- Posts: 1
- Thank you received: 0
Setup Remote Desktop Win 2K3 via Cisco 800 Series Router
17 years 5 months ago #21154
by Rofnek
Setup Remote Desktop Win 2K3 via Cisco 800 Series Router was created by Rofnek
GoodDay Ppl.
We hv a small LAN controlled by Win 2K3 server acting as DHCP/File & antivirus server. A cisco 800 series router with ISDN connection allows every PC in LAN internet access. How do l go about setting my server (that's right -- only Win 2K3 server) that it allows remotes desktop access from anywhere in the world with maximum security? Internal IP range is 200.200.1.x and 200.200.1.3 being gateway(router's IP).
Any help would be grately appreciated.
Many Thanks
Rofnek
We hv a small LAN controlled by Win 2K3 server acting as DHCP/File & antivirus server. A cisco 800 series router with ISDN connection allows every PC in LAN internet access. How do l go about setting my server (that's right -- only Win 2K3 server) that it allows remotes desktop access from anywhere in the world with maximum security? Internal IP range is 200.200.1.x and 200.200.1.3 being gateway(router's IP).
Any help would be grately appreciated.
Many Thanks
Rofnek
17 years 5 months ago #21169
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: Setup Remote Desktop Win 2K3 via Cisco 800 Series Router
This can be easily setup on your Cisco 800 series router. All you need to do is setup a Static Mapping to translate the address from the outside to the inside.
As for security, this will depend on how much you think you are at risk, your type of buisness and what it would mean to your company to have a compromise. If for example you are a financial institute then i wouldn't go down this route at all and would possibly look at proper VPN connectivity with IPSec and 2 Factor Authentication. However if you are a small firm making windows or something then the risk is probably much more acceptible.
If you were to do this then i would probably set it to an unknown port number, fairly high in the range (60000+) because some attackers will only do port scans for well know services that may have vulnerabilities.
To secure it further, i would see about gettign the people who need access on a fix IP Address from home to allow you to setup ACCESS LISTS to specific IP Addresses, this will then limit who can access that port unless they are doing really advanced IP spoofing which would be very dificult over the Interent as they wouldn't really be able to get the return traffic (or lets say its very very difficult).
Finally, only enable the users who need the access to Remote Desktop into the Windows 2003 server.
Now, the static NAT translation (i call them static since i am used to the Pix )
[code:1]ip nat inside source static tcp [i]inside_address inside_port Outside_address outside_port extendable[/i][/code:1]
There is nothing stopping the inside_port being 3389 and the outside_port being 60025 or something..... (i think, never tried it on the router but sure it should work).
Cheers
As for security, this will depend on how much you think you are at risk, your type of buisness and what it would mean to your company to have a compromise. If for example you are a financial institute then i wouldn't go down this route at all and would possibly look at proper VPN connectivity with IPSec and 2 Factor Authentication. However if you are a small firm making windows or something then the risk is probably much more acceptible.
If you were to do this then i would probably set it to an unknown port number, fairly high in the range (60000+) because some attackers will only do port scans for well know services that may have vulnerabilities.
To secure it further, i would see about gettign the people who need access on a fix IP Address from home to allow you to setup ACCESS LISTS to specific IP Addresses, this will then limit who can access that port unless they are doing really advanced IP spoofing which would be very dificult over the Interent as they wouldn't really be able to get the return traffic (or lets say its very very difficult).
Finally, only enable the users who need the access to Remote Desktop into the Windows 2003 server.
Now, the static NAT translation (i call them static since i am used to the Pix
)[code:1]ip nat inside source static tcp [i]inside_address inside_port Outside_address outside_port extendable[/i][/code:1]
There is nothing stopping the inside_port being 3389 and the outside_port being 60025 or something..... (i think, never tried it on the router but sure it should work).
Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Time to create page: 0.120 seconds