I'm dealing with a situation where we have several Windows servers and appliances that aren't part of an Active Directory (AD) domain, and they'll never be connected to one. Since these are operational technology (OT) devices, we've encountered some security concerns when using Remote Desktop Protocol (RDP), as it relies on NTLM authentication instead of Kerberos. The risk is relatively low since everything is on-premises, but we're not comfortable with NTLM hashes potentially being exposed on our network. I'm looking for advice on how to effectively wrap RDP sessions in SSH for an added layer of security. I'm okay with performing an extra step for SSH, but I want to make sure the sessions remain stable during use.
5 Answers
One of the simplest methods to encrypt your RDP sessions is to use IPsec within the Windows firewall. This can help secure the connection while still allowing you to use RDP.
We've started using Apache Guacamole for access to our servers. It’s really secure since only the Guacamole server can reach the RDP port, and you can manage authentication credentials separately. It works great!
I've set up an RD Gateway in a DMZ for secure remote desktop connections to OT servers. Plus, segmenting your OT environment into its own domain can enhance security. It’s been effective for years!
You can also tunnel RDP over IPsec, which adds another layer of security to your connections.
Have you considered using something like Bitvise Tunnelier? It allows secure access methods and can help you manage RDP access across your network effectively.
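One way to do what the question asks, as an added example that is not from any answer in this thread: the Windows OpenSSH server on the OT host is restricted to forwarding only its own RDP listener, the network-facing RDP port is blocked, and a client helper opens a keepalive SSH tunnel and points mstsc at loopback. The hostname ot-host-01.example.internal, the user ot-operator and the local port 13389 are placeholders; key-based SSH login is assumed.

```powershell
# Added example (not from the original thread). Assumes the OT host runs the
# Windows OpenSSH server (sshd) and the operator's workstation has the built-in
# ssh.exe and mstsc.exe. Hostname, user and local port are placeholders.

# --- Server side (run once on the OT host, elevated) ---
# Limit what the tunnel may reach: only the local RDP listener. 'Match',
# 'AllowTcpForwarding' and 'PermitOpen' are stock sshd_config directives;
# Match blocks must sit at the end of the file, so the text is appended.
$sshdConfig = "$env:ProgramData\ssh\sshd_config"
Add-Content -Path $sshdConfig -Value @"
Match User ot-operator
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:3389
"@
Restart-Service sshd

# Keep RDP off the wire: block inbound 3389 from the network. Windows Firewall
# does not filter loopback traffic, which is where the SSH forward exits, so
# tunnelled sessions still reach the listener. Confirm SSH works before this.
New-NetFirewallRule -DisplayName "RDP only via SSH tunnel" `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Block

# --- Client side (operator workstation) ---
function Connect-RdpOverSsh {
    param(
        [Parameter(Mandatory)] [string] $SshHost,      # placeholder OT host
        [string] $SshUser = "ot-operator",             # placeholder user
        [int]    $LocalPort = 13389
    )
    # -N: no remote shell. The -L bind address is 127.0.0.1 so other machines
    # cannot ride the forward. Keepalives drop a dead tunnel after ~90 s rather
    # than leaving a half-open session; ExitOnForwardFailure refuses to start
    # if the local port is already in use.
    $tunnel = Start-Process ssh.exe -PassThru -NoNewWindow -ArgumentList @(
        "-N",
        "-L", "127.0.0.1:${LocalPort}:127.0.0.1:3389",
        "-o", "ServerAliveInterval=30",
        "-o", "ServerAliveCountMax=3",
        "-o", "ExitOnForwardFailure=yes",
        "${SshUser}@${SshHost}"
    )
    # Wait until the local forward accepts connections before launching RDP.
    do { Start-Sleep -Milliseconds 500 }
    until ((Test-NetConnection 127.0.0.1 -Port $LocalPort -InformationLevel Quiet) -or $tunnel.HasExited)
    if ($tunnel.HasExited) { throw "ssh tunnel failed to start" }
    # mstsc talks only to loopback; the SSH session carries the RDP stream.
    Start-Process mstsc.exe -ArgumentList "/v:127.0.0.1:$LocalPort" -Wait
    Stop-Process -Id $tunnel.Id -ErrorAction SilentlyContinue
}

Connect-RdpOverSsh -SshHost "ot-host-01.example.internal"
```

The NTLM exchange still happens inside the RDP session, but it now travels only over loopback on both ends and the SSH channel in between, which is the exposure the question is trying to remove.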