RDP on a Non-Standard Port

jdsilva
Kind of a big deal


This one is fun, so I thought I'd share. I'm getting this from our Provisioning team who opened a case with Support and received this answer.

 

***Edit***

 

I quoted the wrong rule on the first post. It's actually https://www.snort.org/rule-docs/1-49040

 

***End Edit***

 

And apparently this rule is always triggered when the MX detects RDP being used on a port other than 3389. 

 

Now, for real people, you shouldn't ever expose RDP to the internet on any port... But I get that it's done. So for those doing it on non-standard ports watch out for this. You might be cut off from your remote desktops 😞

9 Replies
BrechtSchamp
Kind of a big deal
jdsilva
Kind of a big deal

Nevermind me. I'm being dumb. I'm quoting the wrong rule. Support did give us Sid 1-49040... It's me that's screwing up the copy pasta 😞

CarolineS
Community Manager

Copy pasta! Yummmm
Blueshift
Conversationalist

Jesus Christ, this issue did my head in. Was struggling the entire WEEK trying to figure out why RDP was throwing "internal error" messages and why connections would log on and then log off.

 

We have 2 virtual servers that clients RDP into. One was working fine and the other (of course, our main one which uses different ports) crapped out on Tuesday (which I see now is when the definitions got added/updated).

 

What a nightmare.

 

Does this rule only relate to RDP requests using different ports than 3389? I'm concerned about whitelisting this rule for our server that uses different ports and thereby lowering the additional security (if any) this rule might provide.

BrechtSchamp
Kind of a big deal

If you want to port-forward multiple servers behind a single public IP, you probably don't have much of a choice.

 

To avoid the issue (and increase security at the same time), imo, ideally you build a VPN tunnel to the target network and use RDP over that tunnel directly to the destination IP addresses without port forwarding.

Blueshift
Conversationalist

Thank you. Is there a way to modify the enforcement of this rule on the MX so it doesn't trigger on the default OR the alternate port I'm using but still trigger on others? Basically a way to write in a whitelist for this rule but only on two specific ports.

BrechtSchamp
Kind of a big deal


@Blueshift wrote:

Thank you. Is there a way to modify the enforcement of this rule on the MX so it doesn't trigger on the default OR the alternate port I'm using but still trigger on others? Basically a way to write in a whitelist for this rule but only on two specific ports.


Not possible for now I think.

jdsilva
Kind of a big deal

You can't modify it, but you can whitelist it on the Threat Protection config page. But, be careful here, these settings are Org wide, not specific to that network. You can only whitelist Org wide.

 


Blueshift
Conversationalist

Thanks, I've done that. I'd just ideally like a way to keep the security this rule provides but be able to edit in the ports that it should ignore since one of our servers uses non-standard RDP ports.
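The point made in the opening post (the rule fires on RDP detected on any port other than 3389, so it is matching protocol content, not the port number) and the per-port exception Blueshift asks for above can both be illustrated with a small port-agnostic detector. The following is an added example written for this thread; it is not Cisco's or Snort's rule logic, and it is not code posted by anyone in the discussion. It parses the TPKT-framed X.224 Connection Request that every RDP client sends first (MS-RDPBCGR 2.2.1.1), flags it on any port outside an allowlist, and runs over a few constructed flows. The hostnames, source addresses, the alternate port 33890 and the `find_rdp_off_port` helper are all assumptions for the illustration.

```python
"""Port-agnostic detection of RDP connection requests (constructed example).

Not the MX/Snort implementation; a stand-in that shows why whitelisting by
port is the only lever once detection keys on protocol content."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

TPKT_VERSION = 3
X224_TPDU_CR = 0xE0       # X.224 Connection Request TPDU code (upper nibble)
TYPE_RDP_NEG_REQ = 0x01   # RDP_NEG_REQ.type

PROTOCOL_FLAGS = {        # RDP_NEG_REQ.requestedProtocols bits
    0x1: "PROTOCOL_SSL",
    0x2: "PROTOCOL_HYBRID (CredSSP/NLA)",
    0x8: "PROTOCOL_HYBRID_EX",
}


@dataclass
class RdpConnectionRequest:
    cookie: Optional[str]               # user name from "Cookie: mstshash=", if sent
    requested_protocols: Optional[int]  # RDP_NEG_REQ.requestedProtocols, None if absent


def parse_rdp_connection_request(payload: bytes) -> Optional[RdpConnectionRequest]:
    """Return the parsed request if `payload` is an RDP X.224 Connection Request.

    Layout: TPKT version(1)=3, reserved(1)=0, length(2, big-endian);
            X.224 CR: LI(1), code(1)=0xE0, dst-ref(2), src-ref(2), class(1);
            optional CRLF-terminated cookie/routing token; optional 8-byte RDP_NEG_REQ.
    Returns None for anything that does not fit that structure exactly."""
    if len(payload) < 11:
        return None
    version, reserved, length = struct.unpack("!BBH", payload[:4])
    if version != TPKT_VERSION or reserved != 0 or length != len(payload):
        return None
    li = payload[4]
    if li + 5 != len(payload) or (payload[5] & 0xF0) != X224_TPDU_CR:
        return None
    body = payload[11:]

    cookie = None
    if body and body[0] != TYPE_RDP_NEG_REQ:
        # Cookie or opaque routing token; both are terminated by CRLF.
        end = body.find(b"\r\n")
        if end == -1:
            return None
        token = body[:end]
        prefix = b"Cookie: mstshash="
        if token.startswith(prefix):
            cookie = token[len(prefix):].decode("ascii", errors="replace")
        body = body[end + 2:]

    requested = None
    if body:  # whatever remains must be exactly one RDP_NEG_REQ
        if len(body) != 8:
            return None
        neg_type, _flags, neg_len, requested = struct.unpack("<BBHI", body)
        if neg_type != TYPE_RDP_NEG_REQ or neg_len != 8:
            return None
    return RdpConnectionRequest(cookie=cookie, requested_protocols=requested)


def describe_protocols(flags: int) -> str:
    names = [name for bit, name in PROTOCOL_FLAGS.items() if flags & bit]
    return ", ".join(names) if names else "PROTOCOL_RDP (standard RDP security only)"


def find_rdp_off_port(flows: List[Tuple[str, int, bytes]],
                      allowed_ports: Set[int] = frozenset({3389})) -> List[Dict]:
    """Flag flows whose first client payload is an RDP CR on a port outside
    `allowed_ports`. `allowed_ports` is the per-port exception the thread wants."""
    alerts = []
    for src, dport, payload in flows:
        cr = parse_rdp_connection_request(payload)
        if cr is None or dport in allowed_ports:
            continue
        alerts.append({"src": src, "dport": dport, "cookie": cr.cookie,
                       "protocols": describe_protocols(cr.requested_protocols or 0)})
    return alerts


def build_rdp_cr(user: str, requested_protocols: int) -> bytes:
    """Construct a client Connection Request with a cookie and an RDP_NEG_REQ."""
    cookie = b"Cookie: mstshash=" + user.encode("ascii") + b"\r\n"
    neg = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    x224 = bytes([X224_TPDU_CR, 0, 0, 0, 0, 0]) + cookie + neg
    x224 = bytes([len(x224)]) + x224                     # prepend LI
    return struct.pack("!BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


# Constructed sample traffic (source, destination port, first client payload).
SAMPLE_FLOWS = [
    ("10.0.0.5", 3389, build_rdp_cr("alice", 0x3)),                 # RDP, standard port
    ("198.51.100.7", 33890, build_rdp_cr("bob", 0x0)),               # RDP, alternate port
    ("198.51.100.9", 33890, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),   # not RDP
]

if __name__ == "__main__":
    for alert in find_rdp_off_port(SAMPLE_FLOWS):
        print(alert)
    print("with 33890 allowed:", find_rdp_off_port(SAMPLE_FLOWS, {3389, 33890}))
```

Two things worth noting. The HTTP flow on 33890 never matches, and the RDP flow on 3389 is skipped only because of the allowlist, which is exactly the situation in the thread: moving the service to another port hides nothing from content inspection, so the only knob is which ports are exempt. Second, the parsed `requestedProtocols` shows what the client is willing to negotiate; the flow for "bob" asks for standard RDP security only (no TLS or CredSSP), which is a useful thing to surface on any RDP service reachable from the internet.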
