REMOTE DESKTOP SECURITY QUESTION! 500 POINTS!

Hello,

I have set up Remote Desktop so that I can access my server from home.  Many people have told me that this is not a secure option.  They have told me to use VNC or VPN tunneling.  I have no idea how to use these features to improve the security.

My server is a Windows Server 2003.


Can someone please provide me some knowledge on what to use to improve security and also offer STEP-BY-STEP instructions on how to implement these features?

Thank You
Asked by: NAPSR
 
2hype commented:
I would say that Remote Desktop is a secure way of connecting to your server from home.  The data sent between your home machine and server is encrypted.

To get the most security, I would create a VPN between your server at work and your computer at home.  Once you are connected to your work VPN, use Remote Desktop to access your server.
 
herbus commented:
Might need a little more info before we can help out... is the server you want to access behind a firewall or gateway?  If so, what firewall hardware, or if you have a gateway PC, what OS and firewall software is it running?

We need to determine how to get you into your server's network... the remote bit, once we get you connected, will be the easy bit...
 
rindi commented:
I think what you heard about VNC for security, you have probably misheard. VNC is a free "Terminal Server" software, similar to Remote Desktop. VPN on the other hand is what you need to get a secure connection. A lot of firewall devices have a VPN integrated. So you would just need to set that up, download the software necessary to connect to it from your home PC and off you go. Once connected, your home PC will appear to be directly connected to your work network, only a lot slower, of course.

Check products from Linksys, SonicWall or Cisco; they have VPN products.
 
Naser Gabaj (E&P Software Implementation Specialist) commented:
As for me, the best software to deploy for remote connection is NetSupport Manager.
Read about it here:
http://www.netsupportmanager.com

VPN stands for Virtual Private Network. It means you will use a public medium (the Internet) to connect to a remote user, and because the Internet is full of intruders and viruses, you need to secure the data transmitted between you and the other party. That's why they implement the VPN, which in other words means a network inside a network, because of the encryption and tunneling.
When the data leaves your PC through the Internet it becomes encrypted, and when it reaches the other party it is decrypted in order to make it readable.

Here is a link about how VPN works:
http://computer.howstuffworks.com/vpn.htm

Step by step VPN configuration:
http://www.microsoft.com/serviceproviders/whitepapers/configur_vpn_solution.asp

Also download this (you may find it an incomplete presentation, 92%) from this link; sorry, the link does not exist any more, but I brought it back for you from the web archive:
http://web.archive.org/web/20000916154926/www.firstvpn.com/papers/flash/ra_vpn.swf
http://web.archive.org/web/20030622060805/www.firstvpn.com/home/home.asp

I hope this helped.

Regards

Naser
 
NAPSR (author) commented:
Thank you all for your input.

I have a few basic questions:

I just set up the VPN on my server.  At home, I have to log in to the internet and then double-click the VPN connection and enter the username and password, which means that now I am connected to my work network.

After doing this at my home computer, do I just open the remote desktop connection and then connect to my desktop at work?

How have I made this secure?   I am still accessing the general internet or do I just access the VPN connection ONLY and then try the remote desktop connection?

Please help..

Thanks
 
2hype commented:
Now that you are connected to your LAN, just type your server name or server's local IP address into the Remote Desktop Connection and connect to it.

You have made it secure by connecting to the server through your VPN.  A VPN is a secure method (encryption etc.) of connecting to your work.  Since you are connecting to your server with the RDC through the VPN, your RDC session is using the security of your VPN.
 
rindi commented:
Yes, once the VPN is connected, you can connect remotely to your desktop, as long as you have set up the work PC so as to allow that through its firewall.
How secure you have made it depends on how secure the rest of your systems are. It also depends on the VPN you are using. They don't all use the same settings and neither do they use the same encryption levels. If you close your system so that when you aren't on the internet and only those ports you really need are open then the system is pretty secure. Of course you will also have to make sure your system is clean of viruses and other malware.
 
NAPSR (author) commented:
OK.. so I do not connect to the internet using my ISP but rather only connect to my server using VPN?

In other words, at my house, I use a dial-up modem connection and enter the phone number of my server and then connect to it.


Is there a way I can connect using VPN via the internet and not use a dial-up connection?

Thanks
 
Naser Gabaj (E&P Software Implementation Specialist) commented:
-->>After doing this at my home computer, do I just open the remote desktop connection and then connect to my desktop at work?

Yes that's all.

-->>How have I made this secure?   I am still accessing the general internet or do I just access the VPN connection ONLY and then try the remote desktop connection?

Yes, just access the VPN connection just after you log in to the Internet, because the VPN will take care of your security (encryption/decryption) for the data transmitted from and to your network, exactly the same way I explained to you in my last post.
 
rindi commented:
As long as you are connected to the internet, no matter what you use to connect to it (dial-up, broadband etc), you can use VPN.
 
2hype commented:
Yes.  Go through the Routing and Remote Access Wizard to create a VPN.  Open your ports on your firewall to allow the VPN traffic to come through.

When you go to your XP machine at home, create a new connection.  Create a connection using the New Connection Wizard.  Select "Virtual Private Network Connection" when creating the network connection.  Enter your server's IP address for the server to connect to.
 
NAPSR (author) commented:
Thank you all for the info.

Let's say I am at the library, can I still use VPN?  Or do I only have to use it where I can make a phone connection?  Do I use the server phone number?  Wouldn't this lead to extra phone charges?

Can you please tell me what ports I have to open on the Linksys firewall, and also are there any other particular settings I need to enter in the Routing and Remote Access area on the server?


I am using TightVNC (http://tightvnc.com) to access my desktop at work since I use Windows XP Home and not XP Professional.  I was able to access it from my house last night via the internet.  Now can I also use this software via the VPN?

Thanks
 
rindi commented:
What you need is the client software to connect to the VPN. If you don't have that in your library, you won't be able to connect, but as long as you do have that client and if you are using a private / public key system, and you have those keys, then you can connect.
 
2hype commented:
You can configure your VPN connection to allow connections through the Internet rather than dialing with a phone line into the VPN connection.  You can connect to your VPN anywhere you wish to as long as you have an Internet connection and as long as you have rights on the machine to create a VPN network connection.  Personally I would not connect to my VPN through a public library, but it definitely could be done.

Setting up to allow VPN connections on the server through Routing and Remote Access is pretty straightforward; just follow the instructions.

Here is a link to create the client connection to the VPN server: http://www.windowsnetworking.com/articles_tutorials/Client_Based_VPN_via_PPTP.html

Here is a link regarding what ports to open:
http://www.tomsnetworking.com/Sections-article49-page1.php
 
NAPSR (author) commented:
Ok...

At work, I have 2 separate internet connections.  So on my server, I enabled VPN and on my client computer on the separate dsl internet connection, I created a Virtual Private Network connection.  I opened port 1723 on my linksys firewall router.

I was able to successfully login!!!

Now on my client computer...since I am connected to my work server via the VPN, I can just open up Remote Desktop Connection and access my server desktop.


PLEASE TELL ME WHICH SCENARIO IS CORRECT:

SCENARIO 1 (on client computer at home):

1. Connected to AOL internet connection
2. Opened up Remote Desktop Connection
3. Accessed server desktop


SCENARIO 2 (on client computer at home):

1. Connected to AOL internet connection
2. Logged into Virtual Private Network
3. Opened up Remote Desktop Connection
4. Accessed server desktop


SCENARIO 3 (on client computer at home):

1. DID NOT MAKE INTERNET CONNECTION WITH AOL
2. Logged into Virtual Private Network
3. Opened up Remote Desktop Connection
4. Accessed server desktop


Please tell me which scenario above is better.

Thanks
 
2hype commented:
Scenario 2
 
NAPSR (author) commented:
Thanks... in order to use VPN, do I have to use just one port, port 1723, for remote desktop connection and for TightVNC (http://tightvnc.com)?

Thanks
 
2hype commented:
If you are connecting with Remote Desktop Connection or TightVNC through the VPN you will not need to open up any ports.

If you choose to access Remote Desktop Connection or TightVNC without connecting through the VPN you will have to open up ports 3389 and 5800/5900 (I think this is what TightVNC uses).
 
NAPSR (author) commented:
Just in case I am not able to use VPN while I am traveling, it is good that I have these ports open, right?  Or does this defeat the purpose of having the VPN?

Thank you for taking the time to help me.
 
2hype commented:
A VPN is just a secure method of connecting you to your workplace network.  A VPN allows you to access files/resources on your local network from home.

If you choose to open the ports and choose to connect without going through the VPN you are just choosing a less secure method of connecting to your server.  It will work fine though.
 
NAPSR (author) commented:
"If you are connecting with Remote Desktop Connection or Tight VNC through the VPN you will not need to open up any ports."

I closed port 3389 which is for remote desktop connection and then I logged onto VPN and tried to access the remote desktop connection but it would not work.
 
rindi commented:
If you have a software firewall on one or both the PCs you'll have to open those ports. You probably wouldn't be able to log on even if you were inside the LAN...
 
2hype commented:
What address are you typing into the Remote Desktop Client?  When connected through the VPN, ensure you are accessing the server by its name (ex. Server) or by its Local Area Network IP address (not the public Internet IP address).

Ex.  If your server's IP address on the LAN was 192.168.0.1, that is the address you would enter in the Remote Desktop Client.
 
NAPSR (author) commented:
So I do need to open port 3389 for remote desktop and port 5590 for TightVNC?  Is it safe to open those ports while using VPN?

After I connect using VPN, should I be able to access the server's Windows Explorer files?  If so, can you please tell me how to do it?

Thanks
 
2hype commented:
You only need to open 3389 and 5590 if you plan on accessing your server without going through the VPN.

Yes, you should be able to access the server's files.  Once connected, can you go to \\Servername or \\192.168.0.1 (the server's IP address)?  Does it list the server's shares?  If you go to My Network Places, do your network computers appear?
 
NAPSR (author) commented:
2hype,

Thanks!!  That worked!  I used the local IP address and was able to log in using both Remote Desktop Connection and the TightVNC software.

I went ahead and closed the Remote Desktop and TightVNC ports on the router.

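A check that follows from the port changes discussed above, as an added example that is not part of the original thread: run from a connection outside the office, it confirms that only the PPTP control port (1723) answers and that the Remote Desktop (3389) and TightVNC (5800/5900) ports no longer do. The function names are this example's own, and the router's public address is supplied on the command line.

```python
import socket
import sys

# Ports taken from the thread: 1723/TCP is the PPTP control port that was
# forwarded on the router; 3389 (Remote Desktop) and 5800/5900 (TightVNC)
# are the ports that were closed again once the VPN worked.
EXPECTED_OPEN = frozenset({1723})
EXPECTED_CLOSED = frozenset({3389, 5800, 5900})


def tcp_port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name not resolved
        return False


def audit_exposure(host, expected_open=EXPECTED_OPEN,
                   expected_closed=EXPECTED_CLOSED, timeout=3.0):
    """Compare what answers on `host` with the intended policy.

    Returns a list of (port, problem) tuples; an empty list means the
    exposure matches the policy.
    """
    findings = []
    for port in sorted(set(expected_open) | set(expected_closed)):
        reachable = tcp_port_open(host, port, timeout)
        if reachable and port in expected_closed:
            findings.append((port, "reachable from outside, expected closed"))
        elif not reachable and port in expected_open:
            findings.append((port, "not reachable, expected open"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_exposure.py <public address of your own router>")
    problems = audit_exposure(sys.argv[1])
    for port, problem in problems:
        print(f"port {port}: {problem}")
    # A TCP check cannot see GRE (IP protocol 47), which PPTP also needs.
    print("exposure matches policy" if not problems else "exposure differs from policy")
    sys.exit(1 if problems else 0)
```
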
 
NAPSR (author) commented:
I went into My Network Places... but I don't see it anywhere.  I went under "Web Client Network" but it says that there is no network connection.

Please help!
Thanks
 
2hype commented:
To get name resolution to work you have 2 options.

Option #1
Manually edit your LMHOSTS file on your Windows XP machine and add the computer names/IP addresses of the computers on your domain.
http://support.microsoft.com/?kbid=314108

Option #2
Otherwise you could install WINS on your server at your LAN.  Configure your clients to point to the WINS server (just add WINS to your DHCP options and enter your server's IP address).  The XP client will then look to your WINS server for name resolution.
 
NAPSR (author) commented:
Hi,


I set up the VPN at home on Windows 98 and am using Remote Desktop Connection and TightVNC through this connection.  I was able to do it successfully!!

But this morning, I came into the office and noticed that none of the desktop clients could retrieve their emails from the server.  I had to restart each of the desktops to be able to retrieve emails again.

When I restarted the server, it told me that "one or more clients had not logged off.." and I know for sure that I logged off of the VPN last night.

Does this have something to do with IP Default Gateway or Routing Table?

Can you please help..
Thanks
 
NAPSR (author) commented:
Should I not use VPN on Windows 98 at all and go back to opening separate ports for RDC and TightVNC?

Please help!!
 
rindi commented:
Are you sure you logged off from your VNC server and not only from your VNC session? Did you click on the Start button and select Log off, or did you just end the connection?
 
NAPSR (author) commented:
When I use TightVNC, I use it to log in to my desktop computer at work and not the server.  I just closed the browser that showed the remote desktop of my work computer.  I did not do a Start, Log off.
 
2hype commented:
You've got quite a few posts going on.

When it says users are still connected, I would assume that it was referring to your Remote Desktop Connection.  Was your Remote Desktop session disconnected or ended?  Were any of the users on the LAN accessing anything from the server that might have caused the warning of the users connected?  I usually get that error when I reboot my servers as well.

Connecting to your server through VPN should not affect your clients on your LAN in regards to accessing their Outlook Express.  Try connecting to your VPN again and see if it affects your users' Outlook Express.

What error was their Outlook Express getting?

If you're really concerned about security I would connect through the VPN to use my RDC and VNC.
 
2hype commented:
Ahhh

It gave you the users logged on because you didn't go Start --> Log off in your Remote Desktop session.  Therefore your session was still active.

To properly end your session you should log off.
 
NAPSR (author) commented:
But I ended my internet connection so I noticed last night that it also disconnected the VPN connection.  For the remote desktop connection, there is an "X" on the top tab and when I clicked that, a message popped up telling me that I was exiting the remote desktop connection.
 
2hype commented:
When you click the "X" on the top you are just closing the Remote Desktop window.  To actually log off the session you need to go Start --> Log off.

To see what I mean:  Connect to the server with Remote Desktop.  Open My Computer and then click the "X" on the top of the window.  Log back onto the Remote Desktop Connection with the same username.  When you log on you will notice My Computer is still open because you never ended the session.
 
NAPSR (author) commented:
Someone told me that I should try the following:

Yes on Client Uncheck "use default gateway on remote network" .  Go to your vpn connection properties ==> Networking tab ==> Tcp/IP properties ==> advanced

Right Click My Computer on Server -> Manage -> RAS (right Click -> Property) -> check Router, select LAN and Demand Dial Routing
and Remote Access Server should be checked.
Under IP tab enable all and create static pool


Do you agree?
 
2hype commented:
I agree with below.

"Yes on Client Uncheck "use default gateway on remote network" .  Go to your vpn connection properties ==> Networking tab ==> Tcp/IP properties ==> advanced"

What is the problem we are trying to troubleshoot?
 
NAPSR (author) commented:
The problem is:

I set up VPN and RAS on my server, which uses Windows Server 2003.  The server is behind a router so I opened port 1723 and allowed PPTP packets to pass through.  At home I have a Windows 98 machine.  I use Remote Desktop Connection to access my server desktop and TightVNC to access my office desktop.  From my Windows 98 computer, I logged into the VPN connection successfully.  After I did that, I accessed my server desktop using Remote Desktop Connection and accessed my office desktop using TightVNC.  I was successful in doing both from my Windows 98 machine.

When I came to work this morning, I noticed that employees on the work network could not access or send emails onsite.  Their Outlook Express applications would not make a connection to the server to send or receive emails.  I restarted the server and the router but still the same problem.  Then I restarted each employee's desktop and that solved the problem.

I need to know why this happened and how I can prevent this from happening again.  I did some research and found out it might have something to do with the default gateway or the IP Routing Table.

I am afraid to login through VPN again due to the email problems it might cause.

Please help!!

Thanks
 
2hype commented:
I can't think of a reason that clients would lose access to Outlook.  If it's not a big issue, I would connect to the VPN and see if the Outlook problem happens again or if it was a fluke that it happened the next day.

I could see the default gateway being an issue if it was the client connecting to the VPN having issues with the email problem.

Creating a VPN connection should have had no impact on the LAN, especially just impacting Outlook Express.
 
NAPSR (author) commented:
"Yes on Client Uncheck "use default gateway on remote network" .  Go to your vpn connection properties ==> Networking tab ==> Tcp/IP properties ==> advanced"

Earlier you suggested that I do the above task.  Will it help with my problem?  Are there any disadvantages to it?

Thanks for your help.
 
2hype commented:
I would say that it won't help you with the Outlook problem.

Unchecking "Use default gateway on remote network" is telling it that when you go on the internet, use your ISP's default gateway for internet access rather than your default gateway at your work.

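The effect of the "Use default gateway on remote network" box described above, as an added example that is not part of the original thread: a simplified model of the home PC's route table with the box checked and unchecked, showing which link each destination leaves by. The metrics, the 192.168.0.0/24 office subnet (inferred from the 192.168.0.1 example earlier) and the 203.0.113.10 and 198.51.100.25 addresses are assumptions made for the illustration.

```python
import ipaddress

OFFICE_LAN = "192.168.0.0/24"       # assumed subnet around the thread's 192.168.0.1
VPN_SERVER_PUBLIC = "203.0.113.10"  # placeholder public address (documentation range)


def client_routes(use_remote_gateway):
    """Simplified route table of the home PC while the VPN is connected.

    Each entry is (network, interface, metric); lower metric wins on ties.
    """
    routes = [
        # Default route from the ISP connection (dial-up, DSL, ...).
        (ipaddress.ip_network("0.0.0.0/0"), "isp", 20),
        # Host route so the tunnel's own packets reach the VPN server
        # over the ISP link rather than looping back into the tunnel.
        (ipaddress.ip_network(VPN_SERVER_PUBLIC + "/32"), "isp", 20),
        # The office LAN is reached through the tunnel in both modes.
        (ipaddress.ip_network(OFFICE_LAN), "vpn", 1),
    ]
    if use_remote_gateway:
        # Box checked: the VPN adds a default route that beats the ISP's.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "vpn", 1))
    return routes


def outgoing_interface(routes, destination):
    """Pick a route by longest prefix match, then lowest metric."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in r[0]]
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def compare_modes(destinations):
    """Map each destination to (interface if checked, interface if unchecked)."""
    checked, unchecked = client_routes(True), client_routes(False)
    return {d: (outgoing_interface(checked, d), outgoing_interface(unchecked, d))
            for d in destinations}


if __name__ == "__main__":
    sample = ["192.168.0.1",      # server's LAN address (from the thread)
              VPN_SERVER_PUBLIC,  # tunnel endpoint
              "198.51.100.25"]    # constructed stand-in for any Internet site
    for dest, (on, off) in compare_modes(sample).items():
        print(f"{dest:15}  checked -> {on:3}   unchecked -> {off}")
```

With the box unchecked the home PC is on the Internet and the office LAN at the same time (split tunnelling), so the home machine's own firewall and patch state matter more; with it checked, Internet traffic from home also crosses the office link.
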
 
NAPSR (author) commented:
Hi 2hype,

I came back this morning and I did not log in to the VPN last night and one of the employee's computers had the same issue.  The error number was 0X800CCC0F.  I looked it up on Microsoft's website and they have a variety of possible causes.  Could it be that when that person's Outlook Express was trying to retrieve emails, the server was too busy to answer?  Would this cause it to give that error?  Once the server was not busy anymore, I thought that the error message would go away but I had to restart that employee's computer to fix the problem.

Thanks.
 
2hype commented:
Did any other employees have issues with connecting to the email?  Is the email server on your LAN?  Could you ping the email server from the workstations having difficulty?  It sounds like a problem with Outlook Express not being able to contact the email server.
 
NAPSR (author) commented:
Only one employee's computer had that problem.  My desktop connected successfully.  We have only one server which acts as the web and mail server and it is on our LAN.  I didn't try pinging it but just restarted it.

"It sounds like a problem with the Outlook Express not being able to contact the Email Server."

It may be that the server was too busy so it could not connect.  But when the server was not busy, wouldn't the Outlook Express client be able to connect and not show that error anymore?
 
2hype commented:
Are there any Event Viewer errors on the server?

Are there any Event Viewer errors on the workstation?
 
NAPSR (author) commented:
Where can I find the Event Viewer errors on a Windows XP Home Edition workstation?
 
2hype commented:
Not too familiar with Home Edition. If it's not located in Control Panel, Administrative Tools, it probably does not exist.
 
rindi commented:
Maybe you have to start in safe mode to find those extra features.
 
NAPSR (author) commented:
I have another internet connection here and I am going to try to log in using VPN into Remote Desktop Connection and TightVNC.  I will see if I get any errors.
 
NAPSR (author) commented:
I connected to the VPN and one of the employees could not send or receive emails!!  Same problem!!

I am just going to not use VPN.  I will be out of town next week and cannot afford to have the email problem occurring again.  I will just open the ports for Remote Desktop Connection and TightVNC.  Since the username and password is sent encrypted, I don't think I will have to worry too much about security.

Any suggestions are appreciated.
