RDP Security vs VPN Security

  • Question

  • My question:

    1. Isn't it risky to have someone with unknown software that might include potential bugs VPN into your router? Doesn't that put the network at risk of something they might get infected with jumping off onto the corporate network?
    2. If RDP is opened to the world but secured with credentials such as Username: Ird0Yh7FfykIXEdBT5qu and password: kOiiavkdPeMYwVYwM5gU, would it be bulletproof? I know even moving off port 3389 would only minimize brute force attempts. I'm sure there would be some performance impact from bots spamming login attempts.
    3. Doesn't VPN suffer from brute force attacks that impact the server's performance?

    Background:

    My client owns a SonicWall, Windows Server 2012, and W10 Workstations. They have a remote worker (let's call her Janet :D ) who needs to access a PC for its applications and network shares on the Server. However, they're in a rural area. The only internet they have is unlimited cellular. I've tested RDP to that workstation and it's barely usable. VPN overhead might make it useless, but I've not tested this. That, and my fears of opening up the network to infection via the VPN, is why I'm asking these questions. I fear Janet might get infected and infect the network via the VPN. Just allowing RDP minimizes that in my mind. For security, I tried to set the SonicWall to only allow connections from her IP. I have no idea how often the ISP will change Janet's IP. This worked in all my other testing but not for Janet. It works from my place and for my cohort in Poland. But this issue is outside of what I'd like to address here.



    Wednesday, August 7, 2019 6:35 PM

All replies

  • Hi,

    1>
    Yes, there would be risk. It is also the VPN user's responsibility to reduce the risk of human misconduct, by following safety guidelines when using the VPN.

    2>
    We can use some configuration, such as enforcing certificates, increasing the security level, and using a strong password, to increase the security. In general, if you want to provide external/Internet remote connections, then deploying RD Gateway is recommended. It combines certificates with Remote Desktop connection authorization policies (RD CAPs) and Remote Desktop resource authorization policies (RD RAPs) to restrict/secure the remote connection.

    3389 is the default port for remote desktop connections; we can also manually change the port number to another one.

    Change the listening port for Remote Desktop on your computer:
    https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/change-listening-port

    3>
    VPN is also a secure mechanism to provide external users a secure channel to connect to the internal network/resources. You can contact your VPN provider and confirm with them the details of how to improve the VPN security.

    For remote desktop connections over external/Internet connections, either VPN or RD Gateway can be considered. The main difference is that VPN gives the user permission to connect to the whole internal network's resources, while RD Gateway only allows specific resources to be accessed. Also, we can combine VPN/RD Gateway with other security mechanisms, such as a firewall, to increase security.

    RD Gateway deployment in a perimeter network & Firewall rules:
    https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/RD-Gateway-deployment-in-a-perimeter-network-Firewall-rules/ba-p/246873

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, August 8, 2019 7:43 AM
    Moderator
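    As an added example (not from this thread or from Microsoft's linked article), the following PowerShell applies on the Windows 10 Pro workstation the hardening the reply touches on: it moves the listener off 3389, requires Network Level Authentication and the TLS security layer, restricts the host firewall rule to the remote worker's single address (the same idea as the SonicWall rule), and sets account lockout to blunt online guessing. The port 33890 and the peer address are placeholders I chose; run it elevated.

    ```powershell
    # Added example: harden the RDP listener on the workstation. Run as Administrator.
    # Assumptions: the new port and the remote worker's public IP below are placeholders.
    $NewPort     = 33890
    $AllowedPeer = '203.0.113.10'   # placeholder for "Janet's" current public IP
    $RdpKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # 1. Move the listener off 3389. This only reduces scanner noise; it is not a security
    #    control on its own, so the remaining steps still matter.
    Set-ItemProperty -Path $RdpKey -Name 'PortNumber' -Value $NewPort -Type DWord

    # 2. Require Network Level Authentication (credentials are checked before a session
    #    is created) and force the TLS security layer with high encryption instead of
    #    the legacy RDP security layer.
    Set-ItemProperty -Path $RdpKey -Name 'UserAuthentication' -Value 1 -Type DWord
    Set-ItemProperty -Path $RdpKey -Name 'SecurityLayer'      -Value 2 -Type DWord   # 2 = TLS
    Set-ItemProperty -Path $RdpKey -Name 'MinEncryptionLevel' -Value 3 -Type DWord   # 3 = High

    # 3. Host firewall: disable the built-in "from anywhere" Remote Desktop rules and
    #    allow only the new port, and only from the one permitted address.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName "RDP $NewPort from remote worker" -Direction Inbound `
        -Protocol TCP -LocalPort $NewPort -RemoteAddress $AllowedPeer -Action Allow -Profile Any

    # 4. Account lockout limits the rate at which an exposed listener can be guessed
    #    against. For local accounts only; on a domain-joined machine the domain
    #    password policy governs domain accounts instead.
    net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30

    # Restart the listener so the new port takes effect (a reboot also works; an
    # existing RDP session will be dropped), then verify the settings and the socket.
    Restart-Service TermService -Force
    Get-ItemProperty -Path $RdpKey | Select-Object PortNumber, UserAuthentication, SecurityLayer
    Get-NetTCPConnection -State Listen -LocalPort $NewPort
    ```

    The SonicWall rule in the question and this host rule both depend on the worker's IP staying fixed; when the cellular ISP changes it, update `$AllowedPeer` and the firewall rule rather than widening it to any source.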
  • Hi,

    How things are going there on this issue?

    Please let me know if you would like further assistance.

    Best Regards,
    Eve Wang   


    Monday, August 12, 2019 1:09 AM
    Moderator
  • My project is on hold while "Janet" is looking into better internet options. I did set up the SonicWall SSH VPN for testing. I appreciate your responses. I'd also like to get input from others here on TechNet.

    I don't believe I can deploy RD Gateway. I wasn't clear on this detail, but the Windows 2012 Server is Foundation grade software and not the full product. I'm pretty sure I'm stuck with whatever security level Windows 10 Pro has for RD.

    Monday, August 12, 2019 1:18 AM
  • Hi,

    If Gateway is not your choice, and you want to secure the RDP connection, a network technology such as VPN would be a better choice.

    Article “High Encryption on a Remote Desktop or Terminal Services Session Does Not Encrypt All Information” may provide you some reference information:
    https://support.microsoft.com/es-cr/help/275727/high-encryption-on-a-remote-desktop-or-terminal-services-session-does

    Best Regards,
    Eve Wang


    Wednesday, August 14, 2019 9:16 AM
    Moderator
  • Thank you again for the reply. Surely these issues no longer apply to modern RDP. The article is about Windows 2000, XP, and Server 2003.
    Wednesday, August 14, 2019 9:08 PM
  • Hi,

    The basic working principle is similar, and it can be considered as a reference.

    If any of the above replies is helpful, please remember to click "Mark as answer".

    Best Regards,
    Eve Wang


    Thursday, August 15, 2019 7:10 AM
    Moderator
  • Hi,

    Please remember to click "Mark as answer" if any of the above replies is helpful. It would move this reply to the top and make it easier to find for other people who have a similar problem.

    Best Regards,
    Eve Wang


    Wednesday, August 21, 2019 2:08 AM
    Moderator