August 3, 2018
by Grant Hamono
The Remote Desktop Connection features in Microsoft Windows allow staff on the road, all over the world, to access their workstation. The productivity benefits of this are obvious.
The security implications are also obvious. Get this wrong and you are handing over full control of the machine to bad people who will harm you if they can profit from it.
So what’s the right way to go about this?
One common misconception in the IT sphere is that using the Microsoft Remote Desktop Client is not secure because it is poorly encrypted.
This is old news now. With recent versions of Windows, the encryption method used for this is actually quite good, and often stronger than those used in banking applications.
However, there are issues with relying solely on the Microsoft Remote Desktop Protocol (RDP). Firstly, it uses a well-known port, which is one of the first things attackers check. If this port is open, you’re putting this workstation’s login prompt out on the open internet.
If this happens the only thing standing between you and your network being compromised is the strength of your password. In a better world, this wouldn’t be such a big deal because people from all walks of life would just realise how crucial this password is. This is not the world we live in.
In particular – from the point of view of the humble IT technician – there’s no effective way of policing whether anyone is reusing the same password they used on Myspace in 2006 or on some cheesy internet forum that stores all the passwords in plain text in a database that can be read via an SQL injection attack. You can write the best password policy in the world and most people will just never take any of it seriously until it comes back to bite them.
And it just so happens that senior staff are often the worst at this. Which means it’s actually a bit scary just how trivial it could be for an attacker to help themselves to the most sensitive emails and financials. There is the further headache of the attacker having control of a local machine as a launching pad for further attacks.
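The natural defensive response to the situation above is to watch the logon failures an exposed RDP port attracts. The following is an added example, not code from the original post: it runs a brute-force and password-spray check over constructed Windows Event ID 4625 (failed logon) records, using the RemoteInteractive logon type (10) to pick out RDP attempts. The field names mirror the event's XML data; the thresholds, IP addresses and account names are made up for the demonstration.

```python
"""Flag RDP brute-force and password-spray sources in Windows Security log events.

Assumes failed-logon events (ID 4625) have been exported to dicts carrying
EventID, TimeCreated (ISO 8601), TargetUserName, LogonType and IpAddress.
LogonType 10 is RemoteInteractive, i.e. an RDP logon attempt.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"


def _ev(minute, user, ip, logon_type=RDP_LOGON_TYPE):
    """Build one constructed Event 4625 record at 09:<minute> on 2018-08-03."""
    return {"EventID": 4625, "TimeCreated": f"2018-08-03T09:{minute:02d}:00",
            "TargetUserName": user, "LogonType": logon_type, "IpAddress": ip}


# Constructed sample: one source hammers a single account, one sprays several
# accounts, one is a real user mistyping twice, one is a non-RDP console failure.
SAMPLE_EVENTS = (
    [_ev(m, "ceo", "203.0.113.7") for m in range(6)]
    + [_ev(1, u, "198.51.100.9") for u in ("alice", "bob", "carol")]
    + [_ev(2, "dave", "192.0.2.5"), _ev(4, "dave", "192.0.2.5")]
    + [_ev(3, "eve", "192.0.2.99", logon_type="2")]
)


def find_rdp_attackers(events, window=timedelta(minutes=5), max_failures=5, max_accounts=3):
    """Return {ip: reason} for sources that exceed either threshold inside `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] != 4625 or e["LogonType"] != RDP_LOGON_TYPE:
            continue  # not an RDP logon failure
        by_ip[e["IpAddress"]].append((datetime.fromisoformat(e["TimeCreated"]), e["TargetUserName"]))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward so attempts[start..end] span at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            if len(chunk) >= max_failures:
                flagged[ip] = "brute force"  # many failures, any accounts
                break
            if len({u for _, u in chunk}) >= max_accounts:
                flagged[ip] = "password spray"  # few failures each, many accounts
                break
    return flagged


if __name__ == "__main__":
    print(find_rdp_attackers(SAMPLE_EVENTS))
```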
One way to mitigate this is by redirecting the RDP traffic through a non-standard port.
This is helpful, especially against worms and other automated attacks. But like any “security through obscurity” approach, it’s hardly ideal and can be thwarted by attackers fairly easily.
If you have multiple users that need remote access then you’ll also need to open up more ports (1 per desktop), and the more ports you have sitting open, the more vulnerable you are to attack.
A much better solution is to set up a VPN connection into your network. This has several benefits:
There are several options for setting up a VPN – each with its own features, advantages and disadvantages. At the top of the pile is probably OpenVPN: a free, open source VPN with great security. This is a bit more fiddly to set up and the client application will need to be installed on client devices.
Windows Server also ships with native Point-to-Point Tunneling Protocol (PPTP) and Secure Socket Tunneling Protocol (SSTP) VPN services, which come standard with each iteration of Windows Server. Every version of Windows since Windows Vista comes with a client for both of these protocols – on a Mac, the client application will need to be installed.
PPTP was introduced back in the days of dial-up internet and is considered a relatively weak form of encryption. This is not such a terrible concern if all you’re using it for is remote desktop traffic, which is already well encrypted. If you’re going to use it for other traffic as well, such as general internet use, that’s something to think about. On the plus side, the light encryption means you get a super fast connection.
SSTP was introduced with Windows Vista and is a step up in terms of encryption strength. By default, SSTP uses port 443, the same port used by your web browser. This means business travelers are unlikely to encounter firewalls out in the wild that block this port. It also means that to any nosy types, the traffic will look a lot like ordinary encrypted web browsing.
For extra security you should establish a Terminal Services Gateway in the demilitarised zone of your network. This is a server role that lets you manage which users can remotely access which computers through policies you can configure.
It can also be set up to help audit the security of the connecting computer, such as whether the operating system is up to date with security patches, or whether antivirus is installed and active.