Blog Post

RDP vs. SSH/SSL/VPN for Security

Kordel

As a Network Consultant and Security Analyst, I often have the responsibility to either set up or audit Remote Administration tools of various sorts. I have my own ‘bag of tricks’ when it comes to securing these, but I always wonder where the best balance is between Security and Usability – it’s the age old question of Security – just how much inconvenience is it worth?

For the benefit of my clients and colleagues, I thought I’d lay out a few of my personal thoughts and experiences on the subject. The topic has been covered many times by many people, many of whom carry more qualifications on the subject than I myself do. But, for those that value my opinion, or would simply like another point of view, here are my thoughts on Security related to Remote Administration platforms.

First up, you have the ubiquitous (in the Windows Networking world) RDP protocol, coupled with Remote Desktop/Terminal Services. Easy to use. Easy to configure. Easy to hack…?

That’s what everyone says. But the reality is that it’s actually quite secure. With proper configuration, RDP (Remote Desktop Protocol) / Remote Desktop is capable of 128-bit RC4 encryption, virtually any port or set of port allocations, and even (since Windows Server 2003) TLS (Transport Layer Security). RDP has proven to be relatively bug-free, with only extremely minor flaws ever discovered (I think two or three in its history) and no known exploits of those flaws ever successfully executed.

RDP’s main weakness has always been man-in-the-middle attacks. While alternate configurations (any VPN, SSL/SSH) require authentication of endpoints, RDP does not, and is vulnerable to attacks that reroute traffic through a malicious machine (a “sniffer”) to capture data. While all data is encrypted (at varying levels), there was never any way to ensure that someone was not capturing all session data (including encryption keys) and performing decryption to recover passwords and other sensitive data.

Enter TLS.

TLS (Transport Layer Security) institutes certificate-based authentication of the Terminal Server (the computer serving the session). With TLS enabled, endpoints are validated via Security Certificates to assure both Client and Server that they are communicating securely and directly, with no “sniffers” in between.

Some of my favorite “tweaks” to beef up my RDP access security are:

  1. Edit the Windows Registry to enable a secondary RDP “Listener” on a non-standard port (say port 11437), and then forward ONLY that port through your Firewall.
  2. Ensure that Domain Policies on the Terminal Server’s Domain include valid Lockout Policies with low thresholds (3 attempts is good) and reasonable reset periods (30 to 60 minutes is my preference). This ensures that anyone who ever COULD gain access to your IP address and port number would have a LONG time trying to guess passwords.
  3. Be smart about Password Security – you know (or should know) a good password from a dumb one – if it’s a word, a name, or a number that isn’t random, DON’T USE IT.
  4. Check your logs. Anybody trying to brute-force or dictionary-hack your user name/password will have several hundred years of work cut out for them if you have a good password and the Lockout Policies set up correctly – and no matter who you are, that’s PLENTY of time to stumble upon a few thousand failed login attempts in your Security log.
  5. Set Idle Timeouts in your Terminal Server setup – long, unused connections are trouble waiting to happen. TLS can protect you from 99.999999% of session “thefts” and MITMs, but leaving connections idle for any period of time is tempting fate (and your 0.0000001% chance of theft.)
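As an added example (not part of the original post), the following PowerShell script audits the Terminal Server against points 1, 2, 4 and 5 of the list above without changing anything. It assumes the standard registry locations for the RDP listener (`HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\<listener>`) and for the Terminal Services policy values (`HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services`); the listener name defaults to the built-in `RDP-Tcp`, so change `$ListenerName` to the name of the secondary listener you created. Run it in an elevated PowerShell session on the server itself.

```powershell
# Added example, not from the original post: read-only audit of the RDP
# hardening points (non-standard port, TLS, lockout policy, idle timeout,
# failed-logon review). Assumes the standard Terminal Server registry keys.

$ListenerName = 'RDP-Tcp'   # change to the name of your secondary listener
$listenerKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\$ListenerName"
$policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$findings     = @()

# 1. Listener port: the default 3389 is what blanket scans look for.
$port = (Get-ItemProperty -Path $listenerKey -Name PortNumber).PortNumber
if ($port -eq 3389) { $findings += "Listener '$ListenerName' still on default port 3389" }
else                { $findings += "Listener '$ListenerName' on non-standard port $port (OK)" }

# TLS: SecurityLayer 2 = TLS required, 1 = negotiate, 0 = legacy RDP security.
$secLayer = (Get-ItemProperty -Path $listenerKey -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
if ($secLayer -ne 2) { $findings += "SecurityLayer=$secLayer : TLS is not enforced (expected 2)" }
else                 { $findings += "SecurityLayer=2 : TLS enforced (OK)" }

# 2. Lockout policy, read from `net accounts` (add /domain to query the domain policy).
function Get-NetAccountsValue([string[]]$Output, [string]$Label) {
    $m = $Output | Select-String -Pattern ('^{0}\s+(\S+)' -f [regex]::Escape($Label)) | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
}
$acct      = net accounts
$threshold = Get-NetAccountsValue $acct 'Lockout threshold:'
$duration  = Get-NetAccountsValue $acct 'Lockout duration (minutes):'
if ($threshold -eq 'Never' -or -not $threshold) {
    $findings += 'Account lockout is DISABLED (threshold: Never)'
} elseif ([int]$threshold -gt 5) {
    $findings += "Lockout threshold $threshold is high; 3 attempts is the recommended setting"
} else {
    $findings += "Lockout threshold $threshold, duration $duration minutes (OK)"
}

# 5. Idle timeout: MaxIdleTime is in milliseconds; absent or 0 means never.
$idle = (Get-ItemProperty -Path $policyKey -Name MaxIdleTime -ErrorAction SilentlyContinue).MaxIdleTime
if (-not $idle) { $findings += 'No idle-session time limit set (MaxIdleTime absent or 0)' }
else            { $findings += "Idle sessions disconnected after $([int]($idle / 60000)) minutes (OK)" }

$findings | ForEach-Object { Write-Output $_ }

# 4. Check your logs: failed logons (Event ID 4625) in the last 24 hours,
#    grouped by the source address recorded in the event's IpAddress field.
Write-Output "`nFailed logons in the last 24h by source address:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        ([xml]$_.ToXml()).Event.EventData.Data |
            Where-Object Name -eq 'IpAddress' |
            Select-Object -ExpandProperty '#text'
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

The lockout check deliberately reads the effective policy with `net accounts` rather than the registry, because a domain GPO can override whatever the local machine has set; on a domain member, run the query with `/domain` to see the policy that actually governs the accounts you care about.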

Next up: SSH/SSL.

I have to confess, my experience with SSH/SSL and variants is a little limited – most of my handling has been WinSSHD. Which I like. Great software, very robust, configurable, and secure. I guess. But it has its quirks.

SSH servers (such as OpenSSH, WinSSHD, etc.) provide SSH (Secure SHell) encapsulation for all communications, using Digital Certificates for Client and Server Authentication (similar to TLS). SSH supports much higher standards of encryption than RDP, specifically support for the Blowfish, DES and IDEA algorithms. The certificate-based authentication provides secure recognition before transmission of any (encrypted) data, even passwords for Domain authentication.

The problem I have run into with most SSH implementations is, quite simply, their complexity. SSH servers such as WinSSHD provide a host of options, the like of which would never be required by anything short of an international conglomerate. This poses a problem for the “little guy”, who really needs to access a few work files from home, has no idea about security, but DOES know that someone somewhere told him that “SSH” is really good for security. Beyond that, even the small-office techie who can fiddle his way through a relatively secure RDP setup is left scratching his head over SSH configurations.

Once configured, a lot of the same common sense rules apply – use non-standard ports if possible, don’t leave sessions idle forever, don’t use bad passwords, control your access lists, and CHECK YOUR SECURITY LOGS.

I’ve seen clients who get hundreds of hits a day in their logs from guys who’ve stumbled upon their IP and found port 22 open, and seem to get kicks from “hacking” an SSH server by password guessing. Badly.
But you never know… someone might be smart and guess a password, or someone on the inside might be stupid enough to use an easy password… you never know.
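The two paragraphs above describe exactly what a log review should pick out: bursts of failed passwords from one address, and the rarer case where a burst is followed by a successful login. As an added example (not code from the original post or from any SSH product), this PowerShell function does that triage over sshd-style log lines. The sample lines are constructed for the example, using documentation IP ranges; the 3-attempt threshold and 30-minute window mirror the lockout settings recommended for RDP earlier in the post.

```powershell
# Added example, not from the original post: triage sshd authentication log
# lines for password-guessing bursts and for a success that follows a burst.
# The log below is CONSTRUCTED sample data in sshd's syslog format.

$sampleLog = @'
Mar 14 02:11:05 gw sshd[2134]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar 14 02:11:07 gw sshd[2134]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar 14 02:11:09 gw sshd[2136]: Failed password for root from 203.0.113.45 port 51130 ssh2
Mar 14 02:11:12 gw sshd[2138]: Failed password for root from 203.0.113.45 port 51131 ssh2
Mar 14 02:11:15 gw sshd[2140]: Failed password for invalid user test from 203.0.113.45 port 51133 ssh2
Mar 14 08:30:01 gw sshd[2410]: Failed password for jsmith from 198.51.100.7 port 40012 ssh2
Mar 14 08:30:20 gw sshd[2412]: Accepted password for jsmith from 198.51.100.7 port 40013 ssh2
Mar 14 09:02:44 gw sshd[2550]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar 14 09:02:46 gw sshd[2550]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar 14 09:02:49 gw sshd[2552]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar 14 09:02:55 gw sshd[2554]: Accepted password for root from 192.0.2.9 port 33003 ssh2
'@ -split "`r?`n"

function Find-AuthAbuse {
    param(
        [string[]]$Lines,
        [int]$Threshold     = 3,   # failures that should have triggered a lockout
        [int]$WindowMinutes = 30   # observation window, like the lockout reset period
    )
    # Parse timestamp, outcome, user and source address from each sshd line.
    $pattern = '^(?<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?<result>Failed|Accepted) password for (?:invalid user )?(?<user>\S+) from (?<ip>\S+) port'
    $events = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $ts = $Matches.ts -replace '\s+', ' '     # syslog pads single-digit days
            [pscustomobject]@{
                Time   = [datetime]::ParseExact($ts, 'MMM d HH:mm:ss', [cultureinfo]::InvariantCulture)
                Result = $Matches.result
                User   = $Matches.user
                Ip     = $Matches.ip
            }
        }
    }

    $report = foreach ($group in ($events | Group-Object Ip)) {
        $sorted   = $group.Group | Sort-Object Time
        $failures = @($sorted | Where-Object Result -eq 'Failed')

        # Peak number of failures from this address inside any single window.
        $peak = 0
        for ($i = 0; $i -lt $failures.Count; $i++) {
            $start = $failures[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $n = @($failures | Where-Object { $_.Time -ge $start -and $_.Time -lt $end }).Count
            if ($n -gt $peak) { $peak = $n }
        }

        # A success after the last failure is the "someone might guess" case.
        $lastFailure  = if ($failures.Count) { ($failures | Select-Object -Last 1).Time } else { $null }
        $successAfter = @($sorted | Where-Object { $_.Result -eq 'Accepted' -and $lastFailure -and $_.Time -gt $lastFailure })

        if ($peak -ge $Threshold -and $successAfter.Count) { $verdict = 'SUCCESS AFTER BRUTE FORCE - investigate now' }
        elseif ($peak -ge $Threshold)                      { $verdict = 'brute force; lockout should have fired' }
        elseif ($successAfter.Count)                       { $verdict = 'normal (typo, then login)' }
        else                                               { $verdict = 'normal' }

        [pscustomobject]@{
            Ip           = $group.Name
            Failures     = $failures.Count
            PeakInWindow = $peak
            Users        = (($failures | ForEach-Object User | Sort-Object -Unique) -join ',')
            Verdict      = $verdict
        }
    }
    $report | Sort-Object PeakInWindow -Descending
}

Find-AuthAbuse -Lines $sampleLog | Format-Table -AutoSize
```

On the constructed sample the function reports 203.0.113.45 as a brute-force burst (5 failures in ten seconds, no success), 198.51.100.7 as a normal user who mistyped once, and 192.0.2.9 as the case that needs a phone call: three failures and then an accepted root password from the same address. To run it over a real file, replace `$sampleLog` with `Get-Content /var/log/auth.log` (or your SSH server's equivalent log export) and lower `$Threshold` if your lockout policy is stricter.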

The bottom line in either case is the intelligence of the setup. Nothing is secure out of the box. Nothing.

For simplicity, use RDP and Google for a good setup guide (contact me through my web form for suggestions) to enact some of the measures I’ve suggested. For maximum security, if you’re willing to take the plunge, SSH (or an SSL equivalent) will provide a tighter solution. Just be ready to maneuver pages of settings and troubleshooting.

And either way, check your logs.
