security question regarding opening up ports

Schnitzel

I'm trying to set up a small network to allow multiple users to remote in
using Windows XP Remote Desktop. The router in the office allows VPN
passthrough. I was able to set up a VPN server/client, but this allowed only a
single remote desktop connection. I googled it and am now planning on using
port forwarding starting at 3389 (the standard Remote Desktop port) and up. For
example:

router port    LAN computer:port
3389           192.168.8.1:3389
3390           192.168.8.2:3389
3391           192.168.8.3:3389

then in the remote desktop connection dialog, one would connect like this:

<router wan ip>:3390

this would initiate a remote desktop session on 192.168.8.2

The office is quite small, so maintaining this list is not much work. I am
just not sure on how secure this is and whether there is a better way to do
this.

I don't have a huge budget, i.e. obtaining a hardware vpn server or
obtaining windows 2003 server is not an option.
 
Sooner Al [MVP]

The security really is no different opening multiple ports for Remote
Desktop [RDC] versus one port for one PC and RDC. Make sure you use strong
passwords.

http://www.microsoft.com/protect/yourself/password/checker.mspx

You could also use high-number ports versus 3389/3390/3391, i.e. use
45671/45672/45673 for example. Sort of security through obscurity, so to
speak. Not foolproof, but it does cut down on port probes on TCP port 3389
for example. In all cases use strong passwords.

If you happen to be connecting to Vista Ultimate/Business desktops make sure
you use Network Level Authentication [NLA].

http://theillustratednetwork.mvps.org/RemoteDesktop/RemoteDesktopSetupandTroubleshooting.html
http://theillustratednetwork.mvps.org/RemoteDesktop/RDP6ConfigRecommendations.html

What type of VPN did you setup? When connected with the VPN can you ping the
RDC hosts? If you can't ping the RDC host through the VPN tunnel then you
will never connect using RDC. I ran RDC through a PPTP VPN, OpenVPN and
Secure Shell [SSH] tunnel in the past and had no problems connecting to
multiple PCs with RDC.

If you can't get a VPN to work then look at SSH. An added advantage of SSH
versus PPTP VPN is you can use a private/public key pair protected by a
strong password for authentication making it very safe and secure. Here are
some links...

http://theillustratednetwork.mvps.org/Ssh/SecureShell.html

I like Tunnelier as the SSH client because you can set it up to
automatically connect to one RDC host PC when the SSH tunnel is established.
Very convenient.

--

Al Jarvi (MS-MVP Windows – Desktop User Experience)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
How to ask a question
http://support.microsoft.com/KB/555375
 
Schnitzel

thanks for your quick reply.

You could also use high-number ports versus 3389/3390/3391, i.e. use
45671/45672/45673 for example. Sort of security through obscurity, so to
speak. Not foolproof, but it does cut down on port probes on TCP port 3389
for example. In all cases use strong passwords.

good point.

What type of VPN did you setup? When connected with the VPN can you ping the
RDC hosts? If you can't ping the RDC host through the VPN tunnel then you
will never connect using RDC. I ran RDC through a PPTP VPN, OpenVPN and
Secure Shell [SSH] tunnel in the past and had no problems connecting to
multiple PCs with RDC.

I used windows xp built in vpn client/server:

For server:
Add new connection
set up an advanced connection
accept incoming connections
etc.

For client:
Add new connection
Connect to the network at my workplace
Virtual private network connection
etc.

I then opened up the port associated with PPTP on my router. This configuration
works fine, but only allows one connection from outside to a computer behind
the router - a Windows XP VPN limitation!?

Is this PPTP VPN?

If you can't get a VPN to work then look at SSH. An added advantage of SSH
versus PPTP VPN is you can use a private/public key pair protected by a
strong password for authentication making it very safe and secure. Here are
some links...

http://theillustratednetwork.mvps.org/Ssh/SecureShell.html

I like Tunnelier as the SSH client because you can set it up to
automatically connect to one RDC host PC when the SSH tunnel is established.
Very convenient.

this looks promising and I will probably go this way unless I can get the
built-in vpn to work.
 
Schnitzel

Sooner Al said:
Yes, the XP PPTP VPN server function will only allow one incoming connection
at a time. I misread your post and thought you could not connect to more
than one PC through the VPN tunnel with RDC. The bottom line is you need
more than one simultaneous incoming VPN connection and be able to access any
of your workstations with RDC through the tunnel. I understand now.

Yes, this is exactly what I need.
SSH would get around that limitation since you are not in a position to
upgrade to a server-class OS or additional hardware. Be aware that if you're
behind a supported router then reflashing with third-party firmware like
DD-WRT would give you a PPTP server function on the router. DD-WRT also
includes an SSH server function. Just another option for little to no cost.

http://www.dd-wrt.com/wiki/index.php/Main_Page

unfortunately, our router (D-Link DIR-655) is not supported - my luck :(

so it looks like setting up an SSH VPN tunnel is the way to go. I am familiar
with PuTTY and I suppose it is similar to Tunnelier? I just checked and it
does seem to have support for tunnels and port forwarding.

 
Schnitzel

Sooner Al said:
Repost...

Yes, the XP PPTP VPN server function will only allow one incoming connection
at a time. I misread your post and thought you could not connect to more
than one PC through the VPN tunnel with RDC. The bottom line is you need
more than one simultaneous incoming VPN connection and be able to access any
of your workstations with RDC through the tunnel. I understand now.

thanks for clarifying... I wasn't sure if I explained it well enough.
SSH would get around that limitation since you are not in a position to
upgrade to a server-class OS or additional hardware. Be aware that if you're
behind a supported router then reflashing with third-party firmware like
DD-WRT would give you a PPTP server function on the router. DD-WRT also
includes an SSH server function. Just another option for little to no cost.

http://www.dd-wrt.com/wiki/index.php/Main_Page

unfortunately, our router (D-Link DIR-655) is not supported - my luck :(

so it looks like setting up an SSH VPN tunnel is the way to go. I am familiar
with PuTTY and I suppose it is similar to Tunnelier? I just checked PuTTY and it
does seem to have support for tunnels and port forwarding.
Would an instance of PuTTY run on a dedicated machine then as a 'server', or
is this all initiated and configured on the client?

 
Sooner Al [MVP]

Repost...

PuTTY and Tunnelier are SSH clients. You would need to install and
configure an SSH server of some type on one of your XP boxes. I prefer copSSH,
an SSH server Windows installer package that runs on NT/2000/XP/2003/Vista. I
have also had copSSH running on a Windows Home Server [WHS]. copSSH is based
on OpenSSH/OpenSSL/Cygwin and is updated as those are updated.

http://www.itefix.no/i2/node/27

http://www.itefix.no/i2/forum/35

http://theillustratednetwork.mvps.org/Ssh/SecureYourcopSSHServer-Vista.html

PuTTY and Tunnelier both support port forwarding, so it's easy to set up an RDC
connection using either one. The reason I like Tunnelier is because I can
set up an automatic RDC connection to one PC that starts when the SSH tunnel
is established. Of course that is a personal choice.

http://theillustratednetwork.mvps.org/Ssh/SecureShell.html

Good luck...

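The following is an added example, not code from the thread or from copSSH, PuTTY or Tunnelier; it spells out the OpenSSH-style configuration behind the advice above (SSH server on one LAN box, key-only logins, one local forward per workstation) using the same 192.168.8.x addresses as the port-forwarding table in the first post. The workstation labels, the user name "alice", the WAN host name, the key file name and the router-side SSH port 45671 are all assumed values. copSSH is OpenSSH underneath, so the sshd_config keywords apply, but where its sshd_config lives on a given install is not shown here.

```shell
#!/bin/sh
# Added example (not from the thread): OpenSSH configuration for tunnelling
# Remote Desktop over SSH instead of exposing each RDP listener on the router.
# All names, addresses and ports below are assumptions chosen to match the LAN
# addresses discussed in the thread.

# Constructed list of RDP hosts behind the router: "<label> <LAN address>".
RDP_HOSTS="ws1 192.168.8.1
ws2 192.168.8.2
ws3 192.168.8.3"

WAN_HOST="office.example.com"   # assumed: the router's public name or address
SSH_WAN_PORT=45671              # assumed: high router port forwarded to the SSH box, port 22
FIRST_LOCAL_PORT=3390           # 3389 stays free in case the client PC runs its own RDP listener

# Local port on the remote user's PC that reaches the named workstation.
local_port_for() {
  echo "$RDP_HOSTS" | awk -v want="$1" -v base="$FIRST_LOCAL_PORT" \
    '$1 == want { print base + NR - 1 }'
}

# Server side: sshd_config fragment for the SSH box. Keys only, one named
# account, and PermitOpen pins the tunnel to the RDP listeners, so a stolen key
# cannot be used to reach anything else on the LAN through the forward.
sshd_config_fragment() {
  user="$1"
  printf 'PubkeyAuthentication yes\n'
  printf 'PasswordAuthentication no\n'
  printf 'PermitRootLogin no\n'
  printf 'AllowUsers %s\n' "$user"
  printf 'AllowTcpForwarding yes\n'
  printf 'GatewayPorts no\n'
  printf 'X11Forwarding no\n'
  printf 'PermitOpen'
  echo "$RDP_HOSTS" | while read -r label ip; do
    printf ' %s:3389' "$ip"
  done
  printf '\n'
}

# Client side: ~/.ssh/config stanza for the remote user. One LocalForward per
# workstation; the Remote Desktop client then targets 127.0.0.1:<local port>.
client_config_stanza() {
  user="$1"
  printf 'Host office\n'
  printf '    HostName %s\n' "$WAN_HOST"
  printf '    Port %s\n' "$SSH_WAN_PORT"
  printf '    User %s\n' "$user"
  printf '    IdentityFile ~/.ssh/office_rdp_key\n'
  printf '    IdentitiesOnly yes\n'
  printf '    ExitOnForwardFailure yes\n'
  printf '    ServerAliveInterval 30\n'
  port="$FIRST_LOCAL_PORT"
  echo "$RDP_HOSTS" | while read -r label ip; do
    printf '    # %s: mstsc /v:127.0.0.1:%s\n' "$label" "$port"
    printf '    LocalForward 127.0.0.1:%s %s:3389\n' "$port" "$ip"
    port=$((port + 1))
  done
}

# Run with "show" to print both fragments for the assumed user "alice".
if [ "${1:-}" = "show" ]; then
  sshd_config_fragment alice
  echo
  client_config_stanza alice
fi
```

With the stanza in the user's ~/.ssh/config, `ssh -N office` brings up all three forwards and Remote Desktop connects to 127.0.0.1:3390, :3391 or :3392; PuTTY's plink takes the same forward syntax on the command line (`plink -N -P 45671 -i office_rdp_key.ppk -L 127.0.0.1:3390:192.168.8.1:3389 alice@office.example.com`). The router then forwards only the one SSH port, and the per-workstation 3389/3390/3391 rules from the first post can be removed. A forward to any host not listed in PermitOpen fails with "administratively prohibited", which is the behaviour you want to see when you test it. If the XP Remote Desktop client refuses a connection to 127.0.0.1, bind the forwards to 127.0.0.2 instead.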
 
Schnitzel

You pretty much answered all my questions, and the added security features of
setting up SSH with the private/public key are great for peace of mind.

Those links you sent are very useful.

thanks for your help
