FlyerTalk Forums

yevlesh2 Oct 20, 2008 6:28 am

Accessing remote desktop from outside the network
 
I periodically use Remote Desktop to access files and programs on my main PC from my laptop. This works perfectly when I am accessing it from my own home network, but not from anywhere else. How can I configure the router to allow Remote Desktop connections from outside the network and how can I make sure those connections are as secure as possible?

The PC that I am connecting to is running Vista Ultimate and I am using a relatively basic Netgear router, WGR614 if I remember correctly.

Dubai Stu Oct 20, 2008 6:45 am

You want to install a VPN of some sort.

Xyzzy Oct 20, 2008 6:53 am

Micro$oft Remote Access listens on port 3389. Before you just open up that port on your router and forward connections to your desktop PC, make sure you understand the implications of doing so. I use an SSH tunnel for this. Unless the tunnel is open, access is blocked. Even so, nobody can directly find the PC from the internet.

sbm12 Oct 20, 2008 7:56 am

The good news is that MS requires any user account that is going to connect via RDP to have a password, so you have some level of protection there. Forwarding port 3389 on your router to your machine on the home network will do the trick.

No, the connection is not encrypted. But a decent password on the account will prevent a brute force attack. Besides, I've had 3389 up and open for years and haven't even seen someone try to attack it (monitoring the audit logs in Windows). I wouldn't worry too much about that attack vector.

deubster Oct 20, 2008 9:03 am


Originally Posted by sbm12 (Post 10547205)
The good news is that MS requires any user account that is going to connect via RDP to have a password, so you have some level of protection there. Forwarding port 3389 on your router to your machine on the home network will do the trick.

No, the connection is not encrypted. But a decent password on the account will prevent a brute force attack. Besides, I've had 3389 up and open for years and haven't even seen someone try to attack it (monitoring the audit logs in Windows). I wouldn't worry too much about that attack vector.

While it's true that RDP has some rudimentary protection via password, and most home networks won't be hacked, I'd still feel better protected behind a VPN.

With a VPN, you get an IP address on the local network, making it unnecessary to open ports on a router.

sbm12 Oct 20, 2008 9:34 am


Originally Posted by deubster (Post 10547513)
With a VPN, you get an IP address on the local network, making it unnecessary to open ports on a router.

Except for the VPN port, depending on what you are using to terminate the connection. ;)

My server at home is online all the time and is constantly being scanned/probed and I can watch the traffic hitting it. And I have NEVER seen a probe on port 3389. There is too much low-hanging fruit for it to be a reasonable attack vector for people to waste time trying to hit.

themicah Oct 20, 2008 1:46 pm

And if you're really worried about port scanning, you can also set your router to listen on an alternate port.

For example, set up your router to forward external port 54321 (or whatever) to internal port 3389 on the appropriate internal IP address. Then when you open Remote Desktop Connection on your client machine, you just add :54321 to the end of the IP address or domain name you normally use to connect (no other configuration is necessary on the target computer).

Of course security through obscurity isn't real security, but it's one more tool you have to decrease the chances of somebody finding your machine and trying to brute-force it.

sbm12 Oct 20, 2008 1:55 pm


Originally Posted by themicah (Post 10548994)
And if you're really worried about port scanning, you can also set your router to listen on an alternate port.

For example, set up your router to forward external port 54321 (or whatever) to internal port 3389 on the appropriate internal IP address. Then when you open Remote Desktop Connection on your client machine, you just add :54321 to the end of the IP address or domain name you normally use to connect (no other configuration is necessary on the target computer).

Of course security through obscurity isn't real security, but it's one more tool you have to decrease the chances of somebody finding your machine and trying to brute-force it.

This is actually a great argument for why changing the port is a waste of time. The fact is that port scanning will find that open port, even if you change the port number.

cordelli Oct 20, 2008 8:35 pm

If you don't use it that often, I would recommend a solution from logmein.com or gotomypc.com. I prefer gotomypc.

sbm12 Oct 20, 2008 9:24 pm


Originally Posted by cordelli (Post 10551067)
If you don't use it that often, I would recommend a solution from logmein.com or gotomypc.com. I prefer gotomypc.

Out of curiosity, why? I'd rather not add the extra software on my computer if I don't need to and RDP is built-in. Remote printing and file transfers aren't as clean, but for straight access to the desktop RDP is pretty efficient.

autospy Oct 20, 2008 10:12 pm


Originally Posted by deubster (Post 10547513)
While it's true that RDP has some rudimentary protection via password, and most home networks won't be hacked, I'd still feel better protected behind a VPN.

RDP actually has encryption (not just password protection). It's weak and susceptible to man-in-the-middle attacks, but it is an encrypted connection.

cordelli Oct 20, 2008 10:13 pm

Because you don't need to make any changes to your router or have a static IP to use them.

It's certainly doable to go through opening ports and the rest, but I just never found it worth it.

fredl Oct 20, 2008 11:21 pm

You also need to change the scope for the Remote Desktop exception in Windows Firewall (if you use it) from local subnet to all computers (including those on the internet).

I RDP to my home network daily in order to manage my downloads and run software which I don't have on my work-machine.

themicah Oct 21, 2008 12:19 pm


Originally Posted by sbm12 (Post 10549037)
This is actually a great argument for why changing the port is a waste of time. The fact is that port scanning will find that open port, even if you change the port number.

Can you explain a bit more? I'm not that familiar with the mechanics of port scanning, but was under the impression that most scanners don't scan every port for every service (particularly once you get beyond 10000 or so). Besides, even if a bad guy sees that port 54321 is open on my router, how do they know which protocol to try to use to get in through it?

When I switched sshd to port 2222 on my Linux VPS from the default 22, the number of random attempts to log in plummeted. There seemed to be one persistent hacker from Romania who kept trying to get in for a few months. But when it was on port 22, there would be a half dozen attempts every day or two from all over the world.
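The before-and-after comparison of login attempts described in the post above can be measured from the sshd log rather than estimated. This is an added example, not part of the original thread: it tallies failed sshd password logins per day and per source address from auth.log-style lines. The log lines, host name, user names and addresses are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the classic syslog format sshd writes to auth.log.
# Note: the "port" field is the client's source port, not the listening port.
SAMPLE_LOG = """\
Oct 18 03:12:01 vps sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Oct 18 03:12:04 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Oct 18 09:40:55 vps sshd[2188]: Failed password for invalid user test from 198.51.100.23 port 51822 ssh2
Oct 18 09:41:10 vps sshd[2188]: message repeated 2 times: [ Failed password for invalid user test from 198.51.100.23 port 51822 ssh2]
Oct 18 12:00:00 vps sshd[2230]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Oct 19 22:15:31 vps sshd[2400]: Failed password for root from 192.0.2.99 port 33211 ssh2
Oct 21 01:02:03 vps sshd[2555]: Failed password for invalid user oracle from 192.0.2.99 port 33400 ssh2
"""

FAILED = re.compile(
    r"^(?P<day>\w{3}\s+\d{1,2}) [\d:]{8} \S+ sshd\[\d+\]: "
    r"(?:message repeated (?P<n>\d+) times: \[ ?)?"   # rsyslog duplicate suppression
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def summarize_failed_logins(log_text):
    """Return ({day: (attempts, distinct_sources)}, Counter of attempts per source)."""
    per_day = defaultdict(lambda: [0, set()])
    per_source = Counter()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated messages are ignored
        # "message repeated N times" stands for N further copies of the line.
        count = int(m.group("n") or 1)
        day = " ".join(m.group("day").split())  # normalise "Oct  5" to "Oct 5"
        per_day[day][0] += count
        per_day[day][1].add(m.group("src"))
        per_source[m.group("src")] += count
    days = {d: (n, len(srcs)) for d, (n, srcs) in per_day.items()}
    return days, per_source

if __name__ == "__main__":
    days, sources = summarize_failed_logins(SAMPLE_LOG)
    for day, (attempts, distinct) in days.items():
        print(f"{day}: {attempts} failed logins from {distinct} source(s)")
    for src, n in sources.most_common(3):
        print(f"{src}: {n} failed logins")
```

Running the same summary over log files from before and after a port change gives the per-day attempt counts and the number of distinct sources for each period.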

yevlesh2 Oct 23, 2008 12:06 pm

Thank you for the replies, I went ahead and opened port 3389 on the router. What should I enter for the name of the remote computer when configuring Remote Desktop Connection? Would it be my home IP address?


All times are GMT -6.