Secure Remote Desktop

#1
Guest

I'd like to connect to my home Vista machine from my work using remote desktop. However, I'm quite concerned about security and being able to access all my personal files using just a password (even if it is a complex one).

How can I lock down remote desktop so that it is as close to being 100% hack proof as humanly possible?

Thank you

#2
Guest

> I'd like to connect to my home Vista machine from my work using remote
> desktop. However, I'm quite concerned about security and being able to access
> all my personal files using just a password (even if it is a complex one).
>
> How can I lock down remote desktop so that it is as close to being 100%
> hack proof as humanly possible?

Alan Jarvi has put together some good info on configuring and securing RDP, here:

http://theillustratednetwork.mvps.o...mendations.html

Some of Alan's XP info is also useful for Vista:

http://theillustratednetwork.mvps.o...leshooting.html

I have RDP'ed into my home machine from work for a few years now. The most important issue I have found is just making sure my Internet Router at home is well-secured. I have port forwarding enabled in the router, so I RDP to my public IP address, and the router forwards the traffic to my desktop machine (based on the RDP Port number). As a security measure - possibly excessive, but like you I'm paranoid - I changed the RDP Port from 3389 to another number. The router emails me the firewall logs, and I occasionally grep them for port activity on my customised RDP port. Just to make sure nothing untoward has happened.

So far, I don't think I've been compromised ... or if they have, they're being very discreet about it :-)

You can get some background info on RDP client security at the Terminal Services Team blog:
http://blogs.msdn.com/ts/archive/ta...de/default.aspx

Hope it helps,
--
Andrew McLaren
amclar (at) optusnet dot com dot au

#3
Guest

Also, a solution for remoting into your home computer, which is a pricey solution but pretty secure, is buying a hardware VPN router, setting up a VPN and using software such as Symantec pcAnywhere. This is probably the most secure way to do it.

#4
Guest

Thanks for the links, they were a good read and worth implementing.

For work, I have a token which displays a 9 digit number that changes every 60 seconds. During the login process on a remote desktop session, I need to enter the current number on the token to successfully log in. This number is only valid for 60 seconds before it expires.

Is there any kind of soft token that can be installed on my home and office machine that would mirror this hardware token?

#5
Guest

That's an expensive technology and I don't believe they offer a hardware version of this. Personally speaking, I think you would be perfectly fine with setting up a VPN at home.

#6
Guest

If I understand VPN correctly, it is a tunnel that prevents people from viewing the information that is encrypted within the tunnel.

The weakness with this method is at the ends of the tunnel which are protected by username/password.

That's where my concern is that someone could discover my server and brute force a u/p. I know the article on one of the other threads had some suggestions on securing this, but if I could find a 2 factor solution, that would give me peace of mind.

#7
Guest

Andrew,

Thanks for the links... good stuff.

Lang

#8
Guest

Well, I have been running a hardware VPN for about 2 years now and haven't had any trouble. I even have a name service so if my IP changes I can still access it; however, I do change the password on regular occasions just to be safe. I guess in retrospect it really depends on what type of material you're trying to protect. Keep in mind that thousands of businesses have VPNs set up with multiple accounts accessing them and that it isn't often that people actually get their accounts hacked. I'm not saying it's a perfect solution, because a hacker with a ton of knowledge can break into about anything, but it's definitely pretty secure.

#9
Guest

"-1" <amy@amy.com> wrote ...
> If I understand VPN correctly, it is a tunnel that prevents people from
> viewing the information that is encrypted within the tunnel.
> The weakness with this method is at the ends of the tunnel which are
> protected by username/password.

You can use "defence in depth": there are many layers at which you can add protection, besides passwords.

For example, you can limit inbound connections to those originating at certain IP addresses. If your workplace has a single outbound proxy server IP address (or a limited set of outbound proxy addresses), you could define an inbound filter rule on your home router. This basically tells the router "don't accept *any* incoming connections, unless they come from these specific IP addresses". Then, unless the hacker is actually located inside your corporate network, they won't get the chance to try entering any password - let alone, brute-forcing it. There's a matching loss of flexibility - it means you can't VPN in from hotel rooms etc. But if you want to be secure, there's usually a trade-off somewhere. Even basic home routers have inbound filter rules these days, so you can get quite creative.

> That's where my concern is that someone could discover my server and brute
> force a u/p.

Good choice of password is your best defence against brute force. Internally, Windows can handle passwords up to 127 chars in length. Unfortunately, some Windows dialogue boxes truncated the password at 34 chars - I'm not sure whether this was fixed in Vista or not (I suspect it has). But even 34 chars allows a high degree of entropy. The secret is to use a "pass phrase" rather than a password. So for example "I saw 27 leaping buffoons today!". Phrases like these are easy to remember; almost impossible to guess; can include numerals and punctuation chars for extra complexity; and will take several million years to brute-force (this phrase is particularly easy to remember, because there are so many leaping buffoons around).

You can also set the lockout on failed password attempts in Windows. So after say, 3 or 8 or 15 failed attempts, the account is locked out for a specified period - 5 minutes, 24 hours, 1 week etc. This is debated, somewhat: on the one hand, it absolutely prevents brute force attacks. On the other hand, it allows a Denial-of-Service attack - if someone wants to prevent you reaching your data, they just try a few fake passwords and lock you out of your account. Anyway, just go to Control Panel, Administrative Tools, Local Security and look under the Account Security settings.

> I know the article on one of the other threads had some suggestions on
> securing this, but if I could find a 2 factor solution, that would give me
> peace of mind.

2 Factor authentication is very secure; but you are looking at a considerable jump in cost. Most solutions are oriented towards corporate networks; ie, the home user VPNs in to corp-net, rather than the other way around, a corporate user VPNs back to their home PC. Being corporate products, they are priced accordingly.

To use 2 factor authentication for your home PC, you'll need some kind of server process to recognise and handle the authentication - either a server running on your home network, like an IAS or RADIUS Server; or a hardware router with built-in support for RADIUS or similar authentication. There might be software agents which can run on your home PC itself ... but I don't know of any such products (doesn't mean they don't exist; just that I don't know of any).

If you're shopping for solutions, avoid any which talk about replacing the Windows "GINA" ("Graphical identification and authentication") - the GINA architecture was radically changed in Windows Vista; and password software designed for Windows XP or Windows 2003 almost certainly won't run on Vista if the GINA is involved.

In the past I have worked with products from RSA and Gemplus, for inbound corporate VPNs - they are both very high quality vendors. They might have solutions for home users, too ... it's a place to start, anyway.

Other folks might have extra info - hope this helps a bit.
--
Andrew McLaren
amclar (at) optusnet dot com dot au
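
The habit of grepping the router's firewall logs for the customised RDP port (post #2) and the inbound source-address filter described in this post can be checked together in one pass. This is an added example, not part of the thread: the log line layout, port 33890 and the address ranges are constructed placeholders, since the thread does not show the router's real log format.

```python
import ipaddress
import re
from collections import Counter

RDP_PORT = 33890  # constructed stand-in for the customised RDP port
# Constructed stand-in for the workplace's outbound proxy addresses.
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/28")]

# Assumed log layout; adapt the pattern to what your router actually emails.
LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<action>ACCEPT|DROP) "
    r".*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample lines (documentation address ranges only).
SAMPLE_LOG = """\
Jul 24 08:12:03 router ACCEPT IN=wan SRC=198.51.100.5 DST=192.168.1.10 PROTO=TCP SPT=51522 DPT=33890
Jul 24 09:40:11 router DROP IN=wan SRC=203.0.113.77 DST=192.168.1.10 PROTO=TCP SPT=40112 DPT=33890
Jul 24 09:40:12 router DROP IN=wan SRC=203.0.113.77 DST=192.168.1.10 PROTO=TCP SPT=40113 DPT=33890
Jul 24 10:02:45 router ACCEPT IN=wan SRC=192.0.2.44 DST=192.168.1.10 PROTO=TCP SPT=50001 DPT=33890
Jul 24 10:05:00 router DROP IN=wan SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=50002 DPT=3389
Jul 24 10:06:00 router DROP IN=wan SRC=203.0.113.9 DST=192.168.1.10 PROTO=UDP SPT=50002 DPT=53
not a firewall entry
""".splitlines()


def triage(lines, port=RDP_PORT, allowed=ALLOWED_SOURCES):
    """Summarise traffic aimed at the RDP port, split by what the router did with it."""
    accepted_outside, dropped, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = LINE.match(line)
        if m is None:
            unparsed += 1            # surface format drift instead of hiding it
            continue
        if m["proto"] != "TCP" or int(m["dpt"]) != port:
            continue                 # not aimed at the RDP forward
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            unparsed += 1
            continue
        if m["action"] == "ACCEPT":
            # An accepted connection from outside the allowlist means the
            # inbound filter rule is missing or wrong: review this first.
            if not any(src in net for net in allowed):
                accepted_outside[str(src)] += 1
        else:
            dropped[str(src)] += 1   # the filter did its job; watch for bursts
    return {
        "accepted_outside_allowlist": dict(accepted_outside),
        "dropped_probes": dict(dropped),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```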

#10
Guest

"Andrew McLaren" <andrew@fakeaddress.com> wrote in message news:2DD130B9-D49C-4074-88D0-350F466F6B60@microsoft.com..
> "I saw 27 leaping buffoons today!"

And most of them are posting here........ ;-)

Sorry, couldn't resist <vbeg>

--
Jane, not plain
64 bit enabled :-)
Batteries not included. Braincell on vacation ;-)
MVP Windows Shell/User