Lockdown Remote Desktop

For a while, I was a brilliant human and exposed my 3389 port to the world (3389 == Default Remote Desktop Port). So what options do you have for securing yourself while enabling remote desktop over the interwebs? There are 6 main ways to accomplish this:

1. VPN

You knew this one was coming, didn’t you? And this is not the most eloquent way to say this, but: if you don’t want STDs or kids, wrap it up. Now convert STDs to attackers on the internet and kids to the lifetime of un-recoverable data in some cases or things published to the world you didn’t initially intend to have published. But wait, how did that relate to a VPN? VPN is the condom, you are… the other part in the condom. Sincerest apologies for the analogy. The future bullet points won’t be so crude.

2. SSH Tunnel

Took me a long time to actually USE this method, but it is SO FREAKING EASY! Set up a server/firewall/switch to have port 22 exposed. Download and install PuTTY. Type in the port of your exposed SSH port. Before clicking anything else, expand Connection > SSH > Tunnels, then type 3388 in the source port field. Destination type: where 192.x.x.x is the IP of the device you want to connect to, 3389 is the RDP port. Click Add.

Now go back to Session and make sure you have the IP address or domain you will connect to port 22 on. I’d recommend clicking “Save” at this point so you don’t have to type all of that in again. Now click Open and connect to your remote device. You DO have to log in!! Once you’ve logged in, just open remote desktop and type where 3388 is the port you chose in “source port” in the previous step. Congratulations, you’ve connected over an SSH tunnel.
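As an added example (not part of the original post): the same tunnel built with the OpenSSH client instead of PuTTY, plus a check that the local end of the tunnel listens on loopback only. It assumes a Linux client with `ssh` and `ss`; the jump host, user name and the 192.0.2.10 target are placeholders.

```shell
#!/bin/sh
# Added example: OpenSSH version of the PuTTY tunnel (3388 -> RDP host:3389).
# Host names, user and 192.0.2.10 are assumed placeholders.

# valid_port N: succeeds if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_cmd LOCAL_PORT RDP_HOST SSH_USER SSH_HOST [SSH_PORT]
# Prints the ssh command line; fails without output on a bad port.
tunnel_cmd() {
    lport=$1 rdp_host=$2 user=$3 ssh_host=$4 ssh_port=${5:-22}
    valid_port "$lport" && valid_port "$ssh_port" || return 1
    # -N                    forwarding only, no remote shell
    # 127.0.0.1:...         bind the local end to loopback, so other machines
    #                       on your network cannot ride the tunnel
    # ExitOnForwardFailure  quit if the local port cannot be bound, instead of
    #                       leaving a session open with no tunnel behind it
    printf 'ssh -N -p %s -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:3389 %s@%s\n' \
        "$ssh_port" "$lport" "$rdp_host" "$user" "$ssh_host"
}

# loopback_only PORT: reads `ss -ltn` output on stdin.
# Succeeds only if PORT is listening and every listener is on loopback.
loopback_only() {
    awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] != p) next
            found = 1
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
        }
        END { exit (found && !bad) ? 0 : 1 }'
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE='LISTEN 0 128 127.0.0.1:3388 0.0.0.0:*'
tunnel_cmd 3388 192.0.2.10 admin jump.example.net
printf '%s\n' "$SAMPLE" | loopback_only 3388 && echo "3388 is loopback-only"
```

With the tunnel up, the Remote Desktop client connects to 127.0.0.1:3388; on a live system, feed `ss -ltn` into `loopback_only 3388` to confirm the forwarded port is not listening on 0.0.0.0.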

3. Firewall

Firewalls are good stuffs. You can use the built-in Windows Firewall, your network firewall (like pfSense), or something further out of bounds. Regardless of your choice, if you limit it to only the IPs you need, this is a fairly safe route as well. And while you're at it with this one, why not add a custom RDP access port in there?

4. Alternative software

There are software utilities like RDSKnight out there that you could technically use to accomplish this same thing. It has a few more built-in tools than just a firewall, like geo-blocking, user restrictions, time restrictions, etc. Or maybe TeamViewer/ScreenConnect/some other utilities similar in function?

5. Two Step Authentication

Let’s say you do decide to leave yourself exposed. At least try something like Duo.

6. Don’t open it at all.

Admittedly, you don’t have to open it at all. At the end of the day, you do you!
