Accessing remote desktop from outside the network
#1
Original Poster


Join Date: Jan 2003
Location: between DCA and BWI
Programs: SPG Gold, Hyatt Plat, UA Premier, Hilton Gold
Posts: 3,652
I periodically use Remote Desktop to access files and programs on my main PC from my laptop. This works perfectly when I am accessing it from my own home network, but not from anywhere else. How can I configure the router to allow Remote Desktop connections from outside the network, and how can I make sure those connections are as secure as possible?
The PC that I am connecting to is running Vista Ultimate and I am using a relatively basic Netgear router, WGR614 if I remember correctly.
#3
FlyerTalk Evangelist




Join Date: Sep 2002
Location: Between AUS, EWR, and YTO In a little twisty maze of airline seats, all alike.. but I wanna go home with the armadillo
Programs: CO, NW, & UA forum moderator emeritus. Eurobonus Millionaire
Posts: 38,683
Micro$oft Remote Access listens on port 3389. Before you just open up that port on your router and forward connections to your desktop PC, make sure you understand the implications of doing so. I use an SSH tunnel for this. Unless the tunnel is open, access is blocked. Even so, nobody can directly find the PC from the internet.
Last edited by Xyzzy; Oct 20, 2008 at 9:22 am
#4
A FlyerTalk Posting Legend




Join Date: Apr 2001
Location: PSM
Posts: 69,232
The good news is that MS requires any user account that is going to connect via RDP to have a password, so you have some level of protection there. Forwarding port 3389 on your router to your machine on the home network will do the trick.
No, the connection is not encrypted. But a decent password on the account will prevent a brute force attack. Besides, I've had 3389 up and open for years and haven't even seen someone try to attack it (monitoring the audit logs in Windows). I wouldn't worry too much about that attack vector.
#5
Join Date: Apr 2006
Location: on the Llano Estacado
Posts: 2,652
With a VPN, you get an IP address on the local network, making it unnecessary to open ports on a router.
#6
A FlyerTalk Posting Legend




Join Date: Apr 2001
Location: PSM
Posts: 69,232

My server at home is online all the time and is constantly being scanned/probed and I can watch the traffic hitting it. And I have NEVER seen a probe on port 3389. There is too much low-hanging fruit for it to be a reasonable attack vector for people to waste time trying to hit.
#7


Join Date: Jan 2003
Location: NYC
Posts: 8,687
And if you're really worried about port scanning, you can also set your router to listen on an alternate port.
For example, set up your router to forward external port 54321 (or whatever) to internal port 3389 on the appropriate internal IP address. Then when you open Remote Desktop Connection on your client machine, you just add :54321 to the end of the IP address or domain name you normally use to connect (no other configuration is necessary on the target computer).
Of course security through obscurity isn't real security, but it's one more tool you have to decrease the chances of somebody finding your machine and trying to brute-force it.
#8
A FlyerTalk Posting Legend




Join Date: Apr 2001
Location: PSM
Posts: 69,232
#10
A FlyerTalk Posting Legend




Join Date: Apr 2001
Location: PSM
Posts: 69,232
Out of curiosity, why? I'd rather not add the extra software on my computer if I don't need to and RDP is built-in. Remote printing and file transfers aren't as clean, but for straight access to the desktop RDP is pretty efficient.
#11
Join Date: May 2007
Location: USA
Programs: Delta Skymiles
Posts: 177
RDP actually has encryption (not just password protection). It's weak and susceptible to man-in-the-middle attacks, but it is an encrypted connection.
#12
In Memoriam
Join Date: Feb 2000
Location: Easton, CT, USA
Programs: ua prem exec, Former hilton diamond
Posts: 31,801
Because you don't need to make any changes to your router or have a static IP to use them.
It's certainly doable to go through opening ports and the rest, but I just never found it worth it.
#13
Join Date: Apr 2002
Location: Sweden
Posts: 195
You also need to change the scope for the Remote Desktop exception in Windows Firewall (if you use it) from local subnet to all computers (including those on the internet).
I RDP to my home network daily in order to manage my downloads and run software which I don't have on my work-machine.
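The firewall-scope change described in the post above is the one place where the exposure of the machine is decided, so it is worth being able to read the current scope back and classify it before and after the change. The following is an added example (not code from any poster); it parses a constructed sample of the text that `netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"` prints on Vista and later (the rule name, values and layout in SAMPLE_RULE are assumed for illustration, not captured output) and reports whether the Remote Desktop rule is off, limited to the LAN, opened to the whole internet, or limited to an explicit address list.

```python
import re

# Constructed sample (not captured output) mimicking the key/value text that
#   netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
# prints; the rule name and values are assumptions for the example.
SAMPLE_RULE = """\
Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Remote Desktop
LocalIP:                              Any
RemoteIP:                             LocalSubnet
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
Ok.
"""

# One "Key:   value" pair per line; the dashed separator and "Ok." carry no colon
# and are skipped.
KV_RE = re.compile(r"^([A-Za-z ]+):\s+(.*\S)\s*$")


def parse_rule(text):
    """Turn the netsh key/value listing into a dict keyed by field name."""
    rule = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            rule[m.group(1).strip()] = m.group(2).strip()
    return rule


def rdp_exposure(rule):
    """Classify who the inbound RDP rule admits.

    'disabled'   - rule off or not an allow rule, nothing gets in
    'lan-only'   - RemoteIP=LocalSubnet, the Vista default scope
    'internet'   - RemoteIP=Any, what the post above asks you to set
    'restricted' - an explicit remote address or range
    """
    if rule.get("Enabled", "No") != "Yes" or rule.get("Action") != "Allow":
        return "disabled"
    remote = rule.get("RemoteIP", "Any")
    if remote == "LocalSubnet":
        return "lan-only"
    if remote == "Any":
        return "internet"
    return "restricted"


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    print(f"{rule['Rule Name']} on port {rule['LocalPort']}: {rdp_exposure(rule)}")
```

Widening the scope to Any is exactly what turns the forwarded port into a machine reachable by anyone; with the SSH-tunnel or VPN approaches from earlier in the thread the scope can stay at LocalSubnet, because the tunnel endpoint or VPN client already has an address on the home network. Assuming the rule name shown in the sample, `netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=any` widens the scope and `new remoteip=LocalSubnet` puts it back.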
#14


Join Date: Jan 2003
Location: NYC
Posts: 8,687
When I switched sshd to port 2222 on my Linux VPS from the default 22, the number of random attempts to log in plummeted. There seemed to be one persistent hacker from Romania who kept trying to get in for a few months. But when it was on port 22, there would be a half dozen attempts every day or two from all over the world.
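Two posters above rely on watching their logs to judge the risk: the earlier reply that keeps 3389 open and reads the Windows audit logs, and the post above that counted sshd login attempts before and after moving off port 22. The following is an added example (not code from any poster) of the aggregation behind that judgement: it reads constructed log lines in two formats, a simplified text export of Windows Security event 4625 (failed logon, LogonType 10 being RDP) and the standard sshd "Failed password" auth.log line, counts failures per source address and service, and flags sources that exceed a threshold. The export layout of the Windows lines and all addresses and names are assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (not real log data). The first block mimics a simplified
# text export of Windows Security events (4625 = failed logon, 4624 = success;
# LogonType 10 = RemoteInteractive, i.e. RDP). The second block uses the
# standard sshd auth.log format.
SAMPLE_LOG = """\
2008-10-20 09:15:01 EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=10
2008-10-20 09:15:04 EventID=4625 TargetUserName=admin IpAddress=203.0.113.7 LogonType=10
2008-10-20 09:15:07 EventID=4625 TargetUserName=guest IpAddress=203.0.113.7 LogonType=10
2008-10-20 09:15:10 EventID=4625 TargetUserName=test IpAddress=203.0.113.7 LogonType=10
2008-10-20 09:15:13 EventID=4625 TargetUserName=user IpAddress=203.0.113.7 LogonType=10
2008-10-20 09:20:00 EventID=4624 TargetUserName=homeuser IpAddress=192.168.1.20 LogonType=10
2008-10-20 09:21:00 EventID=4625 TargetUserName=homeuser IpAddress=192.168.1.20 LogonType=10
Oct 20 09:30:01 vps sshd[1234]: Failed password for invalid user admin from 198.51.100.9 port 51234 ssh2
Oct 20 09:30:03 vps sshd[1235]: Failed password for root from 198.51.100.9 port 51240 ssh2
Oct 20 09:30:05 vps sshd[1236]: Failed password for invalid user oracle from 198.51.100.9 port 51250 ssh2
Oct 20 09:45:00 vps sshd[1300]: Accepted publickey for alice from 192.168.1.20 port 50000 ssh2
"""

WIN_RE = re.compile(
    r"EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) LogonType=(?P<ltype>\d+)"
)
SSH_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failed_logons(text):
    """Yield (service, source_ip, username) for every failed logon line."""
    for line in text.splitlines():
        m = WIN_RE.search(line)
        if m:
            # Only failed RDP logons count; successful logons (4624) and
            # other logon types are skipped.
            if m.group("id") == "4625" and m.group("ltype") == "10":
                yield ("rdp", m.group("ip"), m.group("user"))
            continue
        m = SSH_RE.search(line)
        if m:
            yield ("ssh", m.group("ip"), m.group("user"))


def summarize(text, threshold=3):
    """Return (failures per (service, ip), sources at or above threshold).

    A single forgotten password from the home LAN gives one failure for one
    user; a guessing run shows many failures across many usernames from one
    address, so the distinct-user count is reported next to the total.
    """
    counts = Counter()
    users = defaultdict(set)
    for service, ip, user in parse_failed_logons(text):
        counts[(service, ip)] += 1
        users[(service, ip)].add(user)
    suspicious = {
        key: {"failures": n, "distinct_users": len(users[key])}
        for key, n in counts.items()
        if n >= threshold
    }
    return dict(counts), suspicious


if __name__ == "__main__":
    counts, suspicious = summarize(SAMPLE_LOG)
    for (service, ip), n in sorted(counts.items()):
        flag = "SUSPICIOUS" if (service, ip) in suspicious else "ok"
        print(f"{service:4} {ip:16} failures={n:<3} {flag}")
```

On real systems the Windows side comes from the Security log (event 4625 filtered on LogonType 10) and the Linux side from /var/log/auth.log or journalctl for sshd; the same per-source counting is what lets you see the drop the post above describes after changing the listening port, and whether what is left is one persistent source or background noise.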
#15
Original Poster


Join Date: Jan 2003
Location: between DCA and BWI
Programs: SPG Gold, Hyatt Plat, UA Premier, Hilton Gold
Posts: 3,652
Thank you for the replies, I went ahead and opened port 3389 on the router. What should I enter for the name of the remote computer when configuring Remote Desktop Connection? Would it be my home IP address?


