
Remote desktop access using SSL to Windows XP workstations

Posted on 2011-02-16
Last Modified: 2012-05-11
We have numerous Windows XP Pro PCs attached to our network. Each PC has had its RDP listening port set to a unique port number and remote access is enabled. On the network router each of those ports is forwarded to its respective PC on the LAN. The remote users put in the static public WAN address then the port number and they can attach to their respective PCs in the office using Windows Remote Desktop.

After a security audit for PCI compliance (credit card security) we have been instructed to use SSL for RDP in order to be compliant. How can this be done?

What is the easiest way to do that in this scenario?
Question by:mjyoundt
 
LVL 25

Expert Comment

by:RobMobility
ID: 34906389
Hi,

SSL means forcing TLS connections (i.e. encrypted) to your XP Workstations.

Regards,


RobMobility.
0
 
LVL 5

Expert Comment

by:danubian
ID: 34906421
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 34906434
Hi,

Are your XP clients running SP3? This includes an updated RDP client that supports NLA.

Regards,


RobMobility.
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 34907032
Hi,

I don't believe that you can enforce SSL connections for XP to XP, only TLS (SSL) for XP to Windows 2003. You might be able to enforce 128-bit RC4 encryption.

This might be of assistance: http://www.mobydisk.com/techres/securing_remote_desktop.html

You could look at establishing an RDP connection via SSH or using VNC over SSH instead?

Regards,


RobMobility.
0
 
LVL 25

Accepted Solution

by:RobMobility (earned 250 total points)
ID: 34907045
Hi,

This might help you with RDP over SSH:

http://theillustratednetwork.mvps.org/Ssh/RemoteDesktopSSH.html

Regards,


RobMobility.
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 34907699
Hi,

I can confirm that you can run RDP over an SSH connection (using AES encryption, for example) - I've just done this to an XP VM - took about 5 minutes to install an SSH server on the XP client, configure it, configure a PuTTY connection and connect.

The above guide was used.

Regards,


RobMobility.
0
Author Closing Comment

by:mjyoundt
ID: 34916680
Provided solution was helpful but I needed additional info to successfully accomplish my task
0
 

Author Comment

by:mjyoundt
ID: 34916696
In order to rollout putty to the remote users, can I pre-configure the connection info in a file?
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 34916767
4.27 Storing configuration in a file
PuTTY does not currently support storing its configuration in a file instead of the Registry. However, you can work around this with a couple of batch files.

You will need a file called (say) PUTTY.BAT which imports the contents of a file into the Registry, then runs PuTTY, exports the contents of the Registry back into the file, and deletes the Registry entries. This can all be done using the Regedit command line options, so it's all automatic. Here is what you need in PUTTY.BAT:

@ECHO OFF
regedit /s putty.reg
regedit /s puttyrnd.reg
start /w putty.exe
regedit /ea new.reg HKEY_CURRENT_USER\Software\SimonTatham\PuTTY
copy new.reg putty.reg
del new.reg
regedit /s puttydel.reg
This batch file needs two auxiliary files: PUTTYRND.REG which sets up an initial safe location for the PUTTY.RND random seed file, and PUTTYDEL.REG which destroys everything in the Registry once it's been successfully saved back to the file.

Here is PUTTYDEL.REG:

REGEDIT4
 
[-HKEY_CURRENT_USER\Software\SimonTatham\PuTTY]
Here is an example PUTTYRND.REG file:

REGEDIT4
 
[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY]
"RandSeedFile"="a:\\putty.rnd"
You should replace a:\putty.rnd with the location where you want to store your random number data. If the aim is to carry around PuTTY and its settings on one floppy, you probably want to store it on the floppy.

0
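The RDP-over-SSH setup from the accepted solution and the follow-up question about pre-configuring PuTTY for rollout, as an added example that is not part of the original thread or of PuTTY's own code: a small Python generator for a .reg export that pre-loads one PuTTY session (SSH host and port plus a loopback-only local forward of the RDP port), so it can be imported with regedit /s in the batch-file approach quoted above. The registry value names are PuTTY's; the session name, host, ports and user name are constructed sample values.

```python
from urllib.parse import quote

SESSIONS_KEY = r"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions"


def reg_sz(name, value):
    """Format a REG_SZ line; .reg syntax escapes backslashes and double quotes."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{name}"="{escaped}"'


def reg_dword(name, value):
    """Format a REG_DWORD line; .reg files take the value as 8 hex digits."""
    return f'"{name}"=dword:{value:08x}'


def putty_tunnel_session(session_name, ssh_host, ssh_port, local_port,
                         rdp_port, rdp_host="127.0.0.1", user=None):
    """Return REGEDIT4 text for a PuTTY session that forwards
    127.0.0.1:<local_port> on the remote user's PC, through SSH on ssh_host,
    to <rdp_host>:<rdp_port> as seen from the SSH server (the XP box itself
    when the SSH server is installed on it, as in the thread)."""
    for port in (ssh_port, local_port, rdp_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    # PuTTY stores the forwarding list as comma-terminated "L<src>=<host>:<dst>" entries.
    forwarding = f"L{local_port}={rdp_host}:{rdp_port},"
    lines = [
        "REGEDIT4",
        "",
        # PuTTY percent-encodes session names under Sessions ("Office PC" -> "Office%20PC").
        f"[{SESSIONS_KEY}\\{quote(session_name, safe='')}]",
        reg_sz("HostName", ssh_host),
        reg_dword("PortNumber", ssh_port),
        reg_sz("Protocol", "ssh"),
        reg_sz("PortForwardings", forwarding),
        # 0 = the forwarded port listens on loopback only, so other hosts on the
        # remote user's LAN cannot ride the tunnel into the office RDP listener.
        reg_dword("LocalPortAcceptAll", 0),
    ]
    if user:
        lines.append(reg_sz("UserName", user))
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Constructed sample values (hypothetical): SSH server on the XP box behind the
    # office WAN address, with that box's RDP listener moved to port 3391.
    print(putty_tunnel_session("Office PC 1", "203.0.113.10", 22, 3390, 3391, user="jsmith"))
```

Once the export has been imported and the PuTTY session is open, the remote user points mstsc.exe at 127.0.0.1:3390 and the RDP traffic rides the SSH tunnel instead of hitting the forwarded router port directly.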
 
LVL 25

Expert Comment

by:RobMobility
ID: 34916798
Hi,

Settings are in HKCU > Software > SimonTatham > PuTTY > connectionname (where this is what you have previously saved).

You can then export and import this key into the HKCU of the machines you want to modify.

Regards,


RobMobility.
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 34926578
Hi,

The alternative would be to configure incoming connections on each XP machine and then RDP to them once you have established a VPN to the client? The VPN would be using PPTP over 128-bit encryption.

I would suggest that you configure a static range for IP address assignment to the VPN client when connected - you can then change the firewall to accept incoming connections only from that IP address range (scope).

Tutorial here:

http://www.onecomputerguy.com/networking/xp_vpn_server.htm

Hope this helps.

Regards,


RobMobility.
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 34926601
Hi again,

Just following on, if you set the IP address assignment on the end point (the server) to say 10.10.1.10 to 10.10.1.20, then that machine will get an IP address of 10.10.1.10 and your client will get 10.10.1.11.

When using mstsc.exe (RDP client) you'd enter in 10.10.1.10 as the machine you're RDP'ing to rather than its physical IP address.

When you establish the VPN connection, you'd use the physical IP address of the host.

Remember, if a firewall client is running, you need to allow remote desktop from the 10.10.1.0 scope only, otherwise someone may try to connect to the machine from another address.

Regards,


RobMobility.
0
