In my workplace people are connecting with their PCs (with Windows on them) through basic RDP when they work from home. The only precaution taken is changing the default 3389 port to a different one and using strong passwords. This seems like a bad idea. There is no option to configure a simple VPN to gain access to files because employees need to remotely use software that utilizes physical HASP keys, available only on their computers. What is the correct approach in this situation?
2 Answers
Yes, RDP per se isn't secure enough to use over the Internet.
There is no option to configure simple VPN - why not? You should definitely use VPN to secure RDP access: set up a central VPN gateway, VPN clients and remove the port forwarding mappings from your NAT router.
Product recommendations are off-topic here, but you could try asking on Software Recommendations.
- I didn't think of that. Setting up VPN and THEN using RDP with local addressing makes sense. By central VPN gateway you mean configuring it through a local server with Windows Server 2019 and adding the Remote Access -> DirectAccess and VPN (RAS) role, or software like OpenVPN? Or something completely else and I'm mixing stuff up? – Jorhanc, Dec 9, 2021 at 10:56
- Yes, you can install a gateway on one of your servers (less recommended), on a dedicated server, or use a hardware appliance; most business-grade routers have VPN functionality. – Dec 9, 2021 at 11:03
- Everything is clear now, thank you very much for the help. – Jorhanc, Dec 9, 2021 at 11:15
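One way to verify, on each Windows PC, that the VPN-then-RDP setup really leaves the RDP listener reachable only from the VPN, as an added example that is not from the question or either answer: a PowerShell audit script. It assumes an elevated PowerShell on Windows 10/11 or Server 2016 and later, and that `10.8.0.0/24` is a placeholder for your VPN client subnet.

```powershell
# Added example, not from the original post. Run elevated on the PC that will be
# reached over RDP. $VpnSubnet is a placeholder; replace it with your VPN client range.
param(
    [string]$VpnSubnet = "10.8.0.0/24",   # assumption: VPN clients get addresses here
    [switch]$Apply                        # without -Apply the script only reports
)

$tsKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Listener state: enabled, NLA required, and which port it uses.
$denied = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
$nla    = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
$port   = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

"RDP enabled    : $($denied -eq 0)"
"NLA required   : $($nla -eq 1)"
"Listening port : $port  (a non-default port is not a security control)"

if ($nla -ne 1) {
    "NLA is off: credentials are only checked after a full session is set up."
    if ($Apply) {
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
        "  -> NLA now required for new connections."
    }
}

# 2. Firewall scope: the built-in 'Remote Desktop' rule group should accept
#    connections from the VPN subnet only, so a forgotten NAT port forward
#    or a stray LAN device cannot reach the listener at all.
$rules = Get-NetFirewallRule -DisplayGroup "Remote Desktop" -Enabled True
foreach ($rule in $rules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains "Any") {
        "Rule '$($rule.DisplayName)' accepts RDP from Any"
        if ($Apply) {
            $rule | Set-NetFirewallRule -RemoteAddress $VpnSubnet
            "  -> now limited to $VpnSubnet"
        }
    } else {
        "Rule '$($rule.DisplayName)' limited to: $($remote -join ', ')"
    }
}
```

Run it once without `-Apply` to see the current state, then with `-Apply` to enforce NLA and the firewall scope. Removing the 3389 (or custom port) forward on the NAT router still has to be done on the router itself.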
Changing the RDP port is security through obscurity, and not really viable when there are only 65535 TCP ports to scan.
Using a VPN and then hopping through that to connect over RDP is pretty standard. As mentioned, you can often set this up on an enterprise, or even SMB, router.
However, another solution is to use a Remote Desktop Gateway server. It uses a special protocol which essentially acts as an HTTPS tunnel/proxy (with a secured UDP performance protocol also). It is supported by nearly all RDP clients I know of. Although primarily designed with a VDI solution in mind, it can also be used very easily for normal workstations.
There are a number of different providers for this, you may want to go to Software Recommendations for different options.
The protocol allows complex policies as to when to allow logons, for how long, which PCs, what device redirection, etc. Not all providers support all of these.
The benefit of this over a VPN is that you have far more control over what is going on once a user has connected to your network, and they never directly route their device onto your network, so you are far less vulnerable to anything they have on their private devices.
- We really don't recommend any products here, to avoid advocacy and spam. Also, it is very much standard to control your users' VPN connections so that they can't do what they shouldn't. – Jan 2, 2022 at 16:24
- VPN has far less control over it, as mentioned. Sorry, wasn't aware this was a "product recommendation", as it's a standard Microsoft RDP feature. – Charlieface, Jan 2, 2022 at 16:27
- @Zac67 Is it OK if I mention RDG servers without mentioning a specific supplier? As there are other companies that do it. – Charlieface, Jan 2, 2022 at 16:29
- Yes, that's fine as long as there are several actual products covering that. :-) – Jan 2, 2022 at 16:39
- Yes, Parallels RAS supports it. – Charlieface, Jan 2, 2022 at 16:47