Solved

Do I Need a VPN to do Remote Desktop?

Posted on 2007-03-27
Last Modified: 2013-11-15
Are VPNs truly necessary to do remote desktop through the Internet?
Question by:HKComputer
7 Comments
 
LVL 1

Accepted Solution

by:
runxctry earned 200 total points
ID: 18803123
It is not necessary.  You can do a remote desktop without a VPN.  

It is a little complex to sniff the remote desktop traffic, and obtain valuable data from it.  So if random script kiddies are your concern, I wouldn't worry too much.  

That being said, if security is a concern, you WILL want to set up a VPN connection between the two computers.  Windows XP has a VPN utility built in.  Click network connections, new network connection, and follow the wizard.

If you are running Windows 2003 Server as the server, take the following steps to secure the connection:

====
FROM http://www.windowsecurity.com/articles/Windows_Terminal_Services.html

Using Encryption

You can use encryption to protect the data that travels between the terminal server and the terminal services client. If you fear unauthorized interception of the data as it travels between the two, you should enable encryption. RSA RC4 encryption is used; encryption can be set to one of the following three levels:

    * High: encrypts both the data sent from client to server and the data sent from server to client using a 128 bit key.
    * Medium: encrypts both the data sent from client to server and the data sent from server to client using a 56 bit key if the client is a Windows 2000 or above client, or a 40 bit key if the client is an earlier version.
    * Low: encrypts only the data sent from client to server, using either a 56 or 40 bit key, depending on the client version. Useful to protect usernames and passwords sent from client to server.

To change the encryption level, you must be an administrator. In Programs | Administrative Tools, select Terminal Services Configuration and perform these steps:

   1. In the left console pane, select Connections.
   2. In the right details pane, right click RDP-TCP and select Properties.
   3. Click the General tab.
   4. Under Encryption level, select the desired level in the drop down box and click OK.
====


0
 
LVL 9

Expert Comment

by:rshooper76
ID: 18803793
You don't need a VPN to do RDP as long as you have a way to get to the computer that you want to connect to.  If you are behind a firewall, then you may need to port forward port 3389 (RDP).  What a VPN will do for you is allow someone to get into the local network from anywhere on the internet.  I hope this helps.
0
 
LVL 4

Author Comment

by:HKComputer
ID: 18805078
Yeah. I wasn't very descriptive in my original post. I want to run an RDP session to an XP Pro computer that sits behind a router. I will perform the necessary port forwarding to make it work.

I was a little concerned about security but I wanted to know how risky it really is to run RDP through the Internet.
0
 

Assisted Solution

by:alexyala
alexyala earned 200 total points
ID: 18807533
RDP itself has a lot of known vulnerabilities.
The best practice is to VPN into the network via VPN, then run RDP client to connect to your XP Pro computer.
This way you have peace of mind that there is no security breach.

Surely, punching a hole in your router/firewall will allow you to connect to your computer. But if you have to do it this way, you need to at least change the port of the listening RDP.  See http://support.microsoft.com/kb/306759
To connect via different port you can use the command line mstsc /v:<servername/ip address>:<port number>
For example, change the listening port of your Windows XP Pro to 33389, then you need to open the TCP port 33389 on your router/firewall to forward to your PC IP address on port 33389. From an external source you connect using mstsc /v:<servername>:33389 OR run mstsc, and in the computer field type in your <server name/IP address>:33389

I hope this helps.
Good luck.
0
 
LVL 4

Author Comment

by:HKComputer
ID: 18807685
That is very much what I was looking for. I'm a little opposed to running a VPN because I'm having trouble finding an affordable VPN solution for a single RDP connection into a small peer to peer network. I see so many VPN appliances available but I don't really understand how I can keep it simple and affordable, yet have a good solid VPN. If someone has some advice on this I'd listen. :)

As a side question, when a Server OS hosts several RDP connections, do all RDP sessions take place on the same port?
0
 

Assisted Solution

by:alexyala
alexyala earned 200 total points
ID: 18812526
Surely there are some cheap VPN solutions, but you really would like to consider a solution that is reliable, robust and supported.

As the answer to your side question, when you change the listening port number for RDP for a server, it will affect all sessions. For example, if you change the port number to 33389 on the server, all the local workstations will need to be changed as well to 33389.

As an alternative (if supported by your router/firewall), you can set the incoming port to 33389 on the external, but translate the port number to 3389 to the LAN IP address (your server). This way, you don't have to change how the local workstations connect to the server.
0
 
LVL 9

Assisted Solution

by:rshooper76
rshooper76 earned 100 total points
ID: 18820393
There are a lot of people that have open RDP ports.  I would not personally do this, but it is done.  You can get a Linksys VPN solution for a little over $100.00 if you really want to do RDP over VPN.  Changing the port like alexyala says can help with security, however the port is still open, and thus the risk is still there.  Don't get me wrong you are reducing the risk, but you are not eliminating it.
0
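
Added example, not part of any answer in this thread: a small Python audit of the two settings discussed above (the RDP-Tcp listening port and the encryption level), run over the text output of `reg query` for the RDP-Tcp key. The value names `PortNumber` and `MinEncryptionLevel`, the numeric level mapping and the sample output are assumptions not given in the thread; the sample is constructed.

```python
import re

# Assumed key: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
DEFAULT_PORT = 3389
# Assumed mapping of MinEncryptionLevel to the level names quoted in the thread
# (level 2 is labelled "Client Compatible" on Windows Server 2003).
LEVELS = {1: "Low", 2: "Medium", 3: "High", 4: "FIPS"}

# Constructed sample of `reg query` output (not taken from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    PortNumber    REG_DWORD    0x826d
    MinEncryptionLevel    REG_DWORD    0x1
"""

DWORD_LINE = re.compile(
    r"^[ \t]+(\S+)[ \t]+REG_DWORD[ \t]+0x([0-9a-fA-F]+)[ \t]*\r?$", re.M)

def parse_dwords(text):
    """Return {value_name: int} for every REG_DWORD line in reg query output."""
    return {name: int(hexval, 16) for name, hexval in DWORD_LINE.findall(text)}

def audit_rdp(text):
    """Return (port, level_name, findings) for one host's RDP-Tcp settings."""
    values = parse_dwords(text)
    port = values.get("PortNumber", DEFAULT_PORT)
    level = LEVELS.get(values.get("MinEncryptionLevel"), "unknown")
    findings = []
    if level == "Low":
        findings.append("encryption Low: server-to-client data is not encrypted")
    elif level == "Medium":
        findings.append("encryption Medium: 56- or 40-bit key; High uses 128-bit")
    elif level == "unknown":
        findings.append("MinEncryptionLevel missing or unrecognised")
    if port != DEFAULT_PORT:
        findings.append(f"listener moved to {port}: the forwarded port is still open")
    else:
        findings.append("listener on default port 3389")
    return port, level, findings

if __name__ == "__main__":
    port, level, findings = audit_rdp(SAMPLE)
    print(f"port={port} level={level}")
    for finding in findings:
        print(" -", finding)
```
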
