Solved

How to enable secure Remote Desktop access from the internet using Windows 2008 ?

Posted on 2009-05-15
14
582 Views
Last Modified: 2012-05-07
To All Windows Server Expert,

I wonder if Windows Server 2008 does have the capability for me to secure port 3389 that i open for remote desktop using internet.

What security measure should i put in place to allow me securely access my Windows Server 2008 from home.

Thanks.
0
Comment
Question by:jjoz
  • 6
  • 4
  • 3
  • +1
14 Comments
 
LVL 6

Accepted Solution

by:
MikeGGG earned 100 total points
ID: 24393790
you can, of course, use remote desktop over internet, but it is not recommended due to lack of security.

but you can, for example:
- use VPN
- use 3rd party commercial software which will secure communication between your PC and remote server, for example TeamViewer or VNC Enterprise.
0
 
LVL 22

Assisted Solution

by:Paka
Paka earned 100 total points
ID: 24393947
Get a look at this great article on securing RDP:
http://www.mobydisk.com/techres/securing_remote_desktop.html

If you are really concerned, you can setup an IPSEC tunnel with certificates issued for the end-points.
0
 
LVL 1

Author Comment

by:jjoz
ID: 24394611
Thanks for the reply mike,
I'll have a look into using TightVNC Enterprise.

Paka,
using IPSEC tunnel with certificate, is it possible for me to use my current SSL certificate ?
0
 
LVL 22

Assisted Solution

by:Paka
Paka earned 100 total points
ID: 24394940
The link I provided will prevent all but the most determined hackers.  It is usually best to stand up an Enterprise CA to issue IPSEC certs (mainly for ease of implementation and because you control the crypto).  I've seen articles on how to do it with third party certs, but the success on these implementations are pretty low.  

Although it's a little older, this is one of the better guides on how to setup a certificate based tunnel.  

Note:  You want to be very careful in implementing this tunnel because doing improperly can result in total loss of access to your server over the wire...



0
 
LVL 1

Author Comment

by:jjoz
ID: 24395474
wow, that sounds scary for the wrong configuration ;-|

but that's a good idea to setup an enterprise CA service for the Windows 2008 server and then importing the .cer file into my workstation which will access the server.

I'll try that over the weekend and see how it goes.
0
 
LVL 22

Expert Comment

by:Paka
ID: 24395608
If you think that's scary, we went with a smartcard authenticated session riding on a certificate encrypted tunnel!
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24398241

The new Terminal Services Gateway feature, introduced in Server 2008, is what you need. This enables users to launch sessions via an encrypted HTTPS channel to the Server 2008 box, which then proxies them to the back-end Terminal Server.

A TS Gateway can be deployed directly on the Terminal Server, or as it is intended, it can be deployed on a dedicated server into the DMZ.

-Matt
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 1

Author Comment

by:jjoz
ID: 24432483
wow, that is very great idea in utilizing the built in features of Windows Server 2008.

If I'd like to implement it into a virtualized box, can I deploy it together with the ISA Server 2006 Std ?

HomeProject.jpg
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 300 total points
ID: 24435224

TS Gateway will sit on any machine, virtual or physical. Provided the machine has access to the network to route Terminal Server session traffic you will not have a problem.

It also integrates nicely with ISA Server 2006. There is a good article at http://technet.microsoft.com/en-us/magazine/cc742827.aspx which details exactly what you need to configure to get this working.

-Matt
0
 
LVL 1

Author Comment

by:jjoz
ID: 24437660
thanks Matt,

I shall now run Windows Server 2008 Std. x86 TS Gateway + ISA Server 2006 so that i can securely publish my port 389 to the ADSL2+ modem.
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 300 total points
ID: 24445248

Bear in mind TS Gateway should have port 443 published, because it uses the HTTPS protocol through to the TSG server. You should not publish 3389 and should most definitely not open 389 to the Internet.

-Matt
0
 
LVL 1

Author Comment

by:jjoz
ID: 24446611
OK, so it is quite simple then for this matter,

port 443 (as the RDP published by the ISA Server will be going through this port)
port 80 - website
port 25 - mail traffic

yes, it all make sense.
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 300 total points
ID: 24457507

That looks correct to me. Once the TSG is installed and configured, it is then simply a case of setting the address of the TSG on the 'Advanced' tab of the RDP Client when making a connection.

You need to ensure you have a trusted third-party SSL certificate published for the TSG (this may be done in ISA, but having never worked in ISA I cannot say for sure). http://technet.microsoft.com/en-us/magazine/cc742827.aspx which I posted before sums it up nicely.

-Matt
0
 
LVL 1

Author Closing Comment

by:jjoz
ID: 31581854
Thanks for the response guys.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now