Flaubert

join:2004-12-06
Los Angeles, CA

The most secure way to use Windows Remote Desktop

I've been reading up on how to secure a Remote Desktop connection to an XP Pro SP2 server.
I am already able to use that connection from inside my network with no problem.
If I want to use that connection from outside my network (hotspots, friends, etc.), what is the best way to secure it?
I've read that ssh would do it because it would create an encrypted tunnel from the client to the server.
I've also heard that using Anonymizer would also encrypt all traffic.
I don't really care to hide my IP; can Anonymizer be used ONLY for encryption and not IP stealthing?

Can I use PuTTY to access RDC without installing an ssh server on the server?

I would greatly appreciate the help of someone who's solved the same problem successfully.

Thanks in advance


bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
clubs:
·SureWest Internet

Re: The most secure way to use Windows Remote Desk

I use RD over an SSH tunnel. To do that you need an ssh server on the LAN to access RD using PuTTY. Install it either on the server or on another computer.

Some argue that RD is secure enough, and if you want to do it that way then just configure your router to forward port 3389 to your WinXP Pro box. Otherwise you'll need to forward port 22 to your ssh server. If the ssh server is on your XP Pro box, then no additional setup with PuTTY is required. If you have a separate ssh server, then you'll need to set up port forwarding in PuTTY.

Flaubert

join:2004-12-06
Los Angeles, CA

What kind of ssh server (preferably free) should I install?
I didn't quite understand the port forwarding part of your answer. I know that I have to forward Port 3389 to the server's IP address. What about port 22? Do I need to forward that one too if I install an ssh server on the RDC server?


SoonerAl
Old Enough To Know Better
Premium,MVM
join:2002-07-23
Norman, OK


4 edits
 reply to Flaubert
Re: The most secure way to use Windows Remote Desktop

  
[Three Tunnelier configuration screenshots omitted]
I use CopSSH as my SSH server on an XP Pro SP2 box. I like CopSSH because it is being actively maintained as new releases of OpenSSH become available.

»www.itefix.no/phpws/index.php?mo···on=22:22

I also use Tunnelier as the client. Tunnelier can be configured to automatically launch a RDP session when the SSH tunnel is established if you want.

»www.bitvise.com/tunnelier.html

In my case I also use a 2048-bit private/public RSA key pair (with a strong pass phrase) for authentication versus a password (strong or otherwise), and a listening port other than the default TCP Port 22. Now, to be clear, the latter measure is NOT a standalone deterrent/security measure, but it does not hurt either...

»www.openbsd.org/cgi-bin/man.cgi?···ektion=1

»forums.bitvise.com/index.php?sho···0&p=1581

The screen shots illustrate how I have Tunnelier configured to access my home LAN and my two XP Pro boxes...

»theillustratednetwork.mvps.org/LAN/LAN.jpg

...via the SSH tunnel. In my case the CopSSH server runs on the PC Ashtabula. The rest of the Tunnelier configurables are the defaults.

I also created and saved two .RDP files to customize the Remote Desktop experience for each PC. When I connect with the SSH tunnel the RDP link to my main desktop, i.e. Ashtabula, automatically launches. I have to click on the NormanRDP desktop icon to initiate the RDP connection to the other PC...

For SSH all you need to do is to forward TCP Port 22 through any firewall/router at your home. All other traffic goes through the tunnel. No other ports need to be opened on the firewall/router...

»theillustratednetwork.mvps.org/R···nel.html
--
"When all else fails, read the instructions..."

seezar
Premium
join:2001-07-01
Rochester, NY
·ViaTalk


1 edit
reply to Flaubert
Re: The most secure way to use Windows Remote Desk

Funny this topic is posted today. Earlier I was starting to research how to use SSH in conjunction with Remote Desktop.

If I understand correctly, in a configuration where the machine you want to use Remote Desktop on is behind a NAT router and you use SSH to tunnel in, you only have to have port 22 on an SSH server listening from the WAN. This makes it nice if you have multiple Windows boxes on that network you want to have access to. Instead of having to open multiple ports on the WAN (3389, 3390, etc.), you just have to have 22 open.

I've yet to try this out, but that's how I understand it to work. If I'm incorrect, someone please advise.

Here is a guide on the subject (there is also one posted on this site but the main search page is undergoing maintenance):

»theillustratednetwork.mvps.org/R···SSH.html

Edit: looks like SoonerAl already clarified what I said and posted the same link

Flaubert

join:2004-12-06
Los Angeles, CA

reply to Flaubert
So you're saying:
a- Install CopSSH on the server.
b- Install Tunnelier on the client.
c- Forward only port 22 to my private IP??

Sorry if I seem a little slow, but there are a couple of things I need explained:

The parameters you've entered in Tunnelier under "Host" and "Port":
On the "Login" tab:
I am not on a domain, so should I just enter my WAN IP on there if I connect from outside my LAN?
On the Options tab:
Do I have to enter the same parameters as yours?

And also, could you be a little more specific on how to create those 2048-bit public/private keys?
I tried reading your openbsd link but I didn't understand it.

Thanks anyway for your help so far. I know a lot more than when I started this thread....

seezar
Premium
join:2001-07-01
Rochester, NY
·ViaTalk


3 edits
said by Flaubert See Profile :

So you're saying:
a- Install CopSSH on the server.
b- Install Tunnelier on the client.
c- Forward only port 22 to my private IP??

Sorry if I seem a little slow, but there are a couple of things I need explained:

The parameters you've entered in Tunnelier under "Host" and "Port":
On the "Login" tab:
I am not on a domain, so should I just enter my WAN IP on there if I connect from outside my LAN?
On the Options tab:
Do I have to enter the same parameters as yours?

And also, could you be a little more specific on how to create those 2048-bit public/private keys?
I tried reading your openbsd link but I didn't understand it.

Thanks anyway for your help so far. I know a lot more than when I started this thread....
OK, I just set this up and it appears to work very well.

I installed CopSSH on my Windows server. CopSSH is pretty cool; it's basically OpenSSH with kind of a front end to make it easier to administer. After installing CopSSH I had to go in and 'activate' one of the accounts on the Windows server. Once that account is activated I can now SSH to that Windows server using that account.

I used PuTTY as a client. I put in the IP of the Windows server to connect to. In the tunnel section of PuTTY I put in a source port of 3390 and a destination of the IP address of the Windows server and a destination port of 3389.

So now when I SSH to the Windows server, I log in with the account I activated. Then I run the Remote Desktop client. In the "connect to" box I put in localhost:3390 (3390 was the port I specified as the source). Then I am able to log in to the Windows server.

So basically, from the outside all you need to do is forward port 22 (or whatever port you are going to SSH to) to the IP of the Windows server.

With it set up this way you can go into Windows Firewall on the server and remove access to Remote Desktop on port 3389 and make sure you allow access to port 22.
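The tunnel seezar describes, written as the OpenSSH client-side equivalent of the PuTTY settings (an added example, not from the thread or from PuTTY/Tunnelier): a Host stanza carrying the 3390 to 3389 forward, with HostName, User and IdentityFile as placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from PuTTY/Tunnelier: the OpenSSH
# client equivalent of seezar's PuTTY tunnel, kept as a Host stanza so the
# laptop brings it up with one command. HostName, User and IdentityFile are
# placeholders; 3390 and 3389 are the ports used in the post.

CFG=${1:-$(mktemp)}   # write to a scratch file unless a path is given

write_stanza() {
    # ssh_config accepts comments only on their own lines, never after an option
    cat > "$CFG" <<'EOF'
Host home-rdp
    # placeholder: your home WAN address or DDNS name
    HostName ssh.example.net
    # the only TCP port forwarded on the router and allowed by the firewall
    Port 22
    # placeholder: the Windows account activated in CopSSH
    User copssh-user
    # placeholder: passphrase-protected key pair, once one is set up
    IdentityFile ~/.ssh/home_rsa
    # laptop 127.0.0.1:3390 -> the SSH server's own loopback 3389, so RDP
    # enters the server from localhost and Windows Firewall can drop 3389
    # on every real interface; only port 22 stays reachable from outside
    LocalForward 3390 127.0.0.1:3389
    # exit instead of sitting there with no tunnel when 3390 is already taken
    ExitOnForwardFailure yes
EOF
}

# Read the local port back out of the stanza so the RDP target is derived
# from the same source of truth instead of being typed a second time.
local_port() {
    awk '$1 == "LocalForward" { print $2; exit }' "$CFG"
}

# -N: no remote shell, just the forward; -F: read only our stanza file.
tunnel_cmd() {
    printf 'ssh -N -F %s home-rdp' "$CFG"
}

# What goes in the Remote Desktop client's "Computer" box (mstsc /v:...).
rdp_target() {
    printf 'localhost:%s' "$(local_port)"
}

write_stanza
echo "1) $(tunnel_cmd)"
echo "2) mstsc /v:$(rdp_target)"
```

Pointing the forward at 127.0.0.1 rather than the server's LAN address is what lets the Windows Firewall rule for 3389 be removed entirely, as seezar suggests, since the RDP connection then arrives from the server's own loopback.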

Flaubert

join:2004-12-06
Los Angeles, CA

On the server I have software and hardware firewalls.
The hardware part I can take care of by forwarding port 22 to my private IP.
Now, will the connection get past Norton Internet Security 2006?
I guess if I enter CopSSH as a legitimate app in the list of trusted apps in NIS 2006 I should be OK?!
On the client side I will have only a software firewall. I guess I will do the same thing for PuTTY.

Now, how do I set up those public/private keys....?


SoonerAl
Old Enough To Know Better
Premium,MVM
join:2002-07-23
Norman, OK


1 edit
 reply to Flaubert
said by Flaubert See Profile :

So you're saying:
a- Install CopSSH on the server.
b- Install Tunnelier on the client.
c- Forward only port 22 to my private IP??

Sorry if I seem a little slow, but there are a couple of things I need explained:

The parameters you've entered in Tunnelier under "Host" and "Port":
On the "Login" tab:
I am not on a domain, so should I just enter my WAN IP on there if I connect from outside my LAN?
On the Options tab:
Do I have to enter the same parameters as yours?

And also, could you be a little more specific on how to create those 2048-bit public/private keys?
I tried reading your openbsd link but I didn't understand it.

Thanks anyway for your help so far. I know a lot more than when I started this thread....
This page has general help with ssh-keygen. Look at the page up to the part about changing permissions. The rest does NOT pertain to CopSSH/Tunnelier.

»theillustratednetwork.mvps.org/R···Key.html

The page was created for OpenSSH for Windows and PuTTY, so the rest really does not pertain to CopSSH and Tunnelier. If you do use PuTTY, which is a very good option IMHO, as seezar did, then most still pertains, i.e. the part about converting the key file to a format PuTTY understands. Note the file paths are different from those shown for CopSSH, as is the location of the key files. Also note the default key generated by ssh-keygen is now a 2048-bit RSA key.

If you do use CopSSH, also note that the change I made in the sshd_config file for use with OpenSSH for Windows, i.e. the StrictModes option, should be left at the default value yes.

I suggest you get the SSH link up using a password first. Once you have the basic tunnel setup and RDP working through the tunnel you can look at configuring and using a private/public key pair. Use a strong password.

As far as server host addressing is concerned, I use a free service from No-IP.com (»www.no-ip.com) to map a fully qualified domain name to my ISP DHCP assigned IP address. That works very well for me.

Note the default initial authentication method is for a password versus the key as I have mine configured for.

The options page is the default except for the fact that I point to a customized .RDP file for the initial Remote Desktop connection to my PC Ashtabula, i.e. the entry in the Parameters window.

I can't speak to how to configure NIS 2006 other than to say it must pass TCP Port 22 (or whatever port you have CopSSH listening on).
--
"When all else fails, read the instructions..."

seezar
Premium
join:2001-07-01
Rochester, NY
·ViaTalk

This thread has been a tremendous help, thank you SoonerAl for your contribution. The FAQ on this site talks about remote desktop, »Windows Based Remote Connections but is a bit lacking in some of the specifics.

Flaubert, I'd do as SoonerAl suggested and just get it set up with password authentication first. Once you grasp that you can then try setting it up with a public key. That is my next step.

Flaubert

join:2004-12-06
Los Angeles, CA
I think I'm all set. I'll try all this this Sunday and keep you posted.

I'm still a little bit worried about those private keys; it doesn't look too simple.

Thanks anyway for all this help.....

Flaubert

join:2004-12-06
Los Angeles, CA
I was just looking at the link posted above about Windows remote connections and it looks like there's a way of encrypting the traffic between the client.

What gives?

seezar
Premium
join:2001-07-01
Rochester, NY
·ViaTalk

reply to Flaubert
Well, I got it set up with a private/public key and it's working fine. Once you understand how it works it's really not that complicated to get it all set up. You'll just have to make sure you remove the private key from the server and keep a copy of it with you, as your client machines will need that file in order to connect.

I have a USB thumb drive that I plan to keep the private key on in case I need it.

seezar
Premium
join:2001-07-01
Rochester, NY
·ViaTalk

reply to Flaubert
said by Flaubert See Profile :

I was just looking at the link posted above about Windows remote connections and it looks like there's a way of encrypting the traffic between the client.

What gives?
Windows remote desktop in itself does encrypt the traffic on its own. SSH just provides an additional layer of security.


jig

join:2001-01-05
Hacienda Heights, CA

reply to Flaubert
Re: The most secure way to use Windows Remote Desktop

sorry to interject:

1) SSH provides secure authentication (start-up phase) and a simpler firewall configuration (one port from the WAN). It might add some encryption to the stream itself once it's up and running, but it is probably a negligible increase in security at that point since the RDP stream is already encrypted. I would be surprised if the RDP authentication procedure is even AS secure as current SSH.

2) Is the public/private key passing really more secure (against packet sniffing) for authentication than just a strong password?

I'm wary of limiting my connection to me having to carry a large key around in my pocket. I can't memorize it, but I can lose it in a way that gives access to another...

seezar
Premium
join:2001-07-01
Rochester, NY
·ViaTalk

said by jig See Profile :

I'm wary of limiting my connection to me having to carry a large key around in my pocket. I can't memorize it, but I can lose it in a way that gives access to another...
Even if someone gets access to the private key, it still doesn't automatically mean someone has access; they still have to know the password as well.

DavidJWood
Premium
join:2001-10-12
UK

As seezar See Profile says, use a passphrase on the private key, so even if found it's useless.

The only time I have private keys without passphrases is when one machine needs to connect to another automatically. In that case, I lock down the permissions on the public key end so as to make the key essentially useless to anyone who gets hold of it (at the moment, I'm only using rsync in this way, so I prohibit ptys and only allow the domains including the server that needs to rsync to authenticate using that key).

David
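A way to check for the key restrictions DavidJWood describes (and the passphrase point seezar raises) across an authorized_keys file, as an added example that is not from the thread; the host name, forced command and key blobs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a small audit over an authorized_keys
# file for the restrictions DavidJWood describes on passphrase-less automation
# keys (from= source pinning, no-pty, a forced command). Key blobs, host names
# and paths below are constructed placeholders.

# Classify one authorized_keys line. A passphrase lives on the client side,
# so the server cannot see it; any key without server-side options is a full
# interactive login for whoever holds the file and must be justified.
classify_key() {
    line=$1
    case $line in
        ''|'#'*) printf 'skip'; return ;;
    esac
    n=0
    case $line in *'from="'*)    n=$((n + 1)) ;; esac
    case $line in *'no-pty'*)    n=$((n + 1)) ;; esac
    case $line in *'command="'*) n=$((n + 1)) ;; esac
    case $n in
        3) printf 'restricted' ;;
        0) printf 'unrestricted' ;;
        *) printf 'partial' ;;
    esac
}

# Count the unrestricted keys in a file; the caller decides what to do.
count_unrestricted() {
    total=0
    while IFS= read -r l || [ -n "$l" ]; do
        if [ "$(classify_key "$l")" = unrestricted ]; then
            total=$((total + 1))
        fi
    done < "$1"
    printf '%s' "$total"
}

# Constructed sample file: one interactive admin key, one rsync-only key.
KEYS=$(mktemp)
cat > "$KEYS" <<'EOF'
# admin key: no options, so its protection is the client-side passphrase
ssh-rsa AAAAB3NzaC1yc2E-constructed-key-1 admin@laptop
# rsync key: pinned to the backup host, no pty, command fixed server-side
from="backup.example.net",no-pty,no-port-forwarding,command="/usr/bin/rsync --server -logDtpre.iLsf . /srv/backup" ssh-rsa AAAAB3NzaC1yc2E-constructed-key-2 rsync@backup
EOF

echo "unrestricted keys in $KEYS: $(count_unrestricted "$KEYS")"
```

The pattern match is deliberately coarse (it does not parse quoted option values), so treat "partial" as a prompt to read the line, not as a verdict.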


AMD Phreak
Premium
join:2003-12-14
reply to Flaubert
Re: The most secure way to use Windows Remote Desk

Sorry to revive an old post, and not to threadjack, but what about using this method for VPN? I am having issues with that. Any help?


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
Let's go back to the original question: no one here seems to use RD by itself. Is it not secure? If that is all one has, what precautions/practices should one exercise?


AMD Phreak
Premium
join:2003-12-14


1 edit
reply to Flaubert
I frequently use RDP without external methods of tunneling. I too am under the impression that it is plenty secure. Some things that I stress are picking passwords that are very secure, such as using passphrases rather than passwords. I find it's much easier for myself or a user to remember a phrase rather than a word.
© 1999-2009 dslreports.com