Remote Desktop Connection Vulnerabilities Win 7

justaguy168

Member
Jul 20, 2011
53
1
71
I am thinking of setting up RDC on my parents' computer as a way to access their PC remotely. I am attracted to the idea that it is a pay-one-price solution and tightly integrated into the operating system. Host computer would be Windows 7 Professional. Client computer would be Windows 7 Home Premium. Host is behind an old Linksys wired router. Client is behind a newer Dlink wired/wireless router. On the host I will check the option "Allow connection with computers running Remote Desktop with network level authentication (more secure)." Windows Firewall and Windows Security Essentials are enabled on both ends.

I read a number of posts, dated years ago, that RDC and its protocol, Remote Desktop Protocol, are vulnerable to man-in-the-middle attacks. Wikipedia still says this. David Pogue advocates setting up a VPN and first connecting to the VPN and then connecting to the remote desktop. The first commenter to this Help Desk Geek article mentions a VPN, SSH, and PuTTY solution.
1) Is Win 7 RDC still vulnerable to MITM attacks without a VPN?
2) Will setting up a VPN reduce vulnerability to "prudent" levels?

By "prudent" levels I mean within days / weeks of setting up hackers are not trying to crack my parents' password, have hijacked their hard drive, and stolen their identity. I realize there is no such thing as "invulnerable." My parents are generally careful, are aware of the concept of phishing, do not click on unknown links, and do not install software (i.e. "screensavers").
 

wirednuts

Diamond Member
Jan 26, 2007
7,121
4
0
i would just use RDP with the "more secure" level you already are planning on using. it's free btw, i don't know what you mean by "pay once then done"

logmein is another nice tool. it doesn't use RDP though, so expect a slower experience. but it works well. thing that's nice about logmein is that it's very quick and easy to turn it on and off... so when you need to remote in just call your parents and tell them to activate logmein, and then you can get in.
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
1) Is Win 7 RDC still vulnerable to MITM attacks without a VPN?

No. All versions of Windows since Windows Vista support TLS authentication, which can detect a MITM attack.

2) Will setting up a VPN reduce vulnerability to "prudent" levels?

A VPN is unnecessary if its only purpose is to guard RDP.

By "prudent" levels I mean within days / weeks of setting up hackers are not trying to crack my parents' password, have hijacked their hard drive, and stolen their identity. I realize there is no such thing as "invulnerable."

The most common attack you'll see on RDP is brute-force login attempts. Make sure your RDP-enabled users have complex passwords (this can be enforced using the computer's local security policy), and make sure account lockout is enabled and configured properly. You can also protect yourself against vulnerabilities in RDP by making sure that Windows Updates are installed automatically or are otherwise applied on a regular interval.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,450
10,119
126
No. All versions of Windows since Windows Vista support TLS authentication, which can detect a MITM attack.
From my reading at the time I was researching this issue, it seems that only Server editions of Windows had that feature, and that the RDP Service in Client versions of Windows did not support it.
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
From my reading at the time I was researching this issue, it seems that only Server editions of Windows had that feature, and that the RDP Service in Client versions of Windows did not support it.

That was true for Windows XP/Windows Server 2003, but in Vista and later, TLS is supported across the board.
 

justaguy168

Member
Jul 20, 2011
53
1
71
Thank you all for your thoughtful replies. This helps a tremendous amount.

Make sure your RDP-enabled users have complex passwords (this can be enforced using the computer's local security policy), and make sure account lockout is enabled and configured properly.
How complex is complex? Obviously letters and numbers, but how long? Mixed case? Non-numeric / non-alpha (!@#$%^&*-+)?
  • "york23" is too short
  • "newyork23" is probably what my parents are comfortable with
  • "Delicatessen!23" is their outer limit
  • "d3l1c4t3ss3n!23" is beyond them
They will have to type this password each time the screen saver kicks in or they sit down to the computer. Does Microsoft define "complex" anywhere?

Will definitely enable account lockout.
 

SFCanuck

Junior Member
Jun 1, 2011
9
7
76
Does Microsoft define "complex" anywhere?
Complex means (according to the group policy editor):
  • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
  • Be at least six characters in length
  • Contain characters from three of the following four categories:
      • English uppercase characters (A through Z)
      • English lowercase characters (a through z)
      • Base 10 digits (0 through 9)
      • Non-alphabetic characters (for example, !, $, #, %)

If "d3l1c4t3ss3n!23" is beyond them what about skipping complexity requirements but setting a high minimum password length (e.g. 17 or more) and using a password like "newyorkdelisarethebest"?

Easy to remember and definitely easier to type than a fully l33t3d password yet computationally expensive to crack.
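
The complexity rule quoted above, applied to the candidate passwords from this thread. This is an added example, not part of the original posts and not Microsoft's code; the account name "parents" is hypothetical, and splitting the full name on spaces and punctuation is this example's reading of the first rule.

```python
import re
import string

def complexity_failures(password, account_name="", full_name="", min_len=6):
    """Return the rules a password breaks; an empty list means it passes."""
    failures = []
    lowered = password.lower()
    # Rule 1 (this example's reading): the account name, and each part of the
    # full name longer than two characters, must not occur in the password.
    parts = [account_name] + re.split(r"[\s,.\-_#]+", full_name)
    for part in parts:
        if len(part) > 2 and part.lower() in lowered:
            failures.append("contains name part '%s'" % part)
    # Rule 2: minimum length (six in the quoted policy text).
    if len(password) < min_len:
        failures.append("shorter than %d characters" % min_len)
    # Rule 3: at least three of the four listed character categories.
    categories = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(categories) < 3:
        failures.append("uses %d of 4 character categories" % sum(categories))
    return failures

# Candidate passwords quoted in the thread.
THREAD_CANDIDATES = [
    "york23",
    "newyork23",
    "Delicatessen!23",
    "d3l1c4t3ss3n!23",
    "newyorkdelisarethebest",
]

if __name__ == "__main__":
    for pw in THREAD_CANDIDATES:
        problems = complexity_failures(pw, account_name="parents")  # hypothetical account
        print("%-24s %s" % (pw, "; ".join(problems) or "meets the policy"))
```

Only the two candidates containing "!" meet the policy; "newyork23" uses two categories, and the long lowercase passphrase uses one, which is why it needs the complexity requirement switched off and a minimum length set instead.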
 

nitrous9200

Senior member
Mar 1, 2007
282
3
76
If you set up LogMeIn Free, they don't have to set up a password; it will make a new user account for its own purposes and protects that with a passphrase (doesn't matter to them since you'll be the only one using it anyway).
Overall it's a much better solution than opening up RDP to the internet, but if you do decide to use RDP then at least change the port number - otherwise the computer will get hammered with requests from automated scanners and such.
 

justaguy168

Member
Jul 20, 2011
53
1
71
Overall it's [LogMeIn is] a much better solution than opening up RDP to the internet
Thank you for the advice nitrous. Okay, I'm not trying to argue with you but I do want to understand this issue better. Why do you say that LogMeIn (and perhaps by extension GoToMyPc or TeamViewer) is better? Is the idea of opening ports an unsafe one? Since RDC is so well integrated into Windows does that make the host more vulnerable? Is the RDC/RDP technology fundamentally flawed while the LogMeIn is not? Genuinely curious.
 

dawks

Diamond Member
Oct 9, 1999
5,071
2
81
I'd vote for LogMeIn as well. It doesn't require you open a port in the firewall, since it does NAT-T. You log in to the website, then have to log in again to the computer. It also allows you to do IP restrictions, and I think you can limit it to a block, so you could say only a range of IPs in your area on your ISP (if you really wanted to) have access.

Additionally, you don't have to worry about figuring out the IP address (not a big deal if you have a static IP). LogMeIn checks in with the server and updates its IP address so you can always find it automatically.

I've been doing remote stuff since RDP shipped with XP and LogMeIn is by far the best experience thus far. Like one other has said, it can be slow sometimes, other times it's silky smooth.

If you're really set on using RDP, you could also use LogMeIn Hamachi. You install the client on each computer, and it gives you a new software network adapter with an IP in the 5.x.x.x range (private). It basically creates an always on VPN. You can then do most networking like you would if the computer was on your local LAN like file sharing. You can also use RDP over it. It gives you the benefit of some extra encryption (RDP is already encrypted), and again no port forwarding, and no need to worry about IPs. The LogMeIn Hamachi client takes care of all that. I was using Hamachi before LogMeIn bought it, and still love it.

As for password strength, taking a decent password, and padding it gives you an easy to remember but strong password. Given you use a big enough character set, length trumps complexity.

So Rdp00%%%%%%%%%%%%%%%%%%%%%% is actually a very strong password. There's nothing to give a hacker/cracker any hint that there's a repeating character, they either get the password or dont. In this case you'd technically need to try an uppercase character (26 possibilities), a lower case character (26 possibilities), a number (10 possibilities), and a symbol (I counted 31 possibilities on my keyboard) in EACH position to properly crack that password. See GRC Password Haystacks. https://www.grc.com/haystack.htm

Also as mentioned with LogMeIn or RDP you can set it up so they don't have to worry about passwords, you simply create an account and use that for remote support access. Technically, their accounts don't even need passwords, if you make sure they aren't in the Remote Desktop Users group. And another win for LogMeIn, is that you can connect straight to the login screen (RDP will only log you in to a specific user account). So in one session you can log in to multiple users. It's more of an at-the-computer-console experience in that sense.
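
The per-position counting described in this post, combined with the account lockout advice earlier in the thread, to estimate how long an online guessing attack against the RDP login would take. This is an added example, not part of the original posts; the lockout values (5 attempts, 30-minute window and duration) and the padding length are this example's assumptions, and the alphabet is taken to be the character classes the password actually uses.

```python
import string

# Class sizes as counted in the post (31 symbols is the poster's keyboard count).
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 31}

def alphabet_size(password):
    """Sum the sizes of the character classes that appear in the password."""
    used = set()
    for c in password:
        if c in string.ascii_uppercase:
            used.add("upper")
        elif c in string.ascii_lowercase:
            used.add("lower")
        elif c in string.digits:
            used.add("digit")
        else:
            used.add("symbol")
    return sum(CLASS_SIZES[name] for name in used)

def search_space(password):
    """Exhaustive search: every position may hold any character of the alphabet."""
    return alphabet_size(password) ** len(password)

def guesses_per_day(threshold, window_min, duration_min):
    """Upper bound on guesses per day against one account under lockout.
    A: trip the lockout and wait it out (threshold guesses per duration).
    B: stay one below the threshold in every counter-reset window.
    duration_min == 0 means locked until an administrator unlocks: only B applies."""
    trip = threshold * (1440 / duration_min) if duration_min else 0
    stay_under = (threshold - 1) * (1440 / window_min)
    return max(trip, stay_under)

def years_to_half_space(password, threshold=5, window_min=30, duration_min=30):
    """Years to cover half the search space at the lockout-limited rate."""
    rate = guesses_per_day(threshold, window_min, duration_min)
    return search_space(password) / 2 / rate / 365

# Padded password in the style of the post; the pad length is constructed here.
PADDED = "Rdp00" + "%" * 22
CANDIDATES = ["york23", "newyork23", "newyorkdelisarethebest", PADDED]

if __name__ == "__main__":
    for pw in CANDIDATES:
        print("%-28s alphabet=%2d  years=%.3g"
              % (pw, alphabet_size(pw), years_to_half_space(pw)))
```

This counts exhaustive guessing only: a password built from dictionary words, such as "newyork23", can fall to a wordlist long before the search space is covered.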
 

vulcanman

Senior member
Apr 11, 2001
614
0
0
The other thing you should consider doing ... install VMWare Player on their computer and create a Win7 Virtual Machine. Within this VM do the following:

- Create a Standard user with non-Admin rights.
- Install Chrome and uninstall Flash from Windows 7. Chrome has built-in Flash.
- Install BoxCryptor and Dropbox.
- Have them use this VM for doing all their finance and email stuff.


Let them use the host OS for all the general browsing.

If a hacker breaks into their machine ... he cannot get access to the VM and even if he did ... the data would be stored within BoxCryptor with an encrypted copy in the Dropbox cloud.
 

Emulex

Diamond Member
Jan 28, 2001
9,759
1
71
RDP is safe as long as you use extremely good passwords and deny all older versions. Then set it to like port 587 or something other than 3389.

The deny older versions is the key - the attack vector was because it would allow connections to the pc then authenticate - now it requires authentication before anything.

And if you think logmein etc are unhackable - you are naive. Everything is.

Strong passwords. Change them periodically. Pray.

I'd bet $500 they'll hit a drive-by email or website (flash/java/office) bug before someone brute forces a decent password. If they can't type in a good password, $17 buys you a fingerprint reader on amazon. You can change the password every day if you want to remotely and they just keep scanning their finger.

A hacker can set up a keylogger in ring-0 and you'd never know - you do realize you can run ESXi 5 inside vmware workstation? Trust me there are 100's of easier ways into their machine than brute forcing RDP - most HIPS (symantec endpoint) will block someone after numerous same-ip RDP login failures. Most IPS/IDS as well. If you want to get hardcore, set up a router for them and use port-knocking to enable the RDP pass-through. It's easy and if someone can guess a 5 port knock sequence (say based on date or those cheap RSA keys) then you must be hacked too.
 