Meraki

Meremortal · ‎Aug 22 2019

Hi guys,

I recently replaced an aging ASA with a Z3 for one of our 2 person offices to discover that the users in this office had been using RDP to access their PC's from their home PC's.

I'm very reluctantly to reinstate RDP access and I'd like to get some "best practice" steering on it from you, my peers, to do the right thing by my users and my network.

Whatdoyathink?

Mere

Nash · ‎Aug 22 2019

From a network POV, if you can't avoid RDP:

1. Only from a device owned and managed by your business. Make sure it is fully updated. Run some kind of AV. Follow some kind of end point management best practices with regards to security.

2. Only over a VPN tunnel.

3. Use long complex passwords for access to RDP. Ideally over 15 char. Passphrases are ideal so users can remember them.

Have your sys admins review the Microsoft RDP best practices and implement them as much as possible on the server end.

Windows 10 Client VPN scripts: Makes life better!

View solution in original post

Nash · ‎Aug 22 2019

From a network POV, if you can't avoid RDP:

1. Only from a device owned and managed by your business. Make sure it is fully updated. Run some kind of AV. Follow some kind of end point management best practices with regards to security.

2. Only over a VPN tunnel.

3. Use long complex passwords for access to RDP. Ideally over 15 char. Passphrases are ideal so users can remember them.

Have your sys admins review the Microsoft RDP best practices and implement them as much as possible on the server end.

Windows 10 Client VPN scripts: Makes life better!

jdsilva · ‎Aug 22 2019

Issue them laptops.

http://blog.brokennetwork.ca |

@jdsilva

BeachBum · ‎Aug 22 2019

I agree with @Nash, VPN first, then RDP.

When I started at my company RDP was available from the Internet via NAT to our server running QuickBooks. I quickly removed that translation and told everyone who accessed it that they have to VPN first.

I also agree with both @jdsilva and @Nash, only allow it from company issued devices. You have no control over their home devices or idea what they're already infected with.

jdsilva · ‎Aug 22 2019

@BeachBum Haha! My comment was intended to imply laptops are portable, so they can take them home and completely remove the need for RDP. But, your point is a good one and I agree with that too:)

http://blog.brokennetwork.ca |

@jdsilva

Nash · ‎Aug 22 2019

@jdsilva wrote:
@BeachBum Haha! My comment was intended to imply laptops are portable, so they can take them home and completely remove the need for RDP. But, your point is a good one and I agree with that too:)

For most of my users, it's laptops plus VPN so they can access server resources! Because cloud resources have cooties, I guess.

One client left RDP open to the world on a Quickbooks server. They had tens of thousands of USD stolen partly because of that, partly because of brute forceable shared credentials. Small business, so it was pretty staggering.

Don't do open RDP.

Windows 10 Client VPN scripts: Makes life better!

BlakeRichardson · ‎Aug 22 2019

RDP externally makes me very nervous, I always things VPN and if they doesn't work something such as team viewer or other remote software other than RDP.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

SoCalRacer · ‎Aug 22 2019

Outside of all the options mentioned, there is software that can secure RDP for your users. Also RDG is actually what should be used and not direct to machine. The other option is use an entirely different software or method to access the data that the users need to access. I have found users that were using RDP to check email. In that use case it is way easier to find the right solution for them.

PhilipDAth · ‎Aug 22 2019

I'm tending more towards using MFA if it must be publically accessible. Duo even offers it for free for up to 10 users.

https://duo.com/

https://duo.com/docs/rdp

Note you can also use Duo MFA for local Windows authentication as well if you want.