open RDP port

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • open RDP port

    Hello,
    I've got at work a modem router, Cisco model 2610, and I wish to open port 3389 to my Windows 2003 server (for my home use). But I don't know how to do it.

    The router address is: 192.168.8.100
    The 2003 server: 192.168.8.57

    I opened a telnet session on the router and did:
    ip nat inside source static tcp 192.168.8.57 3389 interface dialer0 3389 => it doesn't work.

    Thanks

  • #2
    Re: open RDP port

    Hi milo974,

    Thanks for your post!

    Could you post your router's config without the passwords please? I am having trouble understanding your current configuration.

    Thanks,
    David Davis - Petri Forums Moderator & Video Training Author
    Train Signal - The Global Leader in IT Video Training
    TrainSignalTraining.com - Free IT Training Products
    Personal Websites: HappyRouter.com & VMwareVideos.com



    • #3
      Re: open RDP port

      hello, i ve got a Router : cisco 2600XM series
      so, here is my config :

      #################################################
      Current configuration : 2195 bytes
      !
      version 12.3
      service timestamps debug datetime msec
      service timestamps log datetime msec
      no service password-encryption
      !
      hostname dsl-fw
      !
      boot-start-marker
      boot-end-marker
      !
      enable password ----------
      !
      username -------- privilege 15 password 0 ----------
      username -------- privilege 15 password 0 ----------
      aaa new-model
      !
      !
      aaa session-id common
      ip subnet-zero
      !
      !
      ip inspect name FW1 tcp
      ip inspect name FW1 udp
      ip inspect name FW1 ftp
      ip inspect name FW1 rtsp
      !
      ip audit notify log
      ip audit po max-events 100
      ip domain name cdr974.com
      ip name-server 80.10.246.2
      ip name-server 80.10.246.129
      ip ssh authentication-retries 2
      no ftp-server write-enable
      !
      xsm
      xsm vdm
      xsm edm
      xsm history vdm
      xsm history edm
      !
      !
      crypto isakmp policy 10
      authentication pre-share
      crypto isakmp key ------------ address ---------------
      !
      !
      crypto ipsec transform-set myset esp-3des esp-md5-hmac
      crypto mib topn interval 60
      !
      crypto map myvpn 10 ipsec-isakmp
      set peer --------------
      set transform-set myset
      match address 101
      !
      !
      !
      !
      !
      !
      interface ATM0/0
      no ip address
      no atm ilmi-keepalive
      pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 175
      !
      dsl operating-mode auto
      !
      interface FastEthernet0/0
      ip address 192.168.8.100 255.255.255.0
      ip nat inside
      ip inspect FW1 in
      duplex auto
      speed auto
      !
      interface Dialer0
      bandwidth 512
      ip address negotiated
      ip nat outside
      encapsulation ppp
      dialer pool 175
      ppp authentication chap pap callin
      ppp chap hostname ft
      ppp chap password 0 -------------
      ppp pap sent-username fti/--------- password 0 -----------
      crypto map myvpn
      !
      ip nat inside source list 175 interface Dialer0 overload
      ip nat inside source static tcp 192.168.8.100 22 interface Dialer0 22
      ip nat inside source static tcp 192.168.8.57 3389 interface Dialer0 3389
      ip classless
      ip route 0.0.0.0 0.0.0.0 Dialer0
      ip http server
      ip http secure-server
      !
      access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
      access-list 175 deny ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
      access-list 175 permit ip 192.168.8.0 0.0.0.255 any
      !
      !
      !
      line con 0
      line aux 0
      line vty 0 4
      exec-timeout 300 0
      password ----------
      line vty 5 15
      password -----------
      !
      !
      !
      end

      #################################################

      Thanks.



      • #4
        Re: open RDP port

        Hi Milo,

        Thanks for your post!

        You have here IPSEC/CRYPTO VPN, NAT, and IOS Firewall (ip inspect). These features, all together, make things complex. I'm not saying you're doing anything wrong by using them all together - it is just something to keep in mind.

        What I see here is that you added the NAT entry for RDP but what you are missing is allowing RDP in through the firewall.

        You are using the IOS Firewall (ip inspect command). This monitors traffic coming from your LAN and it opens up reverse dynamic ACLs to allow the return traffic to come back in.

        Normally, there is an ACL on the internet facing interface that denies everything, then the dynamic firewall entries open up ports on that ACL to allow only the return traffic.

        In my opinion, you need an ACL that denies everything except the VPN traffic and your RDP traffic.

        Here is an example of how to configure IOS FW from Cisco:
        http://cisco.com/en/US/products/sw/s...80094110.shtml

        Based on that example, I think you would have something like:

        int dialer0
        ip access-group 111 in


        !--- Access list 111 controls what can come from the outside world
        !
        access-list 111 permit crypto vpn traffic ! EDIT THIS
        access-list 111 permit RDP traffic ! EDIT THIS
        !

        access-list 111 permit icmp any 195.95.95.0 0.0.0.255 echo
        access-list 111 permit icmp any 195.95.95.0 0.0.0.255 echo-reply
        access-list 111 permit icmp any 195.95.95.0 0.0.0.255 packet-too-big
        access-list 111 permit icmp any 195.95.95.0 0.0.0.255 time-exceeded
        access-list 111 permit icmp any 195.95.95.0 0.0.0.255 traceroute
        access-list 111 permit icmp any 195.95.95.0 0.0.0.255 unreachable

        !--- This deny is the default.
        !
        access-list 111 deny ip any any
        David Davis - Petri Forums Moderator & Video Training Author
        Train Signal - The Global Leader in IT Video Training
        TrainSignalTraining.com - Free IT Training Products
        Personal Websites: HappyRouter.com & VMwareVideos.com


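        The gap described in the post above (a static NAT forward with nothing on the outside interface's inbound ACL to match it) is easy to audit mechanically. The following Python script is an added example, not code from the thread or from Cisco: it reads an IOS-style config, finds every `ip nat inside source static` forward, and reports whether the outside interface's inbound access-group addresses it: no ACL applied at all (as in the posted dsl-fw config), an ACL applied but with no permit for that port (inbound connections are dropped before NAT), or a permit that is open to any source. The two config fragments are constructed from the posted config; `HOME_IP` and `VPN_PEER_IP` are placeholders for values the thread redacts or never gives.

```python
"""Audit an IOS config for static NAT port forwards that the outside
interface's inbound ACL does not permit, or permits from any source.
Added example: config fragments are constructed, placeholders are marked."""
import re

NAT_STATIC = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")

# Constructed fragment modelled on the posted dsl-fw config: the forwards
# exist, but Dialer0 carries no inbound access-group.
CONFIG_BEFORE = """\
interface FastEthernet0/0
 ip address 192.168.8.100 255.255.255.0
 ip nat inside
 ip inspect FW1 in
!
interface Dialer0
 ip address negotiated
 ip nat outside
 crypto map myvpn
!
ip nat inside source list 175 interface Dialer0 overload
ip nat inside source static tcp 192.168.8.100 22 interface Dialer0 22
ip nat inside source static tcp 192.168.8.57 3389 interface Dialer0 3389
"""

# Same fragment with ACL 111 applied inbound on Dialer0. HOME_IP and
# VPN_PEER_IP are placeholders (the thread redacts the peer, never gives the home IP).
CONFIG_AFTER = CONFIG_BEFORE.replace(
    " crypto map myvpn\n", " crypto map myvpn\n ip access-group 111 in\n") + """\
access-list 111 permit udp host VPN_PEER_IP any eq isakmp
access-list 111 permit esp host VPN_PEER_IP any
access-list 111 permit tcp host HOME_IP any eq 3389
access-list 111 permit tcp host HOME_IP any eq 22
access-list 111 deny ip any any
"""


def interface_blocks(cfg):
    """Map interface name -> list of its indented sub-commands."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the block
    return blocks


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return tokens[0] + "/" + tokens[1], tokens[2:]


def acl_permits(cfg):
    """Map ACL number -> set of (proto, dst_port, source) from permit tcp/udp lines."""
    permits = {}
    for line in cfg.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "permit" or t[3] not in ("tcp", "udp"):
            continue
        src, rest = _take_addr(t[4:])
        if rest and rest[0] in ("eq", "gt", "lt", "neq"):   # optional source port operator
            rest = rest[2:]
        _dst, rest = _take_addr(rest)
        port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else "any"
        permits.setdefault(t[1], set()).add((t[3], port, src))
    return permits


def audit(cfg):
    """One finding per static forward that the outside interface's inbound ACL
    does not cover: no ACL, no matching permit, or a permit from any source."""
    ifaces, permits, findings = interface_blocks(cfg), acl_permits(cfg), []
    for line in cfg.splitlines():
        m = NAT_STATIC.match(line.strip())
        if not m:
            continue
        proto, inside_ip, inside_port, iface, outside_port = m.groups()
        groups = [c.split()[2] for c in ifaces.get(iface, [])
                  if c.startswith("ip access-group ") and c.endswith(" in")]
        target = f"{inside_ip}:{inside_port}/{proto}"
        if not groups:
            findings.append(f"{iface}: no inbound access-group; {target} is reachable from any source")
            continue
        matches = [p for p in permits.get(groups[0], set())
                   if p[0] == proto and p[1] in (outside_port, "any")]
        if not matches:
            findings.append(f"{iface}: ACL {groups[0]} never permits {proto}/{outside_port}; forward to {target} is dropped")
        elif any(p[2] == "any" for p in matches):
            findings.append(f"{iface}: ACL {groups[0]} permits {proto}/{outside_port} from any source")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(name, audit(cfg) or ["ok"])
```

        The inbound ACL on the outside interface is evaluated before NAT, so the destination in the permit is the router's public address (here `any`, since Dialer0's address is negotiated). Restricting the source to the home address is what keeps the forward from being reachable by everyone on the Internet.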

        • #5
          Re: open RDP port

          I thought opening 3389 & forwarding it to a server was a security risk because the traffic to that port wouldn't be encrypted, so what we have to do is firstly join the VPN when we are at home, then use RDP to the server's local IP address, so we never need to open 3389 on the firewall and we can still RDP from home.

          If I'm wrong, I'd love to know because it would be a lot easier for our setups if I just opened port 3389 and RDP'd from home directly to the office public IP address.

          I'd be grateful if you could correct/clarify my thinking.
          Best wishes,
          PaulH.
          MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



          • #6
            Re: open RDP port

            Yes, Paul is right, unencrypted RDP is a security risk and VPN would be more secure.

            Thanks
            David Davis - Petri Forums Moderator & Video Training Author
            Train Signal - The Global Leader in IT Video Training
            TrainSignalTraining.com - Free IT Training Products
            Personal Websites: HappyRouter.com & VMwareVideos.com



            • #7
              Re: open RDP port

              Originally posted by daviddavis:
              Yes, Paul is right, unencrypted RDP is a security risk and VPN would be more secure.

              Thanks
              AFAIK RDP can be encrypted. Even can be used with certificates so the source can be verified.

              So I don't agree that it is per definition a security risk.
              Please give points where appropriate

              <I dont create ready scripts for you, but I'm willing to point you in the right direction>



              • #8
                Re: open RDP port

                And I believe it is encrypted by default for WXP going against W2K3. Need to search for previous posts...

                EDIT: Post was http://forums.petri.com/showthread.php?t=13456
                Last edited by rvalstar; 19th March 2007, 20:57.
                Cheers,

                Rick

                ** Remember to give credit where credit is due and leave reputation points where appropriate **

                2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.



                • #9
                  Re: open RDP port

                  I ran a simple test with a network sniffer to see if I could glean the password when logging onto a TS using RDP on a forwarded port with no VPN at all. Although the username was in clear text, there was no obvious way I could see the password in the packets that were sniffed. I'm no hacker so this is a simple experiment, but worth saying anyway.

                  Oh, and this was XP against 2003.
                  Best wishes,
                  PaulH.
                  MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



                  • #10
                    Re: open RDP port

                    Good job putting the sniffer on the case. I'm surprised the username was cleartext. I recall quoting another post / MS link a while back on security levels for Remote Desktop. I'm tied up with other things at the moment. Have you been able to find that and see if there is a way to elevate the security level (several as I recall)?
                    Cheers,

                    Rick

                    ** Remember to give credit where credit is due and leave reputation points where appropriate **

                    2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.



                    • #11
                      Re: open RDP port

                      Yes, I read that link you posted, for which many thanks. I didn't understand all of it, so I like to leave it a while and read it again to see if more stuff soaks into my tiny brain. But I concluded the same as you, i.e. that RDP is encrypted by default on XP -> Server2003 and you don't need a certificate installed (but you can use a cert if you want to verify source). Equally, I respect daviddavis' post too. Silver23 implies that you need a certificate, but I guess it depends on how secure is "secure".

                      What I think I'd better do now, is sniff some more traffic after I've logged in. I too was surprised to see the username in the sniffer output, so I'll type some unique text into Notepad over RDP and search the sniffer output to see if the text got encrypted. I'm fired up with curiosity!
                      Best wishes,
                      PaulH.
                      MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



                      • #12
                        Re: open RDP port

                        I do apologise to Milo974 because I have gone off topic.

                        To clarify what Rick and I have been questioning, as far as I can tell with my limited hacking attempts and a bit of further reading, I can say that a default setup of an XP Pro PC using RDP to a public IP address whose port 3389 has been opened up to direct that traffic onto the TS Server 2003 is encrypted already. I cannot say "how" secure it is.

                        However, to confirm that the source is the right one, you need to install a certificate.

                        If you want to be confident of security, use a VPN and a certificate, but for occasional control over a machine for admin tasks, the traffic is encrypted by default.
                        Best wishes,
                        PaulH.
                        MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008
