
Protecting a remote PC using VPN connection for RDP

Posted on 2011-09-25
Last Modified: 2013-08-29
Dear Experts,

I have searched and found some info here about Remote Desktop & security.
The impression that I got is that normally, hackers are not searching for remote desktop PCs to attack them and install viruses...
And that normally the RDP connection is secure enough.

I have also followed the instructions at the following link:
http://www.mobydisk.com/techres/securing_remote_desktop.html
And changed the listening port from the default 3389 to something else, and the other tips in this link.

But, still, I would like to ask:
Assuming that I have a PC (WinXP SP3) that is connected directly to the public internet with a public static IP.
I would prefer to protect it as much as I can.
Can you please let me know if there is a recommended firewall server application that I can install on this PC, and that will allow me to connect to it in two steps:
1- First, to initiate a VPN connection to this PC.
2- Second, to connect to it through Microsoft Remote Desktop.

Second option:
I think I saw somewhere that I can configure a VPN connection through the WinXP connection wizard, to make the PC act as a firewall.
The question is:
Assuming I have 2 network cards on this PC, can I configure the card that is currently configured with the public static IP to be the incoming VPN connection,
and will I be able to connect in two steps as described above?
(And will I have access to the PC as if I had connected directly without the VPN?)

Thanks a lot,
ynavon


Question by:ynavon

Accepted Solution

by:
jmeggers earned 1000 total points
ID: 36709635
No one has posted an answer so I'll give you my thoughts.

I believe the issue with RDP has more to do with the port being open and accessible, and it being left enabled by default on many PC builds, so it should be disabled whenever not needed, and changing the port number is also a good step.  

That said, any host directly connected to the Internet is at risk.  I don't know of a way you can make the host accept a VPN connection; hosts typically initiate VPN connections, but maybe there's a Microsoft approach to doing this.  There are host-based firewalls, including ones built into Windows; if this PC is directly connected to the Internet, no question that should be enabled.

My recommendation is to put the PC behind a hardware firewall (e.g., Cisco ASA 5505), with the public address moved to the firewall.  For Internet access, the host's IP would be NATed at the firewall, but the firewall would block connections to the PC that are initiated from the Internet.  The firewall could terminate a VPN connection that would allow access to the PC.  Small firewalls like that are several hundred dollars but not outrageous.  If money is an issue and you really want to go low-ball, look for a used PIX firewall.  I've seen them on Craigslist and eBay for under $100.  They're end-of-sale now, so there won't be software upgrades or new features, but it will do the job.

Author Comment

by:ynavon
ID: 36718761
Hello,
Thank you very much for taking the time to write your feedback.
But I am not looking to buy a hardware firewall.
I am wondering if someone is familiar with a software solution to allow incoming VPN access.
So, only after I establish a VPN connection to this PC from a remote PC will it allow me to open RDP to it.

Thanks a lot,
Ynavon

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 1000 total points
ID: 39145860
Are you talking about one single PC here with no private network?

If you have other hosts on a private network, then at least install a software firewall such as ZoneAlarm® Free Antivirus + Firewall 2013, on a PC with two network adapters as a dual-homed hardened bastion host.  Have one adapter bound to the public IP and the second adapter a private IP.  All other devices on the local network should have private IPs.  You could then install OpenVPN on the bastion host which provides VPN access to your private LAN.  Your primary Windows machine would then have RDP listening on the private network and will only be accessible via the VPN.  You should consider egress traffic implications (reverse shells, etc.) in your design process, which could be addressed somewhat using Squid Proxy, for example.

If it's just the single PC, then install the firewall product above, OpenVPN, and block all other inbound ports.  Install a second network adapter (could be Microsoft loopback adapter) and ensure RDP is bound to that NIC.  You could then VPN into the host and then RDP into the private address.  

If you don't want to mess with that, then block all inbound ports, disable RDP, and use TeamViewer to egress your firewall for remote desktop control.
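
A way to check the single-PC layout from the answer above (RDP bound only to the private adapter, the VPN port the only public listener), added here as an example that is not part of the original post: it audits `netstat -an` output. The addresses, the sample output and the OpenVPN UDP port 1194 are constructed assumptions.

```python
import ipaddress

WILDCARDS = {"0.0.0.0", "::"}  # sockets bound here listen on every adapter

# Constructed `netstat -an` excerpts; 203.0.113.10 stands in for the public IP,
# 192.168.77.1 for the private address on the second (loopback) adapter.
BEFORE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    203.0.113.10:3389      198.51.100.7:50211     ESTABLISHED
"""
AFTER = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.77.1:3389      0.0.0.0:0              LISTENING
  UDP    203.0.113.10:1194      *:*
"""

def parse_listeners(netstat_text):
    """Yield (proto, ip, port) for listening TCP and bound UDP sockets."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        if fields[0] == "TCP" and fields[-1] != "LISTENING":
            continue  # an established session is not a listener
        host, _, port = fields[1].rpartition(":")
        # IPv6 is printed as [addr%scope]:port; drop brackets and scope id
        yield fields[0], host.strip("[]").split("%")[0], int(port)

def exposed_listeners(netstat_text, public_ip, allowed):
    """Listeners reachable via public_ip whose (proto, port) is not allowed."""
    public = ipaddress.ip_address(public_ip)
    findings = []
    for proto, host, port in parse_listeners(netstat_text):
        on_public = host in WILDCARDS or ipaddress.ip_address(host) == public
        if on_public and (proto, port) not in allowed:
            findings.append((proto, host, port))
    return findings

if __name__ == "__main__":
    vpn_only = {("UDP", 1194)}  # assumption: OpenVPN on its default UDP port
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, exposed_listeners(text, "203.0.113.10", vpn_only))
```

In the "after" sample RDP no longer appears, but TCP 135 is still bound to every adapter, so keeping it unreachable depends entirely on the host firewall blocking inbound ports.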