Tuesday, July 17, 2007

Secure Windows Remote Desktop - Part 2, Clients

So, you need to tunnel Remote Desktop, and your servers are all set up, right? Good.

Now get Putty.exe for you client computer from HERE and run it.

Fill in your IPCop's host name or public IP and then change the port to 222.

Next, expand Connection, then SSH and select Tunnels.

Add a new forwarded port source 3399 (since this one isn't commonly used) and forward it to the target server's internal IP (NOT the IPCop's IP!) and add a :3389 to the end of the string as in the second figure.

Go back to Session, click Save, and give this connection a name. Click Open, and you will be prompted for a username and password - give these (preferably the remote user we created earlier instead of the dangerous root user) and you will get a prompt. You're done with Putty for now!

Now go to Start, Run, and type mstsc.

Fill in the Server line with localhost:3399 and hit connect. If all been done correctly, you will get a remote desktop on your target machine.

Secure Windows Remote Desktop - Part 1, Servers

The example I give is for a Windows client to connect to a Windows 2003 server behind an IPCop Firewall without granting root access to said firewall. So if a tech needs in, this is a sound way to grant him or her access.

Some background: Microsoft RDP (Remote Desktop Protocol) has vulnerabilities with regards to security and encryption (details are beyond the scope of this post). If we use a protocol that is more secure (namely SSH), then tunnel RDP through the more secure protocol, we wind up with a much more secure implementation.


  • IPCop Firewall - or your favorite Linux distro server serving up SSH on a public IP address - I'll only address IPCop, but this can be generally applied.
  • Remote Desktop Server (Like Windows XP Pro or Windows Server 2003 - other protocols like VNC will work with this, you just ned to know the required ports to fill in on your Putty Tunnel settings.
  • A Windows client with Putty installed (it's easy, just go here -- and download putty.exe)
So, once your IPCop has been set up for SSH (See IPCop docs Here) and remote access to SSH has been granted, you can only log into your IPCop's console as root. Great for you if you are the only one that needs access, but bad if you need to share access as the root user can seriously mudge things up. So we create a new user without root privileges.

SSH to your IPCop as root and sign in.

Create a new user called remote as a member of a new group (also named remote) and use this user for shared remote access. As root, issue the following commands to add the new user:

groupadd remote
useradd -s /bin/bash -g remote -m -k /dev/null remote

The meaning of the command line options (from ifs.vlsm.org):

-s /bin/bash

This makes bash the default shell for user lfs.

-g remote

This option adds user remote to group remote.


This creates a home directory for remote.

-k /dev/null

This parameter prevents possible copying of files from a skeleton directory (default is /etc/skel) by changing the input location to the special null device.


This is the actual name for the created group and user.

To log in as remote (as opposed to switching to user remote when logged in as root, which does not require the remote user to have a password), give remote a password:

passwd remote