Solved

How to enable secure Remote Desktop access from the internet using Windows 2008?

Posted on 2009-05-15
Last Modified: 2012-05-07
To all Windows Server experts,

I wonder if Windows Server 2008 has the capability for me to secure port 3389, which I open for Remote Desktop over the internet.

What security measures should I put in place to allow me to securely access my Windows Server 2008 from home?

Thanks.
0
Question by:jjoz
14 Comments
 
LVL 6

Accepted Solution

by:
MikeGGG earned 400 total points
ID: 24393790
You can, of course, use Remote Desktop over the internet, but it is not recommended due to lack of security.

But you can, for example:
- use a VPN
- use 3rd-party commercial software which will secure communication between your PC and the remote server, for example TeamViewer or VNC Enterprise.
0
 
LVL 22

Assisted Solution

by:Paka
Paka earned 400 total points
ID: 24393947
Take a look at this great article on securing RDP:
http://www.mobydisk.com/techres/securing_remote_desktop.html

If you are really concerned, you can set up an IPSEC tunnel with certificates issued for the end-points.
0
 
LVL 1

Author Comment

by:jjoz
ID: 24394611
Thanks for the reply, Mike,
I'll have a look into using TightVNC Enterprise.

Paka,
using an IPSEC tunnel with a certificate, is it possible for me to use my current SSL certificate?
0

 
LVL 22

Assisted Solution

by:Paka
Paka earned 400 total points
ID: 24394940
The link I provided will prevent all but the most determined hackers. It is usually best to stand up an Enterprise CA to issue IPSEC certs (mainly for ease of implementation and because you control the crypto). I've seen articles on how to do it with third-party certs, but the success on these implementations is pretty low.

Although it's a little older, this is one of the better guides on how to set up a certificate-based tunnel.

Note: You want to be very careful in implementing this tunnel because doing it improperly can result in total loss of access to your server over the wire...



0
 
LVL 1

Author Comment

by:jjoz
ID: 24395474
Wow, that sounds scary for the wrong configuration ;-|

But that's a good idea to set up an enterprise CA service for the Windows 2008 server and then import the .cer file into my workstation which will access the server.

I'll try that over the weekend and see how it goes.
0
 
LVL 22

Expert Comment

by:Paka
ID: 24395608
If you think that's scary, we went with a smartcard authenticated session riding on a certificate encrypted tunnel!
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24398241

The new Terminal Services Gateway feature, introduced in Server 2008, is what you need. This enables users to launch sessions via an encrypted HTTPS channel to the Server 2008 box, which then proxies them to the back-end Terminal Server.

A TS Gateway can be deployed directly on the Terminal Server, or, as it is intended, it can be deployed on a dedicated server in the DMZ.

-Matt
0
 
LVL 1

Author Comment

by:jjoz
ID: 24432483
Wow, that is a very great idea, utilizing the built-in features of Windows Server 2008.

If I'd like to implement it on a virtualized box, can I deploy it together with ISA Server 2006 Std?

HomeProject.jpg
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 1200 total points
ID: 24435224

TS Gateway will sit on any machine, virtual or physical. Provided the machine has access to the network to route Terminal Server session traffic you will not have a problem.

It also integrates nicely with ISA Server 2006. There is a good article at http://technet.microsoft.com/en-us/magazine/cc742827.aspx which details exactly what you need to configure to get this working.

-Matt
0
 
LVL 1

Author Comment

by:jjoz
ID: 24437660
Thanks Matt,

I shall now run Windows Server 2008 Std. x86 TS Gateway + ISA Server 2006 so that I can securely publish my port 389 to the ADSL2+ modem.
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 1200 total points
ID: 24445248

Bear in mind TS Gateway should have port 443 published, because it uses the HTTPS protocol through to the TSG server. You should not publish 3389 and should most definitely not open 389 to the Internet.

-Matt
0
 
LVL 1

Author Comment

by:jjoz
ID: 24446611
OK, so it is quite simple then for this matter,

port 443 (as the RDP published by the ISA Server will be going through this port)
port 80 - website
port 25 - mail traffic

Yes, it all makes sense.
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 1200 total points
ID: 24457507

That looks correct to me. Once the TSG is installed and configured, it is then simply a case of setting the address of the TSG on the 'Advanced' tab of the RDP Client when making a connection.

You need to ensure you have a trusted third-party SSL certificate published for the TSG (this may be done in ISA, but having never worked in ISA I cannot say for sure). http://technet.microsoft.com/en-us/magazine/cc742827.aspx which I posted before sums it up nicely.

-Matt
0
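
A check for the exposure tigermatt describes above (443 published with a trusted certificate, 3389 and 389 not reachable), as an added example that is not part of the original thread; run it from a machine outside your network. The host name `tsg.example.com` and the function names are placeholders chosen for this example.

```powershell
# Added example: run from OUTSIDE your network (e.g. the home PC).
# 'tsg.example.com' is a placeholder; pass your own TS Gateway's public name.
param([string]$GatewayHost = 'tsg.example.com')

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # filtered or timed out
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-GatewayCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # No custom validation callback: SslStream applies the default policy,
        # so the chain must end at a trusted root and the name must match $HostName.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return "trusted: $($cert.Subject), expires $($cert.NotAfter)"
    } catch {
        return "NOT trusted or no TLS: $($_.Exception.Message)"
    } finally { $client.Close() }
}

# Expected exposure per the thread: 443 published; 3389 (RDP) and 389 (LDAP) closed.
$expected = @{ 443 = $true; 3389 = $false; 389 = $false }
foreach ($port in $expected.Keys | Sort-Object) {
    $open   = Test-TcpPort -HostName $GatewayHost -Port $port
    $status = if ($open -eq $expected[$port]) { 'OK' } else { 'FIX' }
    "{0,-4} port {1,-5} open={2} (expected {3})" -f $status, $port, $open, $expected[$port]
}
"443 certificate: " + (Test-GatewayCertificate -HostName $GatewayHost)
```

Any line marked `FIX`, or a certificate result starting with `NOT trusted`, means the publishing rules or the gateway certificate differ from what the thread recommends.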
 
LVL 1

Author Closing Comment

by:jjoz
ID: 31581854
Thanks for the response guys.
0
