I want a couple of my friends to remote to a Windows Server 2008. The server is not a domain controller, therefore I cannot set them up on a domain, add certificates or use group policy.
I want to secure their remote access from their workstations. My friends have an Apple Snow OS Mac and a Windows 7 OS PC.

Note, on the server I have three NICs. I have a static public NIC and another NIC connected to another network (wireless router for my private network). The last NIC is not being used. I am thinking of using (if I could) the third NIC to give out DHCP IP addresses for the VPN.

Is it possible to use a VPN to connect to the network if I create a remote and access role to create a secure remote desktop connection with a Windows Server 2008 SP2?

asked 12/15/2011 04:40

jeamrotae ♦♦


12 Answers:
What do you mean by 'secure'? RDP connections are encrypted and authentication uses username/password by default. If you run RDP inside a VPN connection you are just encrypting twice and reusing the same username/password combination. Using a VPN will expose your network to greater risk because malware on the VPN clients can attack your network. There isn't as much of an attack vector over RDP, though files can get copied.

Have you considered using Remote Desktop Gateway? It is like a VPN just for RDP sessions.

answered

kevinhsieh

Yes, if you use a VPN then it is always secure and you can access your remote PCs from Windows Remote Desktop or any other remote admin tools. But before you access them, make sure that the remote end PCs or servers are allowed to be accessed remotely.

answered 2011-12-16 at 01:00:59

minipop4747

I thought that when I use remote desktop and enter a username and password, I expose information in cleartext over the internet.

answered 2011-12-16 at 01:44:18

jeamrotae

If you use a VPN with encryption, your cleartext RDP login will be encrypted by the VPN tunnel itself.

So while the RDP components are not encrypted, the VPN tunnel takes care of that for you.

-Cheers, Peter.

answered 2011-12-16 at 01:53:50

ein_mann_betrieb

RDP connections are encrypted. They use 128 bit encryption, and you can disable weaker encryption that is available for older clients.

http://technet.microsoft.com/en-us/library/bb457106.aspx

Make sure that your users have a strong password, because there is a worm that spreads by using a dictionary attack to log on to RDP servers. This is a vulnerability in the RDP protocol, but rather an attack against weak passwords. Worms could use the same technique against VPNs, web pages, OWA, FTP servers, SSH hosts, etc.

answered 2011-12-16 at 07:24:21

kevinhsieh
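
An added example, not part of the original thread: a PowerShell audit of the settings the answer above refers to, run on the RDP server itself. It goes slightly beyond the answer by also checking the security layer, Network Level Authentication and the account lockout threshold; the function name `Get-EffectiveRdpSetting` is made up for the example, and the lockout check assumes English `net accounts` output.

```powershell
# Added example (not from the thread): audit the RDP listener on the server.
# Run from an elevated PowerShell 2.0+ prompt on the RDP host.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Hypothetical helper: a policy value, when present, overrides the listener's own.
function Get-EffectiveRdpSetting([string]$Name) {
    foreach ($key in @($policy, $listener)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($item -and ($null -ne $item.$Name)) { return [int]$item.$Name }
    }
    return $null
}

$enc   = Get-EffectiveRdpSetting 'MinEncryptionLevel'  # 1 Low, 2 Client Compatible, 3 High, 4 FIPS
$layer = Get-EffectiveRdpSetting 'SecurityLayer'       # 0 RDP Security Layer, 1 Negotiate, 2 SSL (TLS)
$nla   = Get-EffectiveRdpSetting 'UserAuthentication'  # 1 = Network Level Authentication required

$findings = @()
if ($null -eq $enc -or $enc -lt 3) {
    $findings += 'Encryption level is below High (or not set): weaker encryption is still offered to older clients.'
}
if ($layer -eq 0) {
    $findings += 'Legacy RDP Security Layer in use: clients cannot verify the server through TLS.'
}
if ($nla -ne 1) {
    $findings += 'NLA is not required: the logon screen is reachable before any authentication.'
}

# Password guessing is only slowed down if accounts lock out (English output assumed).
$lockout = net accounts | Select-String -Pattern 'Lockout threshold'
if ($lockout -and $lockout.Line -match 'Never') {
    $findings += 'No account lockout threshold: dictionary attacks can retry indefinitely.'
}

New-Object PSObject -Property @{
    MinEncryptionLevel = $enc; SecurityLayer = $layer; NlaRequired = ($nla -eq 1)
} | Format-List
if ($findings.Count -eq 0) { 'No weak RDP listener settings found.' } else { $findings }
```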

I am getting confused. Please help. Which is better to use with Apple Mac Snow and Windows 7, RDP with VPN or RDP without VPN, for better security/password protection?

answered 2011-12-16 at 09:11:34

jeamrotae

The RDP stream is encrypted either way. Using a VPN can make your NETWORK more vulnerable because it is the same as if you take your friends' computers and put them on your network without any firewalls. If you use a weak VPN method, such as PPTP, you also risk having the credentials stolen by someone who sniffs the traffic (the risk isn't high, but it is there).

My recommendation is to just forward the RDP traffic to your server, or install RD Gateway and use that to protect your RDP server. I think that using a weak VPN increases your risks.

answered 2011-12-16 at 13:42:39

kevinhsieh

If I install RD Gateway, do I need a license, and if I don't, can I install RD Gateway so that my friends can RDP to the server without them being part of a domain?

Note: Before, my friends would know my IP address (ISP) and just remote in (I trust them). I have no domain/domain controller installed. Recently I found out that this is a security risk, which is why I thought of VPN, but since that is not wise, what do you suggest?

answered 2011-12-16 at 16:01:31

jeamrotae

I am not sure that you can use RD Gateway without a domain. Having a domain doesn't inherently make things more secure. You would still be using a username and password. It would still be encrypted. A domain gives you access to other services, but it doesn't add encryption, or somehow make passwords better.

answered 2011-12-16 at 16:48:19

kevinhsieh

If RD Gateway does not need a domain to be installed then this would be good because my friends are not part of any domain. They just use their computers as regular workstations/laptops.

Do you know if I need a license to install RD Gateway?

answered 2011-12-16 at 16:55:06

jeamrotae

Your friends wouldn't need to be part of the domain. Your servers do.

The RD Gateway role doesn't require additional licensing, but you do need to have Windows CALs and RDP CALs for your friends. This is independent of using RD Gateway.

answered 2011-12-16 at 17:30:53

kevinhsieh

Thanks

answered 2011-12-17 at 12:24:34

jeamrotae

Asked: 12/15/2011 04:40

Seen: 1443 times

Last updated: 12/17/2011 07:13