Security of Remote Desktop
August 14, 2007 1:35 PM   Subscribe

There are probably exploits that no one here knows about. If you get "yes", then it's "yes", but "no" means nothing.

If you decide to punch a hole in a firewall, then at least expose that machine to as little of the 'Net as possible. Figure out what networks you'll come from, and add an explicit "except allow these addresses to this port", after the primary rule, "deny everything".
posted by cmiller at 2:12 PM on August 14, 2007

The main issue is being certain that Windows 2003 Remote Desktop doesn't have any remotely exploitable vulnerabilities in it which is rather hard to do. Even if you stay perfectly up to date on patches you could still be caught by the exploit before the patches are released.

If you limit the number of IPs that you allow to connect to RD though you should be much less likely to get attacked. Assuming those IPs are on trusted networks at least.

Security is not a boolean. It's no so much that you are either secure or not secure, you are just at a lower risk. With the configuration you have suggested you are certainly at some risk, although probably pretty low, of getting exploited.
posted by public at 2:19 PM on August 14, 2007

Note that RDP has a fairly serious trust issue - that is, there is no verification that the server the client is connecting to is actually the server that the client is expecting to connect to. This makes it possible to launch a man-in-the-middle attack whereby the attacker pretends to your client to be the server, and pretends to the real server to be a client, and captures all traffic during the session.

I don't know whether this has been fixed in 2k3, but it's still a real problem in other versions.
posted by aberrant at 2:41 PM on August 14, 2007

I wouldn't do it.
You would be better off using an ssh tunnel. That's how I manage my servers from afar.
posted by Cat Pie Hurts at 2:48 PM on August 14, 2007

Yah, vpn or ssh to the inside of your firewall, then RDP or anything all you want. Better way to go IMO.
posted by thilmony at 3:14 PM on August 14, 2007

There aren't any published remote exploits on the Windows remote desktop, as far as I know. But this does not guarantee that there aren't any exploits out there that have yet to be published, nor does it guarantee that none will be found down the line.

So if you do this, you're taking a risk. You're betting that there are no privately-known exploits now, and that none will be found in the future, either. You can reduce your exposure by using an SSH or VPN tunnel, like Cat Pie Hurts and thilmony say.
posted by event at 3:53 PM on August 14, 2007

is LogMeIn Hamachi more / less / just as secure?
posted by sharkfu at 5:16 PM on August 14, 2007

is LogMeIn Hamachi more / less / just as secure?

I don't know the answer but I have seen criticism because it's not open source, at least from what I remember, I guess the theory being that it's much more difficult to analyze closed software for exploits.
posted by 6550 at 9:03 PM on August 14, 2007

VPN or ssh is the way to go, but if that's a no-go (why would it be?) then you can configure an IPSec policy on the Windows box to only accept RDC port-bound packets from specific source networks, or you can even require certificates. The IPSec policy capability of Windows is a fairly granular firewall that not many people take advantage of.
posted by pmbuko at 9:38 PM on August 14, 2007

If you are running a cisco router you can set up an ipsec vpn server easily. If you're not there are a number of fairly cheap VPN products out there, and if you're interested in going cheaper, buy a WRT54GL (important hardware rev) and go with one of the x-wrt images on it. Easy VPN!

I've been fond of some ZyXel vpn servers and if you have an extra old timy server you can always roll smoothwall on it it.
posted by iamabot at 11:39 PM on August 14, 2007

« Older Help decorate my house in a we...   |   How do I get across Staten Isl... Newer »

This thread is closed to new comments.