ddrueding

How secure is a RDC/Terminal Server?


As usual, I'm committing myself to a project a bit beyond my current understanding...

I'm about to expose a workstation to the internet on the port used for RDC (3389??). I plan to do this by redirecting traffic on this port from the webserver to his workstation, so the boss of the company can open up Remote Desktop Connection, type in "www.mycompany.com" and be prompted to log in to his machine.

1. How secure is the username/password login for protecting the PC?

2. Would requiring a VPN connection help?

3. Would you do it?

4. What would you suggest?

I've worked with hardware VPN solutions, and I've worked with leased lines. I understand that nothing over the web is impregnable, but this isn't a bank...it's a small business that wants some connectivity from home.

The knowledge I've gained from this forum (the only one I'm even a member of) has been invaluable in my business and personal growth. I greatly appreciate Eugene and Davin for making it available and for the many helpful members for making it what it is.


I also feel it would be safer, but it's also more difficult to maintain (this will actually include multiple people connecting via multiple external IPs from possibly multiple external locations each)... a little complication gets expensive in a hurry (I ain't cheap :lol:).

But at the same time...their data should be kept safe from most attacks.

I guess the questions would be:

What kind of security is provided by RDC itself?

and

Is this enough?


I know that the user/password are not sent in clear text. Past that I can't say how good the security is. That probably means it is pretty poor.

It's better than telnet. There ought to be a better way to do all of this without giving that much access.

If you are sure that you want to give out remote desktop connections, I would suggest at least VPN.

Also make sure the users do not have many rights with the accounts they are being given.


What I do:

Terminal Services connection over SSH.

Just run an SSH server on the webserver/firewall, and do a port forward over SSH.


I wouldn't have the port open on the internet. AFAIK there were vulnerabilities in Windows Terminal Services. With multiple connections at the same time you will most probably also run into NAT problems.

SSH was already mentioned. If they want only access to their desktop it may be a good solution.

For access to the whole network VPN is the way to go.

Should not be that difficult. The VPN Server (the firewall in most cases) must support road warriors. (FreeS/WAN)

cya

ralf


Easiest and secure is to simply add a rule in the router to only allow access on port 3389 from your boss's IP address.

This will lock out all others and give him easy access to his desktop.

Don't waste the time or money on a VPN if you only have one user trying to remotely connect.

:) :roll:


Guys,

Thanks for the info so far.

Jaredblank: I have AFAIK 3 users who need this treatment with 1-3 external locations each... many of which are PPPoE DSL lines (can't open up for a changing IP).

der_halt: What are the NAT problems you are foreseeing? I was slightly concerned, but the router/firewall is probably going to be a Win2k Srv running MS Internet Security and Acceleration Server (firewall/proxy/web caching) and should be able to handle it.

ddx/der_halt: SSH... heard about it, never used it. If all I were doing were a port forward on the firewall, how would the client side adapt to this? What special configuration is required?

This is a small company that is tight with their money; they don't mind forking out a bit for hardware, but they hate recurring labor charges. I was hoping that the client side could be as simple as: download RDC from MS, key in IP, done. Otherwise I'll be spending time at people's homes (not fun).


If it's Win2k, you'll want to up the encryption to 128-bit.

XP's 'Remote Desktop' RDP/Terminal Services are said to be 128-bit by default, but I haven't found anything CONCLUSIVE on it.

I still forward my RDP sessions through SSH just to be safe.

der_halt: What are the NAT problems you are foreseeing? I was slightly concerned, but the router/firewall is probably going to be a Win2k Srv running MS Internet Security and Acceleration Server (firewall/proxy/web caching) and should be able to handle it.

VPN is the way to go then. As the W2k server will be exposed to the internet anyway, also use it as a VPN server. It can use the Active Directory user database. The clients need only their login/pw (be sure to allow remote login for the user accounts); the IP they use is not of importance in the(ir) PPTP protocol.

NAT could cause problems. If you are lucky, it is sufficient to change the ports for RDP on the client side (I think it is possible) and just map them to the standard ports (for example: a client that tries to connect on TCP 4000 is forwarded to IP 192.168.5.10 port 3389, 4001 to IP 192.168.5.11 port 3389, etc.).

With some protocols (sorry, don't know what's the case with RDP :( ) you need special masquerading modules (don't know whether there exist any for RDP or W2k server) that make NAT possible for that protocol, because it is not always possible to simply change the IP header information in the packet. Especially with protocols that have security in mind, there may be IP information that is encrypted, etc. That's why VPNs are almost always terminated at the firewall.

This is a small company that is tight with their money; they don't mind forking out a bit for hardware, but they hate recurring labor charges. I was hoping that the client side could be as simple as: download RDC from MS, key in IP, done. Otherwise I'll be spending time at people's homes (not fun).

To set up a VPN with MS W2k server is really easy. It is the routing&ra service. But be sure to use secure passwords for the users that are allowed to connect (disable it for all other users!). And really force them to change passwords (group policies). While you are at it, disable local login on the W2k server that is the router for all accounts except administrator.

And so on.. ;)

cya

ralf
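The two mitigations the thread has proposed so far, jaredblank's "only allow the boss's IP" router rule and ralf's per-port mapping (TCP 4000 -> 192.168.5.10:3389, 4001 -> 192.168.5.11:3389), can be combined in one small relay. The following is an added illustration, not code from any poster; the 203.0.113.0/24 allow-list is a constructed placeholder, and the relay adds no encryption or authentication of its own, it only restricts who can reach the workstations' RDP ports.

```python
import ipaddress
import socket
import threading

# Per-port mapping from the thread: external firewall port -> workstation RDP port.
PORT_MAP = {4000: ("192.168.5.10", 3389), 4001: ("192.168.5.11", 3389)}
# Constructed allow-list (TEST-NET range): the only sources allowed in.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

def resolve_backend(listen_port):
    """Return the (host, port) behind listen_port, or None if unmapped."""
    return PORT_MAP.get(listen_port)

def source_allowed(src_ip):
    """True if src_ip lies inside one of the allowed networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED_SOURCES)

def _pipe(src, dst):
    # Copy one direction; on EOF/error half-close the peer so the other thread exits.
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle_client(client, src_ip, listen_port):
    """Relay an accepted connection or drop it; returns True if relayed."""
    backend = resolve_backend(listen_port)
    if backend is None or not source_allowed(src_ip):
        client.close()  # unmapped port or disallowed source: drop silently
        return False
    upstream = socket.create_connection(backend)
    threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
    threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()
    return True

def serve(listen_port):
    # Accept loop for one mapped port; run one thread per PORT_MAP entry.
    srv = socket.socket()
    srv.bind(("0.0.0.0", listen_port))
    srv.listen()
    while True:
        client, (src_ip, _) = srv.accept()
        handle_client(client, src_ip, listen_port)
```

Started on the firewall host with one `serve` thread per mapped port, each home user points RDC at the firewall's address and their assigned port; the workstation's own RDP login still applies behind the relay.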


My biggest concern with VPN is the time required to set up the client end.

What is this forwarding over SSH thing? What does it entail on the client/server sides?


The client side of the VPN is like 4 minutes (maximum). Just "Make new connection" -> "Connect to private network ..." -> IP of VPN server

(for w2k). It can get more complicated though, if there is a firewall/router on the client side.

I don't think you will set up SSH that fast ;)

cya

ralf

The client side of the VPN is like 4 minutes (maximum). Just "Make new connection" -> "Connect to private network ..." -> IP of VPN server

(for w2k). It can get more complicated though, if there is a firewall/router on the client side.

I don't think you will set up SSH that fast ;)

VPN gets much more complex, however, on a 9x client that doesn't have VPN support installed... :(

Server-side stuff isn't a problem; I don't really care how difficult it is... but I don't want to drive 20+ miles to some of their homes.

Can someone point me to info regarding SSH configuration?

Server-side stuff isn't a problem; I don't really care how difficult it is... but I don't want to drive 20+ miles to some of their homes.

If you want to ensure that the software is set up properly, don't rely on non-technical people to do it.

So you have two options:

1) Go to the machine and be certain to be paid for driving time.

2) Have the machine come to you.


it is still more simple as ssh ;)

http://www.admin.ias.edu/itg/net/vpn98.html

or with more pictures:

http://www.noc.ucf.edu/VPN/win98_vpn.htm

And now don't try to tell me they still use Win95?! I mean, that procedure is so damn simple, they should be able to do this?

Don't worry, it is my last try to convince you of the great advantages a vpn offers over ssh ;)

cya

ralf

it is still more simple as ssh ;)
Don't worry, it is my last try to convince you of the great advantages a vpn offers over ssh ;)

Sorry, a bit confused... you still recommend VPN over SSH? Even though SSH is more simple?

Thanks, Cliptin... I'll check that out later ;)

it is still more simple as ssh ;)
Don't worry, it is my last try to convince you of the great advantages a vpn offers over ssh ;)

Sorry, a bit confused... you still recommend VPN over SSH? Even though SSH is more simple?

Maybe my English got a bit confused there?!

What I meant: IMO a VPN is easier to implement, as there is already a VPN server (running). The client side is also not very difficult to set up.

The less services run on a server the better.

cya

ralf


der_halt,

Got it, thanks :D

However, does anyone care to enlighten me on the steps for implementing SSH? Any links would be appreciated.

Thanks in advance,

David


Alright, I've heard from several sources I trust that SSH isn't a good idea. And I'm already in the process of setting up the VPN server, but I'd still like to know more about SSH... help?
