albertwt (10th August 2009)
Hi All,
I have configured Windows Server 2003 Web Edition in my DMZ, and I can access it from my local LAN in the office through Remote Desktop.
Now, I'm wondering: if I'd like to access the server through Remote Desktop from the internet, how can I do it securely?
Is there anything that I should use, e.g. install a certificate or secure it with SSL, etc., to make it safe?
thanks,
Albert.
I will be interested to see what people say about this.
I hear conflicting opinions about the security of RDP. According to Microsoft, of course, it is secure but I've also heard that it is susceptible to a so-called man-in-the-middle attack.
One way to increase the security would be to tunnel in over SSH. You would need to run SSH software on the server (e.g. OpenSSH) and something simple like PuTTY from wherever you need to connect. You use PuTTY to establish an SSL session to the server, then tunnel RDP through it. I'm sure someone else can explain the intricacies better than I.
http://www.softwaresecretweapons.com...desktopoverssh
Last edited by ajbritton; 10th August 2009 at 07:47 AM. Reason: Added link to RDP over SSH
albertwt (10th August 2009)

RDP is susceptible to attack, yes - brute force and MITM. I would much rather create a proper VPN and connect to that, then RDP through it (following the usual best practices, of course).

Tom from Smoothwall has some good advice about this.
Have you looked at Server 2008 remote access? This kind of thing is supported a lot better. I can't go into it much as I am on my iPhone.

I suppose you could change the port RDP uses. You can do this in the registry
Type in RDP as follows: 192.168.0.5:12345 (for example).
albertwt (19th August 2009)
In the past I've created a VPN connection in ISA, then RDP'd into whatever server you needed to.
albertwt (19th August 2009)
I agree with ezz, I would never open up RDP to the world. Only VPN access should be open.
albertwt (19th August 2009)
Hi All,
Thanks for your responses, I've found a guide from Microsoft:
Code: http://support.microsoft.com/default.aspx/kb/895433
but somehow in both my XP client and Windows Server 2003 Remote Desktop application (mstsc) version 6, I could not see the Security tab?
Therefore, from the above link, I am stuck at "Step 2: Configure authentication on the client computer".
Has anyone succeeded yet ?
Yes, we do have a VPN using Cisco, but this Windows Server 2003 Web Edition box will be sitting in the DMZ and it will be accessed by our new contractors from a different country to perform remote management, and we want to isolate what he can access to only within that box.
I wonder if this is possible ?
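
An added example, not posted by anyone in the thread: one way to combine the SSH tunnel suggested earlier with the requirement above that the contractor reaches RDP on this one box and nothing else. It assumes a current OpenSSH server on the DMZ machine; the account name, host name and local port are hypothetical.

```conf
# sshd_config fragment (constructed example; "contractor" is a hypothetical account)

Match User contractor
    # Keys only for this account: removes the password brute-force surface
    # raised in the thread
    PasswordAuthentication no
    PubkeyAuthentication yes

    # Permit client-to-server (-L) forwards only; no remote (-R) forwards
    AllowTcpForwarding local

    # The only permitted forward destination is the local RDP listener, so the
    # tunnel cannot be pointed at other DMZ or LAN hosts
    PermitOpen 127.0.0.1:3389

    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no

    # No interactive terminal. This alone does not block non-interactive
    # command execution over SSH.
    PermitTTY no

# Client side (hypothetical host name, local port 13389 chosen arbitrarily):
#   ssh -N -L 127.0.0.1:13389:127.0.0.1:3389 contractor@dmz-host.example
#   mstsc /v:127.0.0.1:13389
#
# Only the SSH port needs to be reachable from the internet; 3389 stays
# closed at the perimeter firewall.
```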

Our LEA have blocked ports 3389 and 1723 as they say they're insecure, and we have to use their crappy Cisco VPN.

Quote: Our LEA have blocked ports 3389 and 1723 as they say they're insecure
That's probably their official line, which is just ridiculous to be honest. You can Remote Desktop once you're connected to VPN.

I say, I have just replied to your PM. We are actually under Sandwell but yes, this is a general policy. I spoke to Synetrix about this and they can't see why the VPN port would be a problem, but the LEA guy thinks it is.
It's not like I am going to make that change to every user in AD so everyone can VPN onto the site lol!!
Just a reason for us to pay them 50 - 100 pound per VPN user! and then a cost every year so they can test the security!
I can see OpenVPN being setup! lol
James.
Hi There Edutech,
I thought that changing the default port 3389 to something else would be fine?
You can move the terminal services port from 3389 to another port by changing the registry key at
Code: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
You will then need to specify the port when you connect to your system. Connect with something like "my.computerathome.com:1234" instead of "my.computerathome.com".
It's just too much effort for the user to download the VPN client, then set the profile and such...
albertwt (19th August 2009)

Yeah, I know you can change the port RDP uses, but I didn't really want to mess around with that lol. I think I will result in OpenVPN; it's only for us anyway. Staff will have to wait until we get SUN VDI.
albertwt (19th August 2009)