Is it a valid security decision to protect exposed RDP servers by restricting IP addresses with a firewall?

As you probably all know, new security flaws continue to emerge in RDP for Windows. I have googled and read about this issue, and possible fixes/solutions.

It surprises me that no one mentions limiting the IP scope in the Windows Firewall as a possible fix (so that only your IPs can connect to the machine). I guess this is because, for some reason, it is not a good solution (I am no expert).

So my question is, what is wrong with this solution?


Part of the reason you're not seeing that advice as a potential fix is that it isn't a fix, merely a work-around. By setting up an IP block that way you're limiting the scope to something similar to the scope presented by a VPN server that allows anyone with the right credentials to connect to it. It limits the scope of the vulnerability, but it doesn't mitigate it.

The failure mode is that one of the trusted IPs will become infected with some badware that has an RDP vuln-scanner on it, and then you're off to the races.

However, limiting the IP scope for the service vastly reduces the exposure this problem presents! Still a good idea.


Nothing, in the appropriate circumstances. We do it for customers all the time.

The problem comes when you don't realise (or forget) that you've got IP address restrictions in place, and your last (or only) RDP-accessible IP address changes -- suddenly, you're locked out, and you can't fix it (because you're locked out).

We've solved the problem at work by adding our staff VPN ranges (which are RFC1918 and hence not likely to be forcibly renumbered) to the allowed IP ranges on all customer servers, so if a customer gets locked out they can always call us up to get the restrictions changed. We also have remote console access to everything (either via the VM host console, or iDRAC, depending on whether it's a VM or physical machine, accessible only via an out-of-band backdoor network with its own, redundant, set of VPN-mediated access restrictions).

However, absent an out-of-band mechanism for (re-)gaining access, IP address restrictions always have that risk of locking yourself out completely (and, depending on your circumstances, possibly irretrievably).
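The scoping described in the first answer and the lockout risk described in the second can be handled together from PowerShell. The following is an added example, not code from the thread or from any of the posters: it narrows the built-in "Remote Desktop" rule group to an allow-list that includes an RFC1918 VPN pool, refuses to apply the change if the session running it would itself be cut off, and registers a timed rollback as a safety net. It assumes Windows 8 / Server 2012 or later (NetSecurity, NetTCPIP and ScheduledTasks modules), an elevated session, and the default listener port 3389; every address in it is a constructed placeholder.

```powershell
# Added example: scope RDP to an allow-list with lockout guards (not from the original thread).
# Assumptions: Windows 8 / Server 2012+, elevated session, RDP on the default port 3389.

# Constructed allow-list. The VPN pool is RFC1918 so it survives a public-address change.
$AllowedRemote = @(
    '203.0.113.10',   # placeholder: office public address (TEST-NET-3)
    '10.8.0.0/24'     # placeholder: staff VPN pool
)

function ConvertTo-UInt32Address {
    # IPv4 dotted-quad -> unsigned 32-bit integer for prefix matching.
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                   # network order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-AddressInAllowList {
    # True if $Address is an exact entry or falls inside an IPv4 CIDR entry of $AllowList.
    param([string]$Address, [string[]]$AllowList)
    if ($AllowList -contains $Address) { return $true }
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }   # only exact matches for IPv6
    $addr = ConvertTo-UInt32Address $Address
    foreach ($entry in $AllowList) {
        $net, $bits = $entry -split '/'
        if (-not $bits) { $bits = 32 }
        $mask = [uint32](([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
        if (($addr -band $mask) -eq ((ConvertTo-UInt32Address $net) -band $mask)) { return $true }
    }
    return $false
}

function Get-CurrentRdpClientAddress {
    # Remote ends of established connections to the listener; empty when run from the console.
    (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue).RemoteAddress
}

function Register-RdpScopeRollback {
    # Safety net: a SYSTEM task that reopens the scope after $Minutes unless unregistered first.
    param([int]$Minutes = 10)
    $cmd     = "Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress Any"
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -Command `"$cmd`""
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes($Minutes)
    Register-ScheduledTask -TaskName 'RdpScopeRollback' -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
}

function Set-RdpAllowList {
    param([string[]]$AllowList, [switch]$Force)
    # Guard 1: refuse to cut off the session that is applying the change.
    foreach ($client in @(Get-CurrentRdpClientAddress)) {
        if (-not (Test-AddressInAllowList -Address $client -AllowList $AllowList) -and -not $Force) {
            throw "Current RDP client $client is not in the allow-list; refusing to apply (use -Force)."
        }
    }
    # Guard 2: timed rollback in case the new scope is wrong after all.
    Register-RdpScopeRollback -Minutes 10
    # Scope the whole built-in group so no default rule keeps allowing 'Any'.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AllowList
}

function Get-RdpAllowList {
    # Read back the effective remote-address scope of every Remote Desktop rule.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Get-NetFirewallAddressFilter |
        Select-Object -ExpandProperty RemoteAddress
}

Set-RdpAllowList -AllowList $AllowedRemote
Get-RdpAllowList
# After confirming a fresh connection from an allowed address still works:
# Unregister-ScheduledTask -TaskName 'RdpScopeRollback' -Confirm:$false
```

The rollback task is the point of the design: it turns "locked out irretrievably" into "locked out for ten minutes", which is the same idea as the out-of-band console access described above, implemented in software for hosts that have no iDRAC or hypervisor console. Cancel it only after a second session from an allowed address has been verified.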


Nothing. It's a great solution if you open your RDP to the internet. Another best practice is to move the internet facing side to a different port (other than 3389).

The only reason I can think of is that folks are too lazy to maintain a possibly changing IP restriction range in the firewall.

RDP is as secure as any other protocol - as long as it's managed correctly.