How secure is port forwarding

By nedg ·
I have a few clients with simple needs that don't want to buy new routers with VPN etc, in other words spend money.

How secure is it to port forward on the default or alternate port to remote desktop into a workstation or Windows 2K server?

And would you run any additional security updates or software?

Thanks in advance

10 total posts (Page 1 of 1)  

All Comments

by OTL In reply to How secure is port forwar ...

NOT at ALL!

Leaves remote desktop and LAN/WAN wide open to hackers.

VPN try VNC at least you would get some security, encryption through the internet and require at least a login prompt.


by nedg In reply to

I know it will have security issues; opening a port for VNC will create the same problem I am concerned about with remote desktop.

VPN login can be brute force hacked and it only provides an encrypted tunnel to prevent packet sniffers from intercepting information, unless you use timed key generators like SecureID.

I am not fussed on people stumbling upon or intercepting information on the net, more so concerned about them gaining access to the server that the port is forwarded to, or exploiting vulnerabilities in remote desktop.

by CG IT In reply to How secure is port forwar ...

VPN it if it's remote desktop to a workstation. At least you'll have authentication to get in via RRAS through the VPN tunnel [which hackers can't [ha ha] see] and you can use strong password requirements with encrypted passwords.

If you can change the Remote Desktop port to something other than the default, that is even more protection. [All hackers know what the default port is, so they will try that first.]

by CG IT In reply to

Remote desktop is a huge security risk and leak in our opinion and we don't allow it.

by Joseph Moore In reply to How secure is port forwar ...

I agree. What you are proposing is not a secure way to go.
If I'm reading this right, you want to set up something (like a NetCat shell), listening on some oddball port. You then want any inbound connections to this port to be forwarded to the Windows box running Terminal Services on port 3389.
So a client would connect with their TS/Remote Desktop client to this oddball port, and with NO AUTHENTICATION at this point, they get internally redirected to TCP port 3389. That's your idea?
Yeah, that's not a good idea.
A port scan with a tool like NMAP can determine that there's port redirecting going on. That's a red flag for something to be looked at. And there is at least 1 tool that I know of that is specifically designed to do a dictionary attack against TS connections.
If your clients need to do something secure on the cheap, here's my suggestion.
Take one of their workstations (even an older one), install Win2K Server or Win2K3 Server on it, and install RRAS. In RRAS, set up the machine to be a VPN Server.
Dual-home this server (put in 2 network cards). One NIC is the inbound from the Internet, and this NIC is also the one running the VPN Server ONLY. Nothing else on this NIC. The other NIC goes to the internal network that can connect to the box you need to TS into. Configure the VPN Server for authentication and all that, and to route TCP port 3389 to the machine you want to TS into.
This way, they have inbound VPN that is secure. You've got to authenticate to the VPN server to get into an internal client on TS. You get security, encryption, all that fun stuff.
And all you need is a machine.
There are, of course, other steps to take if possible (multiple internal network segments, firewall screening, etc), but that just depends on if there's any money to spend doing this.
Here's an article on setting up VPN Server in Win2K3:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/00c498a8-95e7-4780-942e-c4594b01f615.mspx
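
Added example, not part of the thread and not any poster's code: the replies above mention dictionary attacks against Terminal Services connections, so this Python script flags sources that open an unusual number of connections to the forwarded port in a firewall log. It assumes a W3C-style log with a `#Fields` header (the layout Windows Firewall's pfirewall.log uses) sorted by time; the sample records, addresses, threshold and function names are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed column layout, read from the log's own #Fields header at parse time.
HEADER = ("#Fields: date time action protocol src-ip dst-ip src-port dst-port "
          "size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info")

def sample_log():
    """Constructed records: one source retrying every 4 s, one normal user."""
    row = "2005-03-01 {} {} TCP {} 192.0.2.10 {} {} - - - - - - - -"
    rows = [HEADER]
    rows += [row.format("02:10:%02d" % (4 * i), "OPEN-INBOUND", "203.0.113.7",
                        4000 + i, 3389) for i in range(15)]
    rows += [row.format("08:30:00", "OPEN-INBOUND", "198.51.100.20", 2001, 3389),
             row.format("08:55:12", "CLOSE", "198.51.100.20", 2001, 3389),
             row.format("13:02:41", "OPEN-INBOUND", "198.51.100.20", 2002, 3389)]
    return rows

def parse(lines):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                          "%Y-%m-%d %H:%M:%S")
            yield rec

def noisy_sources(lines, port="3389", limit=10, window=timedelta(minutes=1)):
    """Return {src-ip: peak count} for sources with more than `limit` TCP
    connection attempts to `port` inside any sliding `window`."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for rec in parse(lines):
        if (rec.get("protocol") != "TCP" or rec.get("dst-port") != port
                or rec.get("action") == "CLOSE"):
            continue  # only count attempts aimed at the forwarded port
        q = recent[rec["src-ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # drop attempts older than the window
            q.popleft()
        peak[rec["src-ip"]] = max(peak[rec["src-ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > limit}

if __name__ == "__main__":
    print(noisy_sources(sample_log()))
```

Pass `port=` the alternate port number as a string if Remote Desktop was moved off 3389.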

by nedg In reply to

Thanks Joseph, you have been helpful.

Thanks to the other guys, but I already knew it was unsecure; what I needed was feedback and ideas.

by ITJUNKIE In reply to How secure is port forwar ...

I would strongly advise against that my friend. You are going to make yourself wide open to a number of different things.

by nedg In reply to

Poster rated this answer.

by nedg In reply to How secure is port forwar ...

This question was closed by the author
