How to enable secure Remote Desktop access from the internet using Windows 2008 ?

To All Windows Server Expert,

I wonder if Windows Server 2008 does have the capability for me to secure port 3389 that i open for remote desktop using internet.

What security measure should i put in place to allow me securely access my Windows Server 2008 from home.

Thanks.
LVL 1
jjozAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
MikeGGGConnect With a Mentor Commented:
you can, of course, use remote desktop over internet, but it is not recommended due to lack of security.

but you can, for example:
- use VPN
- use 3rd party commercial software which will secure communication between your PC and remote server, for example TeamViewer or VNC Enterprise.
0
 
PakaConnect With a Mentor Commented:
Get a look at this great article on securing RDP:
http://www.mobydisk.com/techres/securing_remote_desktop.html

If you are really concerned, you can setup an IPSEC tunnel with certificates issued for the end-points.
0
 
jjozAuthor Commented:
Thanks for the reply mike,
I'll have a look into using TightVNC Enterprise.

Paka,
using IPSEC tunnel with certificate, is it possible for me to use my current SSL certificate ?
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
PakaConnect With a Mentor Commented:
The link I provided will prevent all but the most determined hackers.  It is usually best to stand up an Enterprise CA to issue IPSEC certs (mainly for ease of implementation and because you control the crypto).  I've seen articles on how to do it with third party certs, but the success on these implementations are pretty low.  

Although it's a little older, this is one of the better guides on how to setup a certificate based tunnel.  

Note:  You want to be very careful in implementing this tunnel because doing improperly can result in total loss of access to your server over the wire...



0
 
jjozAuthor Commented:
wow, that sounds scary for the wrong configuration ;-|

but that's a good idea to setup an enterprise CA service for the Windows 2008 server and then importing the .cer file into my workstation which will access the server.

I'll try that over the weekend and see how it goes.
0
 
PakaCommented:
If you think that's scary, we went with a smartcard authenticated session riding on a certificate encrypted tunnel!
0
 
tigermattCommented:

The new Terminal Services Gateway feature, introduced in Server 2008, is what you need. This enables users to launch sessions via an encrypted HTTPS channel to the Server 2008 box, which then proxies them to the back-end Terminal Server.

A TS Gateway can be deployed directly on the Terminal Server, or as it is intended, it can be deployed on a dedicated server into the DMZ.

-Matt
0
 
jjozAuthor Commented:
wow, that is very great idea in utilizing the built in features of Windows Server 2008.

If I'd like to implement it into a virtualized box, can I deploy it together with the ISA Server 2006 Std ?

HomeProject.jpg
0
 
tigermattConnect With a Mentor Commented:

TS Gateway will sit on any machine, virtual or physical. Provided the machine has access to the network to route Terminal Server session traffic you will not have a problem.

It also integrates nicely with ISA Server 2006. There is a good article at http://technet.microsoft.com/en-us/magazine/cc742827.aspx which details exactly what you need to configure to get this working.

-Matt
0
 
jjozAuthor Commented:
thanks Matt,

I shall now run Windows Server 2008 Std. x86 TS Gateway + ISA Server 2006 so that i can securely publish my port 389 to the ADSL2+ modem.
0
 
tigermattConnect With a Mentor Commented:

Bear in mind TS Gateway should have port 443 published, because it uses the HTTPS protocol through to the TSG server. You should not publish 3389 and should most definitely not open 389 to the Internet.

-Matt
0
 
jjozAuthor Commented:
OK, so it is quite simple then for this matter,

port 443 (as the RDP published by the ISA Server will be going through this port)
port 80 - website
port 25 - mail traffic

yes, it all make sense.
0
 
tigermattConnect With a Mentor Commented:

That looks correct to me. Once the TSG is installed and configured, it is then simply a case of setting the address of the TSG on the 'Advanced' tab of the RDP Client when making a connection.

You need to ensure you have a trusted third-party SSL certificate published for the TSG (this may be done in ISA, but having never worked in ISA I cannot say for sure). http://technet.microsoft.com/en-us/magazine/cc742827.aspx which I posted before sums it up nicely.

-Matt
0
 
jjozAuthor Commented:
Thanks for the response guys.
0
All Courses

From novice to tech pro — start learning today.