Remote access
asgard88, 2013-05-30 12:16:17

Setting up secure rdp access to a work machine?

Good afternoon, comrades! I want to implement the possibility of a secure connection to a work machine. The bottom line is this: there is a machine on Win7, and I want to make the check when connecting via RDP more reliable than just a login/password.
Having dug around on the Internet, I found a lot of different options. I would like to implement a method such that on the client machines outside the corporate network, from which I will connect, a minimum of additional software is needed.
Ideally, use only standard MS Windows tools, without installing VPN clients, drivers, tokens, smart cards or the like. Deploying a Windows Server on the network, with a certification authority, just to connect to one machine seems superfluous to me, and you would need to buy a license.
What do you advise?
PS: It would be cool to just make a self-made certificate, dump it on a flash drive, and have the work machine check whether the client has the right certificate.
PPS: I have entered the world of electronic certificates, encryption and similar paranoia for the first time, so from the huge number of solutions for GOST, ISO and other technologies my head is spinning.
PPPS: These rosy dreams are inspired by the need to frequently connect from different PCs in our branches. Installing software every time just to connect to my machine is painfully expensive, and I will have to connect often.


13 answer(s)
script88, 2013-05-30
@script88

Isn't it better to do it with TeamViewer than to reinvent the wheel?

Sergey Altman, 2014-09-19
@altman

Unfortunately, Windows Server does not know how to authenticate a client by certificate. All those instructions on the Internet on how to use a certificate are for the CLIENT to authenticate the SERVER, so as not to connect to a "fake" server.
Once again, in other words: the server authenticates the client only by password. For the client to authenticate the server, a certificate can be used.

ZoraX, 2016-06-08
@ZoraX

You can make it cooler and much safer without any certificates attached to Windows, etc.:
1. Set up your OpenVPN server on any cloud VDS or other resource. By the way, you can set up the VPN on the same server that you plan to access via RDP (the main thing is that the IP address is external and reachable from the big Internet).
2. Remember the IP address of this server; in the case of an all-in-one solution, remember the internal local address that will be issued to us every time we connect to the VPN.
3. On the router, set up port forwarding for RDP: specify 3389 as the local port, anything except the default as the external port, protocol TCP/IP or both, and specify the IP address of that OpenVPN server as the source address (from point 2).
4. Thus, it will be possible to reach your remote desktop only by connecting via VPN; connections from any other addresses will be dropped.

IgorK11, 2019-01-14
@IgorK11

Also, tell me a simple way to log rdp connections, who came in from which ip when.

Integra Login Analytics RDP

oia, 2013-05-30
@oia

Isn't it easier to change the connection port from 3389 to any other?

iLexx_13, 2013-05-30
@iLexx_13

Is this win7 behind some kind of router or is there a full-fledged gateway on the line?
Just at one time I wanted to do this: the gateway is on the line, and port-knocking is configured in it. Next, a self-extracting archive is created, which contains port-knocking for Windows, the saved RDP config, a shortcut for placing it on the desktop, and a small bat file, which will be launched by the shortcut, like this:

    port-knoking 8080
    start mstsc rdp.conf
    port-knoking 8081

where 8080 is the port that, if you knock on it, opens the RDP port, and 8081 is the port that, if you knock on it, closes the RDP port. The archive is configured so that after unpacking it copies the shortcut to the desktop.
Further, the user does not need to do anything except click on the shortcut (which runs the bat file) and enter the login/password for the system.
All this is somewhat confusing, but back then it seemed to me that it would be easier for users than explaining how to install a certificate / set up a VPN / etc., and it is more secure than just using a login/password.
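The gateway side of the port-knocking scheme described in this answer, as an added example (not the answer's own tool or batch file): a small state machine that watches SYNs to closed ports per source address and opens RDP for that address only after the right knocks arrive in order and within a time limit. The knock ports, addresses and timestamps are constructed; the answer's single knock on 8080 to open and 8081 to close is the one-port special case of the sequence used here, and the example generalizes it to a multi-port, non-monotonic sequence so that a port scan sweeping ports in order does not trigger it.

```python
# Added example: the decision logic a gateway runs behind port-knocking.
# Ports, addresses and timestamps below are constructed for illustration.
from dataclasses import dataclass, field

OPEN_SEQUENCE = (9000, 7000, 8000)   # hypothetical knock order; deliberately not ascending
CLOSE_PORT = 8081                    # one knock here closes RDP again (as in the answer)
RDP_PORT = 3389
KNOCK_TIMEOUT = 10.0                 # seconds allowed between consecutive knocks


@dataclass
class KnockState:
    progress: int = 0      # how many ports of OPEN_SEQUENCE matched so far
    last_seen: float = 0.0


@dataclass
class KnockGateway:
    states: dict = field(default_factory=dict)
    opened: set = field(default_factory=set)   # source IPs allowed to reach RDP

    def observe(self, src_ip: str, dst_port: int, ts: float) -> bool:
        """Feed one SYN to a closed port (src, port, time) as the firewall log
        would report it; return True if RDP is now open for src."""
        if dst_port == CLOSE_PORT:
            self.opened.discard(src_ip)
            self.states.pop(src_ip, None)
            return False
        st = self.states.setdefault(src_ip, KnockState())
        if st.progress and ts - st.last_seen > KNOCK_TIMEOUT:
            st.progress = 0                  # too slow between knocks: start over
        if dst_port == OPEN_SEQUENCE[st.progress]:
            st.progress += 1
        elif dst_port == OPEN_SEQUENCE[0]:
            st.progress = 1                  # wrong knock, then the first port again
        else:
            st.progress = 0                  # any other port resets the sequence,
                                             # so a scan passing through other ports never opens it
        st.last_seen = ts
        if st.progress == len(OPEN_SEQUENCE):
            self.opened.add(src_ip)
            st.progress = 0
        return src_ip in self.opened

    def allows(self, src_ip: str, dst_port: int) -> bool:
        """Filter decision for a real connection attempt: only RDP, only knocked-in sources."""
        return dst_port == RDP_PORT and src_ip in self.opened


if __name__ == "__main__":
    gw = KnockGateway()
    for port, t in ((9000, 1.0), (7000, 2.0), (8000, 3.0)):
        gw.observe("198.51.100.7", port, t)
    print("RDP open for 198.51.100.7:", gw.allows("198.51.100.7", RDP_PORT))
```

Knocking only hides the port from casual scanning; the login/password check behind it is unchanged, so it is a complement to, not a replacement for, strong authentication.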

Alexander Grebenshchikov, 2013-05-30
@archerz

Use an encrypted tunnel with zebedee. On the work computer, launch the zebedee service, and on the client machine, launch the zebedee console client from a flash drive using a batch file.
Pluses:
1. The channel between the client machine and the service is encrypted.
2. Traffic is compressed.
3. Protection against unauthorized connections using keys.
4. Ability to forward multiple ports through one tunnel.

foxnet, 2013-05-30
@foxnet

As far as is known, without a certification authority nothing sensible will work anyway.
If you need a very, very reliable connection without a domain, then you can use IPsec. This will require configuration on each client, but all traffic will be encrypted. Certificates can also be used here, but without a certification authority it will not work either. Without a CA, the IPsec channel can be established with a preshared key.

kirion, 2013-05-30
@kirion

If you still need a corporate authentication solution, then I advise you to look towards One-Time Password technologies. With them, no client part is needed, and PKI with all its consequences does not need to be maintained. OTP examples: RSA SecurID, Aladdin OTP, Indeed ID.
Just do not expose bare RDP to the outside; it is vulnerable.

kirion, 2013-05-31
@kirion

Because MS12-020.

asgard88, 2013-05-31
@asgard88

Also, tell me a simple way to log rdp connections, who came in from which ip when.
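One answer to the logging question asked here and in IgorK11's reply above, as an added example (not a product, and not anything the thread's participants posted): on a Windows host, RDP logons land in the Security log as event 4624 (success) and 4625 (failure) with LogonType 10, carrying the user name and the source IpAddress; the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational channel additionally records event 1149 with the source network address. The code below parses events in the Windows event XML shape (as exported by an EventLogRecord's ToXml()) and summarizes who connected from where and when, plus which sources are failing repeatedly. The event records are constructed for the example.

```python
# Added example: pull RDP logons out of Windows Security-log events (4624/4625, LogonType 10).
# The sample events below are constructed; addresses and user names are illustrative.
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
REMOTE_INTERACTIVE = "10"   # LogonType 10 = RemoteInteractive, i.e. an RDP session logon


def _event(event_id: int, time: str, **data: str) -> str:
    """Build a constructed event in the Windows event XML shape (helper for the sample data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System>'
            f'<EventData>{fields}</EventData></Event>')


SAMPLE_EVENTS = [
    _event(4624, "2013-05-31T08:12:44Z", TargetUserName="asgard88", LogonType="10", IpAddress="198.51.100.7"),
    _event(4624, "2013-05-31T08:30:01Z", TargetUserName="asgard88", LogonType="2", IpAddress="-"),  # console logon
    _event(4625, "2013-05-31T09:01:10Z", TargetUserName="Administrator", LogonType="10", IpAddress="203.0.113.9"),
    _event(4625, "2013-05-31T09:01:12Z", TargetUserName="admin", LogonType="10", IpAddress="203.0.113.9"),
    _event(4625, "2013-05-31T09:01:15Z", TargetUserName="asgard88", LogonType="10", IpAddress="203.0.113.9"),
]


def parse_event(xml_text: str) -> dict:
    """Flatten one event into {id, time, <EventData Name>: value, ...}."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    time_created = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"id": event_id, "time": time_created, **data}


def rdp_logons(events: list) -> list:
    """Keep only RDP (LogonType 10) successes and failures: who, from which IP, when."""
    rows = []
    for xml_text in events:
        ev = parse_event(xml_text)
        if ev["id"] not in (4624, 4625) or ev.get("LogonType") != REMOTE_INTERACTIVE:
            continue
        rows.append({"time": ev["time"], "user": ev.get("TargetUserName", ""),
                     "ip": ev.get("IpAddress", ""), "ok": ev["id"] == 4624})
    return rows


def failures_by_ip(rows: list, threshold: int = 3) -> dict:
    """Source addresses with at least `threshold` failed RDP logons: a password-guessing signal."""
    counts = Counter(r["ip"] for r in rows if not r["ok"])
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    rows = rdp_logons(SAMPLE_EVENTS)
    for r in rows:
        print(r["time"], r["user"], r["ip"], "OK" if r["ok"] else "FAILED")
    print("repeat failures:", failures_by_ip(rows))
```

One caveat when reading these logs: with Network Level Authentication enabled, the credential check happens before the session exists and is recorded as a network logon (LogonType 3) from the same address, so a failed password attempt may appear as a type-3 4625 rather than a type-10 one; a summary that only counts type 10 undercounts guessing attempts against an NLA-protected host.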

stepanovg, 2014-08-18
@stepanovg

Tell me, does a self-signed certificate not help in the situation of an open port 3389?
(using Win2008R2/2012 as an example)

Alexander Vladimirovich, 2014-11-20
@polyanin

WinSSHD
www.bitvise.com/ssh-server
