Disabling RDP in your environment for security purposes
Posted by thelug_1@reddit | sysadmin | 195 comments
What is your view on or has your enterprise disabled RDP for the entire organization due to it being an "extreme security risk?" Management is beginning exploratory research.
xfilesvault@reddit
We disabled RDP and SMB on all workstations. Full block with the firewall.
Disabled RDP on domain controllers.
Some further network segmentation as well.
its_FORTY@reddit
Talk about dumb.
xfilesvault@reddit
Why?
You realize I mean inbound SMB, right? There is no reason why your workstations need to be SMB file servers.
TinderSubThrowAway@reddit
We disabled mice and keyboards too, realized that it solved a ton of problems.
thortgot@reddit
SMB to workstations is an enormous lateral vector with minimal benefit.
RDP to workstations only if your workflow requires it and definitely not to domain users.
Alpizzle@reddit
Now if only we could disable the users...
Same_Bat_Channel@reddit
Disable from internet, no exceptions. There is zero good reason. Route internal traffic through a gateway and only allow rdp from that gateway. Add NPS server to layer MFA. Alternatively use something like beyond trust to leverage jump points and record sessions. Always enforce mfa or certificate auth like WHfB.
-Director of Cybersecurity
Mr_Kill3r@reddit
"Disable from internet, no exceptions. There is zero good reason." says only someone who has never had to work in IT Ops.
Cormacolinde@reddit
You are wrong. Setup a gateway if you need external access, NEVER put RDP directly out.
anonymousITCoward@reddit
what do you mean never put it directly out.. we just change port forward to non standard ports... that's secure enough...
/s
you were targeted because i could see you bursting that vein on your forehead lol
Jaegermeiste@reddit
The trick is to disable RDP globally, to make the ignorant auditor happy.
Then install a VNC server for local access, and set the password to 'password' so you don't forget it.
Also install TeamViewer for totally bulletproof remote access.
Then, after a while, re-enable RDP - but, if caught, blame a Windows Update for reverting the setting (or alternatively come up with something else that sounds plausible to leadership but similarly shirks responsibility).
Finally, go back to binging The IT Crowd or Silicon Valley while you lazily close service tickets at random on your other monitor. Be extremely irritated if anyone disturbs your focus time. If done binging, re-read the Bible at https://www.theregister.com/offbeat/bofh/.
Profit.
Mr_Kill3r@reddit
Typical consultant, you don't foot the Azure bill, do you.
Look I am not saying that I am going to design a prod system like that.
But I can think of a few scenarios that could call for it, and you can lock it to a source IP.
itishowitisanditbad@reddit
Like what?
Mr_Kill3r@reddit
Just off the top of my head
VPN is down
Identity provider is down
Bastion/jump host is unavailable
Piddling little jobs like cloud to cloud migrations
And to think that I defended you! Last time I was balls deep in "yo momma" she said you were a nuffy, but I said you were all right, but I was just glad you weren't mine. (Yo momma cannot get pregnant the way we do it).
idkwhatimdoing503@reddit
What does the ‘VPN is down’ mean in your context and how often does that happen for you? Like is authentication broken? Or is the internet down? And if so to either of those, how would RDP work? Do they not use the same connection or authentication? Do you have 2 factor for either your VPN or RDP? How often does your VPN go down to justify leaving RDP open to the internet?
JwCS8pjrh3QBWfL@reddit
I love this. Folks (like my CISO) trot out these hypotheticals that could never happen because of meta details they're forgetting about.
Mr_Kill3r@reddit
Username checks out
idkwhatimdoing503@reddit
haha ok you're right, idk what I'm talking about. Leave RDP open to the internet. You are the reason I don't trust people. Good luck out there.
Mr_Kill3r@reddit
Hey, ya know out there on the big bad Internet, there are these things that have port 443 open to the public. I know, how stupid are they, right. Some of them even have logins exposed to those "sites". Like they must get hacked every single day.
And you are the reason that I stopped f#$king yo momma.
idkwhatimdoing503@reddit
You really leave RDP accessible from the internet and try to justify it? And you are a systems administrator? If you’re worried about Azure bills, then you should be even more concerned about security I’d imagine.
Are you strictly Azure or have you ever managed on prem infrastructure? Have you ever setup a VPN or required VPN for remote access? Do you enable or require MFA when leaving RDP open from the outside?
Sorry so many questions but do you manage a personal environment or an enterprise environment? If the latter do you have a compliance team or security team that signs off on your stance? Does your insurance know or agree with your decision? Do you have insurance? Truly mind boggling that people leave 3389 open to the outside who aren’t a honeypot.
Mr_Kill3r@reddit
OK I will be civil. - not like me - I know.
Azure, On Prem (VMware but now migrated to Nutanix since broadcom), AWS, Oracle and sadly GCP (I know right).
VPN - yes
MFA - yes
Personal / Corp - both, hybrid environment at work, proxmox / tailscale on my home lab.
Sadly at work, yes I have to put up with the monkeys that run Tenable scans, they have yet to figure out 90% of what I get up to. Thankfully.
Insurance, work do sure, we are a juicy target for an Asian nation state.
I only have 3389 on the honey pot - but changing that only reduces the noise, it does not eliminate the attempts.
Look my issue was old mate's "no exceptions". If you think that too, then well done you.
vabello@reddit
Gateways are also targets of nonstop brute force attacks and scanning.
Cormacolinde@reddit
They can still be an issue, but I consider them acceptable. Ideally, they’re set to SmartCard login only which removes the bruteforcing.
CluelessPentester@reddit
It's still a centralized node that you can put specific care into, instead of worrying about a bazillion hosts exposing RDP to WAN.
Same_Bat_Channel@reddit
15 years actually. Why do you think I'm in this sub? You may want to do some studying before you're the reason your network is breached.
Mr_Kill3r@reddit
It was your "no exceptions" that got me.
20+ years for me and I just finished my Masters in Cloud Computing and Virtualisation, but this ain't a dick measuring contest, is it? As I am sure you are taller than me.
I can think of a few exceptions and how to lock them down securely, if you think you can get in - have at me.
itishowitisanditbad@reddit
Provide IP of secure target, if secure it should be possible to provide.
I'll accept DMs
How much for CTFing access?
Mr_Kill3r@reddit
You are so pretty when you are angry.
It is a MS public IP, scan away princess.
ka-splam@reddit
Your comments in this thread are so empty of content and a waste of time to read. What are you even doing.
"I have a masters degree I can think of exceptions I'm using a MS IP you're a princess you don't pay the bills do you"
can you just not?
its_FORTY@reddit
Did you really sign your title at the end of your comment? lol.
EmmaRoidz@reddit
All the important people do it.
-Senior Butt Sniffer
MonkeyMan18975@reddit
Sincerely,
-Captain Raymond Holt
I-Love-IT-MSP@reddit
RDP is like the number 1 exploited thing for lateral movement. Do yourself a favor and enforce MFA with DUO for RDP and your issues kind of go away.
tmontney@reddit
And, what risk is that, exactly?
sysadminbj@reddit
We don’t have RDP accessible outside our WAN, and we’re following good cyber practices on handling auth to RDP sessions inside our network.
Select-Cycle8084@reddit
What solution are you using for auth?
sysadminbj@reddit
Normal MFA with dedicated admin accounts that are logged at a higher priority in SEIM.
TechMonkey13@reddit
What are you using for internal RDP MFA?
euphratestiger@reddit
We use Duo
WheredMyBrainsGo@reddit
We use duo as well. I like it. Gets out of your way quickly.
gangaskan@reddit
Every server and PC should have 2fa period.
Anyways we use duo too
JwCS8pjrh3QBWfL@reddit
Duo is security theater. It only handles RDP. An attacker can use a myriad of other options to get into a server that Duo completely misses.
gangaskan@reddit
I'm aware, everyone knows you should secure in layers.
yensid7@reddit
We're literally discussing using it to secure RDP.
JwCS8pjrh3QBWfL@reddit
Sure, and I am expanding the scope of the conversation. Pretending like RDP is the only attack surface and telling yourself that Duo is enough to stop attackers is short sighted, considering any attacker worth worrying about is going to be using some kind of scripting, not RDP.
WraithYourFace@reddit
This is why we didn't go with Duo. We use Crowdstrike Identity and enforce MFA on Remote Powershell, CIFS, etc for privileged accounts. Only issue is it's hit or miss sometimes.
jwalker107@reddit
That's interesting. How does one enforce MFA on CIFS? I presume it's probably some CrowdStrike wrapper on firewall rules where CrowdStrike on the server communicates with CrowdStrike on the client and only allows the CIFS traffic if they both agree you're authenticated?
yankeesfan01x@reddit
Why not use both :)
Sinsilenc@reddit
I mean we use duo and have auto elevate for any application use. That covers 9/10ths of the situations.
BitsNBytes10101@reddit
This is why you layer too.
Server management should be locked down in the firewall with explicit source IPs for WinRM, RDP, RPC Admin etc. Ideally these sources should be PAWs.
Couple that with MFA for AD such as Authlite and you have a pretty stout perimeter.
jeffrey_smith@reddit
We use Entra.
JwCS8pjrh3QBWfL@reddit
Global Secure Access has got to be one of the most important yet slept on things that Microsoft has released in a long time. Being able to put RDP and SMB behind Conditional Access without having to put anything on the server itself is awesome.
vane1978@reddit
Passwordless RDP with phishing-resistant MFA into a Jump host machine and from there use RDP over IPSec to the member servers.
This is all native tools and no third-party tools reliance. This avoids third-party zero-day exploits and saves on reoccurring licensing cost and administrative cost from managing those tools.
rvf@reddit
I’m not OP, but my org uses AuthLite.
CO420Tech@reddit
I hope the admin side of AuthLite has gotten better since I last administrated it... Used to be a real pain in the nuts.
siedenburg2@reddit
We use manageengine and it's nice to have a onprem internal solution with many options for the methods.
The-Lemon040@reddit
I'm also not OP, but we use Silverfort. Not only does it do internal MFA on RDP, it's so much easier for analysing logs instead of using Event Viewer.
DeifniteProfessional@reddit
Oh I have a question, what are you using for SIEM? We don't have any kind of log aggregation at all (and honestly I'm not convinced I know where some logs are) but I'm making a massive push to straighten up our IT
JwCS8pjrh3QBWfL@reddit
I use Rapid7 at my current job and we used Microsoft Sentinel at my old one. Rapid7's only party trick is unlimited ingest. Their query language sucks, the AI they added to generate queries has not given me something usable one single time, the portal layout and usability sucks (especially the new one), their Vulnerability Management product sucks compared to Qualys or Defender. I much preferred Sentinel, even though I know it is pretty expensive. KQL is just so much better, and the layout makes much more sense.
vane1978@reddit
SentinelOne Singularity is capable of ingesting Windows Event logs from their endpoints and can ingest logs from firewalls and Microsoft Entra as well.
raip@reddit
SIEM* :)
Security Information and Event Management
Morejazzplease@reddit
Outside your WAN? Or LAN?
BaconEatingChamp@reddit
It's fine either way, since they are saying not publicly accessible.
Morejazzplease@reddit
I know what they meant. But the language is not very precise or accurate.
Select-Cycle8084@reddit
Hybrid setup I assume? Most on prem solutions I've seen require 3rd party software. Time to migrate!
patjuh112@reddit
Azure extension for MFA works quite well for us.
clbw@reddit
same for us
marklein@reddit
RDP has been disabled on every machine in our orgs for many years. There are a few exceptions of course and those have some tight firewall rules. Zero trust basically.
robotbeatrally@reddit
I don't really see a point to it. Blocked externally and internally. Everyone has laptops with docking stations at their desk for anywhere they want to go with it, and 2FA Phone APP + biometric (fingerprint or face optional), and a VPN account tied to that they can connect to any site they are in the security group for in AD to access that sites resources, 10 min idle lock. There's no need for anyone to remote to anything except for IT for support. Which you know you can use a million other apps to do.
HJForsythe@reddit
One IP address is allowed to connect to TCP/UDP 3389 on hosts. We use sflow plus a PHP script to monitor for requests in real time on TCP/UDP 3389 across our network.
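Along the lines of the real-time 3389 monitoring HJForsythe describes, here is an added example (not the PHP script from the post; the single approved source address and the five-field flow format are assumptions) that flags TCP/UDP 3389 samples from any other source and groups them by source so a host sweeping many targets stands out:

```powershell
# Added example, not from the thread. Flags flow samples to TCP/UDP 3389 whose source
# is not the one approved address, then summarises per source. The flow records are
# constructed; a real feed (e.g. sflow decoded to text) would be mapped to the same
# five fields: time,src,dst,proto,dport.

$ApprovedRdpSource = '10.10.50.10'   # assumed: the only address allowed to reach 3389

function ConvertFrom-FlowLine {
    # One flow sample per line: time,src,dst,proto,dport
    param([Parameter(Mandatory)][string]$Line)
    $f = $Line.Split(',')
    if ($f.Count -lt 5) { return }
    [pscustomobject]@{
        Time  = [datetime]$f[0]
        Src   = $f[1].Trim()
        Dst   = $f[2].Trim()
        Proto = $f[3].Trim().ToUpper()
        DPort = [int]$f[4]
    }
}

function Find-UnexpectedRdpFlow {
    param(
        [Parameter(Mandatory)][object[]]$Flow,
        [string]$Approved = $ApprovedRdpSource
    )
    $Flow |
        Where-Object { $_.DPort -eq 3389 -and $_.Proto -in @('TCP', 'UDP') -and $_.Src -ne $Approved } |
        Group-Object Src |
        ForEach-Object {
            $ordered = $_.Group | Sort-Object Time
            [pscustomobject]@{
                Source    = $_.Name
                Attempts  = $_.Count
                Targets   = ($_.Group.Dst | Sort-Object -Unique).Count   # many targets = sweep
                FirstSeen = $ordered[0].Time
                LastSeen  = $ordered[-1].Time
            }
        } | Sort-Object Attempts -Descending
}

# Constructed sample: the approved jump host reaching two servers (ignored), a
# workstation touching one server on 3389 (flagged) and on 445 (not RDP, ignored),
# and one host hitting four servers on 3389 in a second (flagged, scanner-like).
$sample = @'
2024-05-01T08:00:01Z,10.10.50.10,10.10.20.5,TCP,3389
2024-05-01T08:00:02Z,10.10.50.10,10.10.20.6,TCP,3389
2024-05-01T08:00:03Z,10.10.50.10,10.10.20.6,UDP,3389
2024-05-01T08:01:10Z,10.10.90.22,10.10.20.5,TCP,3389
2024-05-01T08:02:00Z,10.10.90.22,10.10.20.5,TCP,445
2024-05-01T08:03:00Z,10.10.33.7,10.10.20.5,TCP,3389
2024-05-01T08:03:00Z,10.10.33.7,10.10.20.6,TCP,3389
2024-05-01T08:03:01Z,10.10.33.7,10.10.20.7,TCP,3389
2024-05-01T08:03:01Z,10.10.33.7,10.10.20.8,TCP,3389
'@ -split "`r?`n" | Where-Object { $_ }

$flows = $sample | ForEach-Object { ConvertFrom-FlowLine $_ }
Find-UnexpectedRdpFlow -Flow $flows | Format-Table -AutoSize
```

For a live feed, pipe decoded flow lines into ConvertFrom-FlowLine as they arrive and alert on any row the function returns.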
Mustade@reddit
We had the RDP port blocked on the network level after a security incident last fall, but we have since turned that into a GPO that disables RDP for laptops, stations, etc but not for certain servers and RDP gateways. I think a blanket RDP block is a bad idea since it is a very effective tool for managing servers, but maybe you can get everything you need done over WinRM.
Also consider the fact that your users will find ways of doing remote access if they really want to, using tools like Chrome Remote Desktop and whatnot. You can dissuade it with AUP but it's easy to walk through paper.
raip@reddit
Disabling RDP through Public, great. Disabling RDP internally, stupid.
Hollow3ddd@reddit
Gateway here with GPO
techvet83@reddit
We also use gateway servers. How are people supposed to do their job without RDP access?
BlackSquirrel05@reddit
SSH... PS remoting.
mattisaj3rk@reddit
Also disabled because our security team believes we need to airgap all the things.
picardo85@reddit
My customers use Indian MSPs, they disabled PS remoting instead which is fucking horrible as I'm a Discovery specialist.
JwCS8pjrh3QBWfL@reddit
Probably similar to why all US ISPs block SMB: it was a commonly exploited attack vector and really you shouldn't be doing it over the open internet. Use a VPN.
raip@reddit
Had to fight our security team to not disable PSRemoting because they "discovered" it was listening on the HTTP listener. They first wanted to force everything onto the HTTPS listener and when that was discovered to be difficult, they just wanted to disable it outright. Thankfully, I was able to win that fight and prove to them that HTTP is perfectly fine in our environment because WinRM is always encrypted regardless of the transport.
gsmitheidw1@reddit
Or just do the following
enable sshd (native to windows these days) on all clients or servers
Set RDP to only allow requests from localhost
Tunnel all connections to RDP over SSH using public keys only
Ensure any perimeter bastion ssh "jump box" has key only, fail2ban, yubikey on a box hardened with consideration to CIS Lynis recommendations etc (lynis audit system etc).
Bijorak@reddit
VMware console...
Chellhound@reddit
Enter-PSSession, as Ballmer intended.
notmyredditacct@reddit
return to office and walk into the datacenter! you gotta think like an exec here :)
Hollow3ddd@reddit
It depends on the compliance you are going for. There are options. It depends on what actual compliance needs of actual OP, not our opinions or feelings.
Certificate based RDP access and GPO enforcement usually work fine here.
hihcadore@reddit
Use the LPC protocol (leather personnel carriers) to physically log into the device.
Robbbbbbbbb@reddit
ehhhh, defense in depth.
Put it on a protected, dedicated mgmt subnet at least. Don't just open it up to everything.
I just went through our insurance renewal and it's explicitly questioned whether or not RDP is disabled internally as well.
raip@reddit
My little 2 sentence quip wasn't meant to be all inclusive. In this current age - if you're not following ZTNA practices (meaning no management VLAN and instead AAA everywhere), then you're fairly behind.
LogMonkey0@reddit
you don't need to leave it exposed to the whole internal network though.
LeaveMickeyOutOfThis@reddit
I think the conversation here should be much broader than simply RDP. Any port or protocol, regardless of its function, has the potential to be abused; however, the age-old argument of security versus productivity is one that each organization needs to evaluate for themselves. Personally, there are ways to keep RDP alive as a productivity tool with numerous safeguards that can be employed to limit any exposure.
With the above in mind, I think blindly disabling something due to security concerns is the wrong approach, and would recommend the question be reframed to ask what the best way is to secure the use of RDP in our environment.
brisquet@reddit
Blocked on all workstations via Windows Firewall and only allowed on servers. It was a pain at first but got used to it.
ProgressBartender@reddit
How do you support users without walking to their desk? What if they’re remote?
brisquet@reddit
Screenconnect
thirtydelta@reddit
Approved users/systems have RDP and access requires MFA.
Immediate_Art1475@reddit
how to do this requiring mfa?
thirtydelta@reddit
Cisco DUO is configured on RDP access
ArizonaGeek@reddit
This is what I did in 2019. Every Windows server had Duo 2fa to login whether RDP or local.
Darkace911@reddit
What happens if the internet is down or something breaks DNS so you can't get to Duo? What is your plan to recover the domain? Had some security genius in the past restrict all of the switches to radius only then the location was sold. Somebody had to go out there in person and reload all of the switches and rebuild the configs manually.
Lukage@reddit
You can also configure/modify an OpenFail registry setting as needed.
ArizonaGeek@reddit
Had this happen a couple of times. When I installed Duo I had a script that would allow an admin to uninstall Duo from Safemode. Not completely ideal but it worked for that once in a blue moon emergency.
Reboot the server into safemode, uninstall Duo, reboot again. Now a user can get in.
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer" /VE /T REG_SZ /F /D "Service"
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer" /VE /T REG_SZ /F /D "Service"
thirtydelta@reddit
We do that as well.
Ss3trnks2@reddit
Rublon offers an Rdp/session logon MFA solution as well.
ihaxr@reddit
We use RSA, you stand up the server and install an agent on the servers you want MFA on. It works pretty well, but the push notifications sometimes are delayed or you have to resend them. Entering the code to login works every time.
Asleep_Spray274@reddit
Bad actors don't RDP. If your network is breached and they have compromised high privilege credentials, RDP is the least of your problems. RDP is an interactive logon, they don't do that. Every other protocol is open for them to use remotely. You already have made several screw ups for them to get that far.
oegaboegaboe@reddit
This
BalfazarTheWise@reddit
There’s nothing more you need to do than disable external network access. Only allow internal IP access from either in office or through MFA VPN
Glittering_Power6257@reddit
“Need”, but part of security is a process of constant improvement, and making an attacker jump through as many hurdles as you can put in front of them. RDP itself might pose a formidable obstacle, but you’re still one error away from a potential compromise.
Think of it as, you're forcing an attacker to endure the world's hardest fetch chain quest for the Biggoron Sword.
largos7289@reddit
I'll be honest, I used VNC Enterprise and I was able to basically tell it to only accept IPs from this range or just my PC. RDP was just too well known a port to exploit. I'm sure there are ways you can do the same with RDP but I never bothered.
AmazonPrimeDineNWine@reddit
RDP / Gateway should not be publicly exposed.
Personally using Azure App Proxy with DUO to secure with MFA and Conditional Access. Easy to setup and no issues for our team so far.
YaManMAffers@reddit
We just changed the port to use for RDP.
O365-Zende@reddit
We are cloud-based but use Intune. I use https://openintunebaseline.com/ with our Intune and I set their recommended restrictions for RDP for best practice
BoringLime@reddit
I feel like if you have one of the RMMs that are agent based and you can remotely connect from their RMM control panel, this is probably more secure. They usually have all the bells and whistles, like logging, recording and such. But if you are worried about remote access to things, I personally feel like remote PowerShell and remote WMI are the biggest concern because they're quickly exploited by pen testers. Again these too can be run from an agent based RMM, as long as you trust your RMM.
mish_mash_mosh_@reddit
We don't need it and have it completely disabled.
vane1978@reddit
That’s where RDP over IPSec comes into play to help to prevent zero-day exploits.
thehuntzman@reddit
It's amazing more people don't know about Windows Firewall IPSEC policies. I even have it enabled in my home lab for RDP.
Slight-Blackberry813@reddit
This entire thread reads like I’m having a stroke.
NickSalacious@reddit
Damn I feel like the only one that turned it off lol
djDef80@reddit
We block external RDP and use Duo to protect internal connections.
demonseed-elite@reddit
RDP off on all workstations. RDP internally enabled on all servers and protected by DUO. RDP inaccessible externally without VPN which also is protected by 2FA (Entra SAML). For everything else, we have ScreenConnect with PAM.
JohnC53@reddit
For servers we block it on almost all internal networks. Replaced with BeyondTrust. And on top of that, BeyondTrust client access is only allowed from certain compliant device types (privileged access workstations).
It's been disabled on our Workstations for years.
thomasmitschke@reddit
Where is the risk? If an attacker has the right to login to something he doesn’t get more privileges just by logging in via rdp.
thrustface@reddit
Cyberark psm is not an option?
Schnabulation@reddit
I have a port-forwarding on my firewall for port 3389 to our terminal server. It's called "firewall" for a reason.
These are the words from a sysadmin customer of mine. He was wondering why his terminal server got crypto-locked. No, I kid you not.
rambleinspam@reddit
Disabled externally and disabled for every system internally that does not need it.
gurilagarden@reddit
Why do such overly-broad questions get such large responses? Am I just getting old and have been doing this for too long? Is everyone here like 22?
DheeradjS@reddit
It's smart. Defence should always be in depth.
We only allow RDP from specific jumphosts, which are locked down as much as possible.
johnno88888@reddit
Disabled and access to VMs using the vmm console in cyberark
realmozzarella22@reddit
You can specify which user or group can rdp for which computer. So rdp is available but not to all employees.
There are other limitations to use too.
tarkinlarson@reddit
RDP doesn't have its failings, but unless you're going full DevOps infra as code you'll find your engineers will struggle to support it. If you're going that far, why not only use containers and headless APIs or headless servers with no GUI.
Even windows has core edition. What you'll find is that people will install the gui to work on them and it'll slow people down.
To be fair most of the time a single management environment with all the remote tools that's linked to the other servers is a proportional response. You can't remote from the SQL server to the web server, but you can from the management server to web or management to SQL.
Or even a management server or two per environment works.
However I've jumped into solutions first. What IS the actual scenario that this will reduce the consequences or likelihood of?
patjuh112@reddit
Whitelisted with mfa in the rdp stream is used, nothing public and nothing without mfa
japanfrog@reddit
Virtual desktops like AVD which through VPN have access to RDP to your org's network are the next best step. Easy to control, multiple authentication/authorization hoops, and being a virtual desktop, you can wipe and re-provision often to keep things clean.
hellcat_uk@reddit
This plus just-in-time admin rights on the servers.
japanfrog@reddit
absolutely! Only place I avoid just in time admin rights would be on developer machines that work on lower/kernel level code like driver development. Everyone else gets just in time admin.
Head-Appointment-698@reddit
Only people who are part of the RDP group can use it; strangely, no one is. Also our security team is pushing VNC for all remote access needs so yaaa I hate it here.
woodyshag@reddit
Our security engineer was OK with RDP, but not on domain controllers. You had to access them via vCenter console or use remote tools.
Kuipyr@reddit
RSAT on a PAW, you should rarely need to interactively login to a DC.
Chellhound@reddit
Yep - domain admins only, and ideally you keep an empty DA group and only temporarily escalate privileges through automation.
In smaller companies it's more feasible to just have a couple of the senior admins with a DA account, but more than that is a clear sign that you're too loose with permissions.
redditJ5@reddit
It's a pretty big attack vector and it would be treated as such.
Servers are in a hypervisor, you can reach console from the hypervisor, no need for rdp.
Chellhound@reddit
/s, right?
Right?
Bartghamilton@reddit
Had to scroll down way too far for this. Can't believe this many people are still using native RDP.
vane1978@reddit
What else to use?
disclosure5@reddit
You just had someone recommend host Hypervisor access showing just how ridiculous this conversation has gotten.
havikito@reddit
Exposing hypervisor instead of RDP is like yeah.
mats_o42@reddit
My basic way to secure RDP
SuspiciousOpposite@reddit
RDP is still enabled "internally" to a degree -
* Servers have RDP enabled by GPO
* Server management only has a few groups as administrators and they're the only ones allowed to RDP (Domain Admins + a couple of appropriate RBAC groups)
* Server firewalls only allow RDP from a very small number of IPs
* Those IPs belong to the session servers of a PAM suite
* PAM suite access is limited to certain people, internal/VPN access only, and MFAd
* Most people don't know their privileged account's password, as it's rotated by the PAM.
Dracozirion@reddit
You can disable RDP from your user VLAN to your server environment. Inbound connections to workstations should be completely disabled.
I rarely see cybercriminals use RDP, though. It happens but it's rare. You might as well disable SMB and RPC (which you can't).
The people slapping MFA on RDP are clueless. It just prevents users from getting in with certain credentials, unless RDP is the only port that's open. It's so easily bypassed otherwise.
CowOP@reddit
We use Bastion for Azure VMs and Windows app for AVD and block RDP for public
Academic-End-2820@reddit
A month ago we implemented TeamViewer
AggravatingPin2753@reddit
Enabled inside different port than default. MFA through RDP Gateway and ADFS/Entra. $0.00 implementation.
Hebrewhammer8d8@reddit
Don't manage Windows environment anymore.
headcrap@reddit
The first approach is only enabling it where it is needed, let alone opening up the firewall to allow inbound connections.
Rein in the usage of the Wild West out there.. I had to do that in my environment because some jackholes before me decided to friggin' disable the firewall and enable RDP by policy.. dumbasses.
Assumeweknow@reddit
Change the port if you need it..
RyanMeray@reddit
Oh man is this relevant.
My wife's employer made her full remote days before the COVID lockdowns reverberated across the world.
Suddenly she was sent home with a laptop, a dock, and a "we'll get you in via VPN" and that was surprisingly well-handled on short notice.
But right off the bat I was not loving the inconvenience she had to go through daily. I set her up with a sweet little multi-monitor setup with her personal computer. She had the monitors, webcam, speakers, and a networked printer. Keyboard, mouse. So many devices, so many physical connectors or settings.
In the office, her laptop was connected to multiple screens and external keyboard and mouse, so she was used to that, and her productivity would've plummeted rawdogging a laptop on the kitchen table.
So we got the laptop and dock set up next to her desktop. She'd unplug video cables and input devices from her computer and plug them into the dock, do her job, and then have to undo that at the end of the day to use her computer.
That went for like 2 or 3 days and I was like "Lemme talk to your IT guys."
This was a small enough company that you could actually talk to a human that gave a crap. I was like, "Remote desktop. Can we set her up for that?"
And there was an initial pushback, because RDP definitely had issues with exploits and whatnot. But the org had 2 factor for logins, were running AD, and they could easily set permissions so that our home network was trusted for RDP but others wouldn't be. Functionally, RDPing from a computer in a LAN to another computer in a LAN is like walking over to that computer and logging in yourself.
You get access to all the local devices on the client system, like the webcam, the networked printers, the keyboard and mouse, and at the end of the day you close the RDP window and you're back to your home computer.
We maintained this setup for years, through an org device refresh 3 years ago, but just a week ago, new laptops. And new policies.
Moving away from Active Directory and into Entra. Techs are having problems with RDP working reliably on the Entra clients enrolled so far. No more for us.
TL;DR
RDP is fucking awesome and everyone should just be RDPing into virtual machines with 2auth so we don't have all this device attachment nonsense.
scytob@reddit
with NLA on and enforced, it is not a security risk within the network
use RDGateway or VPN etc to get RDP across the edge
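Combining SuspiciousOpposite's firewall scoping above (RDP only from the PAM session servers, with the built-in any-source rule turned off) with the NLA enforcement scytob mentions, an added PowerShell example that is not from the thread; the jump-host addresses are assumptions, it must run elevated on the target Windows host, and -WhatIf previews the changes:

```powershell
# Added example, not from the thread. Jump-host addresses below are assumed.
# Run elevated on the Windows host; add -WhatIf to preview instead of change.

$JumpHostAddresses = @('10.10.50.10', '10.10.50.11')   # assumed PAM session server IPs
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"

function Set-RdpPosture {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Workstation', 'Server')][string]$Role,
        [string[]]$AllowedSources = $JumpHostAddresses
    )
    # Drop rules from a previous run so the script is idempotent.
    Get-NetFirewallRule -DisplayName 'RDP-Posture-*' -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    if ($Role -eq 'Workstation') {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable RDP listener and block inbound 3389')) {
            # fDenyTSConnections=1 switches the Remote Desktop listener off.
            Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
            # An explicit block rule wins over any allow rule, so 3389 stays closed
            # even if something re-enables the listener later.
            New-NetFirewallRule -DisplayName 'RDP-Posture-Block-Workstation' -Direction Inbound `
                -Protocol TCP -LocalPort 3389 -Action Block -Profile Any | Out-Null
        }
        return
    }

    $what = "Allow RDP only from $($AllowedSources -join ', ') with NLA"
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $what)) {
        Set-ItemProperty -Path $TsKey  -Name fDenyTSConnections -Value 0
        # UserAuthentication=1: Network Level Authentication before any session is created.
        Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1
        # SecurityLayer=2: TLS for the transport rather than legacy RDP security.
        Set-ItemProperty -Path $RdpTcp -Name SecurityLayer -Value 2
        # The built-in "Remote Desktop" rule group (TCP, UDP and Shadow) allows any remote
        # address; turn it off and allow TCP 3389 only from the jump hosts on the Domain
        # profile. Clients fall back to TCP when UDP 3389 is closed. This relies on the
        # profile's default inbound action staying Block.
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
        New-NetFirewallRule -DisplayName 'RDP-Posture-Allow-JumpHosts' -Direction Inbound `
            -Protocol TCP -LocalPort 3389 -RemoteAddress $AllowedSources `
            -Action Allow -Profile Domain | Out-Null
    }
}

function Get-RdpPosture {
    # Read the settings back so the change can be verified, or other hosts audited.
    $ts    = Get-ItemProperty -Path $TsKey
    $tcp   = Get-ItemProperty -Path $RdpTcp
    $allow = Get-NetFirewallRule -DisplayName 'RDP-Posture-Allow-JumpHosts' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        ListenerEnabled = ($ts.fDenyTSConnections -eq 0)
        NlaRequired     = ($tcp.UserAuthentication -eq 1)
        TlsOnly         = ($tcp.SecurityLayer -eq 2)
        AllowedSources  = if ($allow) { ($allow | Get-NetFirewallAddressFilter).RemoteAddress } else { @() }
    }
}

# Preview on a member server, then apply and verify:
Set-RdpPosture -Role Server -WhatIf
# Set-RdpPosture -Role Server
# Get-RdpPosture
```

Which accounts may actually log on over RDP is still governed by the "Allow log on through Remote Desktop Services" user right, which is set by GPO rather than by this script.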
soggybiscuit93@reddit
In general? No
RDP should be managed. Terminal servers should be used as launch points with RDP restricted (imo) by both a security group in AD and restrictions on device.
Depends on the environment too. A blanket ban on RDP wouldn't work because we use AVDs
Shadax@reddit
Our clients who have to use RDP can only do so over a VPN connection, so it's effectively internal.
Public RDP no way, Jose
enterprisedatalead@reddit
Feels like this usually gets treated as all or nothing when it doesn’t have to be.
From what I’ve seen, the real issue is exposing RDP, not RDP itself. If it’s open to the internet, yeah that’s asking for trouble. But internally, with MFA, segmentation, or a gateway, it’s still one of the most practical tools.
Completely disabling it sounds clean on paper, but in reality people just end up finding slower or worse workarounds.
We ended up restricting it instead of removing it, and that seemed like a better balance.
Are you being pushed to remove it entirely or just reduce exposure?
_araqiel@reddit
Project this quarter blocking RDP between workstations and from workstations to all but one hardened management server. That management server can get to the rest of the machines.
Princess_Fluffypants@reddit
It’s blocked at the core firewalls except for the users who need it, and even then the firewall rules only allow them to the exact systems they require access to.
tuvar_hiede@reddit
Ours is disabled on nearly all machines.
DGC_David@reddit
As long as it's only internal it's fine. Used to be super popular in schools.
zoredache@reddit
We don't disable it, but access is strongly limited by the Windows Firewall.
We have Domain Isolation policies so that you can only RDP to systems over IPSEC authenticated connections from trusted users on trusted computers.
vane1978@reddit
This is the way.
Unfortunately, when setting up RDP over IPsec, by default it uses 128-bit encryption. The extra step is to raise it to 256-bit encryption (AES-256).
RDP to servers should always be done from a jump host machine.
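An added example, not zoredache's or vane1978's code, of the domain-isolation setup both comments describe: inbound 3389 is accepted only over IPsec authenticated with machine and user Kerberos, the firewall rule additionally restricts it to a trusted computer group and a trusted user group, and the main-mode and quick-mode crypto sets are raised from the default AES-128 to AES-256. The groups CONTOSO\PAW-Computers and CONTOSO\RDP-Admins are placeholders; the script assumes a domain-joined host and an admin shell.

```powershell
# Added example (not from the thread): require IPsec for inbound RDP and
# restrict it to trusted machines and users, with AES-256 instead of the
# default AES-128. Assumptions: domain-joined host, run as admin; the two
# group names are placeholders.

function New-RdpIsolationPolicy {
    param(
        [string]$TrustedComputers = 'CONTOSO\PAW-Computers', # placeholder
        [string]$TrustedUsers     = 'CONTOSO\RDP-Admins'     # placeholder
    )

    # Authentication: machine Kerberos in phase 1, user Kerberos in phase 2,
    # so both the computer and the logged-on user must be domain principals.
    $p1 = New-NetIPsecPhase1AuthSet -DisplayName 'RDP-P1-MachineKerberos' `
            -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
    $p2 = New-NetIPsecPhase2AuthSet -DisplayName 'RDP-P2-UserKerberos' `
            -Proposal (New-NetIPsecAuthProposal -User -Kerberos)

    # Crypto: AES-256 for main mode and quick mode. Without these sets the
    # connection security rule negotiates the built-in AES-128 defaults.
    $mm = New-NetIPsecMainModeCryptoSet -DisplayName 'RDP-MM-AES256' `
            -Proposal (New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14)
    $qm = New-NetIPsecQuickModeCryptoSet -DisplayName 'RDP-QM-AES256' `
            -Proposal (New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption AES256)

    New-NetIPsecMainModeRule -DisplayName 'RDP-MainMode' `
        -MainModeCryptoSet $mm.Name -Phase1AuthSet $p1.Name

    # Connection security rule: inbound 3389 must be IPsec-protected or it is
    # dropped; outbound only requests protection so non-isolated hosts still work.
    New-NetIPsecRule -DisplayName 'RDP-RequireIPsec' -Protocol TCP -LocalPort 3389 `
        -Mode Transport -InboundSecurity Require -OutboundSecurity Request `
        -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name -QuickModeCryptoSet $qm.Name `
        -Profile Domain

    # Firewall rule: even with an IPsec SA up, only the trusted computer group
    # AND the trusted user group are allowed. -RemoteMachine/-RemoteUser take
    # SDDL, so resolve the groups to SIDs first.
    $machineSid = (New-Object System.Security.Principal.NTAccount($TrustedComputers)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
    $userSid    = (New-Object System.Security.Principal.NTAccount($TrustedUsers)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

    New-NetFirewallRule -DisplayName 'RDP-AuthenticatedOnly' -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 3389 -Profile Domain `
        -Authentication Required -Encryption Required `
        -RemoteMachine "O:LSD:(A;;CC;;;$machineSid)" `
        -RemoteUser    "O:LSD:(A;;CC;;;$userSid)"
}

New-RdpIsolationPolicy
# After a test connection, confirm the negotiated SA (cipher, endpoints) with:
#   Get-NetIPsecQuickModeSA | Format-List
```

The firewall rule and the connection security rule are deliberately separate: the IPsec rule decides whether unprotected packets are even accepted, while the firewall rule's `-Authentication Required` plus the SDDL filters decide which authenticated principals may reach the port. Disable the built-in "Remote Desktop" rule group once this rule is in place, otherwise it still admits unauthenticated traffic from the domain profile.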
auriem@reddit
I would prepare my resume. I’m too old to deal with that kind of stupid.
Lazy_Sweet_824@reddit
I’d say the tail is wagging the dog. Cyber needs to be checked.
RDP is not inherently insecure but some orgs permit use that is insecure. For instance you should not permit it across security borders without VPN.
I’d also ask how they plan to perform remote administration of servers without RDP. There really are no better solutions.
cbowers@reddit
Disabling sounds like something you do if you have not implemented sufficient controls. On the one hand, if you're not using it for support (assuming endpoints more than servers here), because you're using other tools like ScreenConnect in a framework where every connect from IT is logged as a ticket automatically for capturing context and transparency... Then it can make sense to disable it. If your fleet is managed, you can certainly send a command to re-enable it on a particular endpoint...
But I think orgs tend to worry and disable surfaces that they know they haven't controlled sufficiently. If you had something like DUO MFA on all logins including local ones, and a SIEM agent logging every authentication... And SIEM has baselined the expected activity... and SIEM rules to alert on a sudden lack of expected authentications from the accounts the endpoint is assigned to, and lack of MFA auths showing up in the SIEM (after every X minute auto inactivity lock)...
I wonder if you'd still be wanting to disable it, vs have insight that only assigned users with MFA can RDP or local login. And in the unlikely event something else logs in.... You'll know and the endpoint will be quarantined (automatically or manually)...
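An added example, not cbowers' code, of the two SIEM rules that comment sketches, run locally over a few constructed Security-log records: an RDP logon (event 4624, logon type 10) by an account not assigned to that endpoint, and an endpoint whose assigned users produced no RDP logon at all in the window. The host-to-user assignment table, the host names, and the five sample events are made up for the example; on a real host the input comes from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}` after extracting the logon type, account, and source address from each record's XML.

```powershell
# Added example (not from the thread): endpoint-assignment checks over
# constructed 4624 records. Everything below the comment block is sample data.

# Which accounts are expected to RDP into which endpoints (constructed).
$Assignments = @{
    'WS-0421'    = @('CONTOSO\alice')
    'WS-0422'    = @('CONTOSO\bob')
    'WS-0423'    = @('CONTOSO\carol')
    'SRV-JUMP01' = @('CONTOSO\rdp-admin1', 'CONTOSO\rdp-admin2')
}

# Constructed sample events. LogonType 10 = RemoteInteractive (RDP),
# 2 = local interactive, 7 = unlock; only type 10 matters here.
$SampleEvents = @(
    [pscustomobject]@{ Time='2024-05-06T08:02:11'; Computer='WS-0421';    Id=4624; LogonType=10; User='CONTOSO\alice';      SourceIp='10.10.50.15' }
    [pscustomobject]@{ Time='2024-05-06T08:40:03'; Computer='WS-0422';    Id=4624; LogonType=10; User='CONTOSO\alice';      SourceIp='10.10.21.7'  }
    [pscustomobject]@{ Time='2024-05-06T09:15:45'; Computer='SRV-JUMP01'; Id=4624; LogonType=10; User='CONTOSO\rdp-admin1'; SourceIp='10.10.50.15' }
    [pscustomobject]@{ Time='2024-05-06T23:51:09'; Computer='SRV-JUMP01'; Id=4624; LogonType=10; User='CONTOSO\svc-backup'; SourceIp='10.10.21.7'  }
    [pscustomobject]@{ Time='2024-05-06T10:00:00'; Computer='WS-0421';    Id=4624; LogonType=2;  User='CONTOSO\alice';      SourceIp='-'           }
)

function Find-RdpAnomalies {
    param([object[]]$Events, [hashtable]$Assignments)
    $findings = @()
    $rdp = $Events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 }

    # Rule 1: RDP logon by an account that is not assigned to that endpoint
    # (covers both unknown hosts and known hosts with a foreign account).
    foreach ($e in $rdp) {
        $allowed = $Assignments[$e.Computer]
        if (-not $allowed -or $allowed -notcontains $e.User) {
            $findings += [pscustomobject]@{
                Rule = 'UnassignedRdpLogon'; Computer = $e.Computer; User = $e.User
                SourceIp = $e.SourceIp; Time = $e.Time
            }
        }
    }

    # Rule 2: an endpoint with assigned users but no RDP logon in the window,
    # the "sudden lack of expected authentications" case from the comment.
    $seen = @($rdp | Select-Object -ExpandProperty Computer -Unique)
    foreach ($computer in $Assignments.Keys) {
        if ($seen -notcontains $computer) {
            $findings += [pscustomobject]@{
                Rule = 'NoExpectedLogons'; Computer = $computer
                User = ($Assignments[$computer] -join ','); SourceIp = '-'; Time = '-'
            }
        }
    }
    return $findings
}

Find-RdpAnomalies -Events $SampleEvents -Assignments $Assignments | Format-Table -AutoSize
```

With the sample data this reports alice's logon to WS-0422, svc-backup's late-night logon to SRV-JUMP01, and WS-0423 as silent; the local-interactive logon on WS-0421 is ignored. Note that both flagged logons share a source address outside the management range, which is the kind of second signal a SIEM correlation rule would add before auto-quarantine.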
anonfreakazoid@reddit
Anyone replace RDP with another remote tool like screenconnect or logmein?
do_not_free_gaza@reddit
N-Sight
AdamoMeFecit@reddit
RemotePC
https://www.remotepc.com
brian4120@reddit
Jesus, your company sounds like my company about 3 years ago.
End result: we didn't. Restrict access, internal LAN only, allow access from specific subnets if you really want to get fancy.
nyckidryan@reddit
Depends on what you're using it for.
Daily use for remote workers? Deploy a terminal server. I worked at Citrix corporate HQ for a while and only had a Wyse Winterm box on my desk.. short of not being able to play a music cd with it, you couldn't tell it wasn't a full desktop when using it.
For IT staff to manage servers? Use a centrally managed access system rather than relying on RDP.
TheRealLambardi@reddit
Well if there is internet exposed or desktop exposed to rdp floating around when they leave your network. The answer is “come closer so we can all slap you repeatedly”.
RDP protocol itself isn’t so much the problem. (Albeit MSFT has failed in the past at the protocol.) What is a problem:
Incorrectly configured RDP is. Allowing users to save creds in an rdp file or cache is. Allowing RDP access without MFA every time generally is. Not actively logging and monitoring is. And any sysadmin that puts rdp in the internet is just asking, pleading for problems, especially if all of the above is not done. Also leaving chrome unmanaged that allows remote access is worse than above.
Replacing it with another admin access tool without addressing actual effective management can be just as bad as or worse than RDP.
Real answer: determine what remote access into systems is…manage the eff out of it and go out of your way to block ALL other methods to the point of being a pain.
zrb77@reddit
Open to public, no. For internal, we have admin subnets that can get thru our internal firewalls to get servers for RDP.
Cormacolinde@reddit
Disable? No.
Limit to PAWs or IT staff by default? Absolutely.
g3n3@reddit
Typical click ops windows admins require gui so you have to keep rdp.
xxSpik3yxx@reddit
No RDP through outside WAN like others have said. For internal we use Zscaler (ZPA) with Okta (SSO).
DeadOnToilet@reddit
We disabled RDP and SSH years ago, with methods in place to enable remotely if we needed to troubleshoot. Same with any remote service that isn't needed (SMB, etc). Servers aren't meant to login to regularly. And when a server fails, we generally just redeploy it via CI/CD pipeline.
deefop@reddit
Internally? Rdp is the best answer internally. If you're exposing Rdp externally, that's really stupid
InevitableOk5017@reddit
Why would I allow remote console to a system that has access to everything? Is it time consuming and do I have to log into different systems to get console access 30 times a day? Yes. Is it annoying? Yes. Is it secure? Yes. Good luck accessing that one system that does stuff and there is only 1 way to access console. It’s a console cable to the chassis, and then maybe, if you are lucky, it’s the right console cable, and if it is the right console cable the settings are correct, and if your device supports the USB to console cable because you are on a laptop that is unable to get drivers.
havikito@reddit
I'm pretty sure RDP protocol is more secure than any other remote desktop solutions. And it is also fast. Only have not approved shadow sessions disabled.
justaguyonthebus@reddit
Are you talking endpoints or servers?
RubixRube@reddit
It is not an all or nothing, RDP access can be controlled through Intune / group policy.
There is a possibility that you have users within your environment who have valid reason to be using RDP while on the internal network, for one IT?
Having RDP open to outside of your network is crazy, however internally, less so, but internally you can close the gates and open it for some.
CharcoalGreyWolf@reddit
Segmented LANs with access only to those that need it is our preferred, with NLA enforced. Pretty normal.
bakonpie@reddit
RDP is fine if you don't expose it to the internet and have MFA (hint: go passwordless). If the day comes where there is a wormable RCE zero day in it, have a policy ready to deploy to close it up via Windows Firewall. You'll have some advance notice since that is going to be sprayed against internet facing hosts first before it gets to internal networks.
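An added example, not bakonpie's code, of what a pre-staged "close RDP" policy can look like: an unlinked GPO that carries inbound block rules for TCP and UDP 3389. Block rules take precedence over allow rules in Windows Firewall, so linking this one GPO at the domain root overrides every local or policy allow rule without touching them. The domain contoso.local and the GPO name are placeholders; the script assumes the GroupPolicy and NetSecurity modules (RSAT) on a domain-joined admin host.

```powershell
# Added example (not from the thread): a break-glass GPO that blocks inbound
# RDP fleet-wide. Built now and left unlinked; linking it is the only step
# needed on the day. Assumptions: RSAT GroupPolicy + NetSecurity modules,
# domain admin rights; domain and GPO name are placeholders.

Import-Module GroupPolicy, NetSecurity

$Domain  = 'contoso.local'          # placeholder
$GpoName = 'Emergency-Block-RDP'    # placeholder

function New-RdpKillSwitchGpo {
    param([string]$Domain, [string]$GpoName)

    # Create the GPO unlinked, so it exists but applies nowhere yet.
    if (-not (Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName -Domain $Domain `
            -Comment 'Break-glass: blocks inbound RDP on every profile' | Out-Null
    }

    # Open the GPO's firewall policy store, add the rules, commit.
    $session = Open-NetGPO -PolicyStore "$Domain\$GpoName"
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -GPOSession $session -DisplayName "Emergency block RDP ($proto)" `
            -Direction Inbound -Action Block -Protocol $proto -LocalPort 3389 `
            -Profile Any -Enabled True | Out-Null
    }
    Save-NetGPO -GPOSession $session
}

function Enable-RdpKillSwitch {
    param([string]$Domain, [string]$GpoName)
    # Link at the domain root and enforce it, so no OU-level GPO (or a
    # "Block Inheritance" on an OU) can keep RDP open.
    $rootDn = 'DC=' + ($Domain -replace '\.', ',DC=')
    New-GPLink -Name $GpoName -Target $rootDn -Domain $Domain -Enforced Yes | Out-Null
    # Clients pick it up at the next policy refresh; force it where possible:
    #   Invoke-GPUpdate -Computer <name> -Target Computer -Force
}

function Disable-RdpKillSwitch {
    param([string]$Domain, [string]$GpoName)
    # Unlink (do not delete) once patched, so the rules stay staged for next time.
    $rootDn = 'DC=' + ($Domain -replace '\.', ',DC=')
    Remove-GPLink -Name $GpoName -Target $rootDn -Domain $Domain | Out-Null
}

New-RdpKillSwitchGpo -Domain $Domain -GpoName $GpoName
# On the day:   Enable-RdpKillSwitch  -Domain $Domain -GpoName $GpoName
# After patch:  Disable-RdpKillSwitch -Domain $Domain -GpoName $GpoName
```

Test the link in a lab OU before relying on it: a block rule in a GPO does what it says, including to the jump hosts and the management server you would use to push the patch, so either scope the GPO with a security filter that excludes those hosts or have out-of-band console access ready.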
KoalaOfTheApocalypse@reddit
Lazy and ignorant - let's universally disable SMB and RDP.
Work ethic and competency - properly secure these things and provide valuable resources to the company.
-GenlyAI-@reddit
Yes fully disabled internally
BarracudaDefiant4702@reddit
We block it from the internet, and we do per user rules on the vpn such that most users don't have access by default, and others can only access specific RDP machines. I think RDP also requires MFA, but I mainly hit linux boxes and RDP setup is generally a different group. Depending on network on prem, sometimes vpn can be bypassed, but most RDP is remote anyways.
Goodlucklol_TC@reddit
Radius auth on VPN, RDP disabled by default
superb3113@reddit
Our policy: RDP is enabled via firewall rules only between the two VLANs for workstations and servers. It is disabled on VLANs for WiFi and Management interfaces for obvious reasons. For further granularity, only workstations and servers that actually need to have it enabled will have it so at the OS level (Windows in this case), and only specific AD groups/users are assigned via the Computer Management RDP User group.
canadian_sysadmin@reddit
As with anything security, depends on your risk profile/analysis.
Obviously you never have it open externally. Internally, you could limit by host/subnet/etc. The rabbit hole can get deep there depending on just how far and crazy you want to get.
We allow it from some workstations and subnets, not all.
vane1978@reddit
My opinion is to use RDP clients when you need to remote into machines. Using third-party remote software is a huge security risk.
Additionally, I would suggest to work on implementing a passwordless strategy approach and transition to Entra ID joined computers. There you can RDP passwordless into your Entra id machines.
Master-IT-All@reddit
I think you mean to say, leave it disabled. Remote Desktop Protocol is not enabled by default on Windows Desktop or Server.
EFT_Urbanfox@reddit
Is it accessible from the internet... If not, then...
Thisbymaster@reddit
Does your organization have an alternative to log in to servers or for remote IT staff? If no one uses it, sure. But if there is something business needed for it, no.
disclosure5@reddit
This is one of those dumb management suggestions that leads to people actually having to do work on servers basically coming up with the slowest possible malicious compliance workaround.