• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 356
  • Last Modified:

Protecting a remote PC using VPN connection for RDP

Dear Experts,

I have search and found here some info about Remote desktop & Security.
The impression that I got is that normaly, hackers are not searching for remote destops PCs to attack them and install Virus...
And that normaly the RDP connection is secure enough.

I have also follwed the instruction at the following link:
http://www.mobydisk.com/techres/securing_remote_desktop.html
And changed the listening port from default 3389 to something else, and the other tips in this link.

But, Still, I would like to ask :
Assuming that I have a PC (WinXPsp3) that is connected directlly to the public internet with a public static IP.
I would prefer to protect it as much as I can.
Can you please let me know if there is a recommended FIrewall Server application, that I can install on this PC, and it will allow me to connect to it in two steps:
1- First to initiate VPN connection to this PC.
2- Second will be to connect to it through Microsoft Remote Desktop.

Second option:
I think I saw somewere, that I can configure through the WInXP connection wizard a VPN connection, to make the PC to act as a Firewall.
The question is:
Assuming I have 2 Network cards on this PC, Can I configure the card that is currently configured with the public static IP to be the Incoming VPN connection,
and I will be able to connect in two steps as described above ?
(And I will have access to the PC as I would have connected directlly without the VPN ?)

Thanks a lot,
ynavon


0
ynavon
Asked:
ynavon
2 Solutions
 
jmeggersSr. Network and Security EngineerCommented:
No one has posted an answer so I'll give you my thoughts.

I believe the issue with RDP has more to do with the port being open and accessible, and it being left enabled by default on many PC builds, so it should be disabled whenever not needed, and changing the port number is also a good step.  

That said, any host directly connected to the Internet is at risk.  I don't know of a way you can make the host accept a VPN connection; hosts typically initiate VPN connections, but maybe there's a Microsoft approach to doing this.  There are host-based firewalls, including ones built into Windows; if this PC is directly connected to the Internet, no question that should be enabled.

My recommendation is to put the PC behind a hardware firewall (e.g., Cisco ASA 5505), with the public address moved to the firewall.  For Internet access, the host's IP would be NATed at the firewall, but the firewall would block connections to the PC that are initiated from the Internet.  The firewall could terminate a VPN connection that would allow access to the PC.  Small firewalls like that are several hundred dollars but not outrageous.  If money is an issue and you really want to go low-ball, look for a used PIX firewall.  I've seen them on Craigslist and Ebay for under $100.  They're end-of-sale now, so there won't be software upgrades or new features, but it will do the job.
0
 
ynavonAuthor Commented:
Hello,
Thank you very much for taking the time and write your feedback.
But,
I am not looking to buy a hardware firewall.
I am wondering if someone is familiar on a software solution to allow incoming Vpn access.
So, only after i will establish VPN connection to this PC from a remote PC, only then it will allow me to open RDP to it.

Thanks a lot,
Ynavon
0
 
Giovanni HewardCommented:
Are you talking about one single PC here with no private network?

If you have other hosts on a private network, then at least install a software firewall such as ZoneAlarm® Free Antivirus + Firewall 2013, on a PC with two network adapters as a dual-homed hardened baston host.  Have one adapter bound to the public IP and the second adapter a private IP.  All other devices on local network should have private IP's.  You could then install OpenVPN on the baston host which provides VPN access to your private LAN.  Your primary windows machine would then have RDP listening on the private network and will only be accessible via the VPN.  You should consider egress traffic implications (reverse shells, etc.) in your design process, which could be addressed somewhat using Squid Proxy, for example.

If it's just the single PC, then install the firewall product above, OpenVPN, and block all other inbound ports.  Install a second network adapter (could be Microsoft loopback adapter) and ensure RDP is bound to that NIC.  You could then VPN into the host and then RDP into the private address.  

If you don't want to mess with that, then block all inbound ports, disable RDP, and use TeamViewer to egress your firewall for remote desktop control.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now