Secure RDP connection from outside the network

on 13.07.2006 00:23:32 by matthewsatkins

I have also posted this question in the Windows Server group, but I am
not sure where it is a better fit. I am still fairly new to the
networking world so please be gentle. I need to set up a secure
connection to a Windows 2003 Server using RDP from outside the network.
The server is behind a firewall that I am learning was not configured
as securely as it should be. I am also fairly new to the network
security world, as well, so the same level of gentleness is
appreciated. I have been researching this topic for a few days and I
have found out that there are more than a few ways to skin this cat.
Like most people, I am looking for the cheapest or freest solution but
do not want to compromise security.

I thank you for any suggestions you can offer.

Re: Secure RDP connection from outside the network

on 13.07.2006 16:22:20 by Volker Birk

Matt wrote:
> I need to set up a secure
> connection to a Windows 2003 Server using RDP from outside the network.

Maybe, then you should implement an encrypted VPN or at least an SSH
tunnel.

Yours,
VB.
--
"Everything belongs to everyone, only mine belongs to me."

Patricia Bednar on communism

Re: Secure RDP connection from outside the network

on 13.07.2006 19:37:20 by matthewsatkins

Thanks for the reply, Volker. VPN is not a very good option in this
case. I have a SonicWALL firewall, and when I tried to install the VPN
client on the remote computer, it had major conflicts with other VPN
clients installed. Can you explain the SSH option??

Thanks again for your help on this.

Matt Atkins


Volker Birk wrote:
> Maybe, then you should implement an encrypted VPN or at least an SSH
> tunnel.
>
> Yours,
> VB.
> --
> "Everything belongs to everyone, only mine belongs to me."
>
> Patricia Bednar on communism

Re: Secure RDP connection from outside the network

on 13.07.2006 20:46:57 by unknown

Post removed (X-No-Archive: yes)

Re: Secure RDP connection from outside the network

on 14.07.2006 15:18:58 by matthewsatkins

Leythos wrote:

> Are you trying to access a W2003 server from another network or from
> another office?

This access is actually for a software vendor that is setting up their
application on the new server. They are not part of my network in any
way.

> You mention Sonic, why not set up a site-site IPSec tunnel between the
> locations and then set rules to only allow traffic that is required.

See above.

> If you are doing a client/laptop to the W2003 server, then do the same
> as above, set up IPSec/PPTP client VPN into the Sonic and then rules to
> allow traffic through the VPN.

We already tried installing SonicWALL's VPN but I am not comfortable
with that solution. They are wanting to use one janky laptop that has
a few other VPN clients installed on it. The clients are conflicting
with one another, and quite frankly, I don't feel safe with the fact
that they will be supporting this new application from an old laptop
that just needed to be rebuilt. Their Network Engineer said that the
easiest and most reliable way would be RDP.

> Don't open the RPC ports for any reason to the world.

Are there any other viable solutions besides VPN?


Thanks for the reply.

Re: Secure RDP connection from outside the network

on 14.07.2006 17:50:18 by Sebastian Gottschalk

Matt wrote:
> Their Network Engineer said that the easiest and most reliable way
> would be RDP.

He's pretty right. A fixed port, traverses NAT and pretty secure
encryption.

>> Don't open the RPC ports for any reason to the world.

Why RPC? This isn't needed in any such scenario.

Re: Secure RDP connection from outside the network

on 15.07.2006 03:20:10 by unknown

Post removed (X-No-Archive: yes)

Re: Secure RDP connection from outside the network

on 15.07.2006 08:46:31 by Volker Birk

Matt wrote:
> Can you explain the SSH option??

http://www.cygwin.com/

or

http://sshwindows.sourceforge.net/
http://www.itefix.no/phpws/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=12&MMN_position=22:22

Yours,
VB.
--
I would estimate that about 87% of all spontaneous estimates are
complete crap.

Ralph Angenendt in debate@ccc.de

Re: Secure RDP connection from outside the network

on 15.07.2006 08:47:43 by Volker Birk

Sebastian Gottschalk wrote:
> Matt wrote:
> > Their Network Engineer said that the easiest and most reliable way
> > would be RDP.
> He's pretty right. A fixed port, traverses NAT and pretty secure
> encryption.

In modern derivatives. Older ones are terrible. So my suggestion remains
to tunnel over SSH. Have a look at the negotiation and the difficult
configuration needed not to support older derivatives.

Yours,
VB.
--
I would estimate that about 87% of all spontaneous estimates are
complete crap.

Ralph Angenendt in debate@ccc.de