Protecting a remote PC using VPN connection for RDP

Posted on 2011-09-25
Medium Priority
Last Modified: 2013-08-29
Dear Experts,

I have searched and found here some info about Remote Desktop & security.
The impression that I got is that normally, hackers are not searching for remote desktop PCs to attack them and install viruses...
And that normally the RDP connection is secure enough.

I have also followed the instructions at the following link:
And changed the listening port from the default 3389 to something else, and followed the other tips in this link.

But still, I would like to ask:
Assuming that I have a PC (WinXP SP3) that is connected directly to the public internet with a public static IP.
I would prefer to protect it as much as I can.
Can you please let me know if there is a recommended firewall server application that I can install on this PC, which will allow me to connect to it in two steps:
1- First, initiate a VPN connection to this PC.
2- Second, connect to it through Microsoft Remote Desktop.

Second option:
I think I saw somewhere that I can configure, through the WinXP connection wizard, a VPN connection to make the PC act as a firewall.
The question is:
Assuming I have 2 network cards on this PC, can I configure the card that is currently configured with the public static IP to be the incoming VPN connection,
and will I be able to connect in two steps as described above?
(And will I have access to the PC as if I had connected directly without the VPN?)

Thanks a lot,

Question by: ynavon

Accepted Solution

jmeggers earned 1000 total points
ID: 36709635
No one has posted an answer so I'll give you my thoughts.

I believe the issue with RDP has more to do with the port being open and accessible, and it being left enabled by default on many PC builds, so it should be disabled whenever not needed, and changing the port number is also a good step.  

That said, any host directly connected to the Internet is at risk.  I don't know of a way you can make the host accept a VPN connection; hosts typically initiate VPN connections, but maybe there's a Microsoft approach to doing this.  There are host-based firewalls, including ones built into Windows; if this PC is directly connected to the Internet, no question that should be enabled.

My recommendation is to put the PC behind a hardware firewall (e.g., Cisco ASA 5505), with the public address moved to the firewall.  For Internet access, the host's IP would be NATed at the firewall, but the firewall would block connections to the PC that are initiated from the Internet.  The firewall could terminate a VPN connection that would allow access to the PC.  Small firewalls like that are several hundred dollars but not outrageous.  If money is an issue and you really want to go low-ball, look for a used PIX firewall.  I've seen them on Craigslist and Ebay for under $100.  They're end-of-sale now, so there won't be software upgrades or new features, but it will do the job.

Author Comment

ID: 36718761
Thank you very much for taking the time to write your feedback.
I am not looking to buy a hardware firewall.
I am wondering if someone is familiar with a software solution to allow incoming VPN access.
So, only after I establish a VPN connection to this PC from a remote PC, only then will it allow me to open RDP to it.

Thanks a lot,

Assisted Solution

by: Giovanni Heward
Giovanni Heward earned 1000 total points
ID: 39145860
Are you talking about one single PC here with no private network?

If you have other hosts on a private network, then at least install a software firewall such as ZoneAlarm® Free Antivirus + Firewall 2013, on a PC with two network adapters as a dual-homed hardened bastion host. Have one adapter bound to the public IP and the second adapter to a private IP. All other devices on the local network should have private IPs. You could then install OpenVPN on the bastion host, which provides VPN access to your private LAN. Your primary Windows machine would then have RDP listening on the private network and will only be accessible via the VPN. You should consider egress traffic implications (reverse shells, etc.) in your design process, which could be addressed somewhat using Squid Proxy, for example.

If it's just the single PC, then install the firewall product above and OpenVPN, and block all other inbound ports. Install a second network adapter (could be the Microsoft Loopback Adapter) and ensure RDP is bound to that NIC. You could then VPN into the host and then RDP into the private address.

If you don't want to mess with that, then block all inbound ports, disable RDP, and use TeamViewer to egress your firewall for remote desktop control.
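As an added example (not from either answer), here is the firewall side of the single-PC variant expressed as Windows Firewall rules entered with netsh: everything inbound is blocked, only the OpenVPN listener is reachable from the Internet, and RDP is accepted solely from addresses on the VPN tunnel. It assumes Windows Firewall with Advanced Security (Vista or later; XP SP3 only has the older `netsh firewall` syntax), OpenVPN's default tunnel subnet 10.8.0.0/24 and UDP port 1194, and RDP still on its default port 3389.

```powershell
# Default-deny inbound on every profile; outbound stays allowed for the VPN handshake.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# The built-in "Remote Desktop" rule group allows 3389 from anywhere; disable it
# so the scoped rule below is the only path to RDP.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=No

# Expose only the OpenVPN listener (assumed UDP 1194) to the public interface.
netsh advfirewall firewall add rule name="OpenVPN in" dir=in action=allow protocol=UDP localport=1194

# Accept RDP only from peers that already hold a tunnel address (assumed 10.8.0.0/24).
netsh advfirewall firewall add rule name="RDP via VPN only" dir=in action=allow protocol=TCP localport=3389 remoteip=10.8.0.0/24

# Check: the only rule mentioning 3389 should be this one, with RemoteIP 10.8.0.0/24.
netsh advfirewall firewall show rule name="RDP via VPN only"
```

If the RDP listening port was moved as the question describes, substitute that port for 3389 in both the add and show lines.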
