Remote Desktop

Remote Desktop is a native Windows remote management tool that lets you perform administrative tasks remotely. It offers many advantages, such as access to the remote host's drives and printers, clipboard sharing, smart cards, serial ports, and sound playback from the remote host.

In this tutorial I will show you how to set up a Remote Desktop connection on a computer running Windows XP. I will also advise you on how to adjust some security settings to make it more secure and a little more difficult to discover.

Let's analyse the case shown in Pic. 01:

Connection scheme 
 Pic. 01.

This is the most common home network scheme. To allow connections to this host we need to do several things:

- Forward traffic arriving on port 3389 to the host's private IP address. In most cases the host's IP is assigned automatically by a DHCP server (the DHCP service on the home router). We need to give the desktop host a static IP and forward port 3389 to that static IP (this must be done on the router).

- Open port 3389 on the host's firewall. This should happen automatically when Remote Desktop is turned 'ON' on the host; however, if it has not been done, or you are using firewall software other than the system's native one, you need to open it manually. You can learn how to open a port in the system's native firewall here.

- Turn 'ON' and set up Remote Desktop on the host.

How to turn 'ON' and set up Remote Desktop on Windows XP?

1. Right-click on My Computer and go to Properties, then switch to the Remote tab.
2. Tick Allow users to connect remotely to this computer and click Select Remote Users...

Turn on Remote Desktop 
 Pic. 02.

3. Members of the Administrators group are granted access automatically; however, if you want to give access to any other user, you have to add them to the list:

Add Remote Users to the list 
 Pic. 03.

4. Make sure that all users added to Remote Desktop have passwords set. Users without passwords will not be granted remote access.
5. Make sure that port 3389 is open on your firewall. If you use the system's firewall, it should be opened automatically.

How to set up a connection to the remote host?

1. Go to menu START>All Programs>Accessories>Remote Desktop Connection
2. Type in the remote host's public IP address or its Fully Qualified Domain Name (FQDN), for example 80.36.15.197 or desktop01.dyndns.com:

input remote host's IP or FQDN 
 Pic. 04.

3. You may adjust some of the connection settings by clicking Options>>

To adjust connection settings click Options>> 
 Pic. 05.

4. You may connect to the remote host with your selected drives, serial ports or printers:

Select devices you want to use during session 
 Pic. 06.

5. When you connect to the remote host, you will be asked for credentials.

In this simple way you can set up your computer for Remote Desktop connections and carry out administrative tasks remotely. Although a Remote Desktop connection uses 128-bit encryption, a hacker can still attempt a transparent man-in-the-middle attack that is completely invisible to the remote user. This simple solution seems good enough for home users; for business use, however, I recommend establishing a VPN connection with IPSec first and then connecting with Remote Desktop.
Another problem arises when we want remote access over the Internet to more than one host in the same location (LAN). What do we do if our case looks like the picture below?

LAN network with more than one remote hosts 
 Pic. 07.

Well, there is a solution for this case. The default port number for Remote Desktop connections is 3389. However, we can set a different port number on each host so that they listen for Remote Desktop connections on ports other than 3389. We can then forward each of those ports to the matching host in the LAN. Changing the default Remote Desktop port also increases security. An attacker who finds port 3389 open expects either the Remote Desktop or the Remote Assistance service to be listening on it and may use, for example, a dictionary or brute-force attack to gain access to resources. Changing the default Remote Desktop port to any other between 3000 and 65535 will make life significantly harder for a potential attacker.

How to change the default RDP port to any other?

1. Go to menu START>Run and type in the regedit command, or press WINDOWS+R and type in regedit.
2. The Registry Editor should pop up on the screen; then go to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
and find the value named PortNumber:

Find key PortNumber in registry 
 Pic. 08.

3. Right-click on it and choose Modify, then switch to Decimal and change the value to the new port number on which Remote Desktop should listen for connections:

Change RDP port to any other 
 Pic. 09.

4. Confirm the change and close regedit.
5. Go to Windows Firewall, switch to the Exceptions tab, then find and untick Remote Desktop.
6. Click Add Port and open the new port for Remote Desktop Connection, the same one you set in step 3. Click here to learn how to open ports in Windows Firewall.
7. Restart the computer.

Analysing the LAN scheme shown in Pic. 07, we can do the following:
- set up each host as shown above to listen on ports:

  • Host1 on port 20001
  • Host2 on port 20002
  • Host3 on port 20003

- set up port forwarding on the router (sometimes also called Virtual Servers):

  • Port 20001 to 192.168.0.2 (default Host1's IP address)
  • Port 20002 to 192.168.0.3 (default Host2's IP address)
  • Port 20003 to 192.168.0.4 (default Host3's IP address)

- connect over the Internet by typing in:

  • Computer: 80.36.15.197:20001 [see Pic. 05] - connection to Host1
  • Computer: 80.36.15.197:20002 [see Pic. 05] - connection to Host2
  • Computer: 80.36.15.197:20003 [see Pic. 05] - connection to Host3
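
The multi-host plan above can be checked for mistakes and turned into per-host settings before any machine is touched. The following Python is an added example, not part of the original article; the function names are illustrative, and the `netsh firewall` lines assume the Windows Firewall shipped with Windows XP SP2.

```python
# Added example: per-host artifacts for the article's Pic. 07 layout.
RDP_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
           r"\Terminal Server\WinStations\RDP-Tcp")
DEFAULT_RDP_PORT = 3389
PORT_MIN, PORT_MAX = 3000, 65535  # range suggested in the article

def validate_plan(plan):
    """plan maps host -> (LAN IP, RDP port); raise ValueError if unusable."""
    ports, ips = {}, {}
    for host, (ip, port) in plan.items():
        if not isinstance(port, int) or not PORT_MIN <= port <= PORT_MAX:
            raise ValueError(f"{host}: port {port!r} not in {PORT_MIN}-{PORT_MAX}")
        if port == DEFAULT_RDP_PORT:
            raise ValueError(f"{host}: still on default port {DEFAULT_RDP_PORT}")
        if port in ports:  # the router can forward a port to one host only
            raise ValueError(f"{host}: port {port} already given to {ports[port]}")
        if ip in ips:
            raise ValueError(f"{host}: IP {ip} already given to {ips[ip]}")
        ports[port], ips[ip] = host, host

def reg_file(port):
    """.reg text setting PortNumber; .reg DWORDs are hex (20001 -> 00004e21)."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{RDP_KEY}]\r\n"
            f'"PortNumber"=dword:{port:08x}\r\n')

def firewall_commands(port):
    """Steps 5-6 as netsh commands (assumption: XP SP2 Windows Firewall)."""
    return ["netsh firewall set service type=REMOTEDESKTOP mode=DISABLE",
            f"netsh firewall add portopening protocol=TCP port={port} "
            f'name="Remote Desktop {port}" mode=ENABLE']

def build(plan, public_ip):
    """Return, per host, the .reg text, firewall commands, forward and target."""
    validate_plan(plan)
    return {host: {"reg": reg_file(port),
                   "firewall": firewall_commands(port),
                   "forward": f"TCP {port} -> {ip}:{port}",
                   "computer": f"{public_ip}:{port}"}
            for host, (ip, port) in plan.items()}

# Hosts, LAN addresses, ports and public IP exactly as used in the article.
PLAN = {"Host1": ("192.168.0.2", 20001),
        "Host2": ("192.168.0.3", 20002),
        "Host3": ("192.168.0.4", 20003)}

if __name__ == "__main__":
    for host, item in build(PLAN, "80.36.15.197").items():
        print(host, item["forward"], item["computer"], sep=" | ")
        print(item["reg"], *item["firewall"], sep="\n")
```

The `.reg` value is written in hexadecimal, which is why step 3 switches the editor to Decimal before the port number is typed.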



Last Updated ( Friday, 17 April 2009 10:13 )