Re: RDP connection via dyndns

"Kerry Brown" <kerry@xxxxxxxxxxxxxxxxxxx*a*m> wrote in message news:O83pyryNJHA.4116@xxxxxxxxxxxxxxxxxxxxxxx
"Bill Kearney" <wkearney99@xxxxxxxxxxx> wrote in message news:hb2dnWuiaqAkQp7UnZ2dnUVZ_t3inZ2d@xxxxxxxxxxxxxxxx
While I agree that VPNs can be a security risk, opening more ports through the router for rdp can also be a security risk. In this case where only two ports are needed opening another port is probably the lesser risk. If you wanted to rdp to several computers or even all computers on the network then the VPN would be a better option. It's easier to manage one VPN connection and leave all the workstations listening on the default rdp port. Both options involve some risk. The risk can be managed.

I think you miss my point. Having even a dozen RDP ports open would only mean RDP connections would be at risk. Opening a VPN would allow ALL protocols through it. This is potentially a much greater risk. One with a lot less logging to catch hacking attempts.

Maybe it's like opening a window versus a garage door. Even if you open a dozen windows, it won't allow the same 'size' risk as a huge garage door. Not exactly a perfect analogy, but close enough.

I would not trade ease of router configurations against the security risks. To quote Franklin, those that would sacrifice liberty for security deserve neither. Paraphrasing that as those that would risk security for simplicity deserve the disaster they get.



With a VPN you only open one port. Yes, once the user is authenticated they have (possibly) full access to the network and all protocols you allow over the VPN, but they still have to authenticate. That is the same with RDP. Both are only as secure as the authentication process. If you open many RDP ports to many computers, as the numbers increase so does the likelihood of an easy-to-guess local administrator password. On the networks I manage I have many more dictionary attacks against RDP ports than VPN ports. Once someone has RDP access with local admin credentials it is only a matter of time before they have domain credentials.

With a VPN you can use certificates that can't be guessed. With both you could use third-party two-factor authentication. With a decent firewall you can limit the protocols allowed over the VPN connection. You can use some form of NAP, NAC, etc. to ensure the computer connecting through the VPN meets network standards. With both you can limit the connection to specific IP addresses.

Security is about managing risk. You take appropriate steps to manage the risk that comes with doing a task. As I said earlier, both RDP and VPN access come with a risk. The risk can be managed as long as you understand what the risk is. With a decent firewall/VPN device I really don't see that one VPN connection is less secure than many RDP ports. It may be, but it doesn't have to be. Depending on how you set up RDP it may be the less secure option.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
http://vistahelpca.blogspot.com/
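A detection check for the dictionary attacks against exposed RDP ports that Kerry mentions, as an added example that is not part of the original thread: it groups failed RDP logons by source address over constructed sample log lines written in a flattened Windows Security event style (event 4625 is a failed logon, logon type 10 is RemoteInteractive, i.e. Terminal Services/RDP). The line format and the flagging thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real data) in a flattened Windows Security log style.
# EventID 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP / Terminal Services).
SAMPLE_LOG = """\
2008-10-01 02:14:03 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2008-10-01 02:14:04 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2008-10-01 02:14:05 EventID=4625 LogonType=10 TargetUserName=guest IpAddress=203.0.113.7
2008-10-01 02:14:06 EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.7
2008-10-01 02:14:07 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2008-10-01 08:02:11 EventID=4625 LogonType=10 TargetUserName=kerry IpAddress=198.51.100.22
2008-10-01 08:02:40 EventID=4624 LogonType=10 TargetUserName=kerry IpAddress=198.51.100.22
2008-10-01 09:15:00 EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=192.0.2.9
"""

# Assumed line layout: "<date> <time> EventID=N LogonType=N TargetUserName=U IpAddress=A"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

def summarize_rdp_failures(text):
    """Group failed RDP logons (4625 with LogonType 10) by source IP.
    Returns {ip: {"attempts": count, "users": set of account names tried}}."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        if m["event"] != "4625" or m["ltype"] != "10":
            continue  # successful logons and non-RDP failures are not of interest here
        entry = summary[m["ip"]]
        entry["attempts"] += 1
        entry["users"].add(m["user"])
    return dict(summary)

def suspected_dictionary_attacks(summary, min_attempts=5, min_users=3):
    """Flag source IPs with many failures spread across several account names.
    A user mistyping a password fails repeatedly for one name; a dictionary
    attack cycles through many names. Thresholds are assumed, tune per site."""
    return sorted(ip for ip, e in summary.items()
                  if e["attempts"] >= min_attempts and len(e["users"]) >= min_users)

if __name__ == "__main__":
    s = summarize_rdp_failures(SAMPLE_LOG)
    for ip in suspected_dictionary_attacks(s):
        print(f"{ip}: {s[ip]['attempts']} failures across {len(s[ip]['users'])} account names")
```

The single failure from 198.51.100.22 followed by a successful 4624 is left alone, which is the behaviour you want so that legitimate users are not blocked on one typo.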





I think that you are kidding yourself if you think that a firewall will limit protocols used over VPN. When the VPN traffic comes through the firewall it is still encrypted and encapsulated. All the firewall sees is the wrapper. It has no idea what is inside the encrypted data.
