Thursday, April 11, 2019

New RDP Compliance options

Hello.

I am an administrator at a small business who was just given some new requirements by a big customer for our server network/RDP environment. Their new rules are:

Can't use standard RDP port

Must only allow access from trusted subnet

Can't access from outside.

I was never foolish enough to have an internet facing RDP port listening. Since getting this, I have created a group policy that changes the port that all machines in the "server" OU use for RDP connections from the standard to some number we made up. Let's use 90210 for an example.

However, I am wondering about the subnet portion. Everything I read online says you should use the Windows Firewall to do this but that seems clunky to me. I'm wondering if I can just put an ACL on the server Vlan interface on our core switch that could do the job quickly and easily?

Would something like this work?

10 permit tcp (the.trusted.subnet) (the.server.subnet) eq 90210

20 deny tcp any (the.server.subnet) eq 90210

30 permit ip any any

Does this seem like a good thing to do or am I totally on the wrong track here? Any ideas of the best way to implement this would be appreciated!! Thanks!
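As an added illustration (not part of the post above), here is a small Python model of how a switch evaluates the proposed three-line ACL: first match wins, with the platform's implicit deny at the end. The subnets are constructed placeholders, and the RDP port is 3390 as a stand-in, since TCP port numbers are 16-bit and cannot exceed 65535.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder values; substitute the real trusted/server subnets.
TRUSTED = ipaddress.ip_network("10.10.10.0/24")   # the.trusted.subnet
SERVERS = ipaddress.ip_network("10.20.20.0/24")   # the.server.subnet
RDP_PORT = 3390  # stand-in for the moved RDP port (TCP ports are 0-65535)

@dataclass
class Ace:
    """One access-control entry, like a numbered line of an extended ACL."""
    seq: int
    action: str                                   # "permit" or "deny"
    proto: str                                    # "tcp" or "ip" (ip = any protocol)
    src: Optional[ipaddress.IPv4Network]          # None means "any"
    dst: Optional[ipaddress.IPv4Network]          # None means "any"
    dport: Optional[int]                          # None means any destination port

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "ip" or self.proto == proto)
                and (self.src is None or src in self.src)
                and (self.dst is None or dst in self.dst)
                and (self.dport is None or self.dport == dport))

# The three lines proposed in the post, in sequence order.
ACL = [
    Ace(10, "permit", "tcp", TRUSTED, SERVERS, RDP_PORT),
    Ace(20, "deny",   "tcp", None,    SERVERS, RDP_PORT),
    Ace(30, "permit", "ip",  None,    None,    None),
]

def evaluate(acl, proto, src, dst, dport):
    """First-match evaluation; returns (action, matching sequence number).

    Caveats a switch ACL shares with this model: it is stateless, it only sees
    traffic that is routed through the interface it is applied to (two hosts in
    the same VLAN never pass this check), and line 20 is TCP-only, so any
    non-TCP traffic to the same port falls through to line 30 and is permitted.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action, ace.seq
    return "deny", None  # implicit deny at the end of every ACL

if __name__ == "__main__":
    for flow in [("tcp", "10.10.10.5", "10.20.20.7", RDP_PORT),
                 ("tcp", "192.168.1.9", "10.20.20.7", RDP_PORT),
                 ("tcp", "192.168.1.9", "10.20.20.7", 443)]:
        print(flow, "->", evaluate(ACL, *flow))
```

Note the direction when applying it: traffic heading toward the servers leaves the switch through the server VLAN interface, so on that interface the list must be applied outbound (or inbound on the interfaces the clients arrive through).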
