Solved

Remote desktop access using SSL to Windows XP workstations

Posted on 2011-02-16
775 Views
Last Modified: 2012-05-11
We have numerous Windows XP Pro PCs attached to our network. Each PC has had its RDP listening port set to a unique port number and remote access is enabled. On the network router each of those ports is forwarded to its respective PC on the LAN. The remote users put in the static public WAN address then the port number and they can attach to their respective PCs in the office using Windows Remote Desktop.

After a security audit for PCI compliance (credit card security) we have been instructed to use SSL for RDP in order to be compliant. How can this be done?

What is the easiest way to do that in this scenario?
Question by:mjyoundt
12 Comments
 
LVL 25

Expert Comment

by:RobMobility
ID: 34906389
Hi,

SSL means forcing TLS connections (i.e. encrypted) to your XP Workstations.

Regards,


RobMobility.
0
 
LVL 5

Expert Comment

by:danubian
ID: 34906421
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 34906434
Hi,

Are your XP clients running SP3? This includes an updated RDP client that supports NLA.

Regards,


RobMobility.
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 34907032
Hi,

I don't believe that you can enforce SSL connections for XP to XP, only TLS (SSL) for XP to Windows 2003. You might be able to enforce 128 bit RC4 encryption:

This might be of assistance: http://www.mobydisk.com/techres/securing_remote_desktop.html

You could look at establishing an RDP connection via SSH or using VNC over SSH instead?

Regards,


RobMobility.
0
 
LVL 25

Accepted Solution

by:
RobMobility earned 250 total points
ID: 34907045
Hi,

This might help you with RDP over SSH:

http://theillustratednetwork.mvps.org/Ssh/RemoteDesktopSSH.html

Regards,


RobMobility.
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 34907699
Hi,

I can confirm that you can run RDP over an SSH connection (using AES encryption, for example) - I've just done this to an XP VM - took about 5 minutes to install an SSH server on the XP client, configure it, configure a Putty connection and connect.

The above guide was used.

Regards,


RobMobility.
0
 

Author Closing Comment

by:mjyoundt
ID: 34916680
Provided solution was helpful but I needed additional info to successfully accomplish my task
0
 

Author Comment

by:mjyoundt
ID: 34916696
In order to rollout putty to the remote users, can I pre-configure the connection info in a file?
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 34916767
4.27 Storing configuration in a file
PuTTY does not currently support storing its configuration in a file instead of the Registry. However, you can work around this with a couple of batch files.

You will need a file called (say) PUTTY.BAT which imports the contents of a file into the Registry, then runs PuTTY, exports the contents of the Registry back into the file, and deletes the Registry entries. This can all be done using the Regedit command line options, so it's all automatic. Here is what you need in PUTTY.BAT:

@ECHO OFF
regedit /s putty.reg
regedit /s puttyrnd.reg
start /w putty.exe
regedit /ea new.reg HKEY_CURRENT_USER\Software\SimonTatham\PuTTY
copy new.reg putty.reg
del new.reg
regedit /s puttydel.reg

This batch file needs two auxiliary files: PUTTYRND.REG which sets up an initial safe location for the PUTTY.RND random seed file, and PUTTYDEL.REG which destroys everything in the Registry once it's been successfully saved back to the file.

Here is PUTTYDEL.REG:

REGEDIT4
 
[-HKEY_CURRENT_USER\Software\SimonTatham\PuTTY]

Here is an example PUTTYRND.REG file:

REGEDIT4
 
[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY]
"RandSeedFile"="a:\\putty.rnd"

You should replace a:\putty.rnd with the location where you want to store your random number data. If the aim is to carry around PuTTY and its settings on one floppy, you probably want to store it on the floppy.


0
 
LVL 25

Expert Comment

by:RobMobility
ID: 34916798
Hi,

Settings are in HKCU > Software > SimonTatham > Putty > connectionname (where this is what you have previously saved).

You can then export and import this key into the HKCU of the machines you want to modify.

Regards,


RobMobility.
0
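As an added example (not code from the thread, from RobMobility, or from the PuTTY manual quoted above), this batch file ties the two answers together for a remote user: it writes a pre-configured PuTTY session into the Registry key described above, with a local forward from the loopback port 3390 to the XP PC's RDP port, launches PuTTY with that session, and then points mstsc at the loopback end of the tunnel. The session name, hostname, username and port numbers are placeholders to adjust per PC; the value names (HostName, PortNumber, Protocol, UserName, PortForwardings, LocalPortAcceptAll) are PuTTY's own Registry settings.

```batch
@ECHO OFF
REM Added example: deploy a PuTTY session for RDP-over-SSH and use it.
REM All host/user/port values below are placeholders (assumptions).
SETLOCAL
SET SESSION=OfficePC-SSH
SET SSH_HOST=office-pc.example.com
SET SSH_USER=remoteuser
SET RDP_PORT=3389
SET LOCAL_PORT=3390
SET REGFILE=%TEMP%\%SESSION%.reg

REM Build the .reg file. REGEDIT4 needs a blank line after the header.
> "%REGFILE%" ECHO REGEDIT4
>>"%REGFILE%" ECHO.
>>"%REGFILE%" ECHO [HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\%SESSION%]
>>"%REGFILE%" ECHO "Protocol"="ssh"
>>"%REGFILE%" ECHO "HostName"="%SSH_HOST%"
REM SSH port 22 as a REGEDIT4 dword (hex 16).
>>"%REGFILE%" ECHO "PortNumber"=dword:00000016
>>"%REGFILE%" ECHO "UserName"="%SSH_USER%"
REM Forward local 3390 to the RDP listener on the SSH server itself.
>>"%REGFILE%" ECHO "PortForwardings"="L%LOCAL_PORT%=127.0.0.1:%RDP_PORT%"
REM 0 = the forwarded port listens on loopback only, so nothing else on the
REM remote user's LAN can reach the office PC through this tunnel.
>>"%REGFILE%" ECHO "LocalPortAcceptAll"=dword:00000000

REM Import silently, then remove the temporary file.
regedit /s "%REGFILE%"
DEL "%REGFILE%"

REM Open the tunnel; PuTTY prompts for the SSH credentials and, on first
REM use, shows the server's host key fingerprint for the user to verify.
START "" putty.exe -load "%SESSION%"
ECHO Log in to the PuTTY window, then press any key to start Remote Desktop.
PAUSE >NUL

REM Connect RDP to the loopback end of the tunnel, not to the WAN address.
mstsc /v:127.0.0.1:%LOCAL_PORT%
ENDLOCAL
```

Because the session is imported into HKCU, it only becomes available to the user who runs the script; once the PuTTY and router configuration is in place the public RDP port forwards in the original setup can be closed, leaving only the SSH port reachable from outside.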
 
LVL 25

Expert Comment

by:RobMobility
ID: 34926578
Hi,

The alternative would be to configure incoming connections on each XP machine and then RDP to them once you have established a VPN to the client? The VPN would be using PPTP over 128 Bit encryption.

I would suggest that you configure a static range for IP address assignment to the VPN client when connected - you can then change the firewall to accept incoming connections only from that IP address range (scope).

Tutorial here:

http://www.onecomputerguy.com/networking/xp_vpn_server.htm

Hope this helps.

Regards,


RobMobility.
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 34926601
Hi again,

Just following on, if you set the IP address assignment on the end point (the server) to say 10.10.1.10 to 10.10.1.20, then that machine will get an IP address of 10.10.1.10 and your client will get 10.10.1.11.

When using mstsc.exe (RDP client) you'd enter in 10.10.1.10 as the machine you're RDP'ing to rather than its physical IP address.

When you establish the VPN connection, you'd use the physical IP address of the host.

Remember, if a firewall client is running, you need to allow remote desktop from the 10.10.1.0 scope only, otherwise someone may try to connect to the machine from another address.

Regards,


RobMobility.
0
