  • Patch Lady – remoting into a desktop without VPN

    Posted by Susan Bradley on the AskWoody Lounge


      • #2209728
        Susan Bradley
        AskWoody MVP

        If you are a small or medium business – or an IT consultant who helps small or medium businesses here’s a thought of a way to temporarily allow folks
        [See the full post at: Patch Lady – remoting into a desktop without VPN]

        Susan Bradley Patch Lady

      • #2209739
        b
        AskWoody Plus

        Could you explain how/why this is more secure than a VPN?

        Windows 10 Pro Version 2004: Group ASAP (chump/pioneer)

        • #2209900
          NetDef
          AskWoody_MVP

          VPN allows file-level access to shares with the user permissions on that share directly from a client machine.  The security nightmare is that the home machine may be a staff member’s BYOD with substandard anti-virus and existing infections.

          Secure RDP over TLS acts more like a long distance extension cord for a monitor and keyboard/mouse to a secure workstation on premises.

          But . . . there is one security hole that should be closed even with RDP:  By default the remote user’s local USB devices and C: drive are mounted; these can be forcefully disabled, and should be, in Group Policy.

          Disable Drive redirection:
          https://www.windows-security.org/0d474c28e9044a1ea9706eb63c2e3d15/do-not-allow-drive-redirection

          Disable PnP on RDP:
          https://www.windows-security.org/08e6a9e97bba2f9f8d797e163aa8b24f/do-not-allow-supported-plug-and-play-device-redirection

          Unless really required, I disable all of the following to increase security, and also to reduce bandwidth:

          Disable audio and video playback redirection
          Disable audio recording redirection
          Do not allow COM port redirection
          Do not allow LPT port redirection
          Do not allow drive redirection
          Do not allow supported Plug and Play device redirection

          ~ Group "Weekend" ~

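          The six policies above map to DWORD values under the Terminal Services policy key, which is what the Group Policy templates write. The script below is an added example (not NetDef's, and not a Microsoft-supplied script) that applies them on a stand-alone host and then reads them back so you can confirm the lockdown took; in a domain, put the same policies in a GPO scoped to the RD hosts instead. The registry value names are the ones the policy editor uses on current Windows; verify them against your own ADMX templates, and run elevated.

```powershell
# Added example, not from the original post: block RDP device/drive/port
# redirection via the registry values behind the listed Group Policies,
# then audit the result. Assumes a stand-alone host and an elevated shell.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy name (as shown in gpedit) -> registry value. 1 = redirection blocked.
$Redirection = [ordered]@{
    'Do not allow drive redirection'                          = 'fDisableCdm'
    'Do not allow supported Plug and Play device redirection' = 'fDisablePNPRedir'
    'Do not allow COM port redirection'                       = 'fDisableCcm'
    'Do not allow LPT port redirection'                       = 'fDisableLPT'
    'Disable audio and video playback redirection'            = 'fDisableCam'
    'Disable audio recording redirection'                     = 'fDisableAudioCapture'
}

function Disable-RdpRedirection {
    # Writes every value as DWORD 1; -Force overwrites an existing setting.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    foreach ($entry in $Redirection.GetEnumerator()) {
        New-ItemProperty -Path $PolicyPath -Name $entry.Value -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-RdpRedirection {
    # Returns one object per policy; Blocked is $false when the value is
    # missing or not 1, which is exactly what an auditor wants to see flagged.
    foreach ($entry in $Redirection.GetEnumerator()) {
        $current = (Get-ItemProperty -Path $PolicyPath -Name $entry.Value `
                    -ErrorAction SilentlyContinue).($entry.Value)
        [pscustomobject]@{
            Policy  = $entry.Key
            Value   = $entry.Value
            Blocked = ($current -eq 1)
        }
    }
}

Disable-RdpRedirection
Test-RdpRedirection | Format-Table -AutoSize
```

          Existing sessions keep the redirection they negotiated at connect time, so the change applies to new connections only (`gpupdate /force` is not needed for registry-written values, but a reconnect is). If clients come in through an RD Gateway, the gateway's Connection Authorization Policy also has a device redirection setting that can block the same categories before the session ever reaches the host, which is worth turning on as a second layer.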
      • #2209744
        Susan Bradley
        AskWoody MVP

        It only does screen images across the wire.  It doesn’t make that remote PC a part of the local remote network.  So if that remote machine is infected, it won’t infect the network.  It’s similar to Logmein or Splashtop where the remote machine is just a conduit not a member of the network.

        Susan Bradley Patch Lady

        • #2209745
          Susan Bradley
          AskWoody MVP

          P.S. It only goes over port 443; 3389 is not exposed externally, and if you are really paranoid you can add two-factor (duo.com) to that RD Gateway.

          Susan Bradley Patch Lady

      • #2209765
        techweenie
        AskWoody Lounger

        I was quite disappointed to find out (the hard way) that Server Essentials 2019 completely removed all support for any RDS roles.  Not cool, Microsoft. Not cool.

        • #2209767
          Susan Bradley
          AskWoody MVP

          I just added that as a footnote on the bottom so folks won’t try it with that version.

          Susan Bradley Patch Lady

      • #2209892
        NetDef
        AskWoody_MVP

        You don’t need to spend money to purchase a public certificate anymore.  LetsEncrypt certs work perfectly well on Essentials with RDP Gateway services on Server 2012-R2 and Server 2016.

        There is also a free automation tool to renew the LetsEncrypt certificates.

        Step by step instructions on installing the tool and the first LetsEncrypt cert here:

        https://www.server-essentials.com/support/get-a-free-lets-encrypt-certificate-anywhere-and-automatically-renew-it

        And the actual automation tool you can use for this purpose here: (Note, this tool is FREE if you only need one cert for an Essentials server.)

        https://certifytheweb.com/

        I have this running on 22 Essential servers and they’ve been solid for almost a year now.

        ~ Group "Weekend" ~

        • #2209895
          techweenie
          AskWoody Lounger

          If you’re like me and want a certificate that doesn’t require maintenance, Namecheap sells certificates for just $8/yr.

          • #2209901
            NetDef
            AskWoody_MVP

            Seriously, once I install the above CertifytheWeb tool and get it working I generally have zero maintenance on that server for certs.  It’s actually less work than doing an annual cert renewal with NameCheap.  😀

            ~ Group "Weekend" ~

      • #2209894
        NetDef
        AskWoody_MVP

        Additional steps to lock down your RDP Gateway:  Enable TLS 1.2 on Server 2016 and Disable older encryption protocols.  A side benefit is that this speeds up the initial handshake from clients on the Internet when they connect.

        How to disable weak versions of SSL/TLS Protocols on Windows Servers

        ~ Group "Weekend" ~
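        On Windows the protocol versions the RD Gateway (and everything else using SCHANNEL) will accept are controlled per protocol under the SCHANNEL\Protocols registry key. The script below is an added example, not NetDef's own procedure and not a Microsoft script: it turns off SSL 2.0/3.0 and TLS 1.0/1.1 on the server side, leaves TLS 1.2 on, and then probes the gateway from outside so you can confirm both this post's point and Susan's (443 answers, 3389 does not). The hostname is a placeholder; the hardening part needs an elevated shell and a reboot, and you should confirm your remaining clients can speak TLS 1.2 before you reboot.

```powershell
# Added example, not from the original post. Server-side SCHANNEL protocol
# settings for an RD Gateway, plus an external probe. 'gateway.example.com'
# is a placeholder (assumption); run the hardening part elevated and reboot.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelServerProtocol {
    param([Parameter(Mandatory)][string]$Protocol, [Parameter(Mandatory)][bool]$Enabled)
    $key = Join-Path $Schannel "$Protocol\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=0 together with DisabledByDefault=1 is how SCHANNEL turns a version off.
    New-ItemProperty -Path $key -Name Enabled -Value ([int]$Enabled) `
        -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -Value ([int](-not $Enabled)) `
        -PropertyType DWord -Force | Out-Null
}

function Invoke-SchannelHardening {
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        Set-SchannelServerProtocol -Protocol $p -Enabled $false
    }
    Set-SchannelServerProtocol -Protocol 'TLS 1.2' -Enabled $true
    Write-Host 'SCHANNEL settings written; they take effect after a reboot.'
}

function Test-GatewayTls {
    # Offers exactly one protocol version. Accepted=$false means the handshake
    # failed: either the server refused it (what we want for old versions) or
    # the probing client itself no longer offers it, so probe from a known box.
    param([string]$HostName, [int]$Port = 443,
          [System.Security.Authentication.SslProtocols]$Protocol)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Certificate trust is deliberately not checked here: the question is
        # which protocol versions the server accepts, not whether the cert is valid.
        $trustAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAll)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{ Offered = $Protocol; Accepted = $true;  Negotiated = $ssl.SslProtocol }
    } catch {
        [pscustomobject]@{ Offered = $Protocol; Accepted = $false; Negotiated = $null }
    } finally { $client.Dispose() }
}

function Test-GatewayExposure {
    # 443 should answer (the gateway); 3389 should not (RDP is never published directly).
    param([string]$HostName)
    [pscustomobject]@{
        Https443Open = Test-NetConnection -ComputerName $HostName -Port 443  -InformationLevel Quiet
        Rdp3389Open  = Test-NetConnection -ComputerName $HostName -Port 3389 -InformationLevel Quiet
    }
}

# Usage, from a machine outside the office network:
# Test-GatewayExposure -HostName 'gateway.example.com'
# foreach ($v in 'Tls', 'Tls11', 'Tls12') { Test-GatewayTls -HostName 'gateway.example.com' -Protocol $v }
```

        The expected picture after the reboot is Accepted=$false for Tls and Tls11, Accepted=$true for Tls12, Https443Open=$true and Rdp3389Open=$false. Anything else means either the registry change did not take, or a perimeter rule is still publishing 3389.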

      • #2209902
        anonymous
        Guest

        This is great for businesses that actually have servers and such.  What about the really, really small businesses that only have a peer-to-peer network?

        john

        • #2209919
          cyberSAR
          AskWoody Plus

          Take a look at copssh for a quick and easy setup. https://itefix.net/copssh

          Copssh is an OpenSSH server and client implementation for Windows systems with an administration GUI. You can use Copssh for remote administration of your systems or gathering remote information in a secure way.

          Copssh packages portable OpenSSH, Cygwin and some popular utilities, and implements some best practices regarding security.

        • #2209920
          Paul T
          AskWoody MVP

          You can try a peer to peer share, like TeamViewer.

          10 Remote access software products.

          cheers, Paul

        • #2210500
          Susan Bradley
          AskWoody MVP

          Logmein

          Gotomypc

          Copilot

          Splashtop

          I’ve used all of them, all work well.

          Susan Bradley Patch Lady

      • #2209940
        gkarasik
        AskWoody Plus

        I have been unable to find a satisfactory solution to this problem: Remote Desktop changes the location of icons on the client desktops, and some of my clients find this so discombobulating that RD is not usable. Is this resolved in the latest RD version?

        GaryK

        • #2209946
          cyberSAR
          AskWoody Plus

          I only seem to have this problem occasionally with 1 client who runs 3 monitors and I believe it may have to do with running different resolutions between my machine and his but I haven’t really investigated it. For him I use AnyDesk. For all others with 1 or 2 monitor setups it doesn’t seem to be an issue.

          Edit to add he also has like 100 shortcut icons and folders on the desktop between the monitors. A real mess 🙂

          • #2210092
            OscarCP
            AskWoody Plus

            I have noticed this when the connected machines screens have different resolutions. The icons in the low resolution screen appear much larger (and moved around, so they can still fit together, which is something of neat trick) when seen on the screen of the machine with higher resolution.

            Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

          • #2210499
            Susan Bradley
            AskWoody MVP
            1. Buy same size screens
            2. Buy Fences, it keeps the icons arranged
            3. live with it.  No it hasn’t been fixed.

            Susan Bradley Patch Lady

      • #2210502
        gkarasik
        AskWoody Plus
        1. Buy same size screens
        2. Buy Fences, it keeps the icons arranged
        3. live with it.  No it hasn’t been fixed.

        It’s not me who has to “live with it.” It’s clients who have to live with it, and because they yell and scream and threaten to fire me, I have either to find a way to make it work or to find alternatives. Some clients think my job is to satisfy them, not to adapt their work habits to my choice of remote software. Some clients are funny that way.

        My preference is TeamViewer, but it’s very expensive. I think the best in terms of user experience is the original version of PCAnywhere, but it’s got serious security problems. Really Remote Desktop would be a great solution if MS would fix the icon-location problem. Others have done it, so it’s a mystery why MS won’t.

        GaryK

        • #2210504
          techweenie
          AskWoody Lounger

          It is ok to fire clients. I’ve done it. But I’m busy enough that I can do that and not lose a dime. A stress free life is worth more than a problematic client.

        • #2210704
          Elly
          AskWoody MVP

          @gkarasik-

          I hate anything that messes up my desktop… and I love that you respect your clients… and I remember something that you may find helpful.

          In  the AskWoody Newsletter, ISSUE 16.15.0 • 2019-04-22, Deanna, of OlderGeeks did a review of ‘Desktop Restore’. This is something I now keep and use!

          It can be downloaded at their site.

          Maybe a client could be e-mailed a link and install before you use Remote Desktop? I know that I would be very grateful at having a way to restore my desktop. At the very least, it would show that you are sensitive to their concerns.

          Not quite as elegant as doing it from within Remote Desktop… but certainly more serviceable than leaving the desktop disrupted, and the client perturbed.

          Non-techy Win 10 Pro and Linux Mint experimenter

      • #2210505
        gkarasik
        AskWoody Plus

        It is ok to fire clients. I’ve done it. But I’m busy enough that I can do that and not lose a dime. A stress free life is worth more than a problematic client.

        As have I, as have many of us, but what’s not clear is why I should fire a client who’s making what seems to me to be an entirely reasonable request: Please find a solution that doesn’t mess up my desktop and hurt my productivity, which is what produces enough income so that I can pay you the exorbitant amount you’re charging me to keep my computers running well.

        GaryK

      • #2210719
        Paul T
        AskWoody MVP

        Please find a solution that doesn’t mess up my desktop and hurt my productivity

        Can’t be done unless you run the same size screen and resolution.
        That is the least inconvenience your users will have to put up with during this crisis.

        cheers, Paul

        • #2211133
          gkarasik
          AskWoody Plus

          Please find a solution that doesn’t mess up my desktop and hurt my productivity

          Can’t be done unless you run the same size screen and resolution.
          That is the least inconvenience your users will have to put up with during this crisis.

          cheers, Paul

          I don’t know how “this crisis” relates to this question.

          GaryK

      • #2211086
        Damian
        AskWoody Lounger

        Any concern for Key Loggers on the Home PC that could record RDP Credentials?

      • #2211089
        gkarasik
        AskWoody Plus

        Any concern for Key Loggers on the Home PC that could record RDP Credentials?

        Sure, but wouldn’t those be the same concerns you’d have for any credentials for any remote software?

        GaryK

        • #2211123
          Damian
          AskWoody Lounger

          Any concern for Key Loggers on the Home PC that could record RDP Credentials?

          Sure, but wouldn’t those be the same concerns you’d have for any credentials for any remote software?

          Currently we only allow VPN using corporate computers that are firewall locked down to our VPN.   I am worried about my corporate machines but I would be concerned about random home machines that are not governed by our corporate protection.  This does not seem like a safe option if their corporate credentials are freely read by the home PC.  Maybe my viewpoint is unique?

          • #2211132
            gkarasik
            AskWoody Plus

            Any concern for Key Loggers on the Home PC that could record RDP Credentials?

            Sure, but wouldn’t those be the same concerns you’d have for any credentials for any remote software?

            Currently we only allow VPN using corporate computers that are firewall locked down to our VPN.   I am worried about my corporate machines but I would be concerned about random home machines that are not governed by our corporate protection.  This does not seem like a safe option if their corporate credentials are freely read by the home PC.  Maybe my viewpoint is unique?

            Gosh no. Or at least I hope it’s not unique. Your point is well taken, and it’s a thought that should be terrifying every admin contemplating people working from home. How many of these home machines are also being used by others in the house to look at who knows what? My point, no doubt poorly expressed, is only that this isn’t a concern unique to RDP. The danger from key-loggers or other MITM attacks is the same for LogMeIn, GoToMyPC, TeamViewer, or any other remote-control software. A panicked, poorly-thought-out policy to send people home to work that doesn’t take into account the security of those home machines will have–not could have–major malware consequences for some businesses.

            GaryK

      • #2211189
        Ascaris
        AskWoody_MVP

        My preference is TeamViewer, but it’s very expensive. I think the best in terms of user experience is the original version of PCAnywhere, it’s got serious security problems. Really Remote Desktop would be a great solution if MS would fix the icon-location problem. Others have done it, so it’s a mystery why MS won’t.

        TeamViewer has announced that (because of the pandemic) they are suspending the commercial-use checks that allow them to detect when people are using the personal (free) version for business use.

        NoMachine also works really well (in Linux, but I would imagine Windows is at least as good), though I don’t know what their policies are about work-from-home.  It’s another option, at least.

        As far as the icon positions… I’ve used DesktopOK to save and restore them in Windows (multiple versions of Windows over the years).  Windows will happily jumble them up anytime the available desktop space changes, usually (but not always) from resolution changes, and not just those triggered by RDP.  It happened to me fairly often when I used Windows, and this program has saved me tons of time rearranging them.

        Group "L" (KDE Neon User Edition 5.18.4).

      • #2212445
        Simon_Weel
        AskWoody Plus

        We use Remote Desktop without RDC. No, we don’t have port 3389 open to everyone. This involves setting up the firewall with rules for every colleague. Since I only have about 12 of them and they all have their own pc at the office, this is pretty easy to do. Every colleague provides me with their home internet IP-address. I create rules on the firewall to open port 3389 for that IP-address and route RDP traffic coming from them to their own pc in the office. Every colleague is granted Remote Access on their own office-pc. Works pretty well.

        For those without fixed IP-address at home, I use the (free) DDNS service provided by Changeip.com. The colleagues involved run the ‘Homing Beacon’ service on their home-pc and the firewall is setup for the FQDN provided by the DDNS service instead of the home-IP address.

        Simon
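        Simon's rules live on the perimeter firewall, and the DDNS name only helps if something re-resolves it when a colleague's home address changes. The script below is an added example (not Simon's setup, and not from Changeip.com) that does the host-based equivalent on an office PC's Windows Defender Firewall: one inbound 3389 rule whose remote-address scope is rebuilt from the colleagues' DDNS names each time it runs, so it can be scheduled every few minutes. The FQDNs and rule name are placeholders.

```powershell
# Added example, not from the original post. Keeps a single inbound RDP rule
# on the office PC scoped to the home addresses currently behind each
# colleague's DDNS name. Names below are placeholders (assumption).
$RuleName  = 'RDP from home (DDNS scoped)'
$HomeNames = @('alice-home.example.org', 'bob-home.example.org')

function Resolve-HomeAddresses {
    # Resolves every A record for each name; names that fail to resolve are
    # warned about and skipped rather than silently widening the rule.
    param([string[]]$Names)
    $addrs = foreach ($n in $Names) {
        try {
            (Resolve-DnsName -Name $n -Type A -ErrorAction Stop).IPAddress
        } catch {
            Write-Warning "Could not resolve $n; it will not be allowed this run"
        }
    }
    @($addrs | Where-Object { $_ } | Sort-Object -Unique)
}

function Update-HomeRdpRule {
    # Creates the rule on first run, otherwise rewrites only its remote scope.
    # Returns the address list the rule now allows, for logging or assertions.
    param([string[]]$Names)
    $addrs = Resolve-HomeAddresses -Names $Names
    if ($addrs.Count -eq 0) {
        Write-Warning 'No addresses resolved; leaving the existing rule unchanged'
        return @()
    }
    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($existing) {
        Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $addrs
    } else {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 3389 -RemoteAddress $addrs -Action Allow -Profile Any | Out-Null
    }
    $addrs
}

Update-HomeRdpRule -Names $HomeNames
```

        Two things to check before relying on this: the built-in "Remote Desktop - User Mode (TCP-In)" rule allows 3389 from any address, so it must stay disabled or this scoped rule is decorative; and an address-scoped rule only narrows who can reach 3389, it does not change what 3389 is, so Network Level Authentication and the per-user "Remote Access" grant Simon mentions still do the real work. The RD Gateway approach in the original post avoids publishing 3389 at all, which is why it is the better default where a server is available.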
