RDC security

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • RDC security

    My CFO just asked me to set up RDC to his company computer. I mapped an external IP to his internal IP through the firewall. Is there anything I can do to give it a little more security?

  • #2
    Re: RDC security

    Originally posted by Mudd
    My CFO just asked me to set up RDC to his company computer. I mapped an external IP to his internal IP through the firewall. Is there anything I can do to give it a little more security?
    Yes. Get rid of the NATting and stick in a Point to Point VPN instead... or get LogMeIn working for him (www.logmein.com)


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: RDC security

      I do have a policy setup on the firewall in which NAT is not checked.



      • #4
        Re: RDC security

        Originally posted by Mudd
        My CFO just asked me to set up RDC to his company computer. I mapped an external IP to his internal IP through the firewall. Is there anything I can do to give it a little more security?
        Whoa! Is this 1 to 1 NAT? If so, I'm scared...

        What about the VPN solution that Stonelaughter suggested? I think a VPN is the best solution in this scenario. Or even port forwarding would be slightly better than 1 to 1 NAT (if that's what's going on).
        Wesley David
        LinkedIn | Careers 2.0
        -------------------------------
        Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
        Vendor Neutral Certifications: CWNA
        Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
        Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



        • #5
          Re: RDC security

          I guess it would be port forwarding, because what I did was take a public IP that isn't assigned to anything, but when you RDC in and it hits the firewall, it maps that IP to the internal IP on the CFO machine and uses port 3389. Is this OK?

          Also, if I did go with VPN, would my CFO need a VPN router at his home?



          • #6
            Re: RDC security

            I wouldn't go with the basic RDP port, like the others said. You also don't need a site-to-site router either. Just turn on RRAS on your server and set up a PPTP VPN. I will post some links to help you.

            Howto Change RDP port: http://support.microsoft.com/kb/306759

            VPN: http://support.microsoft.com/kb/323415
            What do I know, I am only 26.



            • #7
              Re: RDC security

              Originally posted by Mudd
              I guess it would be port forwarding, because what I did was take a public IP that isn't assigned to anything, but when you RDC in and it hits the firewall, it maps that IP to the internal IP on the CFO machine and uses port 3389. Is this OK?

              Also, if I did go with VPN, would my CFO need a VPN router at his home?
              Hmmm, unless there's some miscommunication going on here it still kinda sounds like 1 to 1 NAT to me. So, any traffic on any port that hits that external IP address will be autoforwarded to your CFO? Or just traffic on port 3389? Concerning 1 to 1 NAT, if you've ever looked at the logs for the WAN port of a firewall, you'll see probably hundreds of weird scans and probes a day. If your CFO has any unpatched vulnerabilities, they will be exploited. If there are ever any "zero day" threats or some new exploit that comes along, he'll get the muddy end of the stick (no pun on your name was intended... but it does sound amusing). I hope that you're just forwarding the proper RDC ports to his machine.

              However, that seems to be a waste of an entire public IP address just to be used for a few ports being forwarded to one machine. If you created a VPN server (using RRAS as GrantThomas suggested) your CFO would not need any new software at all. Windows 2K, XP, and Vista can create a VPN connection no problem. You can even use the CMAK to create a little installer file that makes the connectoid for him. Not to mention, creating a VPN will allow other users to have access to the network from offsite (if you consider that to be a good thing). Rest assured, word will get around that the CFO can access the network remotely and you will have other people ask you for the same ability.

              RRAS is relatively simple to set up, but it does have some user interface shortcomings. I just recently set one up without too many problems. You just need to open up the right ports and protocols on the firewall (if the server is not in a DMZ, but rather in the internal network). Don't forget to allow IP Protocol 47 (GRE).

              Let us know how it turns out,


              EDIT: More about the CMAK at this link.
              Last edited by Nonapeptide; 16th July 2008, 17:13.
              Wesley David

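The point made above about WAN logs (a 1:1 NAT'd host receives every scan that hits its public address, not just connections to port 3389) can be checked in the logs rather than assumed. The script below is an added example, not code from this thread or from any of its posters. It assumes a firewall log in the W3C style that Windows Firewall writes to pfirewall.log; the sample lines, the host address 192.168.1.50 and the source addresses are constructed for the example. It summarises, per port, how many inbound attempts were allowed or dropped and from which sources, lists sources that touched several ports, and flags any allowed traffic to a port you did not intend to forward, which is the tell-tale of a 1:1 NAT rather than a single-port forward.

```python
"""Summarise what an Internet-facing host actually receives, from a firewall log.

Added example (not code from the thread): the log format is the W3C style that
Windows Firewall writes to pfirewall.log, the sample lines are constructed for
this example, and the host address and ports are placeholders.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log: one Internet-facing host (192.168.1.50) that was
# meant to have only TCP/3389 reachable from outside.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-07-16 09:01:12 DROP TCP 203.0.113.45 192.168.1.50 54321 445 48 S 1234 0 8192 - - - RECEIVE
2008-07-16 09:01:13 DROP TCP 203.0.113.45 192.168.1.50 54322 135 48 S 1235 0 8192 - - - RECEIVE
2008-07-16 09:02:40 ALLOW TCP 198.51.100.7 192.168.1.50 40001 3389 48 S 9001 0 8192 - - - RECEIVE
2008-07-16 09:05:03 ALLOW TCP 203.0.113.99 192.168.1.50 1337 3389 48 S 777 0 8192 - - - RECEIVE
2008-07-16 09:05:04 ALLOW TCP 203.0.113.99 192.168.1.50 1338 3389 48 S 778 0 8192 - - - RECEIVE
2008-07-16 09:05:05 ALLOW TCP 203.0.113.99 192.168.1.50 1339 3389 48 S 779 0 8192 - - - RECEIVE
2008-07-16 09:06:10 ALLOW TCP 203.0.113.99 192.168.1.50 1340 445 48 S 780 0 8192 - - - RECEIVE
2008-07-16 09:07:00 DROP UDP 192.0.2.200 192.168.1.50 53 1434 29 - - - - - - - RECEIVE
2008-07-16 09:08:00 ALLOW TCP 192.168.1.20 192.168.1.50 50000 445 48 S 1 0 8192 - - - RECEIVE
"""

# Source networks treated as internal and left out of the report.
PRIVATE_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_log(text):
    """Yield each inbound (RECEIVE) record as a dict keyed by the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # header missing or malformed line: skip rather than guess
        rec = dict(zip(fields, parts))
        if rec["path"] == "RECEIVE":
            yield rec


def exposure_report(text, host_ip, intended_ports, trusted_nets=PRIVATE_NETS):
    """Per-port view of external traffic that reached host_ip.

    intended_ports: the (protocol, port) pairs you meant to forward, e.g. {("TCP", 3389)}.
    Returns counts per port, sources that touched several ports (scanners), and
    any ALLOWed (protocol, port) outside intended_ports; a non-empty list there
    means more than the single port is reachable, i.e. the 1:1 NAT case.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    per_port = defaultdict(lambda: {"allowed": 0, "dropped": 0, "sources": set()})
    ports_by_src = defaultdict(set)
    for rec in parse_log(text):
        if rec["dst-ip"] != host_ip or rec["dst-port"] == "-":
            continue  # other hosts, and ICMP rows that carry no port
        src = rec["src-ip"]
        if any(ipaddress.ip_address(src) in n for n in nets):
            continue
        key = (rec["protocol"], int(rec["dst-port"]))
        entry = per_port[key]
        entry["allowed" if rec["action"] == "ALLOW" else "dropped"] += 1
        entry["sources"].add(src)
        ports_by_src[src].add(key)
    unexpected = sorted(k for k, v in per_port.items() if v["allowed"] and k not in intended_ports)
    return {
        "per_port": {k: {"allowed": v["allowed"], "dropped": v["dropped"],
                         "sources": sorted(v["sources"])} for k, v in per_port.items()},
        "unexpected_allowed": unexpected,
        "multi_port_sources": sorted(s for s, ps in ports_by_src.items() if len(ps) >= 2),
        "fully_exposed": bool(unexpected),
    }


if __name__ == "__main__":
    report = exposure_report(SAMPLE_LOG, "192.168.1.50", {("TCP", 3389)})
    for (proto, port), v in sorted(report["per_port"].items()):
        print(f"{proto}/{port}: allowed={v['allowed']} dropped={v['dropped']} sources={v['sources']}")
    print("allowed on unintended ports:", report["unexpected_allowed"])
    print("sources touching several ports:", report["multi_port_sources"])
    print("more than the intended port is reachable:", report["fully_exposed"])
```

Run it over a real log after replacing SAMPLE_LOG with the file contents and host_ip with the forwarded host. If "allowed on unintended ports" is anything but an empty list, the rule is wider than a single-port forward; the "sources touching several ports" list is the scanning traffic the post describes, and it is a good reason to put the host behind the VPN instead.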


              • #8
                Re: RDC security

                Originally posted by GrantThomas
                In simplest terms, it is where you allow a tunnel between two or more sites to the internal LAN.

                OFFICE 1-----------Internal LAN-------------OFFICE2

                In your case you could use your house as one of the OFFICES.

                Since it can cause some confusion and complexity of keys, I think you may be better off installing www.logmein.com on your workstation.
                Ok so, if I have a VPN firewall at the office, but my CFO does not, how does "site-site" work?

                Does it still involve an RRAS server?



                • #9
                  Re: RDC security

                  Originally posted by Mudd
                  Ok so, if I have a VPN firewall at the office, but my CFO does not, how does "site-site" work?

                  Does it still involve an RRAS server?
                  Mudd, for your situation use RRAS and use the Windows VPN client to connect, then use the IP/NetBIOS name to connect to the remote computer.

                  I wouldnt bother setting up a site to site.



                  • #10
                    Re: RDC security

                    Ok RRAS is setup and seems to be working fine. It connects me to the network, but what can I do with this? Can I install a program on the remote machine and run it as if I was in the office on a client/server type setup?

                    Thanks



                    • #11
                      Re: RDC security

                      When you're using TS/RDP from home into the Office, you effectively ARE in the office. The desktop screen you see is the screen you would have if you were stood in the server room with the KVM screen and keyboard out. So - if you install an App (let's say it's Microsoft Office but that requires extra stuff to be done which I'll mention in a moment) then you will be using that app with access to network folders, printers and so on, in the office, as if you were sat at your desk.

                      Some apps will work without any special actions on a "Remote Administration" connection to the server. Microsoft Office, amongst others, will not. To use these power apps on a remote machine you must install Terminal Services and a terminal services licensing server (which should not be on a Terminal Services Server or on a Domain Controller). You also have to then switch the Terminal Services Server into Application Install mode, and install the application using appropriate Transform (MST) files. >>You can google all this stuff and you'll get Microsoft Articles galore about how to get this done<<. You then switch the Terminal Services Server back into Terminal Services mode, and start using the application remotely.

                      try using www.google.com/microsoft.html - it googles the Microsoft Knowledge Base and various other Microsoft sites as opposed to the whole Internet.


                      Tom



                      • #12
                        Re: RDC security

                        Originally posted by Mudd
                        Ok RRAS is setup and seems to be working fine. It connects me to the network, but what can I do with this? Can I install a program on the remote machine and run it as if I was in the office on a client/server type setup?

                        Thanks
                        I see what could be a gap in communication here. Let me ask a few questions first:
                        1. When you say "It connects me to the network" does that mean that you can successfully connect to the RRAS server from an XP machine outside of the network (that is to say: somewhere on the Internet) via a VPN connection that you created in XP with "New Connection Wizard" or the CMAK?
                          • If that is not what you mean, please explain what you mean a little bit more thoroughly
                        2. After you connect to the VPN from a client computer that is outside of the business network, can you ping computers that are on the business network?
                        3. Are you then using Remote Desktop to connect to a computer that is inside the business network from the computer that is outside of the network?


                        If you answered 'No' to any of those questions, then we're not quite where we need to be yet. If you answered 'yes' to each of those questions, then go re-read Stonelaughter's post.

                        It should also be noted that if you install an application on a remote machine (that is to say: a computer that is not on the business network) that needs to directly access a computer that is on the business network, a VPN will allow this. For instance, someone using Crystal Reports on their computer at home will not be able to query a database that is in the office. However, if you create a proper VPN that user will be able to use Crystal Reports at home.

                        Does this all make sense?
                        Last edited by Nonapeptide; 17th July 2008, 01:17.
                        Wesley David



                        • #13
                          Re: RDC security

                          Originally posted by Nonapeptide
                          I see what could be a gap in communication here. Let me ask a few questions first:
                          1. When you say "It connects me to the network" does that mean that you can successfully connect to the RRAS server from an XP machine outside of the network (that is to say: somewhere on the Internet) via a VPN connection that you created in XP with "New Connection Wizard" or the CMAK? YES
                            • If that is not what you mean, please explain what you mean a little bit more thoroughly
                          2. After you connect to the VPN from a client computer that is outside of the business network, can you ping computers that are on the business network? YES
                          3. Are you then using Remote Desktop to connect to a computer that is inside the business network from the computer that is outside of the network?
                          I was, but I now created a VPN so I can have a more secure connection to my office network.

                          If you answered 'No' to any of those questions, then we're not quite where we need to be yet. If you answered 'yes' to each of those questions, then go re-read Stonelaughter's post.

                          It should also be noted that if you install an application on a remote machine (that is to say: a computer that is not on the business network) that needs to directly access a computer that is on the business network, a VPN will allow this. For instance, someone using Crystal Reports on their computer at home will not be able to query a database that is in the office. However, if you create a proper VPN that user will be able to use Crystal Reports at home.

                          Does this all make sense?
                          Yes, I have successfully created a VPN using RRAS and the New Connection Wizard, logging into my domain so I have all the rights I would if I were at the office. Also, I installed QuickBooks here at home to test and it connected fine after mapping to the QuickBooks company file share. It's slow as hell, but I guess in exchange for security that's the deal.

                          Anyway, thanks for all you guys' help and suggestions. Good to know there are some good people out there that would take the time to help someone out.

                          Us I.T. junkies stick together. ROCK ON!



                          • #14
                            Re: RDC security

                            Originally posted by Mudd
                            Yes, I have successfully created a VPN using RRAS and the New Connection Wizard, logging into my domain so I have all the rights I would if I were at the office. Also, I installed QuickBooks here at home to test and it connected fine after mapping to the QuickBooks company file share. It's slow as hell, but I guess in exchange for security that's the deal.

                            Anyway, thanks for all you guys' help and suggestions. Good to know there are some good people out there that would take the time to help someone out.

                            Us I.T. junkies stick together. ROCK ON!
                            Mudd, any large file you open through the VPN on your machine will be pretty slow. I would recommend using the VPN to connect to your office and then remoting into your workstation at work (you may need to turn on Remote Desktop on your machine first), and using your QuickBooks that way; it will be much faster!



                            • #15
                              Re: RDC security

                              Originally posted by GrantThomas
                              Mudd, any large file you open through the VPN on your machine will be pretty slow. I would recommend using the VPN to connect to your office and then remoting into your workstation at work (you may need to turn on Remote Desktop on your machine first), and using your QuickBooks that way; it will be much faster!
                              I will add to this; DO NOT, under any circumstances, try to open Excel or Access files on the "home" machine direct from a share in the office. Make a local copy, work on the file at home on the local drive, and then copy it back. Excel and Access are particularly vulnerable to latency issues over WAN links resulting in corrupted files, frozen machines during save/write operations and various other terrible problems.


                              Tom
