Remote access VPN

are you suggesting they publish RDP out to the internet? Cause that is a big NO right there.

You can, but it's best to change the RDP port and have a secure password.

E.g. Password2020 will get brute-forced quickly.
 
You can, but it's best to change the RDP port and have a secure password.

E.g. Password2020 will get brute-forced quickly.

Changing the port really doesn't do much. Port scans are pretty much standard across IP blocks and will identify this open port as well as what the protocol on the other side is.
Probably the only time port changes work is when port knocking is used.

But agreed, secure passwords are an absolute must, and usernames should be complex as well.
RDP should be secured via VPN and MFA though.
 
At least use ZeroTier or something similar to add an extra layer of protection.

With open RDP you may as well publish your passwords and network on the darknet for free node use.
 
While RDP is the best way to handle the current situation, it's not as simple as forwarding a port.

1. As a minimum deploy an RDP gateway; it allows you to block redirection of drives, limit logon hours and control who can get to what. Exposing RDP over SSL drastically limits the attack surface.

2. Anything exposed should have rate limiting enabled. RDP Defender is a simple tool which blocks an IP for X minutes and ultimately permanently. If you can only try 5 passwords every 5 minutes, even the simplest passwords take years to brute force.

3. DMZs are a thing: segregate your network so that in the event you are breached, access is limited.

4. If budget allows, get 2FA. Azure AD Application Proxy is a relatively simple way to implement 2FA while hardening your infrastructure.
 
Direct RDP isn't so terrible, as long as there is a solid password policy in place combined with 2FA.

I mean, ultimately if those are compromised a VPN means nothing anyway; in fact it's worse, as it provides open access to more.
 
2FA on RDP... What do you recommend?

As for VPN providing open access to more, why would it? You allow what you want on RDP. VPN doesn't replace other service authentication. Also, you're paying for bots to hit your network if you pay for bandwidth. If you have RDP open to the web, just check your Windows logs -> Security to see how many times it gets hit over a 24-hour period.

You'll likely see RDP hits on any open port, as people have woken up to the fact that non-standard ports are being used because people think they are clever; same with SSH and many other protocols.

But what I mean is that if your RDP is compromised you have only one endpoint affected immediately, and then it takes a bit more work to get to others.

If your VPN is compromised then everything it serves, usually the entire network on the other end, is wide open. More so with SSO in play, as re-authentication isn't required, which means the VPN does technically replace other service authentication.

Can't recommend a 2FA for RDP specifically as I don't use Windows; I'm just saying it's not the greatest villain in the room if a little bit of planning was done. I do believe Microsoft does provide this directly, and I generally avoid their parties when I can.

Ultimately, as with most things, it's circumstantial and will depend on each business and their specific requirements.
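The thread mentions two things a Windows admin would actually want to look at: the rate-limiting point (block a source after N failed attempts) and the suggestion to check the Security log to see how often an exposed RDP port is being hit in 24 hours. The script below is an added example written for this page, not code posted by any participant in the thread or by Microsoft. It reads failed-logon events (Event ID 4625) from the Security log, groups them by source IP and, only when run with -Block, adds a Windows Firewall rule for sources above a threshold. The threshold, the rule naming convention and the 3389 port are assumptions; adjust them to your environment.

```powershell
# Added example (not from the thread): summarise failed logons (Event ID 4625)
# over the last N hours, grouped by source IP, and optionally block the noisiest
# sources with a Windows Firewall rule. Run in an elevated PowerShell session on
# the host that exposes RDP.
param(
    [int]$Hours = 24,
    [int]$BlockThreshold = 50,   # assumption: failures from one IP before blocking
    [switch]$Block               # report only unless -Block is given
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
          -ErrorAction SilentlyContinue

if (-not $events) { "No failed logons (4625) since $since"; return }

# Pull the named EventData fields out of each event's XML. Logon type 10 is
# RemoteInteractive (classic RDP); with NLA enabled, RDP failures show as type 3.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $d['TargetUserName']
        LogonType = $d['LogonType']
        SourceIp  = $d['IpAddress']
        Status    = $d['Status']
    }
}

# Keep network-type failures that carry a remote address; local failures log '-'.
$rdp = $rows | Where-Object { $_.LogonType -in '3','10' -and $_.SourceIp -and $_.SourceIp -ne '-' }

"Failed logons in last $Hours h: $($rows.Count) total, $($rdp.Count) network/RDP-type"
$bySource = $rdp | Group-Object SourceIp | Sort-Object Count -Descending
$bySource | Select-Object -First 10 Count, Name,
    @{ n = 'Users'; e = { ($_.Group.User | Select-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# Rate-limiting step: block sources that exceeded the threshold (idempotent by rule name).
foreach ($g in $bySource | Where-Object Count -ge $BlockThreshold) {
    $name = "RDP brute-force block $($g.Name)"   # assumption: rule naming convention
    if ($Block) {
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
                -RemoteAddress $g.Name -Protocol TCP -LocalPort 3389 | Out-Null
            "Blocked $($g.Name) ($($g.Count) failures)"
        }
    } else {
        "Would block $($g.Name) ($($g.Count) failures); rerun with -Block to apply"
    }
}
```

Run it once without -Block to see the count the earlier post talks about; a host with RDP forwarded straight from the router will typically show thousands of 4625 events per day from a handful of sources. Blocking by IP is only a stopgap against distributed attempts, which is why the same post pairs rate limiting with a gateway and 2FA.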
 
If your VPN is compromised then everything it serves, usually the entire network on the other end, is wide open. More so with SSO in play, as re-authentication isn't required, which means the VPN does technically replace other service authentication.

Sadly this is very common. Ideally each VPN user should receive a profile limiting which network resources should be available (i.e. host/network specific etc.) and not a blanket scope. For my clients we insist on either 2FA which is unrelated (i.e. not something that can be accessed with an SSO-type login) or all VPN accounts having their own credential store with dissimilar usernames and passwords, with 2FA where possible.

Also, non-standard port usage is ineffective, and ideally you should not be exposing any server resources which allow for possible elevated privileges or vectors for vulnerability directly to the internet or any untrusted network, even if protected by authentication.
 
Bots will recognise RDP as RDP, the signature of the response tells them what it is.

That's what I was saying. Changing the port is maybe cutting down on some manual hacks but is not very effective overall, so it kind of defeats the purpose.

You're not making sense. What I'm hearing is that you're suggesting that RDP doesn't give you access to anything but a single desktop but VPN gives you the whole LAN... Well if that's how it's set up, then that's your funeral. What I'm suggesting is that if you only want a single desktop available over RDP then stick it behind a VPN and not only will it NOT be exposed, after the VPN is breached, they will still need to breach RDP and they will only get access to what YOU as sysadmin provide access to. Why is a VPN automatically routing traffic to your network? Security is a bunch of things working together, VPN is a component, Authentication another, accounting another, VLANS another, etc. etc.

That is the usual use case for most, and more so for small/medium enterprise where it's often one oke with a little bit of knowledge implementing it, but not enough.

What I'm saying is that an RDP direct connection that is properly secured in and of itself might in many small business use cases have better odds of success over a badly implemented VPN structure, which is far more complex.

Definitely. It depends on requirements, but to suggest VPN is a waste of time is a bit weird.

Where did I say that VPN is a waste of time?

All I'm saying is that a direct RDP isn't necessarily the end of the world and a badly implemented VPN could be far worse.

Switch off your enterprise brain for a moment and think of the small-scale guys likely to get this very wrong, and then ask yourself what is the quickest solution with the best results and the least cost; then you might see where I'm coming from.

Even VLANs can be too much to ask of some small businesses as crazy as that sounds.
 
That's not what you were saying. You were saying that having RDP behind a VPN means that the VPN will be hit with bots trying to access RDP because it looks the same to them.

How about a well-secured VPN and well-secured RDP? If you don't know what you're doing and you put your systems online, you have two options: 1) take what's coming to you, 2) hire someone who knows what they're doing.

Which is bull. You make no sense. What are you accessing over RDP? An empty desktop or company resources? Are you logging in with AD? If so, do you specifically create a different AD account to access this empty desktop with nothing on it, or do you, I dunno, give people remote access to company systems as is the point of remote access?

I work in all environments, you're the one suggesting that RDP gives access to a single box, not me.

Of course, that's why running a separate VPN on individual boxes to access those boxes alone is a fantastic way to give access to small company resources.

I think what he is saying is that for a small business there are plenty that utilise RDP exposed via port forwarding on a cheapie router to access a program or something installed on their server, and they're perfectly fine with that, especially since for most companies there aren't any other resources other than a single server. There are millions of RDP, Telnet, SSH and other such endpoints out there that are still fine running without a VPN, using basic common sense with password policies etc. It's not ideal, but it's probably more common than proper implementations.
 
Only our work-issued laptops are allowed to connect to the VPN. The issue is that you're essentially plugging foreign hardware into your organisation's network; big security risk there if it's not controlled. I also can't connect my personal laptop to the office's WiFi or physical LAN, for the same security reasons.

You sound like you work for Multichoice.
 