Is Remote Desktop to Workstations Secure?
I have users that want to use Remote Desktop for remote access to their workstations. I have a RADIUS-connected VPN server that I use; however, I remember to connect and disconnect rather than send web traffic over the VPN.
I doubt they will do this, because the previous IT consultant left them RDP open and didn't even suggest changing passwords such as 1234, password and {insert child/pet name}. Now they have to use the password policy that R2 ships with, so I know we are more secure in that regard.
So the most important issue is: how dangerous is leaving 7 and XP Remote Desktop open to the internet?
Solution 1:
If you have passwords set to be of a decent length and complexity, RDP is encrypted, so it is, for the most part, secure. I personally wouldn't do it, preferring to use something like a Cisco VPN client on workstations and then VPN to the workstation rather than leaving it open to the webbertubes. RDP can be susceptible to MITM attacks, and you'll probably get bots and scans that will probe them.
I'd also set your policy to lock out accounts after 3 incorrect password attempts to prevent/minimize brute-force attacks.
Summary: it's probably secure enough to do this, but it's bad practice and should be avoided.
EDIT: there are worms that attack RDP, so you'll want to be mindful of this in enforcing your policies, e.g. Morto.
Solution 2:
I wouldn't generally recommend using RDP directly over the Internet, if only because using a VPN gives you an additional layer of authentication (and the possibility to easily integrate hardware tokens). The RDP protocol does include encryption and, if you're using the newest versions of the RDP client, authentication of the remote server (and potentially mutual authentication via Kerberos: "Network Level Authentication", or NLA in Microsoft parlance).
The main problem with RDP isn't the protocol, but rather problems with brute-force password attempts. Your edge firewall can, hopefully, rate-limit new connection attempts. There are host-based solutions to block IP addresses sourcing repeated brute-force connection attempts, but that's only putting a finger in the dike. Good password policy is helpful, but you can't ever be sure that your users aren't using the same passwords somewhere outside of your control (a third-party site that gets "owned", etc.). Adding VPN authentication on top of the RDP password gives a belt-and-suspenders approach.
The "con" that I've heard expressed with VPNs versus direct RDP relates to the IP-level connectivity to the LAN afforded to VPN clients. To this, I'd say simply terminate your VPN in a DMZ and limit the traffic in and out of the VPN. This isn't a valid argument for using RDP over the Internet versus a proper VPN.
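Both answers come back to the same operational question: how do you notice the password guessing that an exposed RDP listener attracts, and what would a 3-strikes lockout (Solution 1) or a host-based IP blocker (Solution 2) actually trip on? The following is an added example, not code from either answer. It runs a sliding-window count over Windows Security failed-logon events (event ID 4625), grouped once by source IP and once by account, using constructed sample lines in a simple pipe-delimited shape that is assumed to come from a SIEM export or a `Get-WinEvent` projection; the field layout, thresholds and windows are this example's assumptions, not anything the page specifies.

```python
"""
Spot RDP password guessing in Windows Security failed-logon events (4625).

The sample lines below are constructed for this example and mimic a
"timestamp|event_id|logon_type|account|source_ip" export; they are not a
real log. Thresholds and windows are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon type 10 = RemoteInteractive (RDP). With NLA enabled, failed attempts
# are frequently recorded as logon type 3 (Network) instead, so both count;
# type 2 (Interactive, console) is ignored as not coming via RDP.
RDP_LOGON_TYPES = {3, 10}

SAMPLE_LOG = """\
2012-03-01T08:00:01|4625|10|administrator|203.0.113.9
2012-03-01T08:00:02|4625|10|administrator|203.0.113.9
2012-03-01T08:00:04|4625|10|admin|203.0.113.9
2012-03-01T08:00:05|4625|3|guest|203.0.113.9
2012-03-01T08:05:00|4625|10|jsmith|198.51.100.7
2012-03-01T08:10:00|4625|10|administrator|192.0.2.44
2012-03-01T08:15:00|4624|10|jsmith|198.51.100.7
2012-03-01T08:20:00|4625|2|jsmith|127.0.0.1
2012-03-01T09:00:00|4625|10|jsmith|198.51.100.7
"""


def parse_events(text):
    """Parse pipe-delimited lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, event_id, logon_type, account, ip = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account.lower(),   # Windows account names are case-insensitive
            "ip": ip,
        })
    return events


def failures_by_key(events, key, threshold, window):
    """
    Sliding-window count of RDP-related 4625 failures grouped by `key`
    ("ip" or "account"). Returns {value: peak failures inside any interval
    of length `window`} for the values that reach `threshold`.
    """
    recent = defaultdict(deque)   # per key: timestamps still inside the window
    peak = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4625 or ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        q = recent[ev[key]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        peak[ev[key]] = max(peak[ev[key]], len(q))
    return {k: n for k, n in peak.items() if n >= threshold}


def bruteforce_sources(events, threshold=3, window=timedelta(minutes=10)):
    """Source IPs a host-based blocker (Solution 2) would act on."""
    return failures_by_key(events, "ip", threshold, window)


def accounts_to_lock(events, threshold=3, window=timedelta(minutes=30)):
    """Accounts a 3-strikes lockout policy (Solution 1) would lock."""
    return failures_by_key(events, "account", threshold, window)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("block candidates  :", bruteforce_sources(evs))   # {'203.0.113.9': 4}
    print("lockout candidates:", accounts_to_lock(evs))     # {'administrator': 3}
```

Two things the sample is built to show: the per-IP view flags only the host that hammered several accounts in quick succession, while a user who mistypes once and retries an hour later stays under any sensible threshold. The per-account view, on the other hand, locks `administrator` even though its three failures came from two different addresses, which is exactly why an account-lockout policy on an Internet-facing listener is a double-edged tool: the same rule that stops guessing also lets anyone who knows a username lock it out.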