  1. #1


    Question Securing Windows server 2003 Remote Desktop access for access through the internet

    Hi All,

    I have configured Windows Server 2003 Web Edition in my DMZ, and I can access it from my local LAN in the office through Remote Desktop.

    Now, I'm wondering: if I'd like to access the server through Remote Desktop from the internet, how can I do it securely?

    Is there anything that I should use, e.g. install a certificate or SSL secured, etc., to make it safe?

    Thanks,

    Albert.

  2. #2
    ajbritton's Avatar
    I will be interested to see what people say about this.

    I hear conflicting opinions about the security of RDP. According to Microsoft, of course, it is secure but I've also heard that it is susceptible to a so-called man-in-the-middle attack.

    One way to increase the security would be to tunnel in over SSH. You would need to run SSH software on the server (e.g. OpenSSH) and something simple like PuTTY from wherever you need to connect. You use PuTTY to establish an SSL session to the server then tunnel RDP through it. I'm sure someone else can explain the intricacies better than I.

    http://www.softwaresecretweapons.com...desktopoverssh
    Last edited by ajbritton; 10th August 2009 at 06:47 AM. Reason: Added link to RDP over SSH

  3. Thanks to ajbritton from:

    albertwt (10th August 2009)

  4. #3

    powdarrmonkey's Avatar
    RDP is susceptible to attack, yes - brute force and MITM. I would much rather create a proper VPN and connect to that, then RDP through it (following the usual best practices, of course).
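
The brute-force exposure mentioned in the post above can be watched for in the server's Security log. This is an added example, not part of any post in the thread: it assumes the log has been exported to a constructed pipe-delimited format and flags sources with repeated failed RDP logons (event 529 with logon type 10 on Server 2003); the threshold and window are illustrative choices.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "timestamp|event_id|logon_type|user|source_address".
# On Server 2003, event 529 is a failed logon (bad user name or password),
# 528 a successful one; logon type 10 is RemoteInteractive (RDP).
SAMPLE_LOG = """\
2009-08-10 02:14:01|529|10|administrator|203.0.113.50
2009-08-10 02:14:03|529|10|admin|203.0.113.50
2009-08-10 02:14:06|529|10|administrator|203.0.113.50
2009-08-10 02:14:09|529|10|root|203.0.113.50
2009-08-10 02:14:12|529|10|administrator|203.0.113.50
2009-08-10 02:14:15|529|2|albert|127.0.0.1
2009-08-10 09:00:00|529|10|contractor|198.51.100.7
2009-08-10 09:00:40|528|10|contractor|198.51.100.7
2009-08-10 09:30:00|529|3|backup|192.0.2.10
"""

FAILED_LOGON, REMOTE_INTERACTIVE = 529, 10

def parse(line):
    ts, event_id, logon_type, user, src = line.split("|")
    return (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            int(event_id), int(logon_type), user, src)

def rdp_bruteforce_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source: user names tried} for each source with at least
    `threshold` failed RDP logons inside `window`. Records must be in time order."""
    recent = defaultdict(deque)   # source -> failure timestamps inside window
    users = defaultdict(set)      # source -> every user name it has tried
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = parse(line)
        if event_id != FAILED_LOGON or logon_type != REMOTE_INTERACTIVE:
            continue              # ignore successes and non-RDP logon types
        users[src].add(user)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = users[src]
    return flagged

if __name__ == "__main__":
    for src, names in rdp_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{src}: repeated failed RDP logons for {sorted(names)}")
```
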

  5. #4

    FN-GM's Avatar
    Tom from Smoothwall has some good advice about this.

    Have you looked at Server 2008 remote access? This kind of thing is supported a lot better. I can't go into it much as I am on my iPhone.

  6. #5

    Quote Originally Posted by ajbritton View Post
    I will be interested to see what people say about this.

    I hear conflicting opinions about the security of RDP. According to Microsoft, of course, it is secure but I've also heard that it is susceptible to a so-called man-in-the-middle attack.

    One way to increase the security would be to tunnel in over SSH. You would need to run SSH software on the server (e.g. OpenSSH) and something simple like PuTTY from wherever you need to connect. You use PuTTY to establish an SSL session to the server then tunnel RDP through it. I'm sure someone else can explain the intricacies better than I.

    Software Secret Weapons: Windows Remote Desktop Over SSH
    Hi There,

    Yes, I was thinking to set up some sort of digital certificate authentication process (sort of token) to authenticate who is logged in to the Windows server from the internet.

    But I'm not quite sure how to do it.

  7. #6

    Michael's Avatar
    I suppose you could change the port RDP uses. You can do this in the registry.

    Type in RDP as follows: 192.168.0.5:12345 (for example).

  8. Thanks to Michael from:

    albertwt (19th August 2009)

  9. #7
    ezzauk's Avatar
    In the past I've created a VPN connection in ISA, then RDP'd in to whatever server you needed to.

  10. Thanks to ezzauk from:

    albertwt (19th August 2009)

  11. #8
    Midget's Avatar
    I agree with ezz, I would never open up RDP to the world. Only VPN access should be open.

  12. Thanks to Midget from:

    albertwt (19th August 2009)

  13. #9


    Hi All,

    Thanks for your responses. I've found a guide from Microsoft:

    Code:
    http://support.microsoft.com/default.aspx/kb/895433
    but somehow in both my XP client and Windows Server 2003 Remote Desktop application (mstsc) version 6, I could not see the Security tab?

    Therefore, following the above link, I am stuck at "Step 2: Configure authentication on the client computer".

    Has anyone succeeded yet?

    Yes, we do have a VPN using Cisco, but this Windows Server 2003 Web Edition box will be sitting in the DMZ and it will be accessed by our new contractors from a different country to perform remote management, and we want to isolate what he can access to within that box only.


    I wonder if this is possible?

  14. #10

    EduTech's Avatar
    Our LEA have blocked ports 3389 and 1723 as they say they're insecure, and we have to use their crappy Cisco VPN.

  15. #11

    Michael's Avatar
    Our LEA have blocked ports 3389 and 1723 as they say they're insecure
    That's probably their official line which is just ridiculous to be honest. You can Remote Desktop once you're connected to VPN.

  16. #12

    EduTech's Avatar
    Quote Originally Posted by Michael View Post
    That's probably their official line which is just ridiculous to be honest. You can Remote Desktop once you're connected to VPN.
    I say, I have just replied to your PM; we are actually under Sandwell, but yes, this is a general policy. I spoke to Synetrix about this and they can't see why the VPN port would be a problem, but the LEA guy thinks it is.

    It's not like I am going to make that change to every user in AD so everyone can VPN onto the site lol!!

    Just a reason for us to pay them 50 - 100 pound per VPN user! and then a cost every year so they can test the security!

    I can see OpenVPN being setup! lol

    James.

  17. #13

    Hi there EduTech,

    I thought that changing the default port 3389 to something else would be fine?

    You can move the terminal services port from 3389 to another port by changing the registry key at

    Code:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
    You will then need to specify the port when you connect to your system. Connect with something like "my.computerathome.com:1234" instead of "my.computerathome.com"

    It's just too much effort for the user to download the VPN client, then set the profile and such...

  18. #14

    powdarrmonkey's Avatar
    Quote Originally Posted by albertwt View Post
    Hi there EduTech,

    I thought that changing the default port 3389 to something else would be fine?
    One day, I will introduce you to my friend the port scanner.

    In the meantime, just moving the service to another port doesn't give you any kind of security, except against opportunism I suppose. Hiding things doesn't make them any less vulnerable.

  19. Thanks to powdarrmonkey from:

    albertwt (19th August 2009)

  20. #15

    EduTech's Avatar
    Yeah, I know you can change the port RDP uses, but I didn't really want to mess around with that lol. I think I will resort to OpenVPN; it's only for us anyway. Staff will have to wait until we get Sun VDI.

  21. Thanks to EduTech from:

    albertwt (19th August 2009)
