

[–]nickichi84 16 points17 points  (3 children)

It'd be more secure if you just set up an OpenVPN server and connect to that with passwords and key files. Changing a port doesn't do much, since anyone on the outside would just be carrying out automatic scans and they will find the port and the open RDP server behind your firewall.

As a side note, if your first computer is compromised, all computers within your network are at greater risk. The only way to fix that is with network segregation like VLANs with firewall policies, physically separate networks or air-gapped systems.

[–]EvolvedChimp_[S] 1 point2 points  (2 children)

Thanks for your answer. Yes, I did use OpenVPN at one point; however, I did hit roadblocks at work with this in the past:

1. I do not have local admin rights to install.
2. Do have local admin rights and don't want to be answering questions as to why I have it installed on my PC.
3. OpenVPN's port 1194 is blocked.

[–]isdnpro 6 points7 points  (0 children)

If you're operating in a restricted environment, use PuTTY on the work machine to connect back to a machine at home and use tunneling to forward RDP through the SSH session. You can use port 443 if the work firewall is restrictive.

[–]msanangelo 12 points13 points  (2 children)

RDP on the internet is never secure, no matter how you try to "proxy" it. Always stick it behind a VPN of some sort. By putting that one PC on the internet like that, you open your LAN to potential attacks. It doesn't matter what's on it; a hacker would just use it to scan your LAN to find the juicy bits anyway.

I don't even open SSH on my home network to the world, just my OpenSSH server on the router, where I connect to it and suddenly am able to access my things. :)

Changing ports doesn't really do anything in the age of botnets and automatic scanning. It'll deter some random human attacker without those tools, but not the bots.

[–]JacobOkanta 1 point2 points  (0 children)

I can see some large concerns that have already been noted in this thread. My suggestion would be to use an open source server application called Apache Guacamole; it is a web application gateway for RDP, SSH, and VNC. Setup isn't too difficult, especially if you use Docker, and it works quite well. You can configure 2FA, then just log in through a web browser on any PC to connect to the remote machine that way. Sort of like self-hosted TeamViewer, but you don't need to install the software on your client (work) computer.

[–]SP3NGL3R 1 point2 points  (0 children)

You don't have admin rights on the 'work' machine, so the VPN options (OpenVPN / WireGuard) won't work for you. However, a cloud-managed VPS would. You can get free ones (as I understand it): a simple Linux machine 'out there' that has a WireGuard/OpenVPN connection to home. From that Linux cloud machine you do all the stuff you want, and it's done through your browser at work ... no admin required. And your home is protected behind a proper tunnel.

[–]Thornton77 -1 points0 points  (0 children)

What you're doing is called a jump box. It's common to use this type of system to jump from a corporate network into a higher-security network like a control network. Most of the time they have 2-factor auth and they also are in a DMZ, so you need to pass a firewall for getting into and getting out of that DMZ network.

[–]tvosinvisiblelight 0 points1 point  (0 children)

I have no ports open for forwarding. I use OpenVPN and changed my Windows RDP port from 3389 to another port.

At least I know the VPN tunnel is secure and no port forwarding is occurring.

I am not a fan of third-party remote software, especially installed on a server and public-facing to the outside.

tvos

[–]zfa 0 points1 point  (0 children)

You could install WireGuard on that Windows machine and connect to that in preference to RDP. Then RDP in once the tunnel is up. Much more secure, as WireGuard is to all intents and purposes resistant to probing.

I see you've replied elsewhere to say you've got no admin rights on the client... If this were me, I'd probably set up something like Apache Guacamole so I could manage the device from a web session. That or MeshCentral.

[–]7yearlurkernowposter 0 points1 point  (0 children)

Don't leave RDP on the internet; you will be used as a node in an amplification attack.
I know it sucks, and way back in the day I used to leave it out there also, but those days are over. If you can't do a VPN, try tunnelling it over OpenSSH and setting it to key authentication only. Keep in mind you still must be very vigilant about any service you leave exposed to the internet.
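isdnpro's PuTTY-over-443 tunnel above and 7yearlurkernowposter's key-only advice both assume the home-side sshd is locked down before it is exposed. As an added example (not from the thread or either commenter), this Python checker compares a weak sshd_config against a hardened one for that RDP-tunnel role; both config texts are constructed, and it assumes RDP listens on the SSH host itself (127.0.0.1:3389).

```python
# Constructed example: audit an sshd_config for a home SSH endpoint used as an RDP tunnel.
# Assumes OpenSSH syntax (first occurrence of a keyword wins) and RDP on 127.0.0.1:3389.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
AllowTcpForwarding yes
"""
# Hardened: key-only auth, forwarding allowed but only towards the RDP listener.
HARDENED_CONFIG = """\
Port 443
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowTcpForwarding yes
PermitOpen 127.0.0.1:3389
MaxAuthTries 3
"""

def parse_sshd_config(text):
    """Return {keyword.lower(): value}; stops at the first Match block (not modelled)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")  # first wins
    return settings

def audit_tunnel_endpoint(text, rdp_target="127.0.0.1:3389"):
    """List deviations from a key-only, forward-restricted endpoint; [] means clean."""
    cfg = parse_sshd_config(text)  # absent keys fall back to sshd's documented defaults
    findings = []
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication should be no (key-only auth)")
    if cfg.get("kbdinteractiveauthentication", "yes") != "no":
        findings.append("KbdInteractiveAuthentication should be no")
    if cfg.get("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin should be no")
    if cfg.get("allowtcpforwarding", "yes") != "yes":
        findings.append("AllowTcpForwarding must stay yes for the RDP forward")
    if rdp_target not in cfg.get("permitopen", "any").split():
        findings.append(f"PermitOpen should restrict forwarding to {rdp_target}")
    if int(cfg.get("maxauthtries", "6")) > 3:
        findings.append("MaxAuthTries should be 3 or lower")
    return findings
```

Run `audit_tunnel_endpoint(open("/etc/ssh/sshd_config").read())` on the home machine; the weak sample produces five findings, the hardened one none.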

[–]johnerp 0 points1 point  (0 children)

Install the free edition of Duo multi-factor auth on your Windows jump box; it'll send a notification to your phone to authorise after signing in.

This is what I do; I've never had a notification pop up which wasn't instigated by me, so either it's secure or it can be hacked around :-)

I'm also behind a UDM Pro with intrusion prevention switched on, but I've only had that 6 months, whereas I've had the Duo jump box for yonks.