Securely access Win2008R2 Remote Desktop over internet
  • Securely access Win2008R2 Remote Desktop over internet

    Hi All,

    I've just successfully set up an ADSL2+ internet connection at my customer's remote site, and I need to support and monitor one custom database application on that Windows Server 2008 R2 Std. instance. I wonder what is the best way to achieve this without using a 3rd party appliance or hardware?

    Shall I just install the Terminal Server Gateway (TSG) role on that server using a self-signed SSL certificate? (Access to that server would be by IP address.)

    Any kind of comments would be greatly appreciated.

    Thanks

  • #2
    Re: Securely access Win2008R2 Remote Desktop over internet

    Personally I would never open RDP ports to the internet. Generally speaking we use VPNs for remote support and RDP from there. PPTP is reasonably secure, or you can use L2TP or SSTP if you have a CA and appropriate clients connecting. IPSec may be an option if you have a Cisco router or similar as your edge device.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog



    • #3
      Re: Securely access Win2008R2 Remote Desktop over internet

      We use Remote Desktop and have IPSec configured in the local security policy to only allow access from the internal LAN and our office IP, which is static.


      Normally before configuring IPSec we ensure we have an alternate means of access or physical access to the machine then do this:

      Code:
      1) services.msc -> Make sure IPSec Service is enabled and running
      2) Administrative Tools -> Domain Controller Security Policy -> IP Security Policies on Active Directory (domain.local)
         NB: On non-SBS I think you have to use Local Security Policy as the Domain Controller isn't there. I don't have a 2008 machine to check right now
      3) Right click on blank space in right window -> Manage IP filter lists and filter actions
         a. Manage Filter Actions -> Add: Name= Deny, Action= Block (In SBS the Allow rule is already there; however, in 2008 Standard you have to also add a second action with the name Allow and action Permit)
         b. Manage IP Filter Lists -> Add: Name= Allow Terminal Services
            i.  Click Add
                1. Ensure Mirrored box is checked
                2. Source= A specific IP Address (Enter your IP here)
                3. Destination= My IP Address
                4. Protocol Type= TCP; From any port; To= 3389
            ii. Add (repeat for each local network adapter and specify subnet instead of IP)
         c. Manage IP Filter Lists -> Add: Name= Deny Terminal Services
            i.  Click Add
                1. Uncheck Mirrored box
                2. Source= Any
                3. Destination= My IP Address
                4. Protocol Type= TCP; From any port; To= 3389
      4) OK out back to main Policy window
      5) Right click on blank space in right window -> Create IP Security Policy
         a. Name= Terminal Services
         b. Uncheck Activate the default response rule
            Properties will automatically launch
         c. Click Add
            i.   Do not specify tunnel
            ii.  All network connections
            iii. Select Allow Terminal Services filter list
            iv.  Select Permit filter action
            v.   OK
         d. Click Add
            i.   Do not specify tunnel
            ii.  All network connections
            iii. Select Deny Terminal Services filter list
            iv.  Select Deny filter action
            v.   OK
      6) Right click Terminal Services and click "Assign"

      None of the configuration will be applied until you click Assign; at that point you will be locked out if you got it wrong!
      Last edited by beddo; 6th April 2010, 09:41.

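The same filter lists, filter actions and policy as the GUI steps above, scripted as an added example (not from beddo's post) with the "netsh ipsec static" context that ships with Server 2008 R2; the office IP 203.0.113.10 and LAN subnet 192.168.10.0/24 are assumed placeholders.

```batch
@echo off
rem Added example (not from the post above): scripted equivalent of the GUI steps,
rem using the "netsh ipsec static" context that ships with Server 2008 R2.
rem Placeholder values, assumed for this example; replace before running.
set ADMIN_IP=203.0.113.10
set LAN_NET=192.168.10.0
set LAN_MASK=255.255.255.0

rem Step 3a: filter actions (2008 Standard has no ready-made Permit action, so add both).
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Deny" action=block

rem Step 3b: allow list. mirrored=yes so the reply direction (server:3389 -> admin) matches too.
netsh ipsec static add filterlist name="Allow Terminal Services"
netsh ipsec static add filter filterlist="Allow Terminal Services" srcaddr=%ADMIN_IP% dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes
rem One more filter per local adapter, with its subnet instead of a single host.
netsh ipsec static add filter filterlist="Allow Terminal Services" srcaddr=%LAN_NET% srcmask=%LAN_MASK% dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

rem Step 3c: deny list, not mirrored, any source to me:3389 (srcport=0 means any port).
netsh ipsec static add filterlist name="Deny Terminal Services"
netsh ipsec static add filter filterlist="Deny Terminal Services" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=no

rem Step 5: policy with the default response rule off, plus the two rules
rem (no tunnel, all network connections).
netsh ipsec static add policy name="Terminal Services" assign=no activatedefaultrule=no
netsh ipsec static add rule name="Allow TS" policy="Terminal Services" filterlist="Allow Terminal Services" filteraction="Permit" conntype=all
netsh ipsec static add rule name="Deny TS" policy="Terminal Services" filterlist="Deny Terminal Services" filteraction="Deny" conntype=all

rem IPsec applies the most specific matching filter, so the host and subnet
rem permits take precedence over the any-source block. Review before assigning:
rem nothing is enforced until assign=yes, and a wrong source address locks you out.
netsh ipsec static show policy name="Terminal Services" level=verbose

rem Step 6: assign only from the console (or with another route in) after the review.
rem netsh ipsec static set policy name="Terminal Services" assign=yes
```

Run it from an elevated command prompt; the final assign line is left commented so the policy can be inspected first.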


      • #4
        Re: Securely access Win2008R2 Remote Desktop over internet

        For remote access, personally I would go for VPN connectivity.
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: Securely access Win2008R2 Remote Desktop over internet

          Thanks to all for the replies.

          From what I understand, TSG can securely publish the RDP port, SSL-secured, over port 443. But I don't know if this is the way to go for server monitoring from a remote location with minimal hardware investment (no Cisco hardware or 3rd party implementation).
