Solved

Protecting a remote PC using VPN connection for RDP

Posted on 2011-09-25
293 Views
Last Modified: 2013-08-29
Dear Experts,

I have searched and found here some info about Remote Desktop & security.
The impression that I got is that normally, hackers are not searching for remote desktop PCs to attack them and install viruses...
And that normally the RDP connection is secure enough.

I have also followed the instructions at the following link:
http://www.mobydisk.com/techres/securing_remote_desktop.html
And changed the listening port from the default 3389 to something else, and applied the other tips in this link.

But still, I would like to ask:
Assuming that I have a PC (WinXP SP3) that is connected directly to the public internet with a public static IP.
I would prefer to protect it as much as I can.
Can you please let me know if there is a recommended firewall server application that I can install on this PC, and that will allow me to connect to it in two steps:
1- First, initiate a VPN connection to this PC.
2- Second, connect to it through Microsoft Remote Desktop.

Second option:
I think I saw somewhere that I can configure, through the WinXP connection wizard, a VPN connection to make the PC act as a firewall.
The question is:
Assuming I have 2 network cards on this PC, can I configure the card that is currently configured with the public static IP to be the incoming VPN connection,
and will I be able to connect in two steps as described above?
(And will I have access to the PC as if I had connected directly without the VPN?)

Thanks a lot,
ynavon


0
Question by:ynavon
5 Comments
 
LVL 18

Accepted Solution

by:
jmeggers earned 250 total points
ID: 36709635
No one has posted an answer so I'll give you my thoughts.

I believe the issue with RDP has more to do with the port being open and accessible, and it being left enabled by default on many PC builds, so it should be disabled whenever not needed, and changing the port number is also a good step.  

That said, any host directly connected to the Internet is at risk.  I don't know of a way you can make the host accept a VPN connection; hosts typically initiate VPN connections, but maybe there's a Microsoft approach to doing this.  There are host-based firewalls, including ones built into Windows; if this PC is directly connected to the Internet, no question that should be enabled.

My recommendation is to put the PC behind a hardware firewall (e.g., Cisco ASA 5505), with the public address moved to the firewall.  For Internet access, the host's IP would be NATed at the firewall, but the firewall would block connections to the PC that are initiated from the Internet.  The firewall could terminate a VPN connection that would allow access to the PC.  Small firewalls like that are several hundred dollars but not outrageous.  If money is an issue and you really want to go low-ball, look for a used PIX firewall.  I've seen them on Craigslist and Ebay for under $100.  They're end-of-sale now, so there won't be software upgrades or new features, but it will do the job.
0
 

Author Comment

by:ynavon
ID: 36718761
Hello,
Thank you very much for taking the time to write your feedback.
But,
I am not looking to buy a hardware firewall.
I am wondering if someone is familiar with a software solution to allow incoming VPN access.
So, only after I establish a VPN connection to this PC from a remote PC, only then will it allow me to open RDP to it.

Thanks a lot,
Ynavon
0
 
LVL 14

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 250 total points
ID: 39145860
Are you talking about one single PC here with no private network?

If you have other hosts on a private network, then at least install a software firewall such as ZoneAlarm® Free Antivirus + Firewall 2013, on a PC with two network adapters as a dual-homed hardened bastion host.  Have one adapter bound to the public IP and the second adapter a private IP.  All other devices on the local network should have private IPs.  You could then install OpenVPN on the bastion host, which provides VPN access to your private LAN.  Your primary Windows machine would then have RDP listening on the private network and will only be accessible via the VPN.  You should consider egress traffic implications (reverse shells, etc.) in your design process, which could be addressed somewhat using Squid Proxy, for example.

If it's just the single PC, then install the firewall product above, OpenVPN, and block all other inbound ports.  Install a second network adapter (could be the Microsoft Loopback Adapter) and ensure RDP is bound to that NIC.  You could then VPN into the host and then RDP into the private address.

If you don't want to mess with that, then block all inbound ports, disable RDP, and use TeamViewer to egress your firewall for remote desktop control.
0
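An added example of the single-PC layout described in the answer above; it is not code from any poster in this thread. Assumed values: OpenVPN on UDP 1194 with a 10.8.0.0/24 tunnel subnet, RDP still on TCP 3389 (substitute the port you moved it to), and a certificate/key set from your own PKI. Instead of binding RDP to a second adapter, it uses the Windows XP firewall's scope option to admit RDP only from tunnel addresses, which achieves the same "VPN first, then RDP" ordering.

```bat
@echo off
rem Added example, not from the thread. Assumptions: OpenVPN listens on UDP 1194,
rem tunnel subnet 10.8.0.0/24, RDP on TCP 3389 (change to your chosen port), and
rem ca.crt / server.crt / server.key / dh2048.pem / ta.key come from your own PKI.

rem --- 1. OpenVPN server config written into the OpenVPN config directory ---
set CFG="%ProgramFiles%\OpenVPN\config\server.ovpn"
(
  echo dev tun
  echo proto udp
  echo port 1194
  echo server 10.8.0.0 255.255.255.0
  echo ca ca.crt
  echo cert server.crt
  echo key server.key
  echo dh dh2048.pem
  echo tls-auth ta.key 0
  echo keepalive 10 120
  echo persist-key
  echo persist-tun
) > %CFG%

rem --- 2. Windows XP firewall: on for every profile, inbound closed by default ---
rem Exceptions stay honoured so the two rules below apply; exceptions=DISABLE
rem would silently block OpenVPN as well.
netsh firewall set opmode mode=ENABLE profile=ALL

rem Weak default: the built-in Remote Desktop exception admits any source address.
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE profile=ALL

rem OpenVPN is the only port reachable from the Internet (scope=ALL).
netsh firewall add portopening protocol=UDP port=1194 name=OpenVPN mode=ENABLE scope=ALL profile=ALL

rem RDP is admitted only from the tunnel subnet, so a client that has not
rem completed the VPN handshake never reaches the port.
netsh firewall add portopening protocol=TCP port=3389 name="RDP via VPN" mode=ENABLE scope=CUSTOM addresses=10.8.0.0/255.255.255.0 profile=ALL

rem Check: only the OpenVPN entry should show scope ALL.
netsh firewall show portopening
```

Verify from an outside host that only UDP 1194 answers on the public IP, and that RDP connects only after the OpenVPN client reports a 10.8.0.x address.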
