Flaubert
join:2004-12-06
Los Angeles, CA
| The most secure way to use Windows Remote Desktop I've been reading up on how to secure a Remote desktop connection to a XP Pro SP2 server.
I am already able to use that connection from inside my network with no problem.
If I want to use that connection from outside my network (Hotspots, Friends etc....) what is the best way to secure it.
I've read that ssh would do it because it would create an encrypted tunnel from the client to the server.
I've also heard that using Anonymizer would also encrypt all traffic.
I don't really care to hide my IP can anonymizer be used ONLY for encryption and not IP stealthing?
Can I use PuTTy to access RDC without installer a ssh server on the server?
I would greatly appreciate the help of someone who's solved the same problem successfully.
Thanks in advance | |
|
 
bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
clubs:
 ·SureWest Internet
| Re: The most secure way to use Windows Remote Desk I use RD over SSH tunnel. To do that you need an ssh server on the LAN to access RD using Putty. Install either on server or another computer.
Some argue that RD is secure enough, and if you want to do it that way then just configure your router to forward port 3389 to your WinXP Pro box. Otherwise you'll need to forward port 22 to your ssh server. If ssh server is on your XP Pro box, then no additional setup with Putty is required. If you have a separate ssh server, then you'll need to setup port forwarding in Putty. | |
|
 | Flaubert
join:2004-12-06
Los Angeles, CA
| Re: The most secure way to use Windows Remote Desk What kind of ssh server (preferably free) should I install?
I didn't quite understand the port forwarding part of your answer. I know that I have to forward Port 3389 to the server's IP address. What about port 22? Do I need to forward that one too if I install an ssh server on the RDC server? | |
|
| | Flaubert
join:2004-12-06
Los Angeles, CA
| Re: The most secure way to use Windows Remote Desk So you're saying:
a- Install CopSsh on the server.
b-Install Tunnelier on the client.
c -Forward only port 22 to my private IP ??
Sorry if I seem a little slow but there are a couple of things I need explained:
The parameters you've entered in Tunnelier
under "Host" and "Port"
On the "Login" tab:
I am not on a Domain, so should I just enter my Wan ip on there if I connect from outside my Llan?
On the Options tab:
Do I have to enter the same parameters as yours?
And also, could you be a little more specific on how to create those 2048 bit public/private keys?
I tried reading your openbsd link but I didn't understand it.
Thanks anyway for your help so far. I know a lot more than when I started this thread.... | |
|
| | | seezar
Premium
join:2001-07-01
Rochester, NY
 ·ViaTalk
3 edits | Re: The most secure way to use Windows Remote Desk said by Flaubert  :So you're saying: a- Install CopSsh on the server. b-Install Tunnelier on the client. c -Forward only port 22 to my private IP ?? Sorry if I seem a little slow but there are a couple of things I need explained: The parameters you've entered in Tunnelier under "Host" and "Port" On the "Login" tab: I am not on a Domain, so should I just enter my Wan ip on there if I connect from outside my Llan? On the Options tab: Do I have to enter the same parameters as yours? And also, could you be a little more specific on how to create those 2048 bit public/private keys? I tried reading your openbsd link but I didn't understand it. Thanks anyway for your help so far. I know a lot more than when I started this thread.... OK, I just set this up and it appears to work very well.
I installed CopSSH on my windows server. CopSSH is pretty cool, its basically OpenSSH with kind of a front end to make it easier to administer. After installing CopSSH I had to go in and 'activate' one of the accounts on the windows server. Once that account is activated I can now SSH to that windows server using that account.
I used PuTTY as a client. I put in the IP of the windows server to connect to. In the tunnel section of PuTTY I put i n a source port of 3390 and a destination of the IP address of the windows server and a destination port of 3389.
So now when I SSH to the windows server, I login with the account I activated. Then I run the remote desktop client. in the connect to box I put in localhost:3390 (3390 was the port I specific as the source). Then I am able to login to the windows server.
So basically, from the outside all you need to do is forward port 22 (or whatever port you are going to SSH to)to the IP of the windows server.
With it setup this way you can go into windows firewall on the server and remove access to remote desktop on port 3389 and make sure you allow access to port 22. | |
|
| | | | Flaubert
join:2004-12-06
Los Angeles, CA
| Re: The most secure way to use Windows Remote Desk On the server I have software and hardware firewall.
The hardware part I can take care of by forwarding port 22 to my private ip
Now, will the connection get past Norton Internet Security 2006?
I guess if I enter CopSsh as a legitimate app in the list of trusted apps in NIS 2006 I should be Ok ?!!!
On the client side I will have only software firewall. I guess I will do the same thing for PuTTy.
Now How do I set up those public/private keys....? | |
|
| | | 
SoonerAl
Old Enough To Know Better
Premium,MVM
join:2002-07-23
Norman, OK
1 edit | said by Flaubert :So you're saying: a- Install CopSsh on the server. b-Install Tunnelier on the client. c -Forward only port 22 to my private IP ?? Sorry if I seem a little slow but there are a couple of things I need explained: The parameters you've entered in Tunnelier under "Host" and "Port" On the "Login" tab: I am not on a Domain, so should I just enter my Wan ip on there if I connect from outside my Llan? On the Options tab: Do I have to enter the same parameters as yours? And also, could you be a little more specific on how to create those 2048 bit public/private keys? I tried reading your openbsd link but I didn't understand it. Thanks anyway for your help so far. I know a lot more than when I started this thread.... This page has general help with ssh-keygen. Look at the page up to the part about changing permissions. The rest does NOT pertain to CopSSH/Tunnelier.
»theillustratednetwork.mvps.org/R···Key.html
The page was created for OpenSSH for Windows and PuTTY, so the rest really does not pertain to CopSSH and Tunnelier. If you do use PuTTY, which is a very good option IMHO, as seezar did, then most still pertains, ie. the part about converting the key file to a format PuTTY understands. Note the file paths are different than shown for CopSSH as are the location of the key files. Also note the default key generated by ssh-keygen is now a 2048-bit RSA key.
If you do use CopSSH also note that the change I made in the sshd_config file for use with OpenSSH for Windows, ie. the StrictModes option, should be left as the default value yes.
I suggest you get the SSH link up using a password first. Once you have the basic tunnel setup and RDP working through the tunnel you can look at configuring and using a private/public key pair. Use a strong password.
As far as server host addressing is concerned, I use a free service from No-IP.com (»www.no-ip.com) to map a fully qualified domain name to my ISP DHCP assigned IP address. That works very well for me.
Note the default initial authentication method is for a password versus the key as I have mine configured for.
The options page is the default except for the fact that I point to a customized .RDP file for the initial Remote Desktop connection to my PC Ashtabula, ie. the entry in the Parameters window.
I can't speak to how to configure NIS 2006 other than to say it must pass TCP Port 22 (or whatever port you have CopSSH listening on).
--
"When all else fails, read the instructions..." | |
|
| | | | seezar
Premium
join:2001-07-01
Rochester, NY
·ViaTalk
| Re: The most secure way to use Windows Remote Desk This thread has been a tremendous help, thank you SoonerAl for your contribution. The FAQ on this site talks about remote desktop, »Windows Based Remote Connections but is a bit lacking in some of the specifics.
Flaubert, I'd do as SonnerAl suggested and just get it setup with password authentication first. Once you grasp that you can then try setting it up with a public key. That is my next step. | |
|
| | | | | Flaubert
join:2004-12-06
Los Angeles, CA | Re: The most secure way to use Windows Remote Desk I think I'm all set I'll try all this this sunday and keep you posted.
I'm still a little bit worried about those private keys, it doesn't look too simple.
thanks anyway for all this help ..... | |
|
| | | | | | Flaubert
join:2004-12-06
Los Angeles, CA | Re: The most secure way to use Windows Remote Desk I was just looking at the link posted above about Windows remote connections and it looks like there's a way of encrypting the traffic between the client.
What gives? | |
|
| | | | | | | seezar
Premium
join:2001-07-01
Rochester, NY
·ViaTalk
| Re: The most secure way to use Windows Remote Desk said by Flaubert :I was just looking at the link posted above about Windows remote connections and it looks like there's a way of encrypting the traffic between the client. What gives? Windows remote desktop in itself does encrypt the traffic on its own. SSH just provides an additional layer of security. | |
|
SoonerAl
Old Enough To Know Better
Premium,MVM
join:2002-07-23
Norman, OK
4 edits |  Re: The most secure way to use Windows Remote Desktop
»www.itefix.no/phpws/index.php?mo···on=22:22
I also use Tunnelier as the client. Tunnelier can be configured to automatically launch a RDP session when the SSH tunnel is established if you want.
»www.bitvise.com/tunnelier.html
In my case I also use a 2048-bit private/public RSA key pair (with strong pass phrase) for authentication versus a password (strong or otherwise) and a listening port other than the default TCP Port 22. Now to be clear the latter measure is NOT a standalone deterrent/security measure, but it does not hurt either...
»www.openbsd.org/cgi-bin/man.cgi?···ektion=1
»forums.bitvise.com/index.php?sho···0&p=1581
The screen shots illustrate how I have Tunnelier configured to access my home LAN and my two XP Pro boxes...
»theillustratednetwork.mvps.org/LAN/LAN.jpg
...via the SSH tunnel. In my case the CopSSH server runs on the PC Ashtabula. The rest of the Tunnelier configurables are the defaults.
I also created and saved two .RDP files to customize the Remote Desktop experience for each PC. When I connect with the SSH tunnel the RDP link to my main desktop, ie. Ashtabula, automatically launches. I have to click on the NormanRDP desktop icon to initiate the RDP connection to the other PC...
For SSH all you need to do is to forward TCP Port 22 through any firewall/router at your home. All other traffic goes through the tunnel. No other ports need to be opened on the firewall/router...
»theillustratednetwork.mvps.org/R···nel.html
--
"When all else fails, read the instructions..." | |
|
seezar
Premium
join:2001-07-01
Rochester, NY
·ViaTalk
1 edit | Re: The most secure way to use Windows Remote Desk Funny this topic is posted today. Earlier I was starting to research how to you SSH in conjunction with remote desktop.
If I understand correctly, in a configuration where the machine you want to use remote desktop on is behind a NAT router and you use SSH to tunnel in you only have to have port 22 on a SSH server listening from the WAN. This makes it nice if you have multiple windows boxes on that network you want to have access to. Instead of having to open multiple ports on the WAN, 3389, 3390, etc.. you just have to have 22 open.
I've yet to try this out yet but thats how I understand it to work. If I'm incorrect someone please advise.
Here is a guide on the subject (there is also one posted on this site but the main search page is undergoing maintenance):
»theillustratednetwork.mvps.org/R···SSH.html
Edit: looks like SoonerAl already clarified what I said and posted the same link  | |
|
seezar
Premium
join:2001-07-01
Rochester, NY
·ViaTalk
| Well, I got it setup with private/public key and its working fine. Once you understand how it works its really not that complicated to get it all setup. You'll just have to make sure you remove the private key from the server and keep a copy of it with you as your client machines will need that file in order to connect.
I have a USB thumb drive that I plan to keep the private key on in case I need it. | |
|
jig
join:2001-01-05
Hacienda Heights, CA
| sorry to interject:
1) ssh provides a secure authentication (start up phase), and a simpler firewall configuration (one port from WAN). it might add some encryption to the stream itself once it's up and running, but it probably is a negligible increase in security at that point since the RDP stream is already encrypted. i would be surprised if the RDP authentication procedure is even AS secure as current ssh.
2) is the public/private key passing really more secure (against packet sniffing) for authentication than just a strong password?
i'm wary of limiting my connection to me having to carry a large key around in my pocket. i can't memorize it, but i can lose it in a way that gives access to another... | |
|
| seezar
Premium
join:2001-07-01
Rochester, NY
·ViaTalk
| Re: The most secure way to use Windows Remote Desktop said by jig :i'm wary of limiting my connection to me having to carry a large key around in my pocket. i can't memorize it, but i can lose it in a way that gives access to another... Even if someone gets access to the private key, it still doesnt automatically mean someone has access, they still have to know the password as well. | |
|
| | DavidJWood
Premium
join:2001-10-12
UK
| Re: The most secure way to use Windows Remote Desktop As seezar says, use a passphrase on the private key, so even if found it's useless.
The only time I have private keys without passphrases is when one machine needs to connect to another automatically. In that case, I lock down the permissions on the public key end so as to make the key essentially useless to anyone who gets hold of it (at the moment, I'm only using rsync in this way, so I prohibit ptys and only allow the domains including the server that needs to rsync to authenticate using that key).
David | |
|
AMD Phreak
Premium
join:2003-12-14 | Sorry to revive an old post and not to threadjack but what about using this method for VPN? I am having issues with that. Any help? | |
|
| 
Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS |  Re: The most secure way to use Windows Remote Desk
| |
|
| |
SoonerAl
Old Enough To Know Better
Premium,MVM
join:2002-07-23
Norman, OK
1 edit | Re: The most secure way to use Windows Remote Desk
I simply think its safer to use a SSH tunnel (or VPN if that floats your boat) with a private/public key pair encrypted with a strong pass phrase to safe guard the link. Personally I have more confidence in the integrity of the link that way.
I think it comes down to what you feel comfortable with...
--
"When all else fails, read the instructions..." | |
|
| | Shootist
Premium
join:2003-02-10
Decatur, GA
| said by Anav :Lets go back to the original question, no one here seems to use RD by itself. Is it not secure? If that is all one has, what precautions/practices should one exercise????? I RDC to my home PC from work all the time and don't use any other tunnel. I do use the Z5 firewall rules to block all other IP's except a select few which I know I'll be using to connect with on port 3389.
--
Shooter Ready--Stand By BEEP ******** | |
|
| | YqE41k24
Premium
join:2004-05-02
Tarrytown, NY
| This article describes one vulnerability to Windows Remote Desktop. It sounds real, but an attacker would have to be pretty determined to get anywhere with it.
»www.xatrix.org/article.php?s=1943
I don't think there's any practical problem with using RDP over a clear channel (unless you are worried about targeted corporate espionage...). But taken from a system perspective, why would you want to? A better system design is to use a VPN-capable firewall to protect you from snooping and your inner equipment from the internet. You could use straight RDP, but it's better to have a secure entre into your lan through one path instead of opening one-off paths with firewall rules for protocol-specific ports. | |
|
| | | Raphion
join:2000-10-14
Samsara
| Re: The most secure way to use Windows Remote Desk said by YqE41k24 :This article describes one vulnerability to Windows Remote Desktop. It sounds real, but an attacker would have to be pretty determined to get anywhere with it. » www.xatrix.org/article.php?s=1943I don't think there's any practical problem with using RDP over a clear channel (unless you are worried about targeted corporate espionage...). But taken from a system perspective, why would you want to? A better system design is to use a VPN-capable firewall to protect you from snooping and your inner equipment from the internet. You could use straight RDP, but it's better to have a secure entre into your lan through one path instead of opening one-off paths with firewall rules for protocol-specific ports. I read about a worse exploit that allows total decryption of the whole RDP session. »www.oxid.it/downloads/rdp-gbu.pdf (Sorry it's a PDF) And it's built right into a program called Cain&Able, so you don't even have to work much at all to use it.
As to why I would like to be able to use something simple like RDP; I really don't have the knowledge to setup or administer any of those VPN firewall things. I've looked at some, and all I get for it is a headache.
I wouldn't leave anything like in service all the time either. I would only open the ports for it at my gateway router when the rare occasion comes that I'll actually need it. | |
|
| | | | YqE41k24
Premium
join:2004-05-02
Tarrytown, NY
| Re: The most secure way to use Windows Remote Desk Thank you for the link. I skimmed through the article and this discussion
»groups.google.com/group/microsof···deddc08e
I don't like the looks of the Cain&Able program. Anyways... you would have to work to use this RDP attack. You need to position yourself and the environment such that the RDP client initiates a connection to you instead of the real RDP server. That's why in the link above, they say that this exploit is more viable with DNS than without. This isn't the kind of attack you'd run into at a coffee shop or public internet (unless you think the ISP is hosting the attack). This attack is also not specific to the RDP protocol. SSH would have the same vulnerability, for instance, were it not the fact that each server generates and publishes its own certificate.
Here are some "famous last words".
I wouldn't leave anything like in service all the time either. This is how holes often appear in networks. Somebody opens up a port for a special case, gets distracted, and the port remains open. It would be better, IMHO, to set up a VPN which you can leave active and secure. If you can understand the RDP attacks and open/close ports, you shouldn't have any trouble setting up a VPN these days. | |
|
| | | | | Raphion
join:2000-10-14
Samsara
1 edit | Re: The most secure way to use Windows Remote Desk said by YqE41k24 :That's why in the link above, they say that this exploit is more viable with DNS than without. This isn't the kind of attack you'd run into at a coffee shop or public internet (unless you think the ISP is hosting the attack). Why wouldn't it be easy to run on a coffee shop network? MITM attacks are extremely easy on a WiFi network. All you have to do is ARP poison both the target and the gateway, and then you have every bit of the target's IP traffic running through your machine, and can do whatever you want with it. I've done that on my own network, and it's childsplay.
[edit] I suppose a well run network would have guards in place to make MITM less easy, like kicking a client that sends out excessive ARPs. But I wouldn't expect to see anything like that in a small network like a hotel or hotspot, where they dole out private IP's to everyone via a SOHO DSL router. Though it would be a nice idea. | |
|
| | | | | | |
AMD Phreak
Premium
join:2003-12-14
1 edit | I frequently use RDP without external methods of tunneling. I too am under the impression that it is plenty secure. some things that I stress are picking passwords that are very secure, such as using pass-phrases rather than passwords. I find its much easier for myself or a user to remember a phrase rather than a word. | |
|
Komputerguy
join:2001-03-29
Melbourne, FL
| I actually also do the ssh tunneling thing but I went even a step further and also implemented port knocking to turn on and off the SSH server. I've run into one problem, though. I had to resort to using nmap to do the knocking because I had finer control on how the tcp connections were made. For instance all of the other utilities I used would make multiple connections for each attempt to contact a particular port which would mess up the knocking sequence. This seemed to work fine for a while but recently for some reason I am now having a similar problem with nmap and it also seems like the order that the ports are being contacted on the receiving end is different than on the sending end. I'm giving a pretty reasonable several second delay between knocks which I think would be more than enough to ensure there not to be a problem like this, so I'm kind of baffled. I'm now looking for a different utility to do the knocking. Does anyone have any suggestions?
--
What can possibly go wrong? | |
|
|
AMD Phreak
Premium
join:2003-12-14 | Re: The most secure way to use Windows Remote Desk I have a brother that uses port knocking to access his home network. He had to write a script to perform the sequence as they are only milliseconds apart. | |
|
|
SoonerAl
Old Enough To Know Better
Premium,MVM
join:2002-07-23
Norman, OK
| Another reason I like using a SSH tunnel is that once the tunnel is connected I can grab files off of my PC without using Remote Desktop. Both Tunnelier or WinSCP, both free, offer that functionality...
»winscp.net/eng/index.php
Also, WebDrive allows mapping of drives through a SSH tunnel.
»www.webdrive.com/index.php?pg=./···ve/index
Unfortunately I have not been able to get it to work yet, but I will...:)
--
"When all else fails, read the instructions..." | |
|
Raphion
join:2000-10-14
Samsara
| Is it possible to change the port used by RDP?
I'm going to want to try RDP from some insecure WiFi soon, as VPN seems way over my head. I plan to do all my online tasks from my home computer over RDP as a lazy man's workaround. I'd feel a bit more secure about it if I could change the port to something obscure so as to keep the hax0rz from trying the door as much.
Second question; how long would be long enough for a purely random mixed case password? | |
|
|
See 12 replies to this post |
|
|
|
|
