Securing Remote Desktop

Status
Not open for further replies.

derajer

IS-IT--Management
Jul 6, 2005
28
US
I use remote desktop on my server, but I only need it from inside the company. I would like to make it as secure as possible. Does anyone know how to bind it to specific IP addresses or ranges? Any other security tips for it?
 
Doesn't your company have a firewall to configure?

If you don't, start by playing with Monowall firewall. It's free, free, free...
 
I believe you can do this on the local server by IPsec filtering. It's been a while since I've messed with 2003 Server, so bear with me. In the local security policy of the server, you should have an IPsec setting (if you are using gpedit.msc, it would be much better). You may want to look at this article....

 
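The post above describes restricting who can reach the RDP listener with an IPsec filter policy, which is how it was done on Server 2003. The block below is an added example, not code from the thread, that does the same thing on a current Windows server through Windows Firewall with Advanced Security (the NetSecurity PowerShell cmdlets). The management subnet 10.0.1.0/24 and the default port 3389 are assumptions, not values from the thread.

```powershell
# Added example (not from the thread): allow inbound RDP only from a management subnet.
# Run in an elevated PowerShell session on the server itself.
# Assumptions (not from the thread): admin workstations live in 10.0.1.0/24 and the
# RDP listener is still on the default TCP 3389.

$AllowedSources = @('10.0.1.0/24')   # assumed management subnet
$RdpPort        = 3389

# Windows ships a built-in "Remote Desktop" rule group that allows 3389 from any source.
# Disable it so the only way in is the scoped rule created below.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Allow RDP only from the listed sources. Anything else falls through to the profile's
# default inbound action, which must be Block for this to mean anything (checked below).
New-NetFirewallRule -DisplayName 'RDP - allow from management subnet' `
    -Direction Inbound -Protocol TCP -LocalPort $RdpPort `
    -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null

# A scoped allow rule is useless if a profile's default inbound action is Allow.
$weak = Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' }
if ($weak) {
    Write-Warning ('Default inbound action was not Block for: ' + ($weak.Name -join ', '))
    $weak | Set-NetFirewallProfile -DefaultInboundAction Block
}

# Verify: every enabled inbound rule that opens the RDP port, with the sources it permits.
# Expect to see only the rule above, scoped to the management subnet.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $RdpPort } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Action        = $_.Action
            RemoteAddress = ($addr -join ',')
        }
    }
```

Apply this from the server console or another management path, not from the RDP session you are about to restrict, so a typo in the subnet cannot lock you out. The host firewall is a second line behind the network ACL that other replies in this thread mention; keep both, since the host rule is what still holds if the server is reached from an address the perimeter filter did not anticipate.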
What is the problem: you don't want anybody else from inside your network to access it remotely, or is your worry that someone from outside will take control of that server?

Regards, Lars
 

You're probably not exposed to the internet anyway. I can't imagine a company with all their workstations directly attached to the internet without some form of security.

In the event you are on a LAN where every workstation has an internet address, just enable the firewall and deny any traffic from IPs outside your range.
 
You can have your network team create an ACL only allowing your IP address to communicate via port 3389 to your Data Center subnet. By default, remote access only allows local administrators to access the machine via RDP. The default should be secure enough depending on who the local and domain admins are...
 
Sorry, I forgot about this thread due to recent problems here.

A couple of things that I should have made clearer

1. I am the entire IT dept for a relatively small but very complex conglomerate

2. The server provides quite a few unique services so it sits on the DMZ

 
The second article I pointed you to should help you out immensely. One more thing that you can do is change the listening port, which will help you keep prying eyes away. Here is a link that explains how to change it.


If I remember correctly, this is the same for 2003 as it is for 2000. When connecting via Remote Desktop Client (RDC), you will need to have the IP (or FQDN) followed by a : and the "new" port number (i.e., 192.168.0.1:3390).
 
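The post above points to an article on changing the RDP listening port; the link did not survive extraction. The block below is an added example, not code from the thread or the article, that performs the change on a current Windows server: it rewrites the PortNumber value under the RDP-Tcp registry key, opens the new port in the host firewall before the old one is closed, restarts the Remote Desktop service and confirms the listener actually moved. The new port 3390 matches the connection example in the post; the management subnet 10.0.1.0/24 is an assumption. Note that moving the port only hides the service from people who do not look: a port scan still finds an RDP banner on 3390, so treat this as a noise reducer and rely on source-address restriction for the actual control.

```powershell
# Added example (not from the thread): move the RDP listener from TCP 3389 to another port.
# Run elevated from the server console or an out-of-band session, because restarting
# TermService drops any RDP session you are currently in.
# Assumptions (not from the thread): new port 3390, management subnet 10.0.1.0/24.

$NewPort = 3390
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$current = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
"Current RDP listener port: $current"

if ($NewPort -lt 1024 -or $NewPort -gt 65535) {
    throw "Port $NewPort is outside the usable range"
}
# Refuse to collide with something that already listens on the chosen port.
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "TCP $NewPort is already in use on this host"
}

# The listener reads PortNumber (a DWORD) from this key when the service starts.
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

# Open the new port first, scoped to the management subnet, so the old rules can be
# disabled afterwards without a window where nothing is reachable.
New-FirewallRuleIfMissing = $null  # placeholder removed below
```
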

If the server is in the DMZ, then the main thing you'll need to do is tell your clients how to get to the machine in the DMZ. Depending on how your firewall is configured, just having the inside interface's IP address as your default gateway should do the trick. However, I've had situations where that was not adequate. If you're unable to reach the machine this may be the case. Remedy with a route statement.

example environment:
inside subnet: 10.0.1.0/24
inside firewall interface IP: 10.0.1.1
dmz subnet: 10.0.2.0/24

example command: (Win32 machines)
route add 10.0.2.0 mask 255.255.255.0 10.0.1.1

There's also the possibility that your DMZ does not trust your inside interface. In which case you will have to poke a hole through from your inside interface to the DMZ for the RDP port 3389 (TCP). Also, make sure none of your PCs' built-in firewalls are blocking this communication.
 