Networking Forums
RDP connection via dyndns

Haralambus
10-24-2008, 12:41 PM
hi,
I have a DynDNS connection through the router to a server on port 3389 on the domain, for
administrative purposes. What is the solution for the following problem: if I log on as
"admin" then redirect me to the computer with IP 192.168.1.10, and if I log on as
"joe" then redirect me to IP 192.168.1.20?
thanks
 
Kerry Brown
10-24-2008, 01:52 PM
"Haralambus" <(E-Mail Removed)> wrote in message
news:3dybcp3ad60w$.1f75j8stjps4a$.(E-Mail Removed).. .
> hi,
> I have a DynDNS connection through the router to a server on port 3389 on the domain, for
> administrative purposes. What is the solution for the following problem: if I log on as
> "admin" then redirect me to the computer with IP 192.168.1.10, and if I log on as
> "joe" then redirect me to IP 192.168.1.20?
> thanks



You can do this by changing the port rdp listens on for each computer then
forwarding that port to the right computer.

Computer at 192.168.1.10 listens on port 3389.
On the router forward port 3389 to this computer.
To connect you would use mstsc /v:servername:3389

Computer at 192.168.1.20 listens on port 3390
On the router forward port 3390 to this computer.
To connect you would use mstsc /v:servername:3390

http://support.microsoft.com/kb/306759

Perhaps a better alternative would be to use a router/gateway that allows
you to establish a VPN connection to the network then RDP to individual
computers over the VPN connection.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
http://vistahelpca.blogspot.com/

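The per-computer port scheme Kerry describes, worked through as an added PowerShell example (editor's code, not from the post or from KB 306759). It is run on the machine that should answer on the non-default port (the 192.168.1.20 box in the thread) and does the host-side half of the job: move the listener, require Network Level Authentication, open the host firewall for the new port, and confirm the listener actually moved before leaving the registry changed. Assumed: Windows 8.1 / Server 2012 R2 or later for the NetSecurity and NetTCPIP cmdlets; the DynDNS hostname is a placeholder. The router port-forward is vendor specific and still has to be configured by hand.

```powershell
#Requires -RunAsAdministrator
# Added example (editor's, not from the thread). Moves the RDP listener to
# $Port on this host. Registry value per KB 306759; NLA flag is the standard
# UserAuthentication value under the same key. Running this over an existing
# RDP session will disconnect that session when TermService restarts.
param(
    [Parameter(Mandatory)][ValidateRange(1025, 65535)][int]$Port
)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Refuse to proceed if something else already listens on the port.
if (Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue) {
    throw "TCP port $Port is already in use on this host"
}

# 2. Point the listener at the new port (DWORD PortNumber) and require NLA so
#    credentials are checked before a session is created. Moving the port only
#    decides which router forward lands here; it is not a security control.
$old = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $Port -Type DWord
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord

# 3. Allow the new port through the host firewall. The built-in Remote Desktop
#    rules are tied to 3389 and will not cover it.
$ruleName = "Remote Desktop (custom TCP $Port)"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -Action Allow -Profile Domain,Private | Out-Null
}

# 4. Restart the listener and verify; roll back if it did not come up so the
#    box stays reachable on the old port.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 3
$listen = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listen) {
    Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $old -Type DWord
    Restart-Service -Name TermService -Force
    throw "RDP did not come up on TCP $Port; PortNumber restored to $old"
}

"RDP now listening on TCP $Port (was $old)."
"Forward TCP $Port on the router to this host, then connect with:"
"    mstsc /v:<your-dyndns-name>:$Port"
```

Run it once per machine with a distinct port (3389 for the first box, 3390 for the second, as in the post) and keep a written list of which port maps to which host, because nothing on the router or the clients will tell you later.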
Kerry Brown
10-25-2008, 06:50 PM
"Bill Kearney" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) t...
>> Perhaps a better alternative would be to use a router/gateway that allows
>> you to establish a VPN connection to the network then RDP to individual
>> computers over the VPN connection.

>
> That's "easier" from a connectivity standpoint, but not from security.
> With multiple RDP ports you're limiting the connection to solely RDP
> connections. With a VPN you open up the entire network segment to all
> forms of traffic. That and I've found it /slightly/ faster to use RDP
> ports. You make a connection directly to that port, saving a bit of
> network and CPU bandwidth overhead.



While I agree that VPNs can be a security risk, opening more ports through
the router for rdp can also be a security risk. In this case where only
two ports are needed opening another port is probably the lesser risk. If
you wanted to rdp to several computers or even all computers on the network
then the VPN would be a better option. It's easier to manage one VPN
connection and leave all the workstations listening on the default rdp port.
Both options involve some risk. The risk can be managed.

Yes, the VPN option is very slightly slower. In the real world I can't tell
the difference with typical broadband connections on the remote end.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
http://vistahelpca.blogspot.com/

Kerry Brown
10-26-2008, 04:23 AM
"Bill Kearney" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) t...
>> While I agree that VPNs can be a security risk, opening more ports
>> through the router for rdp can also be a security risk. In this case
>> where only two ports are needed opening another port is probably the
>> lesser risk. If you wanted to rdp to several computers or even all
>> computers on the network then the VPN would be a better option. It's
>> easier to manage one VPN connection and leave all the workstations
>> listening on the default rdp port. Both options involve some risk. The
>> risk can be managed.

>
> I think you miss my point. Having even a dozen RDP ports open would only
> mean RDP connections would be at risk. Opening a VPN would allow ALL
> protocols through it. This is potentially a much greater risk. One with
> a lot less logging to catch hacking attempts.
>
> Maybe it's like opening a window versus a garage door. Even if you open a
> dozen windows, it won't allow the same 'size' risk as a huge garage door.
> Not exactly a perfect analogy, but close enough.
>
> I would not trade ease of router configurations against the security
> risks. To quote Franklin, those that would sacrifice liberty for security
> deserve neither. Paraphrasing that as those that would risk security for
> simplicity deserve the disaster they get.
>



With a VPN you only open one port. Yes, once the user is authenticated they
have (possibly) full access to the network and all protocols you allow over
the VPN but they still have to authenticate. That is the same with RDP. Both
are only as secure as the authentication process. If you open many RDP ports
to many computers as the numbers increase so does the likelihood of an easy
to guess local administrator password. On the networks I manage I have many
more dictionary attacks against RDP ports than VPN ports. Once someone has
RDP access with local admin credentials it is only a matter of time before
they have domain credentials. With a VPN you can use certificates that can't
be guessed. With both you could use 3rd party two factor authentication.
With a decent firewall you can limit the protocols allowed over the VPN
connection. You can use some form of NAP, NAC, etc. to ensure the computer
connecting through the VPN meets network standards. With both you can limit
the connection to specific IP addresses. Security is about managing risk.
You take appropriate steps to manage the risk that comes with doing a task.
As I said earlier both RDP and VPN access come with a risk. The risk can be
managed as long as you understand what the risk is. With a decent
firewall/VPN device I really don't see that one VPN connection is less
secure than many RDP ports. It may be but it doesn't have to be. Depending
on how you setup RDP it may be the less secure option.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
http://vistahelpca.blogspot.com/

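Kerry's point that forwarded RDP ports draw dictionary attacks, and that the evidence lives in each target's event log, can be checked directly. The following is an added example (editor's code, not from the thread): it reads failed logons (event 4625) from the local Security log and groups them by source address so a password-guessing run against a forwarded port stands out. Assumed: logon failure auditing is enabled (it is by default on client and server SKUs), the script runs elevated because the Security log requires it, and the threshold of 20 failures per source is an arbitrary starting point.

```powershell
# Added example (editor's, not from the thread). Summarises 4625 events by
# source IP. With NLA on, a bad RDP password is logged as logon type 3
# (network) because the credential check happens before a session exists;
# without NLA it is logged as type 10 (RemoteInteractive). Both are counted.
param(
    [int]$Hours = 24,
    [int]$Threshold = 20      # failures from one source before it is reported
)

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each event's XML.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        LogonType = [int]$d['LogonType']
        User      = $d['TargetUserName']
        Source    = $d['IpAddress']          # '-' when no network source
        SubStatus = $d['SubStatus']          # 0xC000006A bad password, 0xC0000064 unknown user
    }
}

$remote = $rows | Where-Object { $_.LogonType -in 3,10 -and $_.Source -and $_.Source -ne '-' }

$remote | Group-Object Source | Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        $users  = ($_.Group | Group-Object User | Sort-Object Count -Descending |
                   Select-Object -First 5 -ExpandProperty Name) -join ', '
        [pscustomobject]@{
            Source   = $_.Name
            Failures = $_.Count
            First    = $sorted[0].Time
            Last     = $sorted[-1].Time
            TopUsers = $users                # "administrator, admin, test" is the usual pattern
        }
    } | Format-Table -AutoSize
```

A source that cycles through Administrator, admin, guest and a handful of first names is a dictionary run; a single user with many failures from the owner's own address is usually a typo. On a forwarded-port setup this has to be run on every machine with a forward, which is the management cost the thread is arguing about.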
Bill Grant
10-26-2008, 04:57 AM


"Kerry Brown" <(E-Mail Removed)*a*m> wrote in message
news:(E-Mail Removed)...
> "Bill Kearney" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) t...
>>> While I agree that VPNs can be a security risk, opening more ports
>>> through the router for rdp can also be a security risk. In this case
>>> where only two ports are needed opening another port is probably the
>>> lesser risk. If you wanted to rdp to several computers or even all
>>> computers on the network then the VPN would be a better option. It's
>>> easier to manage one VPN connection and leave all the workstations
>>> listening on the default rdp port. Both options involve some risk. The
>>> risk can be managed.

>>
>> I think you miss my point. Having even a dozen RDP ports open would only
>> mean RDP connections would be at risk. Opening a VPN would allow ALL
>> protocols through it. This is potentially a much greater risk. One with
>> a lot less logging to catch hacking attempts.
>>
>> Maybe it's like opening a window versus a garage door. Even if you open
>> a dozen windows, it won't allow the same 'size' risk as a huge garage
>> door. Not exactly a perfect analogy, but close enough.
>>
>> I would not trade ease of router configurations against the security
>> risks. To quote Franklin, those that would sacrifice liberty for security
>> deserve neither. Paraphrasing that as those that would risk security for
>> simplicity deserve the disaster they get.
>>

>
>
> With a VPN you only open one port. Yes, once the user is authenticated
> they have (possibly) full access to the network and all protocols you
> allow over the VPN but they still have to authenticate. That is the same
> with RDP. Both are only as secure as the authentication process. If you
> open many RDP ports to many computers as the numbers increase so does the
> likelihood of an easy to guess local administrator password. On the
> networks I manage I have many more dictionary attacks against RDP ports
> than VPN ports. Once someone has RDP access with local admin credentials
> it is only a matter of time before they have domain credentials. With a
> VPN you can use certificates that can't be guessed. With both you could
> use 3rd party two factor authentication. With a decent firewall you can
> limit the protocols allowed over the VPN connection. You can use some form
> of NAP, NAC, etc. to ensure the computer connecting through the VPN meets
> network standards. With both you can limit the connection to specific IP
> addresses. Security is about managing risk. You take appropriate steps to
> manage the risk that comes with doing a task. As I said earlier both RDP
> and VPN access come with a risk. The risk can be managed as long as you
> understand what the risk is. With a decent firewall/VPN device I really
> don't see that one VPN connection is less secure than many RDP ports. It
> may be but it doesn't have to be. Depending on how you setup RDP it may be
> the less secure option.
>
> --
> Kerry Brown
> MS-MVP - Windows Desktop Experience: Systems Administration
> http://www.vistahelp.ca/phpBB2/
> http://vistahelpca.blogspot.com/
>
>
>
>


I think that you are kidding yourself if you think that a firewall will
limit protocols used over VPN. When the VPN traffic comes through the
firewall it is still encrypted and encapsulated. All the firewall sees is
the wrapper. It has no idea what is inside the encrypted data.

DevilsPGD
10-26-2008, 07:33 AM
In message <(E-Mail Removed)> "Bill
Kearney" <(E-Mail Removed)> was claimed to have written:

>> While I agree that VPNs can be a security risk, opening more ports through
>> the router for rdp can also be a security risk. In this case where only
>> two ports are needed opening another port is probably the lesser risk. If
>> you wanted to rdp to several computers or even all computers on the
>> network then the VPN would be a better option. It's easier to manage one
>> VPN connection and leave all the workstations listening on the default rdp
>> port. Both options involve some risk. The risk can be managed.

>
>I think you miss my point. Having even a dozen RDP ports open would only
>mean RDP connections would be at risk. Opening a VPN would allow ALL
>protocols through it.


No, the VPN only allows approved protocols/ports/whatever through it,
there is no need to provide a VPN user with a "default allow" policy.

I'd suggest using VPN, but once users VPN in, still only allow RDP
access to the internal machines. Aside from the security benefits, it
also allows a uniform configuration to be deployed across the board,
rather than opening ports pointing to individual end user machines and
potentially forgetting to remove said access down the road when an IP is
reassigned.

>This is potentially a much greater risk. One with a
>lot less logging to catch hacking attempts.


RDP does have a lot less logging than a VPN, true enough, but you can
get the job done if you don't mind reviewing event logs on a dozen
different machines.

>Maybe it's like opening a window versus a garage door. Even if you open a
>dozen windows, it won't allow the same 'size' risk as a huge garage door.
>Not exactly a perfect analogy, but close enough.


An apt analogy, given that the burglar can fit just as easily through a
window or a garage door. What do you think is easier to guard, a dozen
windows, or one well lit garage door?

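DevilsPGD's recommendation, VPN in but still allow only RDP to the internal machines, is enforced at his firewall. As an added example (editor's code, not from the thread), the same restriction can be applied on each Windows host as well, so that enforcement does not rest on the gateway alone: one inbound allow rule for RDP scoped to the VPN client pool, the broad built-in Remote Desktop rules disabled, and an audit for any other enabled rule that still exposes the port. Assumed: VPN clients are addressed from 172.16.1.0/24 as in DevilsPGD's later post; NetSecurity cmdlets (Windows 8 / Server 2012 or later); run elevated.

```powershell
# Added example (editor's, not from the thread). Accepts RDP only from the
# VPN client pool on this host. Windows evaluates block rules ahead of allow
# rules, so the right way to scope a port is default-deny plus one narrow
# allow; an extra block rule for "everyone else" would also block the pool.
param(
    [string[]]$AllowedSources = @('172.16.1.0/24'),   # VPN client pool (assumed)
    [int]$Port = 3389
)

# 1. Unsolicited inbound traffic is dropped unless a rule allows it.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 2. The built-in "Remote Desktop" rules allow the port from any address on
#    the profiles they are enabled for and would bypass the scoping below.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 3. One allow rule, restricted by remote address.
$name = "Remote Desktop from VPN pool only (TCP $Port)"
Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort $Port `
    -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null

# 4. Audit: any other enabled inbound allow rule covering the port, explicitly
#    or via LocalPort/Protocol 'Any', re-opens it to the whole LAN. Port ranges
#    such as '3000-4000' are not parsed here and need a manual look.
$leaks = foreach ($r in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
    if ($r.DisplayName -eq $name) { continue }
    $pf = $r | Get-NetFirewallPortFilter
    if (($pf.Protocol -in 'TCP','Any') -and
        (($pf.LocalPort -contains "$Port") -or ($pf.LocalPort -eq 'Any'))) {
        $r.DisplayName
    }
}

if ($leaks) {
    Write-Warning ("Other enabled rules still allow TCP {0}: {1}" -f $Port, ($leaks -join '; '))
} else {
    "TCP $Port now reachable only from: $($AllowedSources -join ', ')"
}
```

Because the rule is keyed on the VPN pool rather than on individual forwarded ports, adding or re-addressing a workstation needs no change on the router and nothing to remember to remove later, which is the management point DevilsPGD makes.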
Kerry Brown
10-26-2008, 02:05 PM
"Bill Grant" <not.available@online> wrote in message
news:Oi3VE$(E-Mail Removed)...
>
>>
>> With a VPN you only open one port. Yes, once the user is authenticated
>> they have (possibly) full access to the network and all protocols you
>> allow over the VPN but they still have to authenticate. That is the same
>> with RDP. Both are only as secure as the authentication process. If you
>> open many RDP ports to many computers as the numbers increase so does the
>> likelihood of an easy to guess local administrator password. On the
>> networks I manage I have many more dictionary attacks against RDP ports
>> than VPN ports. Once someone has RDP access with local admin credentials
>> it is only a matter of time before they have domain credentials. With a
>> VPN you can use certificates that can't be guessed. With both you could
>> use 3rd party two factor authentication. With a decent firewall you can
>> limit the protocols allowed over the VPN connection. You can use some
>> form of NAP, NAC, etc. to ensure the computer connecting through the VPN
>> meets network standards. With both you can limit the connection to
>> specific IP addresses. Security is about managing risk. You take
>> appropriate steps to manage the risk that comes with doing a task. As I
>> said earlier both RDP and VPN access come with a risk. The risk can be
>> managed as long as you understand what the risk is. With a decent
>> firewall/VPN device I really don't see that one VPN connection is less
>> secure than many RDP ports. It may be but it doesn't have to be.
>> Depending on how you setup RDP it may be the less secure option.

>
> I think that you are kidding yourself if you think that a firewall will
> limit protocols used over VPN. When the VPN traffic comes through the
> firewall it is still encrypted and encapsulated. All the firewall sees is
> the wrapper. It has no idea what is inside the encrypted data.



If the firewall/VPN device is the endpoint then it can easily manage what
protocols are allowed. If you are using RRAS the RRAS server could be in a
DMZ then only certain protocols allowed from there to the network. There are
many ways to manage this. If you are using RRAS as the endpoint and the RRAS
server is on your internal network then I agree, you have a security risk
that may be unmanageable.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
http://vistahelpca.blogspot.com/

DevilsPGD
10-26-2008, 09:50 PM
In message <Oi3VE$(E-Mail Removed)> "Bill Grant"
<not.available@online> was claimed to have written:

> I think that you are kidding yourself if you think that a firewall will
>limit protocols used over VPN. When the VPN traffic comes through the
>firewall it is still encrypted and encapsulated. All the firewall sees is
>the wrapper. It has no idea what is inside the encrypted data.


This depends on your configuration.

My VPN endpoint is on the firewall and injects the packets inside the
NAT portion, but outside the packet filter, so at this stage a VPN user
has a local 172.16.1.0/24 IP (with most of the LAN under
172.16.0.0/24), and crossing the barrier from 172.16.1.0 to 172.16.0.0
runs through the firewall and limits a VPN user's access.
 
Haralambus
10-27-2008, 05:11 AM
On Fri, 24 Oct 2008 06:52:51 -0700, Kerry Brown wrote:

> "Haralambus" <(E-Mail Removed)> wrote in message
> news:3dybcp3ad60w$.1f75j8stjps4a$.(E-Mail Removed).. .
>> hi,
>> I have a DynDNS connection through the router to a server on port 3389 on the domain, for
>> administrative purposes. What is the solution for the following problem: if I log on as
>> "admin" then redirect me to the computer with IP 192.168.1.10, and if I log on as
>> "joe" then redirect me to IP 192.168.1.20?
>> thanks

>
>
> You can do this by changing the port rdp listens on for each computer then
> forwarding that port to the right computer.
>
> Computer at 192.168.1.10 listens on port 3389.
> On the router forward port 3389 to this computer.
> To connect you would use mstsc /v:servername:3389
>
> Computer at 192.168.1.20 listens on port 3390
> On the router forward port 3390 to this computer.
> To connect you would use mstsc /v:servername:3390
>
> http://support.microsoft.com/kb/306759
>
> Perhaps a better alternative would be to use a router/gateway that allows
> you to establish a VPN connection to the network then RDP to individual
> computers over the VPN connection.


thanks for plenty of info!
 
Kerry Brown
10-27-2008, 02:16 PM
"Bill Kearney" <(E-Mail Removed)> wrote in message
news:X-CdnVboa-(E-Mail Removed)...
>> With a VPN you only open one port. Yes, once the user is authenticated
>> they have (possibly) full access to the network and all protocols you
>> allow over the VPN but they still have to authenticate.

>
> With RDP they access a session on a box. Limited to that box's access to
> the local network and to that user account's access. That is CONSIDERABLY
> less exposure than a VPN connection.


If you are connected via a VPN directly to a server running RRAS and the
server is inside your network then what you say is true. Nowhere in this
thread have I recommended that setup. Please read all the posts again.
Again, I'll point out that if someone gains local admin access they soon
have domain access. RDP protects your network from the outside machine. It
does not protect you from whoever finds a way to logon to the target machine
inside your network. In one sense it is less secure because that machine is
already trusted by the network.

>
>> That is the same with RDP. Both are only as secure as the authentication
>> process. If you open many RDP ports to many computers as the numbers
>> increase so does the likelihood of an easy to guess local administrator
>> password.

>
> If an admin is lazy, no protocols, ports or whatever is going to help the
> security. But that's a phenomenally weak argument to support your point.


It's not weak at all. I work on many different networks. When I first start
with a new network it's very common to see clients with default OEM installs
where the local administrator account has no password.

>
>> With a decent firewall you can limit the protocols allowed over the VPN
>> connection.

>
> And at the same time you argue about weak passwords? Oh please, you can't
> realistically expect to argue it both ways. Programming protocol
> limitations on a firewall tends to be significantly more complex. Enough
> such that even IF they had a firewall (or upstream router) that supported
> it the likelihood they'd use it rapidly approaches zero.
>
>


I use these capabilities on firewalls all the time. I know many other people
who do. Others in this thread have indicated they do.

It all comes down to management. The more ports you have open, the harder it
is to manage them. It doesn't really matter what the ports are for. If you
need the capability to RDP to more than a couple of computers on a network
it is much easier to manage the security of one VPN port than several RDP
ports. With several RDP ports you need to manage the target IP addresses.
This means static IPs or DHCP reservations. You need to change the registry
on each of these computers. If you need to add a new computer or change an
existing computer you need to consult a manual list of what port to use then
make sure the list and the registry on the target are updated. You need to
check each computer for local admin accounts. You need to setup an IP
address that doesn't conflict with something else. The list goes on and on.
It is a management nightmare. Management nightmares easily become security
nightmares. Yes, it's hard to setup good security for a VPN. This doesn't
mean it's not the best solution. I use both solutions all the time. Where I
need the best security I use RDP over a VPN that uses a firewall as its
endpoint. It is the best solution for security. It takes more work to get
that security but once setup it is far easier to manage.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
http://vistahelpca.blogspot.com/
