RDP best practice

Solved
Meremortal
Conversationalist

Hi guys,

I recently replaced an aging ASA with a Z3 for one of our 2 person offices to discover that the users in this office had been using RDP to access their PCs from their home PCs.

I'm very reluctant to reinstate RDP access and I'd like to get some "best practice" steering on it from you, my peers, to do the right thing by my users and my network.

Whatdoyathink?

Mere

1 Accepted Solution
Nash
Kind of a big deal

From a network POV, if you can't avoid RDP:

1. Only from a device owned and managed by your business. Make sure it is fully updated. Run some kind of AV. Follow some kind of endpoint management best practices with regards to security.

2. Only over a VPN tunnel.

3. Use long complex passwords for access to RDP. Ideally over 15 char. Passphrases are ideal so users can remember them.

Have your sys admins review the Microsoft RDP best practices and implement them as much as possible on the server end.

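As an added example, not from Nash's post or anyone else in this thread: a PowerShell audit script for the server end of the points above. On one Windows host it reports whether RDP is enabled, whether Network Level Authentication is required, whether the inbound Remote Desktop firewall rules accept connections from anywhere rather than only the VPN subnet, whether an account lockout threshold exists, and how many failed RDP logons the Security log holds for the last 24 hours. The VPN client subnet 10.8.0.0/24 is a placeholder assumption; the registry paths and cmdlets are the standard Windows ones. Run it from an elevated prompt, since reading the Security log needs admin rights.

```powershell
# Added example (not from this thread or any poster): audit one Windows host's
# RDP exposure. Run from an elevated PowerShell prompt.
# ASSUMED placeholder: the VPN client pool is 10.8.0.0/24; substitute your own.
$VpnSubnet = '10.8.0.0/24'
$findings  = @()

# Is RDP enabled at all? fDenyTSConnections = 0 means connections are allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ((Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0) {
    $findings += 'RDP is enabled on this host.'
}

# Network Level Authentication: UserAuthentication = 1 makes the client
# authenticate before a session is created, which is part of Microsoft's guidance.
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"
if ((Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -ne 1) {
    $findings += 'NLA is not required (UserAuthentication is not 1).'
}

# Firewall scope: the inbound Remote Desktop rules should accept only the VPN
# subnet. A RemoteAddress of "Any" is what an Internet-facing NAT would reach.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if (@($remote) -contains 'Any') {
            $findings += "Firewall rule '$($_.DisplayName)' accepts RDP from Any; scope it to $VpnSubnet."
        }
    }

# Account lockout: with no threshold, password guessing is unthrottled.
$lockoutLine = (net accounts) | Select-String 'Lockout threshold'
if ($lockoutLine -and $lockoutLine.Line -match 'Never') {
    $findings += 'No account lockout threshold is set.'
}

# Evidence of guessing: failed logons (event 4625) whose logon type is 10
# (RemoteInteractive, i.e. RDP) in the last 24 hours.
$failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Logon Type:\s+10' })
if ($failed.Count -gt 0) {
    $findings += "$($failed.Count) failed RDP logons in the last 24 hours."
}

if ($findings.Count -eq 0) { Write-Output 'No findings.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }

# Remediation for the NLA and firewall findings, left commented out so the
# script stays read-only until you have reviewed the results:
# Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
# Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
#     Set-NetFirewallRule -RemoteAddress $VpnSubnet
```

The script only reads settings; the two commented-out lines at the end are the changes that would enforce NLA and restrict the firewall rules to the VPN subnet, which together cover Nash's point 2 on the server side. The 4625 count is a quick indicator only; a host that has sat behind an open NAT will usually show it immediately.
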
8 Replies
jdsilva
Kind of a big deal

Issue them laptops.

BeachBum
Here to help

I agree with @Nash, VPN first, then RDP.

When I started at my company RDP was available from the Internet via NAT to our server running QuickBooks. I quickly removed that translation and told everyone who accessed it that they have to VPN first.

I also agree with both @jdsilva and @Nash, only allow it from company issued devices. You have no control over their home devices or idea what they're already infected with.

jdsilva
Kind of a big deal

@BeachBum Haha! My comment was intended to imply laptops are portable, so they can take them home and completely remove the need for RDP. But, your point is a good one and I agree with that too:)

Nash
Kind of a big deal


@jdsilva wrote:

@BeachBum Haha! My comment was intended to imply laptops are portable, so they can take them home and completely remove the need for RDP. But, your point is a good one and I agree with that too:)

For most of my users, it's laptops plus VPN so they can access server resources! Because cloud resources have cooties, I guess.

One client left RDP open to the world on a QuickBooks server. They had tens of thousands of USD stolen, partly because of that, partly because of brute-forceable shared credentials. Small business, so it was pretty staggering.

Don't do open RDP.

BlakeRichardson
Kind of a big deal

RDP externally makes me very nervous. I always think VPN, and if that doesn't work, something such as TeamViewer or other remote software other than RDP.

SoCalRacer
Kind of a big deal

Outside of all the options mentioned, there is software that can secure RDP for your users. Also, RDG is actually what should be used and not direct to the machine. The other option is to use an entirely different software or method to access the data that the users need to access. I have found users that were using RDP to check email. In that use case it is way easier to find the right solution for them.

PhilipDAth
Kind of a big deal

I'm tending more towards using MFA if it must be publicly accessible. Duo even offers it for free for up to 10 users.

https://duo.com/

https://duo.com/docs/rdp

Note you can also use Duo MFA for local Windows authentication as well if you want.
