0

I am planning to deploy a Windows server running a web application into a colocation for the first time. I have already run IIS lockdown and done a number of other security tweaks based on advise from the smart folks here on the site.

So now I am wondering what I do for providing secure remote desktop or similar access to the machine for tweaking and manipulating the app online. taking the app offline etc. Do I ask the provider to set up some sort of whitelist allowing my office IP forward to the RDP port or do I need to provide hardware or other software to lock the box?

If there is a similar question or tip, point the way and I will close this question.

MikeJ
  • 1,381
  • 4
  • 13
  • 24

3 Answers3

1

In principle, RDP uses encryption, so you could just use it over the Internet as-is. However, it has a history of security vulnerabilities, and it's probably best to leave encryption to a dedicated protocol.

So I'd recommend setting up some kind of extra encryption, either a VPN, or a SSH tunnel or similar. Then you can use RDP across that.

See for example

Remote Desktop over SSH to Windows 7 box

for using RDP over SSH. SSH is probably easier to set up if you need it just for RDP. If you need to access other services as well, a VPN might be more appropriate (but then, you can access everything locally over RDP anyway).

Restricting access by IP is an additional security measure, but also severely limits your ability to access the system. With a VPN/SSH tunnel, I don't think it's necessary.

Community
  • 1
sleske
  • 10,009
  • 4
  • 34
  • 44
  • Do you have any details on these vulnerabilities? – Mark Henderson Sep 01 '09 at 09:18
  • I'm not intimately familiar with RDP, but AFAIK, early versions used no encryption at all, and later versions were vulnerable to MITM attacks in the default configurations; just google for details. I would just trust a dedicated security protocol like SSH or a VPN more than RDP which added security as an afterthought. – sleske Sep 01 '09 at 10:56
1

When your server's in the colo does it just have Internet access, or do you also have a LAN extension or similar private circuit to manage it over? If so, then it's a non-issue and RDP won't be a problem. If not, then I'd definitely recommend locking RDP down past the defaults; different port, oddly-named Admin account with a strong password and a restriction on which IP addresses can connect to the service.

RainyRat
  • 3,730
  • 1
  • 24
  • 29
  • My understanding is that the colo provides the cage, the power and the power. My understand is that I probably need some sort of router in between the port and the box to filter access? – MikeJ Sep 01 '09 at 10:12
  • 1
    Yes, definitely. A firewall would be more suitable, but routers support access lists as well - assuming no private circuit, you'll want to allow the great unwashed of the Internet access to ports 80 (and possibly 443), while locking port 3389 (assuming you leave RDP running on the default port) down to just your own external IP from wherever you're managing it from. – RainyRat Sep 01 '09 at 11:36
1

I usually run RDP on a port "other than" 3389 (security through obscurity). Also, I lock down RDP to allow only one certain user account.

djangofan
  • 4,182
  • 10
  • 46
  • 59