#72110
12/18/2017 12:22 PM
Joined: Aug 2009
Posts: 88
Member
OP
A fair amount of my time is spent working remotely using GoToMyPC; however, the costs are starting to pinch. How secure is Remote Desktop [using Win 10] compared to GoToMyPC? Should I be using "virtualization" with either program?
Thanks
Dr. Dinosaur

Joined: Mar 2011
Posts: 837 Likes: 10
Member
I use RDP with port forwarding through my office router to get to my office workstation from home (or any remote location). My IT guy says it is not completely secure, but obviously nothing is if all the big guys are subject to hacking even with their super duper security.
It works really well, I can use Dragon over the connection, and it is built into Windows, and is no extra cost. It is also much clearer than the fuzzy screens of GoTomyPC.
The IT guy says I can improve security by using VPN -- but I haven't got around to it.
Tom Duncan Family Practice Astoria OR

Joined: Dec 2009
Posts: 1,199 Likes: 8
Member
There is nothing wrong with using RDP over the Internet as long as you do the following:
* Keep your system patched every month.
* Have a STRONG password for all user accounts allowed RDP access. And also have a lockout policy to lock the account after 5 or so bad attempts.
* Set the encryption level for RDP connections to HIGH.
* Optional: install an SSL cert to use for encryption from a certifying authority such as Godaddy.
* Do not allow any computer less than Windows 7 to connect. No Windows Vista or XP machines.
* Turn on Network Level Authentication.
Follow the above steps and you'll be fine.
JamesNT
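
The checklist in the post above can be verified on the machine that accepts RDP. The following read-only PowerShell audit is an added example, not part of the original post; it assumes an elevated session on that Windows machine, and the "1 to 5 attempts" and "35 days" pass conditions are assumptions chosen to match "5 or so bad attempts" and "every month".

```powershell
# Added example (not from the thread): read-only audit of the checklist items.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpSetting {
    param([string]$Name)
    # A value pushed by Group Policy takes precedence over the local listener value.
    foreach ($path in @($policy, $listener)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

$nla   = Get-RdpSetting 'UserAuthentication'   # 1 = Network Level Authentication required
$level = Get-RdpSetting 'MinEncryptionLevel'   # 1 Low, 2 Client Compatible, 3 High, 4 FIPS
$layer = Get-RdpSetting 'SecurityLayer'        # 0 RDP, 1 Negotiate, 2 SSL/TLS (certificate)

# Account lockout threshold from the local security policy (0 = never lock out).
$inf = Join-Path $env:TEMP 'rdp-audit-secpol.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
$lockout = 0
$hit = Select-String -Path $inf -Pattern '^LockoutBadCount\s*=\s*(\d+)' | Select-Object -First 1
if ($hit) { $lockout = [int]$hit.Matches[0].Groups[1].Value }
Remove-Item $inf -ErrorAction SilentlyContinue

# Most recent installed update, for the "patched every month" item.
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn | Select-Object -Last 1 -ExpandProperty InstalledOn

[pscustomobject]@{
    NlaRequired          = ($nla -eq 1)
    EncryptionHighOrFips = ($null -ne $level -and $level -ge 3)
    TlsSecurityLayer     = ($layer -eq 2)      # the "optional" certificate item
    LockoutThreshold     = $lockout
    LockoutWithinFive    = ($lockout -ge 1 -and $lockout -le 5)
    LastUpdateInstalled  = $lastPatch
    PatchedWithin35Days  = ($lastPatch -and $lastPatch -gt (Get-Date).AddDays(-35))
} | Format-List
```

Any `False` line points at the checklist item to revisit; the script changes nothing on the system.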

Joined: Mar 2011
Posts: 837 Likes: 10
Member
Thank you James. That recent "cloud" experience is scary -- I like having my own server, but I understand there are risks to that as well.
Tom Duncan Family Practice Astoria OR

Joined: Sep 2003
Posts: 12,877 Likes: 34
Member
So, part of the answer to this question is knowing what your network setup is. What OS on the clients? Are you using Client/Server or Peer to peer? Are you using port 3389 on your router or a different port?
Bert Pediatrics Brewer, Maine

Joined: Dec 2009
Posts: 1,199 Likes: 8
Member
I stated in my answer that clients should be Windows 7 or higher. Client/Server or peer-to-peer is irrelevant. Network setup is assumed to be a firewall/router separating the client network from the Internet like everyone else uses. I always assume port 3389. Changing ports for RDP is nice and all but doesn't really add that much security. I won't stop you from doing it, however. All the same group policy settings for RDP in Windows server are available in Windows client via Group Policy.

Joined: Sep 2003
Posts: 12,877 Likes: 34
Member
Hi Tom,
Let me give you my take on the above question. First, the reason I asked if you were using a server is there was really no reason to go into RD Gateways, etc. if not. Using RDS and RD is more secure than almost any other setup. You can't set up an RDS on a PC. Also, I asked if it was client/domain, because it is safer than P2P.
First, RD Gateway does not remove port forwarding from the equation...it simply moves the forwarding from port 3389 to port 443. No matter how you look at it, getting access via 3389 or any other port via the registry is not as safe as 443. Doing that puts a massive target on your network and opens you up for brute force attacks and significantly increases the likelihood of breach. Hackers routinely scan the Internet for port 3389 as it's a very easy way to get into a network. In smaller environments without a lot of users it can be easier to control passwords and whatnot, but users will always set passwords that aren't secure and having 3389 will eventually allow someone to take advantage of that fact. Moving RDP to port 443 reduces the likelihood of this occurring because the RD Gateway service doesn't respond like an RDP session, so it's less likely to be attacked via scripts designed to attack RDP. Then there is the fact that if you use an SSL certificate which is signed by a trusted certification authority for the RD Gateway server (Yes, it requires a Server OS to have an RD Gateway on your network), only computers trusted by the RD Gateway will be able to connect at all, since RD Gateway refuses connection if the certificate returns an invalid trust for any reason. This is a *much* more secure solution, since you can control who has access to the Root CA Certificate and which devices can install that certificate much more easily than you can control your passwords. You could go around to every computer and use local group policy, etc. or you can lock down your computers and control access via Server Group Policy. There are many reasons to use a server and that is just one of them. But, it gives you almost unlimited control over your environment.
Also, domain is much more secure than workgroup in Windows for a lot of reasons, one of the biggest being that user credentials in a Domain can't be "Cracked" through the use of rainbow tables and other password cracking techniques. There are techniques that can be used to break into a domain and gain administrative access, but password cracking is not generally an effective technique. Group Policy also makes it a lot easier to manage workstations and control access to them. It also provides tools for locking down access to prevent unauthorized use if needed.
GoToMyPC isn't more secure than RD Gateway using an SSL certificate that is signed by a trusted certification as I mentioned, but is potentially more secure than straight RDP. The difficulty in answering this question is that you are dealing with a third party whose security practices are not under your control. If GoToMyPC is compromised in some way, it can cause problems, and other third party remote access applications have had serious vulnerabilities that resulted in session eavesdropping without user knowledge in the past (TeamViewer, specifically, had a problem with this a couple years ago, if I remember correctly).
Bert Pediatrics Brewer, Maine

Joined: Feb 2011
Posts: 679 Likes: 1
Member
Hello and Happy New Year to All,
I would like to ask a broader question for suggestions for remote access software. I have been using LogMeIn happily for years, but they raise their price every year. I am looking for alternatives. I don't want to set up remote desktop, I do like the ease of a third party solution.
Any suggestions from the gurus? I have run across RemotetoPC which is much more affordable, comments?
Donna

Joined: Sep 2003
Posts: 12,877 Likes: 34
Member
Once again, what OS, what setup, i.e. client/server with domain or P2P? What OS on the server? RDP is free and likely more secure than most. Remember, GTMPC, which I believe bought LMI, still has the man/woman in the middle.
One good thing about GTMPC, although you probably wouldn't use it much, is the ability to set up remote sessions where you can get assistance. Like I could log in and see your screen or you could see my screen. Like support with AC or any other company.
For instance, someone could remote in and set up RDP. Personally, I wouldn't use TeamViewer or any other third party than GTMPC/LMI or use the free and basically as secure RDP. Which is also much faster to connect.
Bert Pediatrics Brewer, Maine

Joined: Feb 2011
Posts: 679 Likes: 1
Member
Donna

Joined: Sep 2003
Posts: 12,877 Likes: 34
Member
Well, here we are full circle. P2P vs Client/Server Domain. Donna, please don't take this personally. Even a small office will reap many benefits using a client/server setup. When we "debated" this before, it was always about AC and its need to be on a client/server vs P2P. Those touting the benefits of using a server and a server OS could never really get across that it wasn't all about could a P2P run AC. It was about, yes it could, but can a P2P allow so many other benefits?
So, one is running their office with a client/server setup. The Windows OS will already have RDS and an RD Gateway (Terminal Services before 2008). Here is where RDP would be so simple to set up. Port forward to 443. Port 443 used by RD Gateway and a certificate. Using a 3rd party certificate makes you much more secure. You talk to GoDaddy or DomainIt.com or one of the many other domain/certificate companies, and they will walk you through your domain name and SSL certificate. Microsoft will provide you with a domain name now. Once your remote computer uses RDP, they will use the Gateway to go to any computer on the network. Not to mention Remote Web Access and remote SharePoint, etc.
Group Policy on a server is rather simple and sitting down in front of it and going through the many settings will give you options you didn't even know existed. Users using Control Panel to do certain things? Hide it. Need to change password policy on every computer at once? It takes five seconds. One of my favorites, since I have to work on users' computers all the time and can't find an icon since the background is either loaded with beautiful desert scenes or winter snow drifts or pictures of their kids: I can allow only a black wallpaper. They can't even get to the setting to try to change it. And, of course, setting the password policy to 10 characters, using lower case and upper case and numbers and characters. I don't even allow my users to set their own passwords. I set passphrases or use other methods to allow them to easily remember them without hackers being able to guess them or use brute force. You can do this on each computer separately, but it takes quite a bit of time to go around to each computer and set up. And, don't forget that each client may have five accounts.
It is important to note that you can make RDP much more secure with James' suggestions. Just so you know how to get there, you need to use mmc by typing mmc in a run or search field, then browsing to: Console root\Local computer policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session\Security: then using Set Client Connection Encryption Level and enabling it. Once you get there save it as a favorite. Do this on every computer or just use a Group Policy Object from the server.
I have a friend who has done networking with Microsoft Windows. All the credentials of MVP and MCITP, etc. Every time I screw up and ask him a question about P2P, his reply is I am not wasting my time on a P2P question. It is simply way too difficult.
Just for fun go to a site like http://random-ize.com/how-long-to-hack-pass/ and type in each of your computer passwords and see how long it would take to crack them. Then type in something like "IuseAmazingcharts4(" and it becomes trillions of years to the 5th power. Or use a song like Goodbye Yellow Brick Road and make it gbYbrej5%5 and you get to 609 years. Just capitalizing the Y changes it from 22 years to 609 years. And, these are passwords you can remember for six users. And, they don't need yellow stickies on the back of their computers.
But to answer your original questions, Google https://www.pcmag.com/roundup/355572/the-best-remote-access-software or https://tinyurl.com/yb6r8out and choose what hits you want. Splashtop is pretty good. Notice the https:// on these sites. SSL/443, what banks use. What a server would use with a certificate.
You are a doctor. Plumbers and carpenters go to you for high blood pressure, diabetes, even eczema. Why do doctors not go to reputable IT companies to set up their networks? Just sayin'
Bert Pediatrics Brewer, Maine

Joined: Feb 2011
Posts: 679 Likes: 1
Member
Bert, Thank you. That article is a help, I am going to look at Splashtop.
I do understand that there are many benefits of a server network. But, in my teeny, tiny office with a grand total of 3 computers, P2P is not that hard.
Donna

Joined: Sep 2003
Posts: 12,877 Likes: 34
Member
LOL. No, most people would consider P2P easier. It is sort of a mantra among IT techs that they are more difficult due to not having the same consistent characteristics that a domain does. I am sure my friend could troubleshoot and fix any issues you had. :-)
Bert Pediatrics Brewer, Maine

Joined: Mar 2011
Posts: 837 Likes: 10
Member
So, now what is going to happen to all the Medical Clouds in the era of Meltdown and Spectre?? I'm thinking about returning to 4x6 index cards and a pegboard system. Worked well for a very long time -- no one ever hacked that arrangement. (edited to put URL of the quote).
Tom Duncan Family Practice Astoria OR

Joined: Dec 2009
Posts: 1,199 Likes: 8
Member
As you can imagine, Microsoft has already taken care of this problem in Azure. As far as the other cloud vendors go, the ones who buy servers then pay a datacenter to host them and then resell that server space to others, there is no telling.
If you have data in a cloud other than the big three (Azure, AWS, Google) then I suggest you get someone on the phone.
JamesNT