Solved

Do I Need a VPN to do Remote Desktop?

Posted on 2007-03-27
Last Modified: 2013-11-15
Are VPNs truly necessary to do remote desktop through the Internet?
Question by:HKComputer
7 Comments
 
LVL 1

Accepted Solution

by:
runxctry earned 800 total points
ID: 18803123
It is not necessary.  You can do a remote desktop without a VPN.  

It is a little complex to sniff the remote desktop traffic, and obtain valuable data from it.  So if random script kiddies are your concern, I wouldn't worry too much.  

That being said, if security is a concern, you WILL want to set up a VPN connection between the two computers.  Windows XP has a VPN utility built in.  Click network connections, new network connection, and follow the wizard.

If you are running Windows 2003 Server as the server, take the following steps to secure the connection:

====
FROM http://www.windowsecurity.com/articles/Windows_Terminal_Services.html

Using Encryption

You can use encryption to protect the data that travels between the terminal server and the terminal services client. If you fear unauthorized interception of the data as it travels between the two, you should enable encryption. RSA RC4 encryption is used; encryption can be set to one of the following three levels:

    * High: encrypts both the data sent from client to server and the data sent from server to client using a 128 bit key.
    * Medium: encrypts both the data sent from client to server and the data sent from server to client using a 56 bit key if the client is a Windows 2000 or above client, or a 40 bit key if the client is an earlier version.
    * Low: encrypts only the data sent from client to server, using either a 56 or 40 bit key, depending on the client version. Useful to protect usernames and passwords sent from client to server.

To change the encryption level, you must be an administrator. In Programs | Administrative Tools, select Terminal Services Configuration and perform these steps:

   1. In the left console pane, select Connections.
   2. In the right details pane, right click RDP-TCP and select Properties.
   3. Click the General tab.
   4. Under Encryption level, select the desired level in the drop down box and click OK.
====


0
 
LVL 9

Expert Comment

by:rshooper76
ID: 18803793
You don't need a VPN to do RDP as long as you have a way to get to the computer that you want to connect to.  If you are behind a firewall, then you may need to port forward port 3389 (RDP).  What a VPN will do for you is allow someone to get into the local network from anywhere on the internet.  I hope this helps.
0
 
LVL 4

Author Comment

by:HKComputer
ID: 18805078
Yeah. I wasn't very descriptive in my original post. I want to run an RDP session to an XP Pro computer that sits behind a router. I will perform the necessary port forwarding to make it work.

I was a little concerned about security but I wanted to know how risky it really is to run RDP through the Internet.
0
 

Assisted Solution

by:alexyala
alexyala earned 800 total points
ID: 18807533
RDP itself has a lot of known vulnerabilities.
The best practice is to VPN into the network via VPN, then run RDP client to connect to your XP Pro computer.
This way you have peace of mind that there is no security breach.

Surely, punching a hole in your router/firewall will allow you to connect to your computer. But if you have to do it this way, you need to at least change the port of the listening RDP.  See http://support.microsoft.com/kb/306759
To connect via different port you can use the command line mstsc /v:<servername/ip address>:<port number>
For example, change the listening port of your Windows XP Pro to 33389, then you need to open the TCP port 33389 on your router/firewall to forward to your PC IP address on port 33389. From external source you connect using mstsc /v:<servername>:33389 OR run mstsc, in the computer field type in your <server name/IP address>:33389

I hope this helps.
Good luck.
0
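
As an added example (not part of the thread or the quoted article), this read-only PowerShell check reports the RDP listener's port and encryption level, so the settings discussed above can be confirmed after changing them. It assumes the standard RDP-Tcp listener registry key with its PortNumber and MinEncryptionLevel values and English netstat output; Get-RdpListenerAudit is a name chosen here.

```powershell
# Added example, not from the thread: read-only audit of this machine's RDP listener.
# Assumptions: the standard RDP-Tcp listener key and English netstat output.
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListenerAudit {
    param([string]$Path = $ListenerKey)

    $cfg   = Get-ItemProperty -Path $Path -ErrorAction Stop
    $port  = [int]$cfg.PortNumber
    $level = [int]$cfg.MinEncryptionLevel   # becomes 0 if the value is absent

    # Level names as shown in Terminal Services Configuration
    # (2 is "Medium" on Windows 2000 and "Client Compatible" on Server 2003).
    $names = @{ 1 = 'Low'; 2 = 'Medium (Client Compatible)'; 3 = 'High'; 4 = 'FIPS Compliant' }
    $levelName = if ($names.ContainsKey($level)) { $names[$level] } else { "Unknown ($level)" }

    # Look for a LISTENING TCP socket on exactly the configured port (IPv4 or IPv6).
    $pattern   = '^\s*TCP\s+\S+:{0}\s+\S+\s+LISTENING' -f $port
    $listening = @(netstat -an | Select-String -Pattern $pattern)

    $findings = @()
    if ($port -eq 3389) {
        $findings += 'Listener is on the default port 3389.'
    }
    if ($level -lt 3) {
        $findings += "Encryption level is $levelName; High uses a 128-bit key in both directions."
    }
    if ($listening.Count -eq 0) {
        $findings += "Nothing is listening on TCP $port; a changed port applies only after a restart."
    }

    New-Object PSObject -Property @{
        Port            = $port
        EncryptionLevel = $levelName
        Listening       = ($listening.Count -gt 0)
        Findings        = $findings
    }
}

Get-RdpListenerAudit | Format-List
```

Run it from an administrator prompt on the machine that accepts the RDP connection; an empty Findings list means a non-default port, High (or FIPS) encryption, and an active listener on the configured port.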
 
LVL 4

Author Comment

by:HKComputer
ID: 18807685
That is very much what I was looking for. I'm a little opposed to running a VPN because I'm having trouble finding an affordable VPN solution for a single RDP connection into a small peer to peer network. I see so many VPN appliances available but I don't really understand how I can keep it simple and affordable, yet have a good solid VPN. If someone has some advice on this I'd listen. :)

As a side question, when a Server OS hosts several RDP connections, do all RDP sessions take place on the same port?
0
 

Assisted Solution

by:alexyala
alexyala earned 800 total points
ID: 18812526
Surely there are some cheap VPN solutions, but you really would like to consider a solution that is reliable, robust and supported.

As the answer to your side question, when you change the listening port number for RDP for a server, it will affect all sessions. For example, if you change the port number to 33389 on the server, all the local workstations will need to be changed as well to 33389.

As an alternative (if supported by your router/firewall), you can set the incoming port to 33389 on the external, but translate the port number to 3389 to the LAN IP address (your server). This way, you don't have to change how the local workstations connect to the server.
0
 
LVL 9

Assisted Solution

by:rshooper76
rshooper76 earned 400 total points
ID: 18820393
There are a lot of people that have open RDP ports.  I would not personally do this, but it is done.  You can get a Linksys VPN solution for a little over $100.00 if you really want to do RDP over VPN.  Changing the port like alexyala says can help with security, however the port is still open, and thus the risk is still there.  Don't get me wrong, you are reducing the risk, but you are not eliminating it.
0
