The Dangers of Using RDP Without a VPN
February 3, 2008
Connecting to a network via Remote Desktop Protocol (RDP)/Terminal Services without a VPN is very dangerous. I'm amazed by how many companies allow RDP (TCP port 3389) into their networks without first establishing a VPN to protect this (and other) traffic. By default, RDP traffic is encrypted, but it's still subject to Address Resolution Protocol (ARP) poisoning, in which a client can be fooled into connecting to a rogue server in a man-in-the-middle attack. Because the authentication process during an RDP session is weak, a system acting as the rogue server can intercept all of the RDP traffic and decrypt it. Microsoft acknowledged the problem and released a new version of the RDP client with Windows XP Service Pack 2 (SP2); however, even this version is still subject to a man-in-the-middle attack.
If you need to allow RDP connections from remote locations, make sure to establish a site-to-site VPN tunnel before allowing this type of traffic into your network. Even computers that have a VPN client aren't secure, because hackers often go after the poorly protected client endpoints of the RDP session. To protect RDP traffic on a broadband connection, make sure to use a firewall-to-firewall VPN.
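As an added example (not part of the original post), here is a small Python audit that flags inbound firewall rules allowing port 3389 from anything other than the VPN tunnel's address space, which is the "RDP only over the VPN" policy described above. The rule listing and the 10.8.0.0/24 tunnel subnet are constructed assumptions; substitute your own firewall export and tunnel range.

```python
import ipaddress
import re

# Constructed sample in the key/value style of a Windows Firewall rule listing.
SAMPLE_RULES = """\
Rule Name:  Remote Desktop (TCP-In)
Direction:  In
RemoteIP:   Any
LocalPort:  3389
Action:     Allow

Rule Name:  Remote Desktop via VPN
Direction:  In
RemoteIP:   10.8.0.0/24
LocalPort:  3389
Action:     Allow

Rule Name:  HTTPS
Direction:  In
RemoteIP:   Any
LocalPort:  443
Action:     Allow
"""

VPN_SUBNETS = [ipaddress.ip_network("10.8.0.0/24")]  # assumed tunnel address space

def parse_rules(text):
    """Split the listing into one dict per blank-line-separated rule."""
    rules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        rules.append({k.strip(): v.strip() for k, _, v in pairs})
    return rules

def source_is_vpn_only(remote_ip, vpn_subnets):
    """True only if every listed source range lies inside a VPN subnet."""
    try:
        nets = [ipaddress.ip_network(s.strip(), strict=False) for s in remote_ip.split(",")]
    except ValueError:  # "Any", "LocalSubnet" and similar keywords: not VPN-restricted
        return False
    return all(any(n.version == v.version and n.subnet_of(v) for v in vpn_subnets)
               for n in nets)

def exposed_rdp_rules(text, vpn_subnets=VPN_SUBNETS):
    """Names of inbound allow rules for port 3389 reachable from outside the VPN."""
    return [r["Rule Name"] for r in parse_rules(text)
            if r.get("Direction") == "In" and r.get("Action") == "Allow"
            and r.get("LocalPort") == "3389"
            and not source_is_vpn_only(r.get("RemoteIP", "Any"), vpn_subnets)]
```

Running `exposed_rdp_rules(SAMPLE_RULES)` on the sample flags only the first rule, the one that admits RDP from any address.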
— Alan Sugano