I use remote desktop on my server, but I only need it from inside the company. I would like to make it as secure as possible. Does anyone know how to bind it to specific IP addresses or ranges? Any other security tips for it?
I believe you can do this on the local server by ipsec filtering. It's been a while since I've messed with 2003 Server, so bear with me. In the local security policy of the server, you should have an IPsec setting (if you are using gpedit.msc, it would be much better). You may want to look at this article....
What is the problem: that you don't want anybody else from inside your network to access it remotely, or is your worry that someone from outside will take control of that server?
You're probably not exposed to the internet anyway. I can't imagine a company with all their workstations directly attached to the internet without some form of security.
In the event you are on a LAN where every workstation has an internet address, just enable the firewall and deny any traffic from IPs outside your range.
You can have your network team create an ACL only allowing your IP Address to communicate via port 3389 to your Data Center subnet. By default, remote access only allows local administrator to access the machine via RDP. The default should be secure enough depending on who the local and domain admins are...
The second article I pointed you to should help you out immensely. One more thing that you can do is change the listening port, which will help you keep prying eyes away. Here is a link that explains how to change it.
If I remember correctly, this is the same for 2003 as it is for 2000. When connecting via Remote Desktop Client (RDC), you will need to have the IP (or FQDN) followed by a : and the "new" port number (i.e., 192.168.0.1:3390).
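The two pieces of advice above, restricting port 3389 to an internal range and moving the listener to another port, as one added example that is not from this thread. It assumes a current Windows host with the NetSecurity module (Server 2012 / Windows 8 or later) run from an elevated prompt, so it is not the 2003-era IPsec filtering the earlier reply mentions; the subnet and port values are assumptions to adjust.

```powershell
# Added example: restrict inbound RDP to one internal subnet and optionally
# move the listener off 3389. Assumed values below; run elevated.
$AllowedSubnet = '10.0.1.0/24'   # assumption: the only network that should reach RDP
$RdpPort       = 3390            # assumption: new listener port (keep 3389 to leave it alone)

# 1. Move the RDP listener if requested. PortNumber under RDP-Tcp is the key the
#    listener reads; TermService must be restarted (or the box rebooted) to apply.
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$current = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
if ($current -ne $RdpPort) {
    Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $RdpPort
    Write-Host "RDP listener changed from $current to $RdpPort; restart TermService to apply."
}

# 2. Disable the built-in 'Remote Desktop' allow rules: they accept any remote
#    address and would undo the scoping done below.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 3. Make sure unsolicited inbound traffic is dropped by default on every profile,
#    then allow the RDP port only from the approved subnet. Because the default
#    inbound action is Block, no separate block rule is needed (a Block rule for
#    'Any' would win over the Allow rule and lock out the approved subnet too).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName "RDP allow from $AllowedSubnet" -Direction Inbound `
    -Protocol TCP -LocalPort $RdpPort -RemoteAddress $AllowedSubnet -Action Allow | Out-Null

# 4. Verify: show the address scope actually attached to the new rule.
Get-NetFirewallRule -DisplayName "RDP allow from $AllowedSubnet" |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Clients then connect with `server:3390` as described in the reply above; anything outside 10.0.1.0/24 is dropped by the firewall before it reaches the listener.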
If the server is in the DMZ, then the main thing you'll need to do is tell your clients how to get to the machine in the DMZ. Depending on how your firewall is configured, just having the inside interface's IP address as your default gateway should do the trick. However, I've had situations where that was not adequate. If you're unable to reach the machine this may be the case. Remedy with a route statement.
example command: (Win32 machines)
route add 10.0.2.0 mask 255.255.255.0 10.0.1.1
There's also the possibility that your DMZ does not trust your inside interface. In which case you will have to poke a hole through from your inside interface to the DMZ for the RDP port 3389 (TCP). Also, make sure none of your PCs' built-in firewalls are blocking this communication.