How to use Remote Desktop to remotely connect directly to a workstation

Hi Experts,

I am able to use Remote Desktop to remotely connect to our Server (using a service like dyndns.org).

But I would like to remotely connect to one of the Workstations, e.g. with an IP like 192.168.1.10.

Is it possible to do this?

Regards,
Leigh
 
Henschel Commented:
What are you using for a firewall? Typically you can assign a DMZ address on the firewall that corresponds with the address of the firewall/router and a port (RDP in this case). The DMZ rule essentially redirects traffic destined for the router/firewall address and the port you define to the internal RDP Client.

There is a good article for setting up Remote Desktop Web Connections @ http://www.microsoft.com/windowsxp/using/networking/expert/northrup_03may16.mspx

If you wanted to make it a little more secure, or set up multiple private IP Clients, there are instructions for changing the RDP Listening Port @
http://support.microsoft.com/kb/306759

Changing from the default port is a good idea to prevent someone from easily scanning your router for RDP Connections.

Hope that gets you started.



 
dis1931 Commented:
Hello LeighWardle,

Depends, I have used it at home and configured my router to forward this traffic to my workstation that had a 192.168.xxx.xxx address.  However, dyndns.org needs to point to a real externally accessible address.  If you have a public internet address to use then you can set that up to use dyndns.org and then configure your firewall to pass this traffic to the internal address.

So it depends on your firewall configuration and whether you have another address to use.

Alternatively, since you can connect to the Server...if it is an internal server then you should be on the same network as the workstation and you could remote desktop from it to the workstation...

Regards,

dis1931
 
cottsak Commented:
ur router is prob forwarding all traffic to ur server now including the port 3389 traffic for the RDP connection. simply pick another port like 13389 (for example) and forward that port on ur router to ur internal 192.168.1.10 address. make sure for the forwarding entry that the external port is 13389 and the internal port (to the local address) is 3389. this way, when u connect to ur same dyndns.org address but with the new port (eg. myserver.dyndns.org:13389) using RDP, the connection will be with ur other internal computer.
peace
 
dis1931 Commented:
It makes sense to do it that way if you are limited for addresses.  I work for a larger company and that is considered bad practice but certainly nothing wrong with it except it can get a little confusing after tons of devices but it sounds like this will only be for a couple of devices
 
Jeffrey Kane - TechSoEasy, Principal Consultant Commented:
Since this is a Small Business Server environment, you would connect to the desktops directly using Remote Web Workplace.

For details about RWW, please see http://sbsurl.com/rww

Workstations must have been joined properly to the domain in order for RWW to work though.  This means that you joined all workstations to the domain using IE going to http://<servername>/connectcomputer.  If you didn't use this method, correct it by following the steps I've outlined here:  http://sbsurl.com/rejoin

Jeff
TechSoEasy
 
Cláudio Rodrigues, Founder and CEO Commented:
You can always connect to the server and while on it, simply go to RUN and launch MSTSC. Then type the internal IP of any of the PCs and you will connect to it. RDP over RDP. :-)
Works great.

Claudio Rodrigues

Microsoft MVP
Windows Server - Terminal Services
 
tmoon Commented:
Why not RDP into Server (secure) and bounce around using VNC on the inside?  Would be secure since you are already "inside" the LAN.
 
LeighWardle, Author Commented:
I haven't tested this solution yet, but it looks the easiest for me to implement.
Thanks to the other experts for their contributions.

Regards,
Leigh
 
Jeffrey Kane - TechSoEasy, Principal Consultant Commented:
I really need to point out that the solution you accepted would not only open your network to unnecessary security risks, but would definitely cause additional management efforts over the long term.  If you don't use the built-in Remote Web Workplace, you should at the very least take tsmvp's recommendation and RDP first to the server and then to a workstation.  (see http://sbsurl.com/m.jpg for an example of how this might look).

Jeff
TechSoEasy
 
cottsak Commented:
TechSoEasy,
for completeness, would you be able to point out the specific "unnecessary security risks" in my suggestion?

Leigh,
if you feel you need more security, the next easiest option i think would be to set up a VPN server on your server. this is quite easy to do, just google it up. i use this method. it makes it easier to connect to any local system (provided it's configured to do so).
i'd also like to point out that i have tried tsmvp's method too and i feel that you might get frustrated with working this way - (1) navigating nested RDP sessions is difficult due to the fact that the control bar overlaps itself in successive sessions (annoying) and (2) the more RDP sessions you have nested, the usability lag increases exponentially. in short - don't nest RDP sessions. use VPN then RDP to the local address.
Peace
 
Jeffrey Kane - TechSoEasy, Principal Consultant Commented:
The security risks are such that RDP directly into XP has been known to be fallible to DoS Attacks.  While the previously discovered vulnerability has been patched (http://www.microsoft.com/technet/security/advisory/904797.mspx) there is always the potential for others... and having to watch the status of each workstation's patch/update status is just another level of effort/complication that doesn't need to exist.

Jeff
TechSoEasy
 
LeighWardle, Author Commented:
Hi cottsak and Jeff,

Thanks for your additional comments.

Although my question was posed in terms of Remote Desktop, I will probably use UltraVNC.
My two motivations are:

1) I also need to remotely connect to a Windows 2000 Pro workstation.  I understand there isn't Remote Desktop host software for Windows 2000 Pro.

2) It's easy to use end-to-end encryption using the MSRC4 Plugin available from http://msrc4plugin.home.comcast.net/index.html

Wouldn't end-to-end encryption satisfy the security concerns?

Regards,
Leigh
 
cottsak Commented:
Jeff,
i think the likelihood of the web server hosting RWW being exploited via DoS (or another kind of attack) is many times more likely than RDP being re-targeted for exploit via DoS. a web server responds to so much more than RDP and so to boil this all down, it's not really a security risk, at least in relative terms.
also, it should be noted that "having to watch the status of each workstation's patch/update status" is not only not complicated but part of the standard job description of a studious Admin.
no software is ever perfect, it must constantly be updated.
Peace

 
cottsak Commented:
Leigh,
VNC works too.
i'd like to point out that the current version of RDP already uses 128bit RC4 encryption (like the MSRC4 Plugin) so you're not 'adding' security strength with this plugin. it's well known that the RC4 cipher has been cracked but the AES has not to date [side channels don't count]. i'd suggest the AESV2 Plugin if u must use VNC and you want useable security strength.
Peace
 
Jeffrey Kane - TechSoEasy, Principal Consultant Commented:
Remote Web Workplace provides End-to-End encryption by default without the need to install any additional software.  That's because it runs over port 443 using SSL.

If you are needing to connect to a Windows 2000 Pro workstation, then you would need a separate remote desktop solution for that, and VNC works just fine, as does LogMeIn Free, which is what I use for the random Win2K desktops that still exist.

cottsak... you're missing the point, which may be due to you not working with SBS on a regular basis.  SBS includes a number of things which make administration of a small business network easier and less complicated, and therefore MORE secure.  Your comment regarding the "likelihood of a web server hosting RWW being exploited via DoS" shows that you don't truly understand how RWW works, and that it uses a PROXY port (4125).  You can review the details of how this works here:  http://sbsurl.com/rww

Jeff
TechSoEasy
 
tmoon Commented:
or VPN into the inside and RDP / VNC using private addresses... kind of like a man in the middle attack being prevented by one side's nearsightedness ;)
 
cottsak Commented:
VPN secures the connection at a single point and provides the most flexibility.
you should always try not to have a direct remote connection to any internal computer, so some sort of secured VPN; gateway; proxy (for my RWW friend) is suggested.

i have not used the RWW solution, but for convenience and fast setup it seems handy if it's available. the only reason i'd suggest to steer clear of it would be the fact that it's an ActiveX beast which means it requires the notoriously insecure and flawed Internet Explorer (but i won't enter THAT debate! lol).

for sure, use VNC but use it thru a VPN (of some sort).
Peace
 
Jeffrey Kane - TechSoEasy, Principal Consultant Commented:
cottsak... thanks for the somewhat support of what I was trying to say.  just FYI, ActiveX technology can be used to create an insecure situation, but the use of known ActiveX plug-ins is not in and of itself insecure.
 
cottsak Commented:
TechSoEasy,

"but the use of known ActiveX plug-ins is not in and of itself insecure"
granted, but the use of IE is in and of itself insecure (comparatively).

 
Jeffrey Kane - TechSoEasy, Principal Consultant Commented:
The use of IE is not insecure (comparatively).  It has the potential to be less secure because it offers significantly more for the end-user by way of ActiveX controls.  There is ALWAYS a trade-off between security and functionality... because the MOST secure computer is one that's unplugged.  But that particular configuration is quite difficult to use for much of anything except keeping the door to the server room from swinging shut when the wind blows.

 
Jeffrey Kane - TechSoEasy, Principal Consultant Commented:
You might be interested in reading an article describing "Good Enough Security" which was written a couple years ago and is rather pertinent to this discussion:  http://sbsurl.com/security
 
cottsak Commented:
TechSoEasy,
thanx for the linkage. i'll keep that in mind. i'd prefer not to debate IE vs [other browsers]. i think we can agree to disagree on this one?
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer, IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator Commented:
You can set the RDP on the workstation to a different port and connect that way.  I have a client that has 1 server and 5 workstations.  The Server uses 3389 and the workstations use 9999, 9998, 9997, 9996 and 9995.  I have a port forward rule in the router/firewall to each box.  I connect RDP to the particular port to get to the machine I want.
 
Jeffrey Kane - TechSoEasy, Principal Consultant Commented:
samccarthy,

Setting a workstation to use a different port is not more secure than using RWW, which proxies the connection and is ultimately much more secure.  Any port scanner can find an open port and attempt to gain access via RDP if you change the port.  But using RWW stealths port 4125, and only allows a connection once authenticated.  You might want to review this as outlined here:  http://sbsurl.com/rww

Jeff
TechSoEasy
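
Added example, not part of the thread and not any poster's code: RDP identifies itself in the first bytes a client sends (a TPKT header followed by an X.224 Connection Request), so an audit of router forwards can recognise it on any port number, which is why moving it to 13389 or 9999 does not hide it. The captured flows, the `workstation-1` name and the cookie user are constructed sample data; the port numbers are the ones mentioned in the posts above.

```python
import struct

def looks_like_rdp(payload: bytes) -> bool:
    """True if a connection's first client bytes are an RDP X.224 Connection Request."""
    if len(payload) < 11:                      # 4-byte TPKT header + 7-byte X.224 header
        return False
    version, _reserved, length = struct.unpack(">BBH", payload[:4])
    if version != 3 or not 11 <= length <= len(payload):
        return False
    length_indicator, tpdu_code = payload[4], payload[5]
    # The length indicator counts the X.224 bytes after itself; 0xE0 marks a Connection Request.
    return length_indicator == length - 5 and (tpdu_code & 0xF0) == 0xE0

def sample_rdp_request(user: bytes = b"user") -> bytes:
    """Constructed sample of the opening packet an RDP client sends."""
    cookie = b"Cookie: mstshash=" + user + b"\r\n"
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, 0x00000001)  # RDP_NEG_REQ asking for TLS
    x224 = bytes([6 + len(cookie) + len(neg_req), 0xE0]) + b"\x00" * 5 + cookie + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

# Constructed capture: (external port on the router, internal target, first client bytes).
FLOWS = [
    (3389, "server", sample_rdp_request()),
    (13389, "192.168.1.10", sample_rdp_request()),   # external 13389 -> internal 3389
    (9999, "workstation-1", sample_rdp_request()),   # listener moved to 9999 on the PC
    (443, "server", b"\x16\x03\x01\x00\x2e" + b"\x00" * 46),  # start of a TLS handshake
]

def rdp_forwards(flows):
    """External ports whose traffic is RDP, whatever port number they use."""
    return sorted(port for port, _target, payload in flows if looks_like_rdp(payload))

if __name__ == "__main__":
    for port in rdp_forwards(FLOWS):
        print(f"external port {port} carries RDP")
```
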
 
juanfermin Commented:
If opening ports up is an issue, I like to use LogMeIn Free, or if I need to print remotely then LogMeIn Pro or IT Reach.  It connects using a 256 bit connection (unlike VNC) and is just as fast and responsive as Remote Desktop.

Also, if you have Windows Small Business Server, you can use Remote web workplace, which uses secured connections, though it can only work with Internet Explorer.