Solved

Remote desktop access using SSL to Windows XP workstations

Posted on 2011-02-16
772 Views
Last Modified: 2012-05-11
We have numerous Windows XP Pro PCs attached to our network. Each PC has had its RDP listening port set to a unique port number and remote access is enabled. On the network router each of those ports is forwarded to its respective PC on the LAN. The remote users put in the static public WAN address, then the port number, and they can attach to their respective PCs in the office using Windows Remote Desktop.

After a security audit for PCI compliance (credit card security) we have been instructed to use SSL for RDP in order to be compliant. How can this be done?

What is the easiest way to do that in this scenario?
Question by:mjyoundt
12 Comments
 
LVL 25

Expert Comment

by:RobMobility
ID: 34906389
Hi,

SSL means forcing TLS connections (i.e. encrypted) to your XP Workstations.

Regards,


RobMobility.
 
LVL 5

Expert Comment

by:danubian
ID: 34906421
 
LVL 25

Expert Comment

by:RobMobility
ID: 34906434
Hi,

Are your XP clients running SP3? This includes an updated RDP client that supports NLA.

Regards,


RobMobility.
 
LVL 25

Expert Comment

by:RobMobility
ID: 34907032
Hi,

I don't believe that you can enforce SSL connections for XP to XP, only TLS (SSL) for XP to Windows 2003. You might be able to enforce 128 bit RC4 encryption:

This might be of assistance: http://www.mobydisk.com/techres/securing_remote_desktop.html

You could look at establishing an RDP connection via SSH or using VNC over SSH instead?

Regards,


RobMobility.
 
LVL 25

Accepted Solution

by:
RobMobility earned 250 total points
ID: 34907045
Hi,

This might help you with RDP over SSH:

http://theillustratednetwork.mvps.org/Ssh/RemoteDesktopSSH.html

Regards,


RobMobility.
 
LVL 25

Expert Comment

by:RobMobility
ID: 34907699
Hi,

I can confirm that you can run RDP over an SSH connection (using AES encryption, for example) - I've just done this to an XP VM - took about 5 minutes to install an SSH server on the XP client, configure it, configure a Putty connection and connect.

The above guide was used.

Regards,


RobMobility.
 

Author Closing Comment

by:mjyoundt
ID: 34916680
Provided solution was helpful but I needed additional info to successfully accomplish my task
 

Author Comment

by:mjyoundt
ID: 34916696
In order to rollout putty to the remote users, can I pre-configure the connection info in a file?
 
LVL 25

Expert Comment

by:RobMobility
ID: 34916767
4.27 Storing configuration in a file
PuTTY does not currently support storing its configuration in a file instead of the Registry. However, you can work around this with a couple of batch files.

You will need a file called (say) PUTTY.BAT which imports the contents of a file into the Registry, then runs PuTTY, exports the contents of the Registry back into the file, and deletes the Registry entries. This can all be done using the Regedit command line options, so it's all automatic. Here is what you need in PUTTY.BAT:

@ECHO OFF
regedit /s putty.reg
regedit /s puttyrnd.reg
start /w putty.exe
regedit /ea new.reg HKEY_CURRENT_USER\Software\SimonTatham\PuTTY
copy new.reg putty.reg
del new.reg
regedit /s puttydel.reg

This batch file needs two auxiliary files: PUTTYRND.REG which sets up an initial safe location for the PUTTY.RND random seed file, and PUTTYDEL.REG which destroys everything in the Registry once it's been successfully saved back to the file.

Here is PUTTYDEL.REG:

REGEDIT4

[-HKEY_CURRENT_USER\Software\SimonTatham\PuTTY]

Here is an example PUTTYRND.REG file:

REGEDIT4

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY]
"RandSeedFile"="a:\\putty.rnd"

You should replace a:\putty.rnd with the location where you want to store your random number data. If the aim is to carry around PuTTY and its settings on one floppy, you probably want to store it on the floppy.


--------------------------------------------------------------------------------
 
LVL 25

Expert Comment

by:RobMobility
ID: 34916798
Hi,

Settings are in HKCU > Software > SimonTatham > Putty > connectionname (where this is what you have previously saved).

You can then export and import this key into the HKCU of the machines you want to modify.

Regards,


RobMobility.
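The two comments above (the PuTTY batch/.reg workaround and the note about exporting the saved-session key from HKCU) describe the rollout by hand. The script below is an added example, not code from the thread, from PuTTY or from its documentation: it generates the .reg file for a saved session that carries the SSH tunnel for RDP, so each remote user can import one file and then point mstsc at 127.0.0.1:<local port>. It assumes the registry layout PuTTY uses for saved sessions (HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\<escaped name>) and the value names HostName, PortNumber, UserName, Protocol, SshProt, LocalPortAcceptAll and PortForwardings; the host names, user names and ports in it are made up. Export one hand-made session with regedit /ea and diff it against this output before rolling anything out.

```python
"""Build a PuTTY saved-session .reg file that carries the RDP-over-SSH tunnel.

Added example for this thread; not code from the original post or from PuTTY.
Assumed: the registry layout PuTTY uses for saved sessions and the value
names used below. Verify against an exported session from your own PuTTY build.
"""

SESSIONS_KEY = r"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions"


def munge_session_name(name):
    """Escape a session name the way PuTTY does for its registry key name.

    Space, backslash, '*', '?', '%' and bytes outside printable ASCII become
    %XX, so "Office PC 1" is stored under the key "Office%20PC%201".
    """
    out = []
    for b in name.encode("utf-8"):
        ch = chr(b)
        if ch in " \\*?%" or b < 0x20 or b > 0x7E:
            out.append("%%%02X" % b)
        else:
            out.append(ch)
    return "".join(out)


def reg_dword(value):
    """Format an integer as a REGEDIT4 DWORD (hex, zero-padded to 8 digits)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("DWORD out of range: %r" % value)
    return "dword:%08x" % value


def reg_string(value):
    """Quote a REGEDIT4 string value; backslashes and quotes are escaped."""
    return '"%s"' % value.replace("\\", "\\\\").replace('"', '\\"')


def session_lines(name, ssh_host, ssh_port, user, local_port,
                  rdp_port=3389, rdp_host="127.0.0.1"):
    """Lines for one saved session: SSH to ssh_host, with a local forward
    127.0.0.1:local_port -> rdp_host:rdp_port as seen from the SSH server.

    With the SSH server on the XP PC itself (as in the thread), rdp_host stays
    127.0.0.1 and rdp_port is that PC's custom RDP port, so the RDP port no
    longer has to be forwarded on the router at all; only the SSH port does.
    """
    for p in (ssh_port, local_port, rdp_port):
        if not 1 <= p <= 65535:
            raise ValueError("port out of range: %r" % p)
    # PuTTY writes each forward as "L<local>=<host>:<port>," (trailing comma).
    forwards = "L%d=%s:%d," % (local_port, rdp_host, rdp_port)
    return [
        "[%s\\%s]" % (SESSIONS_KEY, munge_session_name(name)),
        '"HostName"=%s' % reg_string(ssh_host),
        '"PortNumber"=%s' % reg_dword(ssh_port),
        '"UserName"=%s' % reg_string(user),
        '"Protocol"="ssh"',
        # 3 = SSH-2 only (assumed encoding for PuTTY builds of this era).
        '"SshProt"=%s' % reg_dword(3),
        # 0 binds the forwarded port to loopback only; 1 would let any host
        # on the remote user's own LAN ride the tunnel into the office PC.
        '"LocalPortAcceptAll"=%s' % reg_dword(0),
        '"PortForwardings"=%s' % reg_string(forwards),
        "",
    ]


def build_reg(specs):
    """One REGEDIT4 file with a [Sessions\\...] block per spec dict."""
    body = []
    for s in specs:
        body.extend(session_lines(**s))
    return "REGEDIT4\r\n\r\n" + "\r\n".join(body)


if __name__ == "__main__":
    # Constructed rollout: one session per remote user, each tunnelling to the
    # custom RDP port of that user's own office PC. Hosts/users are made up.
    print(build_reg([
        {"name": "Office PC 1", "ssh_host": "203.0.113.10", "ssh_port": 22,
         "user": "alice", "local_port": 3390, "rdp_port": 3391},
        {"name": "Office PC 2", "ssh_host": "203.0.113.10", "ssh_port": 23,
         "user": "bob", "local_port": 3390, "rdp_port": 3392},
    ]))
```

Import the output with regedit /s on the user's machine, or drop it into the putty.reg consumed by the batch file quoted above. Once the tunnel is in use, remove the per-PC RDP port forwards from the router and leave only the SSH ports, otherwise the plain RDP listeners are still reachable from the WAN and the audit finding stands.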
 
LVL 25

Expert Comment

by:RobMobility
ID: 34926578
Hi,

The alternative would be to configure incoming connections on each XP machine and then RDP to them once you have established a VPN to the client? The VPN would be using PPTP over 128 Bit encryption.

I would suggest that you configure a static range for IP address assignment to the VPN client when connected; you can then change the firewall to accept incoming connections only from that IP address range (scope).

Tutorial here:

http://www.onecomputerguy.com/networking/xp_vpn_server.htm

Hope this helps:

Regards,


RobMobility.
 
LVL 25

Expert Comment

by:RobMobility
ID: 34926601
Hi again,

Just following on, if you set the IP address assignment on the end point (the server) to say 10.10.1.10 to 10.10.1.20, then that machine will get an IP address of 10.10.1.10 and your client will get 10.10.1.11.

When using mstsc.exe (RDP client) you'd enter 10.10.1.10 as the machine you're RDP'ing to rather than its physical IP address.

When you establish the VPN connection, you'd use the physical IP address of the host.

Remember, if a firewall client is running, you need to allow remote desktop from the 10.10.1.0 scope only, otherwise someone may try to connect to the machine from another address.

Regards,


RobMobility.
