
Getting Jittery about Remote Desktop Security


Happo

IS-IT--Management
Sep 28, 2002
188
AU
The network at work in question is all machines running XP Pro. They are behind a firewalled (NAT/SPI) router and each individual machine has a software firewall (McAfee) as well.

Recently we have received a few requests to set up Remote Desktop connections. In order to do this I have changed the default port on the machines in question (3389) to something less obvious but am still a little concerned about the security of all this. I have to use port forwarding on the router and exceptions in the software firewall so that users can connect.

This circumventing of security procedures has been playing on my mind a bit lately. These are precisely the tools that have prevented us from being hacked for many years. I have informed the users of the potential of bypassing these systems and the importance of a robust password etc.

I guess my question really is this. Since these machines are now totally accessible from anywhere on the net (provided you can figure out which port to use, which probably isn't that hard) how secure is the RD login procedure? I should mention, without saying too much, that data security at our firm is a very big deal.

We haven't had a virus or a single major incident in over three years and I would like to keep it that way. I have heard about VPNs and the like but my background is not in Windows so I don't know much about all this; besides, the system has been working perfectly and I don't want to rock the applecart unless absolutely necessary. I would appreciate any comments and suggestions on this matter including any additional security concerns that may present with all this going on.

Thank you,
Daniel.
 
Daniel,
Well, there are a couple of things I can think of off the top of my head.
1 - Read up on Windows VPN and implement it; however, this could become cumbersome depending on the number of users that need RDP.
2 - Invest in a VPN device and VPN client software. This could range from upgrading current hardware to investing in new VPN routers that allow for client-to-site VPNs.
3 - Lastly, you could request the client-side public IP address and only allow those devices in to the device using RDP.

Personally, I'd look at the company and its growth factor, then decide whether investing a larger sum of money would be useful. If not, then I'd look into an inexpensive solution, i.e. Netscreens (not to endorse them), but I've used them at branch offices; you can configure site-to-site and client-to-site VPNs, great for small could pretty stable. Good luck.
 
"data security is a very big deal"

If this is the case, then I suggest you do as much as you can - do both the suggestions.

1) Get a good VPN server. Restrict VPN access to only approved IP addresses.
2) Increase the remote desktop encryption to 128 bit.

You didn't mention your Windows network security, but I would ensure you're running on a domain, not a workgroup. If you allow one remote desktop client, then make sure everybody in the LAN is using appropriate passwords, such as 8 characters or more, special character, upper and lower case, etc.
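
Added example (not part of any post in this thread): one way to check that the "only allow approved IP addresses" suggestion from the two replies above is actually holding, by scanning firewall connection logs for accepted connections to the forwarded RDP port from sources outside the allowlist. The port number, the allowlisted networks, the log line layout and the sample log are all constructed assumptions; adapt the regex to whatever your router really writes.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the thread): the forwarded RDP port, the approved
# client networks (RFC 5737 documentation ranges), and the log line layout.
RDP_PORT = 53389
ALLOWED = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/28")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DROP) TCP "
    r"(?P<src>[0-9.]+):\d+ -> [0-9.]+:(?P<dport>\d+)$"
)

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2008-03-01 09:12:44 ALLOW TCP 203.0.113.10:50122 -> 192.168.1.20:53389
2008-03-01 09:40:02 ALLOW TCP 192.0.2.77:41810 -> 192.168.1.20:53389
2008-03-01 09:40:05 ALLOW TCP 192.0.2.77:41811 -> 192.168.1.20:53389
2008-03-01 10:02:19 ALLOW TCP 198.51.100.5:60233 -> 192.168.1.20:53389
2008-03-01 10:15:00 DROP TCP 192.0.2.200:33000 -> 192.168.1.20:3389
2008-03-01 10:20:31 ALLOW TCP 192.0.2.77:41900 -> 192.168.1.20:443
garbage line that does not parse
"""

def is_allowed(src):
    """True if the source address falls inside an approved network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED)

def unapproved_rdp_sources(log_text, port=RDP_PORT):
    """Count accepted connections to the RDP port per non-approved source."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in an unknown format
        if m["action"] != "ALLOW" or int(m["dport"]) != port:
            continue  # only accepted traffic to the RDP port matters here
        try:
            if not is_allowed(m["src"]):
                hits[m["src"]] += 1
        except ValueError:
            continue  # source field is not a valid IPv4 address
    return dict(hits)

if __name__ == "__main__":
    for src, n in unapproved_rdp_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} accepted RDP connection(s) from outside the allowlist")
```

Any source this reports means the router rule is letting RDP through from an address nobody approved, which is exactly the exposure the original question worries about.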

 
Thanks for the suggestions. I have done some fairly extensive research into VPN hardware and software and it seems to be the way to go.
I am still in consultation with the bean counters though and there will still be many more 'discussions' before any money is released so I can implement what I want.
I will let you know basically what I have done if and when it happens.
As a side note I have stopped all RD connections for the time being, for security, and it gives me more bargaining power...

Thanks again,
Daniel.
 