Remote Desktop Questions
Original Message
Name: mhags
Date: August 22, 2005 at 07:35:30 Pacific
Subject: Remote Desktop Questions
OS: Win 2K3
CPU/RAM: 2.8 GHz / 2 GB
Comment: I need some input on a remote desktop connection to a Windows 2003 server. The current network setup is a 10-computer Windows 2003 domain with a basic Linksys router. What I plan on doing is have somebody from the outside remotely connect to the server to run a certain application. This application will get run twice a month at most, so I really see no reason to upgrade to a terminal server license. If I stick with the Linksys router I should be able to just port forward the remote desktop connection, correct? I don't want to put the server in the DMZ. If I want to have the outside person connect to the server remotely, I just give them the IP address of the router and the forwarding should take care of it? Just wondering how this sounds, if it will work as a setup, and if anything sounds like a security issue. Thanks for any help.
Response Number 1
Name: phdfreddied
Date: August 22, 2005 at 08:37:39 Pacific
Reply: You're quite on the nose, sensing a security issue. As far as my meagre professional experience with Windows goes (I'm a *nix geek, I'll try and keep this as bias-free as possible), you face three pertinent issues, one of which is security related:

1) The Linksys router will now forward any traffic on xyz port to your computer:xyz. This means that if at any time there is an exploit available for the Windows Remote Desktop client (which occurs quite regularly), this port is now accessible from the outside world and to whatever malicious activity some might contrive to put forth. The best way to mitigate this is to forward that, and only that, port and also disable NetBIOS over TCP.

2) You will need to statically set the IP address of the Windows server (if it is not already so), because the port forwarding will not follow the DHCP leases.

3) The connection will most likely not be encrypted, which means anyone listening on the wire, inside or outside your network, can observe and capture passwords and other information. You would be wise to implement some form of encrypted tunnel (VPN, IPsec, etc.).

Hope that helps (it's early and my caffeine hasn't quite kicked in yet, I'll probably think of something else later).
F.A. de Sibert
Response Number 2
Reply: "The connection will most likely not be encrypted, which means anyone listening on the wire, inside or outside your network can observe and capture passwords and other information." That is incorrect. RDP is encrypted already, although tunneling it through a VPN that's encrypted would add another encryption layer. The encryption strength is either 56-bit or 128-bit. The danger in forwarding the port is that now someone on the Internet has access to the listening port. There has been a DoS vulnerability in RDP that was just patched (make sure you install the patch!!!), but should a new vulnerability become known, you may want to consider changing the RDP listening port to something other than 3389, and forwarding that port on the router to the server. http://www.petri.co.il/change_terminal_server_listening_port.htm

"It happens."
Response Number 3
Name: mhags
Date: August 22, 2005 at 13:34:56 Pacific
Reply: Phdfreddied, thanks for the info. Yeah, the security didn't seem the best to me, because I thought I recalled seeing an article or an update for it. I would like to do a VPN, but I don't think they really want to spend much money at all. Heropsycho, thanks also for the info. I looked up the encryption and you're right on the connection having it. The port change is a good option, and I might end up using it. I'm thinking I might go pick up a cheap firewall that allows me to specify access rules, and just permit access from that IP to the port. The Linksys doesn't exactly include the best firewall support. Thanks again, guys.
Response Number 4
Reply: Check out www.ipcop.org for an easy-to-manage Linux firewall/router distro that can do that. Absolutely no Linux knowledge or experience is required to be able to use it. You don't need a beefy box for it either. I run it on a Celeron 450 MHz, 512 MB RAM (it utilizes 8% of that; I just put that in because I had absolutely no other use for the memory) and a 5.7 GB hard drive. After the initial setup, which is menu driven, all management is done via HTTPS web connections remotely with easy web forms, similar to a SOHO router like the Linksys. It even includes Snort IDS, a VPN endpoint, and a web caching proxy. Free, too!

I also want to stress again that the user name and password are NOT sent in plain text. If you use Windows 2003, it's 128-bit encrypted. The only documented vulnerability was the DoS I mentioned, which is addressed with the patch.

"It happens."
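Editor's note, not part of the thread: Responses 1 through 4 between them describe the rule set the poster is after (forward one port only, to a statically addressed server, on a non-default external port, and only from the one outside IP that needs it). IPCop is driven through its web GUI, so the raw iptables script below is an added example of the equivalent rules on a generic Linux firewall/router, not IPCop's own configuration. The addresses (203.0.113.10 for the outside user, 192.168.1.10 for the server), the interface name eth0 and the external port 33890 are assumptions chosen for illustration. By default the script only prints the rules so it can be reviewed on any machine; set IPT=iptables to apply them on the firewall.

```shell
#!/bin/sh
# Added example (not from the original thread): expose RDP on a Windows
# server behind a Linux firewall/router to ONE trusted outside address
# and to nobody else.  Addresses, interface and external port below are
# assumptions for illustration.
#
# IPT defaults to "echo iptables" so the script prints the rules instead
# of applying them.  Run with IPT=iptables (as root, with
# net.ipv4.ip_forward=1) to apply for real.
IPT="${IPT:-echo iptables}"

WAN_IF="${WAN_IF:-eth0}"                    # interface facing the Internet
TRUSTED_SRC="${TRUSTED_SRC:-203.0.113.10}"  # the outside user's static IP (assumed)
EXT_PORT="${EXT_PORT:-33890}"               # non-default port exposed on the WAN side
SERVER_IP="${SERVER_IP:-192.168.1.10}"      # the 2003 server's STATIC LAN address
RDP_PORT=3389                               # RDP listening port on the server

rdp_forward_rules() {
    # Default-deny for everything routed through the box; only the flows
    # explicitly accepted below get through.
    $IPT -P FORWARD DROP

    # Allow return traffic for connections that were already accepted.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DNAT: rewrite TRUSTED_SRC -> WAN:EXT_PORT into SERVER_IP:3389.
    # Because of the -s match, packets from any other source are never
    # translated, so they never reach the server's listener at all.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -s "$TRUSTED_SRC" \
        --dport "$EXT_PORT" -j DNAT --to-destination "$SERVER_IP:$RDP_PORT"

    # FORWARD sees the post-DNAT destination.  Match one source, one
    # destination and one port rather than "anything to 3389".
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -s "$TRUSTED_SRC" \
        -d "$SERVER_IP" --dport "$RDP_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Belt and braces for Response 1's point: even if a forwarding rule is
    # later widened by mistake, NetBIOS/SMB from the WAN side stays dropped.
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -p udp -m multiport --dports 135,137,138,139,445 -j DROP
}

# Print (or apply) the rule set when the script is run directly.
rdp_forward_rules
```

The source-address restriction is what turns "the whole Internet can reach the listener" into "one host can reach the listener", and it only works if the outside user connects from a fixed address; if they do not, the VPN option raised earlier in the thread is the fallback. Changing the external port alone (Response 2) keeps casual scanners off 3389 but does not stop anyone who finds the new port, which is why the rules above do both.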
Response Number 5
Name: mhags
Date: August 24, 2005 at 20:54:23 Pacific
Reply: The IPCop looks awesome! Unfortunately the place doesn't have room for a machine to run all the time. Any suggestions on a hardware firewall that is around $300 or less? I was looking at SonicWalls, but they run pretty high with subscriptions. Thanks again.
Response Number 6
Reply: Keep in mind once IPCop is set up initially, everything is done via the network. In other words, you don't need a keyboard, mouse, or monitor connected once it's set up. It's what I use short of a PIX.

"If that [soiled bed] sheet is a [holy] manifestation, then I'm working on a miracle in my Jockey's!"
Response Number 8
Reply: I only reboot it when I patch it, if the patch requires a reboot. (Patches are handled in the GUI, just like upgrading a SOHO router's firmware.) Otherwise, you can leave it running indefinitely. I've had it run months at a time, and the only reason I rebooted was to complete an update install. Also, you can power down and reboot it remotely through the web GUI, too.

"It happens."