Windows Remote Desktop Security?

By Codyt8

I have read a lot of information about Remote Desktop and I see it has security issues. When users want to work from home, administrators have to open port 3389 on their router's firewall and forward that port to the user's workstation IP address. Then hackers can use NMAP to scan for port 3389 and attack Remote Desktop with certain applications. My question is: what if you never open port 3389 on your router's firewall and only use Remote Desktop on your Local Area Network and not over the Internet using your external IP address, are you still at risk of being attacked? And if so, how?

All Answers

No, not in the same way.

by seanferd In reply to Windows Remote Desktop Se ...

There might be something that could occur within the LAN, but that is a lower risk.

However, simply having a port open means nothing. You just don't open ports you don't use. Attackers, using nmap or not, always know your port 80, 53, etc. are always open.

Further, know the difference of a port being open on your router from a port being open on a computer. The first is internet-facing, while the latter is in your network behind the router and its firewall.

There is no inherent security risk in having any port open over another port being open, other than the fact that you are connected to the internet at all. Any real risk involving Remote Desktop is more likely to be in RDP itself, not just the port being open.

Some more notes...

by TobiF In reply to Windows Remote Desktop Se ...

I agree with all Seanferd said above, but would like to add a couple of notes.

On your router you can't have more than one forward from port 3389. If you want to open connections to several computers, then you'd need to move the RDP client to a different port number on each computer and then forward the corresponding ports to each computer from your router. (The RDP protocol doesn't like to be forwarded from one port number to a different one, so you need to touch the registry in all these computers.)

A more secure solution is to publish the RDP hosts only for the internal network, and then let your colleagues connect to the work network via VPN, instead. Once they've reached the inside, they can then connect their RDP session the normal way.

Edit: Deleted a tail that was left over.
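
An added example, not part of any post in this thread: a read-only PowerShell audit of the host-side settings the answers above touch on, namely the RDP listener port stored in the registry and which remote addresses the Windows firewall lets reach it. It assumes Windows 8 / Server 2012 or later (NetSecurity module) and an elevated session; it cannot see port forwards configured on the router.

```powershell
# Added example: read-only audit of local RDP exposure. Changes nothing.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Join-Path $ts 'WinStations\RDP-Tcp'

# Listener state as stored in the registry
$enabled = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$port    = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber
$nla     = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1
Write-Output "RDP enabled: $enabled, listener port: $port, NLA required: $nla"

# Enabled inbound allow rules that name the listener port explicitly.
# Port ranges and rules with LocalPort 'Any' are not expanded here.
$rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$port" } |
    Get-NetFirewallRule |
    Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow'
    }

# For each rule, show which remote addresses may connect
$report = foreach ($r in $rules) {
    $addr = $r | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule            = $r.DisplayName
        Profile         = $r.Profile
        RemoteAddress   = $addr.RemoteAddress -join ','
        ScopeRestricted = -not ($addr.RemoteAddress -contains 'Any')
    }
}
$report | Format-Table -AutoSize

# Findings a LAN-only deployment would want to close
if ($enabled -and -not $nla) {
    Write-Warning 'Network Level Authentication is not required for RDP.'
}
foreach ($row in $report | Where-Object { -not $_.ScopeRestricted }) {
    Write-Warning "Rule '$($row.Rule)' allows TCP $port from any remote address."
}
foreach ($row in $report | Where-Object { "$($_.Profile)" -match 'Public|Any' }) {
    Write-Warning "Rule '$($row.Rule)' is active on the Public profile."
}
```

A rule whose RemoteAddress is `LocalSubnet` or a list of internal ranges keeps the listener reachable only from those addresses, independent of what the router forwards.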

Remote Desktop Security

by Codyt8 In reply to Some more notes...

Thanks for the info, it was very helpful. I was looking for a remote access solution that I could implement over a LAN, without having to install third-party products on every computer on site. So I wanted to enable Windows Remote Desktop on the computers, but I was concerned about its security issues I have read about.
