I need to access my production environment remotely, from outside the LAN, for emergencies. I don't want users to be prompted for Remote Desktop credentials and be able to try to guess the username and password.
So what can I do?
What is a VPN? Is it more secure?
Generally speaking you shouldn't expose Remote Desktop directly to the Internet if you can help it. Using a VPN would be the best solution, because it reduces the attack surface to the VPN termination device/software. If a VPN isn't an option, tunneling RDP over SSH is certainly a viable solution as well. If you absolutely have to expose RDP to the Internet directly you should really restrict the IP addresses that can connect via either your edge firewall or, if there isn't one, the Windows Firewall. If you have the worst-case scenario of requiring the entire Internet to have access to your RDP server you should rate-limit new connection attempts at your edge firewall or, if that's not an option, look at software that can rate-limit for you (like my ts_block script).
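The host-side rate-limiting that the answer above falls back to is, at its core, a sliding-window count of failed logons per source address. The following is an added example and is not the ts_block script or any code from the original page. It assumes a hypothetical one-line export of Windows Security event 4625 (failed logon) records in the form `timestamp EventID=... SourceAddress=...`; the sample lines, the threshold of 5 failures in 5 minutes, and the management range 198.51.100.0/24 that is never auto-blocked are all constructed for illustration.

```python
"""Sliding-window failed-logon counter for an exposed RDP host (added example).

Assumed input format (hypothetical, not a native Windows export):
    YYYY-MM-DDTHH:MM:SS EventID=<id> ... SourceAddress=<ip>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

FAILED_LOGON = 4625  # Windows Security event ID for a failed logon

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"EventID=(?P<event_id>\d+)\s+.*?"
    r"SourceAddress=(?P<src>[0-9a-fA-F:.]+)\s*$"
)

# Constructed sample log. RFC 5737 documentation addresses are used;
# lines are deliberately out of order and one is garbage.
SAMPLE_LOG = """\
2023-01-15T03:12:01 EventID=4625 LogonType=10 TargetUserName=administrator SourceAddress=203.0.113.45
2023-01-15T03:12:03 EventID=4625 LogonType=10 TargetUserName=admin SourceAddress=203.0.113.45
2023-01-15T03:12:04 EventID=4625 LogonType=10 TargetUserName=root SourceAddress=203.0.113.45
2023-01-15T03:12:06 EventID=4625 LogonType=10 TargetUserName=guest SourceAddress=203.0.113.45
2023-01-15T01:00:00 EventID=4625 LogonType=10 TargetUserName=bob SourceAddress=192.0.2.77
2023-01-15T02:10:00 EventID=4625 LogonType=10 TargetUserName=bob SourceAddress=192.0.2.77
2023-01-15T03:00:00 EventID=4625 LogonType=10 TargetUserName=bob SourceAddress=192.0.2.77
2023-01-15T03:12:09 EventID=4625 LogonType=10 TargetUserName=test SourceAddress=203.0.113.45
2023-01-15T03:13:00 EventID=4624 LogonType=10 TargetUserName=alice SourceAddress=198.51.100.10
2023-01-15T03:14:00 EventID=4625 LogonType=10 TargetUserName=alice SourceAddress=198.51.100.10
2023-01-15T03:14:01 EventID=4625 LogonType=10 TargetUserName=alice SourceAddress=198.51.100.10
2023-01-15T03:14:02 EventID=4625 LogonType=10 TargetUserName=alice SourceAddress=198.51.100.10
2023-01-15T03:14:03 EventID=4625 LogonType=10 TargetUserName=alice SourceAddress=198.51.100.10
2023-01-15T03:14:04 EventID=4625 LogonType=10 TargetUserName=alice SourceAddress=198.51.100.10
this line is garbage and must be skipped
"""


def parse_events(text):
    """Return a time-sorted list of (timestamp, event_id, source_ip); skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unrelated line: ignore, never crash the blocker
        try:
            src = ip_address(m.group("src"))
        except ValueError:
            continue
        events.append((datetime.fromisoformat(m.group("ts")), int(m.group("event_id")), src))
    events.sort(key=lambda e: e[0])  # exports are not guaranteed to be ordered
    return events


def find_bruteforcers(events, threshold=5, window_seconds=300, allowlist=()):
    """Map source IP -> ISO time of the failure that crossed the threshold.

    A source is flagged when it has >= threshold failed logons within any
    window_seconds span. Sources inside an allowlisted network are never
    flagged, so an automated blocker cannot lock out the management range.
    """
    window = timedelta(seconds=window_seconds)
    nets = [ip_network(n) for n in allowlist]
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    blocked = {}
    for ts, event_id, src in events:
        key = str(src)
        if event_id != FAILED_LOGON or key in blocked:
            continue
        if any(src in n for n in nets):
            continue  # allowlisted management range (constructed assumption)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # forget attempts that slid out of the window
        if len(q) >= threshold:
            blocked[key] = ts.isoformat()
    return blocked


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for ip, when in find_bruteforcers(evts, allowlist=["198.51.100.0/24"]).items():
        print(f"block {ip} (threshold reached at {when})")
```

The decisions this returns would be fed to whatever can actually drop traffic (an edge firewall rule or a Windows Firewall block rule); the spread-out failures from 192.0.2.77 never accumulate inside one window, and the allowlisted office range is reported only if the allowlist is left empty.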
VPN stands for Virtual Private Network. It's a way to connect remote users and networks to an internal network in a safe way. It usually includes authentication as well as connection encryption.
There are two main types of VPNs: site to site and remote access. Site to site is used to connect whole networks while remote access is typically used for, well, connecting remote users (i.e. single machines).
So yes, a VPN is the best way to go for what you want to do.
In practice, what you should do is set up a VPN endpoint at the edge of your network (most firewalls have an option for this) or inside your DMZ (if you have a larger infrastructure) and have users connect to that VPN system. From there, you can set up what they can have access to and how.
More sophisticated systems also use SSL connections for tunneling RDP or other remote control systems. They work in a similar manner although the details will vary: users connect to a (usually web-based) external interface and then tunnel through that server to reach the internal machine.
In all cases, you should not set up the VPN endpoint directly on your production server but use a different machine for that.
From there, it all depends on how secure you need your system to be. It's not uncommon to require users of higher-security systems to connect to an SSL VPN server, use it to connect to a "jump" server and then RDP from there to the final production machine.
If you want specific examples of products that can help you set this kind of thing up, I can give you some references of what I used.
Edit: I know of 3 products that will do what you specifically want well: Citrix Metaframe (expensive and suited for large deployments, probably not what you're looking for), MS's own RemoteApp system (not very well suited to secure deployment and frankly probably too complex to set up for your needs) and Sophos UTM.
I suggest you use the last one: it's a specialized Linux firewall distro that includes all you need. There is a "free for home users" version that has all the features you need. For commercial use, however, you'll need to purchase a license.
If you feel like investing more time into the project, you can also do it yourself using OpenVPN server on any Linux system for free.