Tuesday, July 17, 2007

Secure Windows Remote Desktop - Part 1, Servers

The example I give is for a Windows client to connect to a Windows 2003 server behind an IPCop Firewall without granting root access to said firewall. So if a tech needs in, this is a sound way to grant him or her access.

Some background: Microsoft RDP (Remote Desktop Protocol) has vulnerabilities with regards to security and encryption (details are beyond the scope of this post). If we use a protocol that is more secure (namely SSH), then tunnel RDP through the more secure protocol, we wind up with a much more secure implementation.

Requirements:

  • IPCop Firewall - or your favorite Linux distro server serving up SSH on a public IP address - I'll only address IPCop, but this can be generally applied.
  • Remote Desktop Server (Like Windows XP Pro or Windows Server 2003 - other protocols like VNC will work with this, you just ned to know the required ports to fill in on your Putty Tunnel settings.
  • A Windows client with Putty installed (it's easy, just go here -- and download putty.exe)
So, once your IPCop has been set up for SSH (See IPCop docs Here) and remote access to SSH has been granted, you can only log into your IPCop's console as root. Great for you if you are the only one that needs access, but bad if you need to share access as the root user can seriously mudge things up. So we create a new user without root privileges.

SSH to your IPCop as root and sign in.

Create a new user called remote as a member of a new group (also named remote) and use this user for shared remote access. As root, issue the following commands to add the new user:

groupadd remote
useradd -s /bin/bash -g remote -m -k /dev/null remote

The meaning of the command line options (from ifs.vlsm.org):

-s /bin/bash

This makes bash the default shell for user lfs.

-g remote

This option adds user remote to group remote.

-m

This creates a home directory for remote.

-k /dev/null

This parameter prevents possible copying of files from a skeleton directory (default is /etc/skel) by changing the input location to the special null device.

remote

This is the actual name for the created group and user.

To log in as remote (as opposed to switching to user remote when logged in as root, which does not require the remote user to have a password), give remote a password:

passwd remote





No comments: