8

I've heard from more than one IT Manager that they don't allow users to use RDP to connect to their internal network from the outside, because it's not safe. They claim that if they allowed their users to do so, then anyone from the outside would have access to their network as well.

I'm not getting it. In order to use RDP, you need a user name and password, and you can't get in without it. The same goes for using Gmail, online banking, and any other web service.

So what do they use instead? LogMeIn. Or a VPN connection, and then use internal RDP. VPN also requires a user name and password.

If they're afraid of a brute-force attack, then someone can brute-force attack the VPN server or LogMeIn just the same. And if these other technologies have lockouts (after x number of failed attempts) then why can't the same be set up for RDP?

Similarly, people always say that VPN is very secure because it uses a "tunnel". I don't fully understand what that means, but regardless, why can't the username and password be cracked the same way any website or web service which uses a user name and password can be?

as9876
  • I have actually heard that any remote app that uses WinVNC is considered non-secure. RDP had not been an issue in the workplace because you have to have VPN login first into the domain. Did just hear that LogMeIn is no longer free (the less-than-10-user version). TeamViewer may be the next up-and-comer. – Leptonator Jan 27 '14 at 23:18
  • @Leptonator, I'm talking about RDP from the _outside_, with a static IP, _without_ doing VPN first. – as9876 Jan 27 '14 at 23:20
  • Great question as9876, and 4 years later no one has answered it lol! Methinks the IT managers you heard from read about it somewhere or some vendor salesperson told them, and the myth stuck. Having said that, I have used VPN clients that required no username / password, i.e. all the internals are hidden and only work from my specific laptop. Similarly for other users. Does it make it more secure? Not sure... what if someone stole my laptop? – joedotnot Jun 23 '18 at 01:33
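
The lockout the question asks about ("after x number of failed attempts"), replayed over constructed logon attempts; this is an added example, not part of the original post or its comments. The threshold, counting window and lockout duration are assumed values and `apply_lockout` is a hypothetical name; nothing in the logic depends on which service received the attempt.

```python
from datetime import datetime, timedelta

# Constructed sample data: (timestamp, account, password_was_correct).
EVENTS = [
    ("2014-01-27 23:00:00", "alice", False),
    ("2014-01-27 23:00:20", "alice", False),
    ("2014-01-27 23:00:40", "alice", False),  # third failure inside the window
    ("2014-01-27 23:01:00", "alice", True),   # real user, correct password, during lockout
    ("2014-01-27 23:05:00", "bob", False),
    ("2014-01-27 23:20:00", "bob", False),    # earlier failure has aged out of the window
    ("2014-01-27 23:21:00", "alice", True),   # lockout has expired
    ("2014-01-27 23:22:00", "bob", True),
]

def apply_lockout(events, threshold=3, window=timedelta(minutes=10),
                  duration=timedelta(minutes=15)):
    """Replay logon attempts under a threshold/window/duration lockout policy.

    Returns (timestamp, account, outcome) tuples where outcome is one of
    'ok', 'failed', 'locked' (this attempt triggered the lockout) or
    'rejected' (attempt refused because the account is locked).
    """
    failures = {}      # account -> timestamps of recent failed attempts
    locked_until = {}  # account -> time at which the lockout ends
    results = []
    for ts, account, password_ok in events:
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if now < locked_until.get(account, datetime.min):
            # A locked account refuses every attempt, including correct ones.
            results.append((ts, account, "rejected"))
            continue
        if password_ok:
            failures.pop(account, None)  # a success resets the counter
            results.append((ts, account, "ok"))
            continue
        # Count only failures that are still inside the counting window.
        recent = [t for t in failures.get(account, []) if now - t < window]
        recent.append(now)
        if len(recent) >= threshold:
            locked_until[account] = now + duration
            failures[account] = []
            results.append((ts, account, "locked"))
        else:
            failures[account] = recent
            results.append((ts, account, "failed"))
    return results
```

The fourth event shows the cost of the control: while the account is locked, the legitimate user is refused as well.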

1 Answer

6

With proper configuration, RDP is capable of 128-bit RC4 encryption, virtually any port or set of port allocations, and has proven to be relatively bug-free, with only extremely minor flaws ever discovered.

On the other hand, the secure tunnel created in a VPN is far more secure than Remote Desktop. All your data is encrypted for safe transfer from one remote location to another. Moreover, VPN only allows shared content to be accessed remotely to tighten the security. If your device falls in the wrong hands, they won’t be able to access and manipulate unshared data and resources.

The bottom line is that both RDP and VPN have their own advantages; however, with high security, better performance and manageability, VPN seems to be a clear winner in the competition of Remote Desktop vs. VPN service.

Rose Ab
  • I don't see how connecting a user's home computer on your network over VPN is considered more secure than only allowing access over a secure RDP connection to a computer that is already on your network. Isn't the attack surface of an entire home computer, plus the VPN protocol, much larger than the attack surface of only the RDP protocol? – Lee Jensen Apr 19 '17 at 23:17
  • If RDP encrypts data and VPN tunnel encrypts data, is the transfer of the data over VPN tunnel really any more secure? RDP can be configured to allow only restricted users to connect (limiting access to data and resources this way). Also, there are some old VPN protocols that are deemed insecure (e.g. PPTP), but you can still find companies that use it (I had a client last year that used it). So, saying VPN is far more secure is overgeneralizing at least. It depends on protocols used and configuration. – zigzag Mar 19 '20 at 11:38