How to disable port 3389 without losing RDP?

The corporate security check of our web server (correctly) reports 3389 (the standard port for accessing Remote Desktop) as open and requires us to close it.

Unfortunately, the server is actually remote, and we need RDP access.

Similarly, port 21 is for FTP.

We have strong passwords for access to FTP and RDP.

Is there a solution? Should I just configure services to work on different ports? (it seems nothing more than security through obscurity)

+6
4 answers

I wrote an article about this here with a lot of photos:

http://www.iteezy.com/change-rdp-3389-port-on-windows-2008-server/qc/10098

Summary:

  • Change the registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber from 3389 to your port number

  • Allow your port number in the Windows 2008 firewall (specifying the scope of IP addresses that can access the server through RDP is optional, but good security practice).

  • Restart the RDP service or restart the server

+4

There are several options...

1) Block port 3389 only from the security scanning service/software, to trick the software into believing that port 3389 is closed, although this is true. :) (This is probably not a good idea in most cases.)

2) Require that RDP users connect using VPN. This may be a problem, but it will improve security and possibly make your security scanner happy.

I don't know much about the RDP protocols, but FTP (if you do not use FTPS) sends passwords in clear text, so it doesn't matter how strong your passwords are - you send them in plain view of anyone who monitors your Internet connection. Requiring FTP connections only from machines connected to the VPN would also solve this problem.

+8

From the perspective of someone who manages security audits for global corporations, you have a few options, but first:

Make your senior leadership aware of the RDP and FTP risk - it must be their decision whether you continue to use them and accept the risk, reduce the risk with additional security controls, or replace them with something completely different.

Then your options are:

  • Raise the exception in the Risk Register - senior management accepts it
  • As @Flimzy says - setting up a VPN to your remote sites makes the most sense from a technical point of view: you can continue to use FTP and RDP regardless of their known security problems, because you provide a layer of strong security (the VPN)
  • Replace RDP and FTP with more secure connection mechanisms.

I would definitely not go down the road of trying to trick a security audit - all it does is leave top management thinking there are no problems, and it may come back to bite you in various costly ways, possibly including personal liability!

+6

If this suits your needs, you can also restrict access to the RDP port to only a few "secure" source IP addresses. This can be done with most software firewalls, including the built-in Windows firewall.

+2
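The procedure from the first answer (registry PortNumber, firewall rule, service restart) combined with the source-IP restriction from the last answer, as an added PowerShell example that is not from any of the answers or the linked article. The port 3390 and the 203.0.113.0/24 range are constructed placeholders; netsh is used instead of New-NetFirewallRule so it also runs on Windows Server 2008.

```powershell
# Added example: move the RDP listener off TCP/3389 and allow the new port only
# from a trusted management range, then confirm 3389 is no longer listening.
# Run in an elevated PowerShell on the server itself.
$NewPort   = 3390                  # constructed placeholder, pick your own
$AdminNets = @('203.0.113.0/24')   # constructed placeholder (RFC 5737 range)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Registry: PortNumber is a REG_DWORD read when the listener starts.
$old = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord
"RDP PortNumber changed from $old to $NewPort"

# 2. Firewall: allow the new port scoped to the admin ranges, and disable the
#    stock "Remote Desktop" rule group so 3389 is actually closed, not just idle.
$scope = $AdminNets -join ','
netsh advfirewall firewall add rule name="RDP custom port $NewPort" `
    dir=in action=allow protocol=TCP localport=$NewPort remoteip=$scope
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

# 3. Restart the Remote Desktop service so the listener rebinds to $NewPort.
#    Do this from a console/out-of-band session: the current RDP session drops.
Restart-Service -Name TermService -Force

# 4. Verify: expect a LISTENING line for :$NewPort and none for :3389.
netstat -ano | Select-String ":$NewPort\s|:3389\s"
```

Keep the VPN or source-IP scope as the real control; the port change alone only quiets the scanner, as the question itself notes.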

Source: https://habr.com/ru/post/891084/
