Allow RDP for public web server?

Is this a huge security flaw, allowing a user to connect to your server via Remote Desktop? Right now I have a setup where I only allow a couple of IP addresses to connect through the RDP port, but I am thinking of removing that and allowing all IP connections, so I can use RDP from my iPhone if there is any problem while I'm not at home.

So, if I have a secure password, do you guys think this is a bad idea? Is there anything else I can do to make it more secure but still be able to connect from "anywhere"? Is it possible, for example, to set up a page I have to visit to "allow login for 2 hours"? Some kind of security through obscurity?

Thanks for any help I can get.

+2

3 answers


Maybe you should post this question to serverfault. But anyway.



If you only use username/password as the access method, then it will be very easy for an attacker to block the user (or all users; they should not even have access rights to the terminal). So yes, that would be a huge security flaw. There are many ways to protect this pleasure and make RDP available anywhere, but I am not familiar with any of them.

0


Two-factor authentication is very often used for any remote access to corporate servers. In many companies you will see RSA tokens used as the second factor, although I prefer to use SMS. It doesn't matter which two of the factors you use: something you know, something you have, something you are.



Unless your company wants to implement a second factor, I would still not recommend a publicly open RDP interface. It is open to brute-force attacks, OS exploits, or just plain old denial of service (if I flood your public interface with traffic, it will slow down your company's legitimate use of the machine). At the very least, I would look at tunneling over SSH, perhaps with client-side certificate authentication, or I would use port knocking to open the server interface first.

0


This is a security flaw, but not that huge. The traffic is encrypted, and reading the username or password from it is not straightforward, as it is in text-based protocols such as FTP. It is slightly less secure than SSH.

It obviously has the same disadvantages as any other remote access (possible brute-force or DoS attacks). You should also use a non-default account name to avoid making things easier for attackers.

Your idea to open access only after visiting some page is not bad. It is a variation on the classic port knocking mechanism (but be careful not to open a larger hole).

0
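The "allow login for 2 hours" idea from the question, as an added example that is not from any of the answerers: a Windows Firewall rule that admits RDP from one client address only and removes itself when the window expires. It assumes Windows with the NetSecurity cmdlets (`New-NetFirewallRule`, `Register-ScheduledTask`), an elevated session, RDP on the default TCP port 3389, and that the existing baseline rule still restricts 3389 to the fixed IP addresses (the built-in "Remote Desktop" rule must not already allow any address, or this adds nothing); the parameter and rule names are my own choices.

```powershell
# Added example (not from the thread): time-limited RDP allow rule for a single client IP.
# Assumes NetSecurity cmdlets, an elevated session, RDP on TCP 3389, and a baseline
# rule that already limits 3389 to the fixed addresses. The temporary rule is removed
# again by a scheduled task when the window ends.
param(
    [Parameter(Mandatory)] [string] $ClientIp,   # the phone's current public IP
    [int] $Hours = 2,
    [string] $RuleName = "RDP temporary allow"   # hypothetical rule name
)

# Accept only a single IPv4 host address. A CIDR range or "Any" here would be the
# "larger hole" the third answer warns about.
if ($ClientIp -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
    throw "ClientIp must be a single IPv4 host address, got '$ClientIp'"
}

# Drop a stale rule from an earlier window so only one temporary entry ever exists.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Inbound allow for this one address on the RDP port only.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $ClientIp -Action Allow -Profile Any | Out-Null

$expires = (Get-Date).AddHours($Hours)
Write-Host "RDP allowed from $ClientIp until $expires"

# Schedule the removal so the opening closes even if nobody remembers to close it.
$action  = New-ScheduledTaskAction -Execute "powershell.exe" `
    -Argument "-NoProfile -Command `"Remove-NetFirewallRule -DisplayName '$RuleName'`""
$trigger = New-ScheduledTaskTrigger -Once -At $expires
Register-ScheduledTask -TaskName "$RuleName cleanup" -Action $action -Trigger $trigger `
    -RunLevel Highest -Force | Out-Null
```

Whatever web page triggers this script must itself require authentication (and ideally the second factor the second answer describes), otherwise the page just becomes the new unauthenticated front door.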