5

Is it possible to prevent Remote Desktop from replying when requesting it through a domain name? In other words, if I type "www.example.com" into the Remote Desktop Connection prompt, it will resolve to my server; how do I prevent that?

If it matters, the server is a Windows Server 2008 64-bit.

Thanks in advance!

Gup3rSuR4c

3 Answers

5

No, you can't. DNS resolution is a separate process done by the system. If you have both a web server and an RDP server on www.example.com, and you remove www.example.com from the DNS, the website will no longer be reachable using the name.
So you can't solve your problem, but I don't see why it's a problem.

radius
  • I see. Without going into great detail, I've recently made substantial changes to some of my web applications and I unfortunately know of malicious people that would like to do bad things to them... Wanted to see if it was possible to avoid revealing the server at least through the domain name. Is it instead possible to have RDP listen on a separate "private" IP? – Gup3rSuR4c Aug 13 '10 at 09:53
  • 2
    Of course you can't hide the server IP as it's needed by the client to access the web server. You can enable a firewall on your server to only allow access to RDP server from some trusted IPs, this would be a better solution than using a 2nd public IP dedicated to RDP. – radius Aug 13 '10 at 10:01
  • I see. I was going to ask for a guide, but then I realized that my IP can change at any time from my ISP, thus causing me to lose access to the server if I were to restrict it to an IP... Thanks for the help! – Gup3rSuR4c Aug 13 '10 at 10:16
  • You could use something like a VPN. Someone will still be able to try to connect to your VPN service, but this reduces risk in case of a security hole in RDP (but of course you could have a security hole in the VPN software, so ...) – radius Aug 13 '10 at 12:21
  • Quick followup: How do hosting providers prevent RDP? Say www.example.com is hosted with GoDaddy (on a shared hosting), if you use it in the RDC window it will timeout. If you try the IP of the domain it also times out. Are they doing IP restrictions or something else? – Gup3rSuR4c Aug 13 '10 at 17:34
  • 2
    Well for one, they are not necessarily using Windows servers (even for ASP code, you can still be running *nix with Apache). But for the most part they will restrict things via a firewall so that the only thing the "world" can touch on the servers are ports they allow (port 80, 443, etc). RDP (port 3389) will most likely be limited to people on their corporate network, or even a subset of that, since they don't necessarily want sales people and the cleaning lady to have access to production servers... – peelman Aug 13 '10 at 18:09
  • @peelman, I see. So, if I were to add a dedicated firewall to my server, I could configure it to only accept connections from my home IP (or any that I specify really) and if my IP were to ever change I can just access the firewall through its control panel and update it, right? – Gup3rSuR4c Aug 22 '10 at 03:07
  • Yes, you could. Hint: Your server already has a firewall. Server 2008's is relatively good. – peelman Aug 23 '10 at 12:18
3

"Security through obscurity" is a bad idea, because it only works if your enemies are stupid and not particularly determined. However, you certainly can change the listening port for RDP: http://support.microsoft.com/kb/306759

What you may really want to do is to configure a VPN connection, and, when it is working, block outside connections to port 3389 using Windows Firewall. This tutorial from Microsoft is overkill, but it should include all the details that you need.

Skyhawk
-3

It does not answer your question, but would it not be simpler to configure the firewall to "deny all" on port 3389 (RDP) and open it for specific (your home PC) IP addresses, and optionally add IPSec "Secure Only"?

Ben Pilbrow
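
The firewall approach suggested in the answers above (allow port 3389 only from trusted addresses), as an added example that is not part of any answer in this thread. It uses `netsh advfirewall`, which ships with Windows Server 2008; the script name, the rule name and the sample address 203.0.113.10 are assumptions, and the built-in rule group is assumed to carry its English name "remote desktop".

```batch
@echo off
rem Added example, not from the original thread.
rem Usage (elevated prompt):  restrict-rdp.cmd 203.0.113.10
rem 203.0.113.10 is a documentation placeholder; pass your own address or CIDR range.
rem Re-run with the new address whenever the trusted IP changes.
setlocal
set "TRUSTED=%~1"
set "RULE=RDP from trusted IP only"

if "%TRUSTED%"=="" (
    echo Usage: %~nx0 ^<trusted-ip-or-cidr^>
    exit /b 1
)

rem 1. Create or update the scoped allow rule FIRST, so a session opened
rem    from the trusted address is never left without a matching rule.
netsh advfirewall firewall set rule name="%RULE%" new remoteip=%TRUSTED% >nul 2>&1
if errorlevel 1 (
    netsh advfirewall firewall add rule name="%RULE%" dir=in action=allow ^
        protocol=TCP localport=3389 remoteip=%TRUSTED%
    if errorlevel 1 (
        echo Could not create the scoped rule; built-in rules left unchanged.
        exit /b 1
    )
)

rem 2. Disable the built-in Remote Desktop rules, which accept any remote
rem    address. With the default "block inbound" policy, 3389 is then
rem    reachable only through the scoped rule above.
netsh advfirewall firewall set rule group="remote desktop" new enable=No

rem 3. Show the result: the firewall must be ON with inbound blocked by
rem    default in every profile, or the scoping has no effect.
netsh advfirewall show allprofiles state
netsh advfirewall show allprofiles firewallpolicy
netsh advfirewall firewall show rule name="%RULE%"
endlocal
```

Because the trusted address can change, as raised in the comments, keep a second way in (the hosting provider's console or a VPN) before relying on a single-address rule.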