Is Remote Desktop Connection Login secure over wireless?

Guest
Archived from groups: microsoft.public.windows.server.security,microsoft.public.windowsnt.terminalserver.connectivity,microsoft.public.windowsnt.terminalserver.protocols.rdp

Greetings experts!

When I am using free public wireless hotspots such as coffee-houses, etc.,
the security warning indicates that the connection is not secure, and I
understand that (essentially :)

My question is: If I use an un-secured wireless network connection, then
attempt to use Windows Remote Desktop Connection to connect to my PC at
home, is the username and password I type into the Remote Desktop Connection
settings encrypted or otherwise protected? Or am I at risk of hackers
intercepting the login credentials I pass to RDC?

Thanks!
 
Guest

The secure tunnel is created before you enter your credentials and even then
your password is never sent over the network. However I would never enter my
credentials on a public kiosk computer or other computer that I do not know
is secure/clean. From your description it sounds as if you are using your
own laptop. --- Steve


"Mark Findlay" <mfindlay@speakeasy.org> wrote in message
news:%23ZSCsSkiFHA.500@TK2MSFTNGP09.phx.gbl...
> Greetings experts!
>
> When I am using free public wireless hotspots such as coffee-houses, etc.,
> the security warning indicates that the connection is not secure, and I
> understand that (essentially :)
>
> My question is: If I use an un-secured wireless network connection, then
> attempt to use Windows Remote Desktop Connection to connect to my PC at
> home, is the username and password I type into the Remote Desktop
> Connection settings encrypted or otherwise protected? Or am I at risk of
> hackers intercepting the login credentials I pass to RDC?
>
> Thanks!
 
Guest

Thanks Steve,

Just to clarify my understanding: the "secure tunnel" you refer to - that's
something that RDC creates automatically on my behalf? In other words, there
are no special configurations or special connection settings I need to
create on my laptop or the target PC? I only ask since I had seen some
references in other postings to private VPN etc., and I don't have any of
that set up. I am just using the default installations of XP on both laptop
and PC.

If there are any special configuration steps I need in order to establish
the "secure tunnel", could you elaborate on those?

Many thanks!
Mark

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:eIHF00kiFHA.2644@TK2MSFTNGP09.phx.gbl...
> The secure tunnel is created before you enter your credentials and even
> then your password is never sent over the network. However I would never
> enter my credentials on a public kiosk computer or other computer that I
> do not know is secure/clean. From your description it sounds as if you are
> using your own laptop. --- Steve
 
Guest

Remote Desktop establishes the tunnel before you log on. You do not have to
do anything special. Just make sure you use real strong passwords on your
computer as others most likely attempt to log on also when they see port 3389
TCP open on your computer. I would also enable auditing of logon events in
Local Security Policy so that you can keep track of such. If you find an
abuser you could try to configure your firewall or IPsec filter to block
access from that person's public IP address. --- Steve


"Mark Findlay" <mfindlay@speakeasy.org> wrote in message
news:eMA8jNyiFHA.1412@TK2MSFTNGP09.phx.gbl...
> Thanks Steve,
>
> Just to clarify my understanding: the "secure tunnel" you refer to -
> that's something that RDC creates automatically on my behalf? In other
> words, there are no special configurations or special connection settings
> I need to create on my laptop or the target PC? I only ask since I had
> seen some references in other postings to private VPN etc., and I don't
> have any of that set up. I am just using the default installations of XP
> on both laptop and PC.
>
> If there are any special configuration steps I need in order to establish
> the "secure tunnel", could you elaborate on those?
>
> Many thanks!
> Mark
 
Guest

Hi,

If I may add, just double check on Terminal server that the Encryption Level
is set to at least High.

For added security you could also add TLS to prevent e.g.
"man-in-the-middle" attacks...

How to configure a Windows Server 2003 terminal server to use TLS for server
authentication
http://support.microsoft.com/?id=895433

--
Mike
Microsoft MVP - Windows Security

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:%23b%23v05yiFHA.3656@TK2MSFTNGP09.phx.gbl...
> Remote Desktop establishes the tunnel before you logon. You do not have
> to do anything special. Just make sure you use real strong passwords on
> your computer as others most likely attempt to logon also when they see
> port 3389 TCP open on your computer. I would also enable auditing of
> logon events in Local Security Policy so that you can keep track of such.
> If you find an abuser you could try to configure your firewall or ipsec
> filter to block access from that persons public IP address. --- Steve
 
Guest

Thanks for that info, Mike. In this case I believe the user is probably using
XP Pro [home PC mentioned]. If that is the case he still could use local
Group Policy to make sure default high encryption is enforced by going to
Computer Configuration/Administrative Templates/Windows Components/Terminal
Services/Encryption and Security. --- Steve


"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:uby9wV3iFHA.3692@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> If I may add, just double check on Terminal server that the Encryption
> Level is set to at least High.
>
> For added security you could also add TLS to prevent e.g.
> "man-in-the-middle" attacks...
>
> How to configure a Windows Server 2003 terminal server to use TLS for
> server authentication
> http://support.microsoft.com/?id=895433
>
> --
> Mike
> Microsoft MVP - Windows Security
 
Guest

Correct, thanks Steve for the added info.

For anyone else reading, I also changed the default port that RDC listens on
so that hackers trying 3389 would fail.

Thanks!
Mark

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:eWZCPk3iFHA.1232@TK2MSFTNGP15.phx.gbl...
> Thanks for that info Mike. In this case I believe the user is probably
> using XP Pro [home pc mentioned]. If that is the case he still could use
> local Group Policy to make sure default high encryption is enforced by
> going to computer configuration/administrative templates/Windows
> components/terminal services/encryption and security. --- Steve
 
Guest

Microsoft just released an advisory that Terminal Services (RDP) are
vulnerable to a Denial of Service attack.
http://www.microsoft.com/technet/security/advisory/904797.mspx


This doesn't have anything to do with wireless, over which you are just as
secure as any other medium. However, you'll want to know about this.
Chris



"Mark Findlay" <mfindlay@speakeasy.org> wrote in message
news:esNQpM$iFHA.3436@tk2msftngp13.phx.gbl...
> Correct, thanks Steve for the added info.
>
> For anyone else reading, I also changed the default port that RDC listens
> on so that hackers trying 3389 would fail.
>
> Thanks!
> Mark
 

knarx

Hi!

I found this thread searching the net for info on RDP encryption, you seem to have a lot of knowledge about this so I'll just fire away some questions and hope you'll have some answers.

1. I've heard that the RD encryption isn't activated until after you've logged in to the remote computer (thus sending login info unencrypted), this sounds quite strange (stupid even) and I wonder if there's any truth to it?

2. I'm on WinXP (both remote and local) and changed the "Set client connection encryption level" in the Group Policy editor to Enabled, is this something that only has to be done on the server? I also heard that default encryption is always activated in RD, but my (old (original)) group policy begged to differ...?

3. Even though I changed the group policy (and heard that this shouldn't have to be done since it's active by default) the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\fDisableEncryption is set to 1, what does this mean?

4. (The bonus question)
After reading this thread about connecting over unsecure wireless networks I just wonder: when RD connects to the server and activates the encryption I guess some key negotiation is done between the two sides. Wouldn't it be possible to sniff this negotiation and get the needed info to decrypt all other data?

Ok, that's it. Grateful for any answer!

Best Regards
Kristoffer
 

fattony

the RDP encryption methods are for the duration of the RDP session, not for authentication

authentication is a different story, they have different algorithms and it's not an unencrypted / clear text password, it will use either Kerberos or NTLM just like when you login to a workstation, it's encrypted

you could tighten up your wifi if you're worried about sniffers when you're entering credentials, but the default encryptions are pretty good and not easy to sniff

not to mention you can have certificates for authentication as well in terminal services
 

lethalduck

> Greetings experts!
>
> When I am using free public wireless hotspots such as coffee-houses, etc.,
> the security warning indicates that the connection is not secure, and I
> understand that (essentially :)
>
> My question is: If I use an un-secured wireless network connection, then
> attempt to use Windows Remote Desktop Connection to connect to my PC at
> home, is the username and password I type into the Remote Desktop Connection
> settings encrypted or otherwise protected? Or am I at risk of hackers
> intercepting the login credentials I pass to RDC?
>
> Thanks!


Yes, you're asking for trouble. RDP is vulnerable to Man In The Middle attacks.
http://www.securiteam.com/windowsntfocus/5EP010KG0G.html

Steve said...
"The secure tunnel is created before you enter your credentials and even then
your password is never sent over the network."

How is the client authenticated if credentials are not passed over the network?
Once again check this...
http://www.securiteam.com/windowsntfocus/5EP010KG0G.html

> If you find an
> abuser you could try to configure your firewall or ipsec filter to block
> access from that persons public IP address. --- Steve

A slightly better way would be to block all IP addresses except the ones you explicitly want to allow.
In saying this, IP addresses can be spoofed.

Mark stated... "For anyone else reading, I also changed the default port that RDC listens on
so that hackers trying 3389 would fail."

Hackers only searching for a specific port are not really hackers.
A packet sniffer will disclose an RDP session by the T.125 protocol.
Once an attacker has got access to your wired network or an unsecured wireless network,
All they need to do is run a packet sniffer, find out the IP addresses being used in the RDP session and launch a MITM attack.

The attack described above has been successfully implemented into the software Cain & Abel available at
http://www.oxid.it. From version 2.7 the program can now perform man-in-the-middle attacks against RDP
protocol sessions decrypting all the information that travels from client to server in both directions. The
program try also to recognize the keyboard activity at the client-side providing some kind of password
interception.
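
Steve's advice earlier in the thread to audit logon events, and the point in the post above about allowing only known addresses, can be combined into one defensive check. The following is an added example, not code from any poster in the thread: it reads a constructed CSV export of Security-log logon events and lists sources outside an allowlist that exceed a failed-logon threshold inside a time window. The column names, the function name `find_rdp_guessers`, and the sample addresses are assumptions of this example.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample, not real log data. The CSV layout is an assumed export
# format. Event 529 (XP/2003) and 4625 (Vista and later) are failed logons,
# 528 is a successful logon; logon type 10 is RemoteInteractive (Remote
# Desktop), type 2 is the local console. Addresses are documentation ranges.
SAMPLE_EXPORT = """\
time,event_id,logon_type,account,source_ip
2005-07-18T02:10:01,529,10,Administrator,203.0.113.45
2005-07-18T02:10:09,529,10,Administrator,203.0.113.45
2005-07-18T02:10:20,529,10,admin,203.0.113.45
2005-07-18T02:10:33,529,10,admin,203.0.113.45
2005-07-18T02:10:41,529,10,mark,203.0.113.45
2005-07-18T03:15:00,529,10,guest,198.51.100.7
2005-07-18T04:20:00,529,10,guest,198.51.100.7
2005-07-18T07:59:00,529,2,mark,
2005-07-18T08:00:05,529,10,mark,192.0.2.10
2005-07-18T08:00:30,529,10,mark,192.0.2.10
2005-07-18T08:01:10,529,10,mark,192.0.2.10
2005-07-18T08:02:00,529,10,mark,192.0.2.10
2005-07-18T08:02:40,528,10,mark,192.0.2.10
"""

FAILED_LOGON_IDS = {529, 4625}
REMOTE_INTERACTIVE = 10


def find_rdp_guessers(export_text, allowed_networks, threshold=4,
                      window=timedelta(minutes=10)):
    """Return sources outside the allowlist whose failed Remote Desktop
    logons reach `threshold` within any sliding `window`."""
    allowed = [ip_network(net) for net in allowed_networks]
    recent = defaultdict(deque)   # source -> failure times still in the window
    accounts = defaultdict(set)   # source -> account names it tried
    peak = {}                     # source -> largest in-window failure count

    rows = sorted(csv.DictReader(io.StringIO(export_text)),
                  key=lambda r: r["time"])
    for row in rows:
        if int(row["event_id"]) not in FAILED_LOGON_IDS:
            continue
        if int(row["logon_type"]) != REMOTE_INTERACTIVE:
            continue  # console and other logon types carry no RDP source
        source = ip_address(row["source_ip"])
        if any(source in net for net in allowed):
            continue  # addresses the owner explicitly trusts
        when = datetime.fromisoformat(row["time"])
        times = recent[source]
        times.append(when)
        while when - times[0] > window:
            times.popleft()  # drop failures that fell out of the window
        accounts[source].add(row["account"])
        peak[source] = max(peak.get(source, 0), len(times))

    return {
        str(source): {"failures_in_window": count,
                      "accounts": sorted(accounts[source])}
        for source, count in peak.items() if count >= threshold
    }


if __name__ == "__main__":
    for src, info in find_rdp_guessers(SAMPLE_EXPORT, ["192.0.2.0/24"]).items():
        print(src, info)
```

The two slow failures from 198.51.100.7 stay under the threshold, which is the case an allowlist at the firewall covers and a per-address block rule does not.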