1

I have often been told that allowing RDP access over the internet is a security risk - my understanding is that this logic stems from the idea that a potential hacker would brute-force the username and password in order to gain access. For instance, see this article.

Recently I had a call with Microsoft and they told me that this is not actually a security risk because the RDP protocol has a built-in protection against brute force and will automatically disable itself if too many attempts are made to access it (although I have not been able to independently verify that this is actually the case). Regardless, we can assume that any server that can be accessed via RDP over the internet has an account lockout policy (which will lock out an account after 20 failed attempts).

Assuming that all users have an extremely strong, randomly generated password, where is the vulnerability of accessing a server using RDP over the internet? And how is this less secure than having a VPN which authenticates via a RADIUS server using Active Directory (aka the same user store as we are using to RDP into a specific server)?

p.s. Some people have suggested that changing the RDP port may increase security - but would this even be necessary given the above? If there is a security risk, couldn't a potential hacker use a port scanner to determine which port IS being used for RDP?

William
    Hiding the port is not a security measure. It raises the level of effort to exploit problems, but should not be considered "protection". – schroeder Dec 05 '17 at 21:03
  • Possible dup [RDP Attempts From Unknown IPs, How to Protect?](https://security.stackexchange.com/questions/130490/rdp-attempts-from-unknown-ips-how-to-protect) – RubberStamp Dec 05 '17 at 21:18
  • Many duplicates of this https://security.stackexchange.com/a/157299/90657 – multithr3at3d Dec 06 '17 at 18:31
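The question assumes an account lockout policy that locks an account after 20 failed attempts. The following added example (not code from the original question, answer, or any Microsoft product) simulates that policy over a constructed stream of failed-logon records in the shape of Windows Security event 4625, and separately counts failures per source address. The threshold, window, event shape and sample IPs are all assumptions for the example; the point it makes is that a lockout policy protects the account, while the failed attempts themselves keep arriving and are still worth alerting on.

```python
"""Added example (not from the original post): simulate an account-lockout
policy against constructed failed-logon events and flag noisy sources."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled loosely on Windows Security event 4625
# (failed logon): (timestamp, source IP, target account). Made up for the
# example, not real telemetry. One source hammers "bob" 25 times in a row.
SAMPLE_EVENTS = [
    ("2017-12-05T21:00:00", "203.0.113.10", "alice"),
] + [
    (f"2017-12-05T21:00:{s:02d}", "203.0.113.10", "bob") for s in range(1, 26)
] + [
    ("2017-12-05T21:05:00", "198.51.100.7", "alice"),
    ("2017-12-05T21:06:00", "198.51.100.7", "alice"),
]

LOCKOUT_THRESHOLD = 20                      # failed attempts before lockout (assumed)
OBSERVATION_WINDOW = timedelta(minutes=30)  # counter reset window (assumed)


def parse_event(row):
    """Turn a (ts, src, account) tuple into (datetime, src, account)."""
    ts, src, account = row
    return datetime.fromisoformat(ts), src, account


def apply_lockout_policy(events, threshold=LOCKOUT_THRESHOLD,
                         window=OBSERVATION_WINDOW):
    """Return {account: time_of_lockout} for accounts that hit the threshold.

    Failures per account are counted inside a sliding window. Once the count
    reaches the threshold the account is treated as locked and later attempts
    against it are ignored, since a locked account rejects them anyway.
    """
    recent = defaultdict(list)  # account -> timestamps of recent failures
    locked = {}
    for ts, _src, account in sorted(map(parse_event, events)):
        if account in locked:
            continue
        recent[account] = [t for t in recent[account] if ts - t <= window]
        recent[account].append(ts)
        if len(recent[account]) >= threshold:
            locked[account] = ts
    return locked


def noisy_sources(events, min_failures=10):
    """Return {src_ip: failure_count} for sources with many failed logons.

    Every attempt is counted, including those made after the target account
    locked: the lockout stops the guessing from succeeding, not from arriving.
    """
    counts = defaultdict(int)
    for _ts, src, _account in map(parse_event, events):
        counts[src] += 1
    return {src: n for src, n in counts.items() if n >= min_failures}


if __name__ == "__main__":
    for account, when in apply_lockout_policy(SAMPLE_EVENTS).items():
        print(f"{account} locked out at {when.isoformat()}")
    for src, n in noisy_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {n} failed logons, review regardless of lockout state")
```

With the constructed data, "bob" locks at the 20th failure while "alice" (three failures across two sources) stays under the threshold; the source with 26 failures is reported by `noisy_sources` even though the lockout already neutralised it, which is the signal a defender would want from an internet-facing RDP host.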

1 Answer

3

It all depends on your risk scenario and what you want to protect against.

RDP has had some security issues, and leaving this exposed is just expanding your threat surface. But that might not be a problem for you.

The other problem is about those pesky AD account passwords. You are correct about every point you made. There are default account lockouts and you can have a password policy that enforces strong passwords, and these things enforce a strong security posture.

But passwords are used by people. By using RDP and the same credentials externally as internally, once you get one credential, you get access to both areas (external access and internal access). By splitting up the credentials and/or the technology to enter them, you provide defence-in-depth.

This way, if someone is phished for their credentials, for example, the attackers do not get automatic external access: they have another barrier to breach and do not have an all-access pass.

So, yes, from a general best-practice perspective, putting an additional authentication layer on top of your RDP access makes sense.

schroeder
  • Thanks for the details! Instead of exposing RDP to the internet, if one were to put RDP behind a VPN (which uses Active Directory for authentication), would that count as adding an additional layer of authentication (assuming we are using a VPN that doesn't leverage a Pre-Shared Key - obviously that method 'wins' in this scenario)? – William Dec 05 '17 at 22:45