)

The basic instructions I used to do this can be found here on the MobyDisk website.
posted by caution live frogs at 1:57 PM on August 11, 2005
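
The settings raised in Mr. Six's and caution live frogs' answers (listening port, encryption level, who may connect) can be checked from saved command output; this is an added example, not part of the original thread. It assumes the output of `reg query` on the RDP-Tcp key and of `net localgroup "Remote Desktop Users"`; both samples are constructed, and the expected user name `friend` is hypothetical.

```python
import re

# Constructed sample of: reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    PortNumber    REG_DWORD    0xd3d
    MinEncryptionLevel    REG_DWORD    0x2
"""

# Constructed sample of: net localgroup "Remote Desktop Users"
GROUP_SAMPLE = """\
Alias name     Remote Desktop Users
Comment        Members in this group are granted the right to logon remotely

Members

-------------------------------------------------------------------------------
friend
Guest
The command completed successfully.
"""

LEVELS = {1: "Low", 2: "Client Compatible", 3: "High (128-bit)", 4: "FIPS"}  # MinEncryptionLevel

def parse_reg_dwords(text):
    """Return {value_name: int} for every REG_DWORD line in `reg query` output."""
    pattern = re.compile(r"^[ \t]+(\S+)[ \t]+REG_DWORD[ \t]+(0x[0-9a-fA-F]+)[ \t]*$", re.M)
    return {name: int(value, 16) for name, value in pattern.findall(text)}

def parse_group_members(text):
    """Return the member names listed between the dashed rule and the status line."""
    lines = [ln.strip() for ln in text.splitlines()]
    start = next(i for i, ln in enumerate(lines) if ln.startswith("-----")) + 1
    return [ln for ln in lines[start:] if ln and not ln.startswith("The command")]

def audit(reg_text, group_text, expected_users):
    values, findings = parse_reg_dwords(reg_text), []
    if values.get("PortNumber", 3389) == 3389:
        findings.append("RDP listens on the default port 3389")
    level = values.get("MinEncryptionLevel", 0)
    if level < 3:
        findings.append(f"encryption level is {LEVELS.get(level, 'unset')}, not High")
    for user in parse_group_members(group_text):
        if user not in expected_users:
            findings.append(f"unexpected Remote Desktop user: {user}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(REG_SAMPLE, GROUP_SAMPLE, expected_users={"friend"})))
```

Members of the local Administrators group can also connect by default, so review that group alongside Remote Desktop Users.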


Check Windows Update. There was a vulnerability in RDP that was just patched :P

You're right! !@#$ing Microsoft. I take it all back.
posted by grouse at 4:28 PM on August 11, 2005


Consider Copilot. It's a modified VNC that works with an SSL "reflector" so it's both encrypted and works through NAT on both ends, proxies, and firewalls. Not free, it costs for a day pass (to use the reflector service, essentially).
posted by RikiTikiTavi at 11:02 PM on August 11, 2005

