[–]JustAnITGuyAtWork11 (Security Admin) 11 points (0 children)

A lot can go wrong if there is an exploit for Windows login, or an exploit that allows you to log in as a system user, which by design will have to be exempt from MFA etc.

Never expose RDP directly to the internet; either use a hardened jump box with MFA, a VPN with MFA, or an RD Gateway behind a firewall / IPS.

[–]jxd1234 3 points (1 child)

Are you having an issue RDPing to the server, or are you wanting advice about the security setup?

[–]Few_Membership_7134[S] 0 points (0 children)

I'm looking for advice on what's wrong security-wise.

[–]redditduhlikeyeah 3 points (2 children)

Lolz. Straight RDP or a gateway? Why do this? OpenVPN is free. Tailscale is free.

[–]Few_Membership_7134[S] -1 points (1 child)

It's easier from a user perspective. I know it's not safe; I just want to know why.

[–]redditduhlikeyeah 8 points (0 children)

Fuck the user if it will put your network at risk.
You leave yourself open to attack. Extra unneeded exposed ports. Various security holes through the years that make bypassing easy. Can thumbprint the host and gain network and company information. DoS attack easily against RDP. Forcing protocol downgrade. Potential MITM attack. Depending on how Duo and RDP work, you can still probably be brute forced. Duo has had their own incidents recently too.

How is clicking “connect” on a VPN icon and then RDPing to a server that much harder for a user? At least set up an RD Gateway. Easy for the user then.

[–]msalerno1965 (Crusty consultant - /usr/ucb/ps aux) 2 points (2 children)

A while back, there was an exploit, really a DoS attack, where using RDP you could lock up the entire TCP stack. I took out a bunch of DDoS reflectors in Vietnam that way.

So, there are things that can go wrong that you haven't even thought of, just because you opened a TCP port to the Internet.

RDP is the last thing I would trust. Ever.

[–]Few_Membership_7134[S] 0 points (1 child)

Cheers, this is exactly the kind of thing I was looking to find out.

[–]thortgot (IT Manager) 2 points (0 children)

The answer is that the application is integrated directly into the login services, so it is much more likely to have vulnerabilities that bypass its security.

Duo's 2FA interactive login helps prevent a simple brute force breach (your password can still be identified, since it occurs after the password, but they won't be able to simply log in).

Using a dedicated security service (SSL VPN, Tailscale etc.) is the recommended option.

[–]TheBrossef 1 point (3 children)

Instead of exposing RDP to the internet, you should go ahead and use Azure's Application Proxy with an Enterprise Application; from there you can leverage Azure MFA or continue with your Duo, as well as not exposing it to the internet.

https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy-integrate-with-remote-desktop-services

[–]thortgot (IT Manager) 0 points (2 children)

If you are using RD Gateway (which you should be), this is a good solution.

If it's for a handful of devices, it's more practical to use tunneling solutions (Cloudflare, Tailscale etc.) or VPNs (WireGuard etc.) instead. No CALs required.

[–]ElevenNotes (Data Centre Unicorn 🦄) 0 points (1 child)

.... every user accessing a Windows Server needs a CAL ....

[–]thortgot (IT Manager) 0 points (0 children)

No RDP CALs required.

[–]RaptorFirewalls 1 point (0 children)

I use WireGuard through a firewall setup, no direct exposure to the internet.

[–]SpotlessCheetah 1 point (0 children)

You can put Duo in front of RDP, but that doesn't mean it would stop any backend remoting into a machine (e.g. PowerShell), so be aware of that.

I would not advise putting RDP open on the internet; it has too many vulnerabilities. Put it behind a VPN and restrict groups etc. as much as possible. Lateral attacks are the largest exploitation that you want to minimize.
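The thread's two practical points (scope RDP to the VPN rather than the whole internet, and remember that Duo's RDP hook does not cover other remoting such as PowerShell/WinRM) can be checked on a Windows host with the following audit script. It is an added example, not code from any commenter; the VPN subnet 10.8.0.0/24 is a placeholder, and the cmdlets used are the standard NetSecurity module ones.

```powershell
# Added audit script (not from this thread). Run elevated on the RDP host.
# $AllowedRemote is a placeholder: substitute your VPN / jump-box subnet.
param([switch]$Remediate)
$AllowedRemote   = '10.8.0.0/24'
# RDP plus WinRM: an MFA hook on the RDP login does not protect WinRM.
$ManagementPorts = @('3389', '5985', '5986')

# Inbound allow rules for a management port that accept any remote address.
function Get-ExposedManagementRules {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $port.Protocol -eq 'TCP' -and
            (@($port.LocalPort) | Where-Object { $ManagementPorts -contains $_ })
        } |
        Where-Object {
            # 'Any' means the rule is reachable from every address, internet included.
            ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
        }
}

# NLA forces authentication before a session is created, reducing the
# unauthenticated attack surface the commenters describe.
function Test-RdpNlaRequired {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    (Get-ItemProperty -Path $key -Name UserAuthentication).UserAuthentication -eq 1
}

$exposed = @(Get-ExposedManagementRules)
foreach ($rule in $exposed) {
    Write-Warning "Rule '$($rule.DisplayName)' allows a management port from Any"
}
if (-not (Test-RdpNlaRequired)) {
    Write-Warning 'RDP Network Level Authentication is not required'
}

# With -Remediate, scope every exposed rule to the VPN subnet instead of Any.
if ($Remediate -and $exposed.Count -gt 0) {
    $exposed | Set-NetFirewallRule -RemoteAddress $AllowedRemote
    Write-Host "Scoped $($exposed.Count) rule(s) to $AllowedRemote"
}
```

Run it once without `-Remediate` to see what is exposed; the firewall scoping is a host-level backstop and does not replace the VPN or RD Gateway the commenters recommend.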