RDP best practice

SOLVED
Conversationalist

RDP best practice

Hi guys,

I recently replaced an aging ASA with a Z3 for one of our 2 person offices to discover that the users in this office had been using RDP to access their PCs from their home PCs.

I'm very reluctant to reinstate RDP access and I'd like to get some "best practice" steering on it from you, my peers, to do the right thing by my users and my network.

Whatdoyathink?

Mere

1 ACCEPTED SOLUTION

Kind of a big deal

Re: RDP best practice

From a network POV, if you can't avoid RDP:

1. Only from a device owned and managed by your business. Make sure it is fully updated. Run some kind of AV. Follow some kind of endpoint management best practices with regard to security.

2. Only over a VPN tunnel.

3. Use long complex passwords for access to RDP. Ideally over 15 characters. Passphrases are ideal so users can remember them.

Have your sys admins review the Microsoft RDP best practices and implement them as much as possible on the server end.

8 REPLIES

Kind of a big deal

Re: RDP best practice

Issue them laptops.

Here to help

Re: RDP best practice

I agree with @Nash, VPN first, then RDP.

When I started at my company RDP was available from the Internet via NAT to our server running QuickBooks. I quickly removed that translation and told everyone who accessed it that they have to VPN first.

I also agree with both @jdsilva and @Nash, only allow it from company issued devices. You have no control over their home devices or idea what they're already infected with.
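The accepted answer's "only over a VPN tunnel" and the NAT translation described above both come down to one question: does any forwarding rule on the edge appliance let an untrusted source reach TCP/3389 on a LAN host? The audit below is an added example, not code from the thread or from Meraki; it works on a constructed rule list whose field names (lanIp, publicPort, localPort, protocol, allowedIps) are my assumption of how Meraki port-forwarding rules look, and the trusted range 198.51.100.0/24 stands in for a VPN or partner network.

```python
import ipaddress

RDP_PORT = 3389

# Constructed sample. The field names (lanIp, publicPort, localPort, protocol,
# allowedIps) follow Meraki port-forwarding rules as I understand them (assumption).
SAMPLE_RULES = [
    {"name": "QuickBooks RDP", "lanIp": "192.168.1.10", "publicPort": "3389",
     "localPort": "3389", "protocol": "tcp", "allowedIps": ["any"]},
    {"name": "Obscured RDP", "lanIp": "192.168.1.11", "publicPort": "33890",
     "localPort": "3389", "protocol": "tcp", "allowedIps": ["203.0.113.0/24"]},
    {"name": "Partner RDP", "lanIp": "192.168.1.12", "publicPort": "3389",
     "localPort": "3389", "protocol": "tcp", "allowedIps": ["198.51.100.5/32"]},
    {"name": "Web", "lanIp": "192.168.1.20", "publicPort": "443",
     "localPort": "443", "protocol": "tcp", "allowedIps": ["any"]},
]

def port_in_range(port_field, port):
    """Port fields are strings such as "3389" or "3389-3390"."""
    lo, _, hi = str(port_field).partition("-")
    return int(lo) <= port <= int(hi or lo)

def reachable_from_untrusted(allowed_ips, trusted_nets):
    """True if any allowed source is "any" or lies outside every trusted range."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    for src in allowed_ips:
        if src.lower() == "any":
            return True
        net = ipaddress.ip_network(src, strict=False)
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            return True
    return False

def find_exposed_rdp(rules, trusted_nets=()):
    """Names of rules letting an untrusted source reach TCP/3389 on a LAN host.
    Keyed on localPort, so remapping the public port (33890 -> 3389) is still caught."""
    exposed = []
    for rule in rules:
        if rule.get("protocol", "tcp").lower() not in ("tcp", "both"):
            continue
        if not port_in_range(rule["localPort"], RDP_PORT):
            continue
        if reachable_from_untrusted(rule.get("allowedIps", ["any"]), trusted_nets):
            exposed.append(rule.get("name", f"{rule['lanIp']}:{rule['localPort']}"))
    return exposed

if __name__ == "__main__":
    # A live audit would load the rules from the Dashboard API; here we use the sample.
    for name in find_exposed_rdp(SAMPLE_RULES, trusted_nets=["198.51.100.0/24"]):
        print("RDP exposed to untrusted sources by rule:", name)
```

Any rule the script names is one the accepted answer says should not exist; the expected state is an empty result, with RDP reachable only once the VPN tunnel is up.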

Kind of a big deal

Re: RDP best practice

@BeachBum Haha! My comment was intended to imply laptops are portable, so they can take them home and completely remove the need for RDP. But, your point is a good one and I agree with that too :)

Kind of a big deal

Re: RDP best practice

@jdsilva wrote:

@BeachBum Haha! My comment was intended to imply laptops are portable, so they can take them home and completely remove the need for RDP. But, your point is a good one and I agree with that too :)

For most of my users, it's laptops plus VPN so they can access server resources! Because cloud resources have cooties, I guess.

One client left RDP open to the world on a QuickBooks server. They had tens of thousands of USD stolen partly because of that, partly because of brute-forceable shared credentials. Small business, so it was pretty staggering.

Don't do open RDP.

Kind of a big deal

Re: RDP best practice

RDP externally makes me very nervous. I always think VPN, and if that doesn't work, something such as TeamViewer or other remote software other than RDP.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Head in the Cloud

Re: RDP best practice

Outside of all the options mentioned, there is software that can secure RDP for your users. Also, RDG is actually what should be used, not direct to the machine. The other option is to use an entirely different software or method to access the data that the users need to access. I have found users that were using RDP to check email. In that use case it is way easier to find the right solution for them.

Kind of a big deal

Re: RDP best practice

I'm tending more towards using MFA if it must be publicly accessible. Duo even offers it for free for up to 10 users.

https://duo.com/

https://duo.com/docs/rdp

Note you can also use Duo MFA for local Windows authentication if you want.
