Re: RDP connection via dyndns
- From: "Kerry Brown" <kerry@xxxxxxxxxxxxxxxxxxx*a*m>
- Date: Mon, 27 Oct 2008 08:16:23 -0700
"Bill Kearney" <wkearney99@xxxxxxxxxxx> wrote in message news:X-CdnVboa-hHVpjUnZ2dnUVZ_hydnZ2d@xxxxxxxxxxxxxxxx
With a VPN you only open one port. Yes, once the user is authenticated they have (possibly) full access to the network and all protocols you allow over the VPN but they still have to authenticate.
With RDP they access a session on a box. Limited to that box's access to the local network and to that user account's access. That is CONSIDERABLY less exposure than a VPN connection.
If you are connected via a VPN directly to a server running RRAS and the server is inside your network then what you say is true. Nowhere in this thread have I recommended that setup. Please read all the posts again. Again, I'll point out that if someone gains local admin access they soon have domain access. RDP protects your network from the outside machine. It does not protect you from whoever finds a way to log on to the target machine inside your network. In one sense it is less secure because that machine is already trusted by the network.
That is the same with RDP. Both are only as secure as the authentication process. If you open many RDP ports to many computers, as the numbers increase so does the likelihood of an easy-to-guess local administrator password.
If an admin is lazy, no protocols, ports or whatever is going to help the security. But that's a phenomenally weak argument to support your point.
It's not weak at all. I work on many different networks. When I first start with a new network it's very common to see clients with default OEM installs where the local administrator account has no password.
With a decent firewall you can limit the protocols allowed over the VPN connection.
And at the same time you argue about weak passwords? Oh please, you can't realistically expect to argue it both ways. Programming protocol limitations on a firewall tends to be significantly more complex. Enough such that even IF they had a firewall (or upstream router) that supported it the likelihood they'd use it rapidly approaches zero.
I use these capabilities on firewalls all the time. I know many other people who do. Others in this thread have indicated they do.
It all comes down to management. The more ports you have open, the harder it is to manage them. It doesn't really matter what the ports are for. If you need the capability to RDP to more than a couple of computers on a network it is much easier to manage the security of one VPN port than several RDP ports. With several RDP ports you need to manage the target IP addresses. This means static IPs or DHCP reservations. You need to change the registry on each of these computers. If you need to add a new computer or change an existing computer you need to consult a manual list of what port to use, then make sure the list and the registry on the target are updated. You need to check each computer for local admin accounts. You need to set up an IP address that doesn't conflict with something else. The list goes on and on. It is a management nightmare. Management nightmares easily become security nightmares. Yes, it's hard to set up good security for a VPN. This doesn't mean it's not the best solution. I use both solutions all the time. Where I need the best security I use RDP over a VPN that uses a firewall as its endpoint. It is the best solution for security. It takes more work to get that security but once set up it is far easier to manage.
--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
http://vistahelpca.blogspot.com/
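The reconciliation Kerry describes above (a hand-kept list of which RDP port each computer uses, the registry on each target, and a check of each target's local Administrator account) can be scripted so drift is caught instead of discovered during an incident. This is an added example, not code from the thread or either poster; it assumes PowerShell Remoting (WinRM) is enabled on the targets, Windows PowerShell 5.1 or later for Get-LocalUser, local admin rights for the caller, and the host names and ports in $PortList are constructed sample data.

```powershell
# Added example (not from the thread). Compares the manual "host -> RDP port" list
# against the port each target's RDP-Tcp listener is configured for, and reports the
# built-in Administrator account's state so a blank/never-set password is visible.
# Assumes WinRM access and local admin rights on the targets; $PortList is constructed.

$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Constructed sample of the manual port list (hypothetical host names).
$PortList = @{ 'WS01' = 3391; 'WS02' = 3392; 'WS03' = 3393 }

function Get-RdpTargetState {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ArgumentList $RdpKey -ScriptBlock {
        param($Key)
        # Port the RDP-Tcp listener is configured for (3389 unless someone changed it).
        $port = (Get-ItemProperty -Path $Key -Name PortNumber).PortNumber
        # The built-in Administrator is the account with RID 500, whatever it was renamed to.
        $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
        [pscustomobject]@{
            Port             = [int]$port
            AdminEnabled     = [bool]$admin.Enabled
            AdminPwdRequired = [bool]$admin.PasswordRequired   # $false: "password not required" flag is set
            AdminPwdLastSet  = $admin.PasswordLastSet           # $null: password never set
        }
    }
}

function Test-RdpPortList {
    param([hashtable]$Expected)
    # Catch the purely clerical error first: two hosts assigned the same port in the list.
    $dupes = $Expected.Values | Group-Object | Where-Object Count -gt 1 | ForEach-Object Name
    if ($dupes) { Write-Warning "Duplicate port(s) in list: $($dupes -join ', ')" }
    foreach ($name in $Expected.Keys) {
        try {
            $state  = Get-RdpTargetState -ComputerName $name
            $status = if ($state.Port -ne $Expected[$name]) { 'PortMismatch' } else { 'OK' }
            if ($state.AdminEnabled -and -not $state.AdminPwdRequired) { $status += ',AdminNoPwdRequired' }
            if ($state.AdminEnabled -and -not $state.AdminPwdLastSet)  { $status += ',AdminPwdNeverSet' }
            [pscustomobject]@{ Host = $name; Expected = $Expected[$name]; Actual = $state.Port
                               AdminEnabled = $state.AdminEnabled; Status = $status }
        } catch {
            # Unreachable hosts are reported, not skipped: a stale list entry is itself a finding.
            [pscustomobject]@{ Host = $name; Expected = $Expected[$name]; Actual = $null
                               AdminEnabled = $null; Status = "Unreachable: $($_.Exception.Message)" }
        }
    }
}

Test-RdpPortList -Expected $PortList | Format-Table -AutoSize
```

Any row other than OK with AdminEnabled False is an item for the list or the target to be corrected; running this on a schedule turns the manual list into something that is checked rather than trusted.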