Solved

How to enable secure Remote Desktop access from the internet using Windows 2008 ?

Posted on 2009-05-15
14
584 Views
Last Modified: 2012-05-07
To All Windows Server Expert,

I wonder if Windows Server 2008 does have the capability for me to secure port 3389 that i open for remote desktop using internet.

What security measure should i put in place to allow me securely access my Windows Server 2008 from home.

Thanks.
0
Comment
Question by:jjoz
  • 6
  • 4
  • 3
  • +1
14 Comments
 
LVL 6

Accepted Solution

by:
MikeGGG earned 100 total points
ID: 24393790
you can, of course, use remote desktop over internet, but it is not recommended due to lack of security.

but you can, for example:
- use VPN
- use 3rd party commercial software which will secure communication between your PC and remote server, for example TeamViewer or VNC Enterprise.
0
 
LVL 22

Assisted Solution

by:Paka
Paka earned 100 total points
ID: 24393947
Get a look at this great article on securing RDP:
http://www.mobydisk.com/techres/securing_remote_desktop.html

If you are really concerned, you can setup an IPSEC tunnel with certificates issued for the end-points.
0
 
LVL 1

Author Comment

by:jjoz
ID: 24394611
Thanks for the reply mike,
I'll have a look into using TightVNC Enterprise.

Paka,
using IPSEC tunnel with certificate, is it possible for me to use my current SSL certificate ?
0
 
LVL 22

Assisted Solution

by:Paka
Paka earned 100 total points
ID: 24394940
The link I provided will prevent all but the most determined hackers.  It is usually best to stand up an Enterprise CA to issue IPSEC certs (mainly for ease of implementation and because you control the crypto).  I've seen articles on how to do it with third party certs, but the success on these implementations are pretty low.  

Although it's a little older, this is one of the better guides on how to setup a certificate based tunnel.  

Note:  You want to be very careful in implementing this tunnel because doing improperly can result in total loss of access to your server over the wire...



0
 
LVL 1

Author Comment

by:jjoz
ID: 24395474
wow, that sounds scary for the wrong configuration ;-|

but that's a good idea to setup an enterprise CA service for the Windows 2008 server and then importing the .cer file into my workstation which will access the server.

I'll try that over the weekend and see how it goes.
0
 
LVL 22

Expert Comment

by:Paka
ID: 24395608
If you think that's scary, we went with a smartcard authenticated session riding on a certificate encrypted tunnel!
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24398241

The new Terminal Services Gateway feature, introduced in Server 2008, is what you need. This enables users to launch sessions via an encrypted HTTPS channel to the Server 2008 box, which then proxies them to the back-end Terminal Server.

A TS Gateway can be deployed directly on the Terminal Server, or as it is intended, it can be deployed on a dedicated server into the DMZ.

-Matt
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Author Comment

by:jjoz
ID: 24432483
wow, that is very great idea in utilizing the built in features of Windows Server 2008.

If I'd like to implement it into a virtualized box, can I deploy it together with the ISA Server 2006 Std ?

HomeProject.jpg
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 300 total points
ID: 24435224

TS Gateway will sit on any machine, virtual or physical. Provided the machine has access to the network to route Terminal Server session traffic you will not have a problem.

It also integrates nicely with ISA Server 2006. There is a good article at http://technet.microsoft.com/en-us/magazine/cc742827.aspx which details exactly what you need to configure to get this working.

-Matt
0
 
LVL 1

Author Comment

by:jjoz
ID: 24437660
thanks Matt,

I shall now run Windows Server 2008 Std. x86 TS Gateway + ISA Server 2006 so that i can securely publish my port 389 to the ADSL2+ modem.
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 300 total points
ID: 24445248

Bear in mind TS Gateway should have port 443 published, because it uses the HTTPS protocol through to the TSG server. You should not publish 3389 and should most definitely not open 389 to the Internet.

-Matt
0
 
LVL 1

Author Comment

by:jjoz
ID: 24446611
OK, so it is quite simple then for this matter,

port 443 (as the RDP published by the ISA Server will be going through this port)
port 80 - website
port 25 - mail traffic

yes, it all make sense.
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 300 total points
ID: 24457507

That looks correct to me. Once the TSG is installed and configured, it is then simply a case of setting the address of the TSG on the 'Advanced' tab of the RDP Client when making a connection.

You need to ensure you have a trusted third-party SSL certificate published for the TSG (this may be done in ISA, but having never worked in ISA I cannot say for sure). http://technet.microsoft.com/en-us/magazine/cc742827.aspx which I posted before sums it up nicely.

-Matt
0
 
LVL 1

Author Closing Comment

by:jjoz
ID: 31581854
Thanks for the response guys.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now