Protecting a remote PC using VPN connection for RDP

Posted on 2011-09-25
Medium Priority
Last Modified: 2013-08-29
Dear Experts,

I have searched and found here some info about Remote Desktop & security.
The impression that I got is that normally, hackers are not searching for remote desktop PCs to attack them and install viruses...
And that normally the RDP connection is secure enough.

I have also followed the instructions at the following link:
And changed the listening port from the default 3389 to something else, and applied the other tips in this link.

But still, I would like to ask:
Assuming that I have a PC (WinXP SP3) that is connected directly to the public internet with a public static IP.
I would prefer to protect it as much as I can.
Can you please let me know if there is a recommended Firewall Server application that I can install on this PC, and that will allow me to connect to it in two steps:
1- First to initiate VPN connection to this PC.
2- Second will be to connect to it through Microsoft Remote Desktop.

Second option:
I think I saw somewhere that I can configure a VPN connection through the WinXP connection wizard, to make the PC act as a firewall.
The question is:
Assuming I have 2 network cards on this PC, can I configure the card that is currently configured with the public static IP to be the incoming VPN connection,
so that I will be able to connect in two steps as described above?
(And will I have access to the PC as if I had connected directly without the VPN?)

Thanks a lot,

Question by: ynavon
LVL 18

Accepted Solution

jmeggers earned 1000 total points
ID: 36709635
No one has posted an answer so I'll give you my thoughts.

I believe the issue with RDP has more to do with the port being open and accessible, and it being left enabled by default on many PC builds, so it should be disabled whenever not needed, and changing the port number is also a good step.  

That said, any host directly connected to the Internet is at risk.  I don't know of a way you can make the host accept a VPN connection; hosts typically initiate VPN connections, but maybe there's a Microsoft approach to doing this.  There are host-based firewalls, including ones built into Windows; if this PC is directly connected to the Internet, no question that should be enabled.

My recommendation is to put the PC behind a hardware firewall (e.g., Cisco ASA 5505), with the public address moved to the firewall.  For Internet access, the host's IP would be NATed at the firewall, but the firewall would block connections to the PC that are initiated from the Internet.  The firewall could terminate a VPN connection that would allow access to the PC.  Small firewalls like that are several hundred dollars but not outrageous.  If money is an issue and you really want to go low-ball, look for a used PIX firewall.  I've seen them on Craigslist and Ebay for under $100.  They're end-of-sale now, so there won't be software upgrades or new features, but it will do the job.

Author Comment

ID: 36718761
Thank you very much for taking the time to write your feedback.
I am not looking to buy a hardware firewall.
I am wondering if someone is familiar with a software solution to allow incoming VPN access.
So, only after I establish a VPN connection to this PC from a remote PC, only then will it allow me to open RDP to it.

Thanks a lot,
LVL 15

Assisted Solution

by: Giovanni Heward
Giovanni Heward earned 1000 total points
ID: 39145860
Are you talking about one single PC here with no private network?

If you have other hosts on a private network, then at least install a software firewall such as ZoneAlarm® Free Antivirus + Firewall 2013, on a PC with two network adapters as a dual-homed hardened bastion host.  Have one adapter bound to the public IP and the second adapter a private IP.  All other devices on the local network should have private IPs.  You could then install OpenVPN on the bastion host, which provides VPN access to your private LAN.  Your primary Windows machine would then have RDP listening on the private network and will only be accessible via the VPN.  You should consider egress traffic implications (reverse shells, etc.) in your design process, which could be addressed somewhat using Squid Proxy, for example.

If it's just the single PC, then install the firewall product above and OpenVPN, and block all other inbound ports.  Install a second network adapter (it could be the Microsoft Loopback Adapter) and ensure RDP is bound to that NIC.  You could then VPN into the host and then RDP into the private address.

If you don't want to mess with that, then block all inbound ports, disable RDP, and use TeamViewer to egress your firewall for remote desktop control.
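A way to verify the single-PC design described in the answer above (only the VPN port exposed on the public address, RDP listening only on the private adapter). This is an added example, not code from the thread: it parses the output of Windows `netstat -an` and reports anything that contradicts that policy. The netstat text, the public IP 203.0.113.10, the private VPN address 10.8.0.1 and the OpenVPN port 1194 are constructed stand-ins.

```python
import re

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
# 203.0.113.10 stands in for the PC's public static IP; 10.8.0.1 stands in for the
# address of the private/loopback adapter that RDP should be bound to.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.8.0.1:3389          0.0.0.0:0              LISTENING
  TCP    203.0.113.10:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.10:3389      198.51.100.7:51022     ESTABLISHED
  UDP    203.0.113.10:1194      *:*
  UDP    0.0.0.0:445            *:*
"""

# proto, local ip, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return a set of (proto, ip, port) for sockets that accept inbound traffic.

    TCP sockets count only in LISTENING state; UDP sockets carry no state in
    netstat output, so every bound UDP port counts.
    """
    listeners = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and blank lines
        proto, ip, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # an established session, not something new clients can reach
        listeners.add((proto, ip, int(port)))
    return listeners


def reachable_from_internet(ip, public_ip):
    """A socket bound to the public address or to the wildcard 0.0.0.0 is reachable."""
    return ip in (public_ip, "0.0.0.0")


def audit(listeners, public_ip, allowed_public):
    """Compare listeners with the policy: allowed_public is the set of (proto, port)
    pairs the public interface may expose, e.g. {("UDP", 1194)} for OpenVPN.
    Returns a list of findings; an empty list means the policy holds."""
    findings = []
    for proto, ip, port in sorted(listeners):
        if not reachable_from_internet(ip, public_ip) or (proto, port) in allowed_public:
            continue
        if port == 3389:
            findings.append(f"RDP exposed on {ip}:{port}; bind it to the private adapter only")
        else:
            findings.append(f"{proto} {port} on {ip} is reachable from the Internet; block it at the host firewall")
    return findings
```

Run `audit(parse_listeners(SAMPLE_NETSTAT), "203.0.113.10", {("UDP", 1194)})` against the sample and it flags ports 135, 139 and 445 while accepting the VPN port and the privately bound RDP listener.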
