What's your thought? RDP via VPN

Imagine the following.

2 networks, each behind their own corporate firewall connected via dedicated VPN… Would using RDP to connect from one network to another networks server be deemed a security risk?

I don’t understand why /how this would be, but there is a client of ours who claims fbi contacted them and recommended them not to do so…

Thoughts?

5 Likes

If it’s all on the inside network and not exposed to the public Internet it’s about as secure as can be. Traffic will be encrypted by VPN.

The biggest thing that would make this a security risk are:

  1. the RDP ports open to the public internet (even though they are behind firewalls, often times people misconfigure and expose the machine to the outside world
  2. there is no/weak authentication on the RDP session, so anyone on the other network can access
  3. there is no auditing/logging on the RDP session to play back what happened if you discover later there was an incident

VPN would provide confidentiality of the traffic between the two sites to the standard of encryption protocol used. In addition if a fairly modern server (windows) the RDP session itself will also be encrypted therefore providing more confidentiality to the traffic if MITM.

The question of security risk if VPNs are of a decent standard would be the integrity of the firewalls between the two sites.

The RDP ports between the two sites are a threat surface in which if the firewalls aren’t the best could be exploited.

Depending on the client, military government etc the assurance lead may not be willing to hold that risk.

I suppose the red flag would be the RDP ports… But they could try using a PAT. I have been under pic-dss review and was informed that RDP is not secure due to man in the middle attacks. I was confused but we had to write a compensating control for that. So yeah I suppose its not secure

Connection between two administrative and security domains always introduces risk to both sides. You’d really need to perform a full risk assessment of the exact proposed configuration, protection and monitoring systems. Things like domain credentials, privilege escalation bugs, tunneling, additional system connectivity, data exfiltration and at least half a dozen other things come into play.

It’s a non-trivial assessment process if the systems, users, data or threat models are at all comprehensive. Nobody’s going to be able to adaquately quantify that risk with such a generic question.

Opening RDP to entities outside “your network” is not best practice. Would the FBI recommend something that violates best practice ? Probably not. That does not mean it’s a bad design, or should not be done when the proper controls are in place.

There are MANY people in this industry who default to “no” with no consideration for the details.

If a legitimate law enforcement agency called you on the phone and said that your environment was at risk. This would probably indicate a specific set of issues with your environment that they noticed.

I imagine that many people who run Windows VMs in a hosted environment like AWS are using RDP to control some of their boxes. All corps that I’ve seen use a jump box, (aka bastion host) for RDP sessions between datacenters/offices.