How to Fix: Remote Access to Work Computer (Secure)

Dennis Faas's picture

Infopackets Reader Steve T. writes:

" Dear Dennis,

I run a small business, and with the COVID-19 pandemic we have been forced to work remotely from home. The problem we are currently facing is that there are important files on our office PC (server) that I need to share with other employees. Right now I'm having to send these files by email and it's a nightmare. I've looked into using TeamViewer to connect remotely to another computer, but the fees they charge are quite high. Also, I am worried that if TeamViewer got hacked, someone might be able to gain access to my network.

The reason I'm contacting you is because I stumbled across your article on RDP Wrapper, which would allow me to connect remotely to our office pc using multiple connections to our server. Essentially we would be using remote desktop on the office pc. This seems like an excellent choice and there is no hefty recurring fees. That said, I'm worried that this might be a security issue since the server machine needs to have port forwarding open on the router in order to listen for incoming RDP connections by remote users.

Correct me if I'm wrong, but I believe that means anyone can try and connect to our server machine and guess passwords in order to gain access to the network. I also read your article this week about a new strain of ransomware that could potentially bypass RDP authentication. In this case the server could become compromised simply by having it connected to the Internet. Is there a way to secure the RDP connection so it's not open to the public? We need to have remote access to our work computer from home. "

My response:

You are correct - running Remote Desktop (RDP) without securing it is huge security risk. It is one of the biggest reasons corporate networks get infected with ransomware.

The reason this happens is because the RDP service must be listening (on the server) in order to accept a remote connection. To permit this, port forwarding must be open on the router to allow connections to the server directly. Once the port is open, anyone from the outside world can try and connect to your network.

This is a huge security issue because bots (automated malicious programs) will try and guess your passwords and gain access to the network 24/7. Also, if an exploit in the RDP service suddenly became available, then a bot or hacker can gain elevated access to your network and deploy ransomware.

In this case, all your files will become encrypted (making them worthless and unusable) and a note left on your desktop demanding payment to decrypt the files. The cost is usually anywhere from $10,000 to millions of dollars to get your files back.

Here are some articles that highlight what I just said:

Securing Remote Desktop

To answer your question: yes, there is much better way to secure RDP, and it is done using OpenVPN.

It's important to understand that using OpenVPN is 100% different than paying for a third party VPN service (such as NordVPN). The difference here is that a VPN service (such as NordVPN) uses a third party server to relay a connection to another machine, which then anonymizes your IP address. This does nothing to protect your server.

On the other hand, the OpenVPN server service (which runs only on your server) would make the server machine remotely available only to the people you choose. This effectively hides the server from the rest of the Internet, which means that bots and hackers can't try and gain access to your network.

Here's how it works:

The server machine uses its own security certificates which are matched against a client's security certificates (which are run on the client machines). Essentially, these certificates allow the server and client (remote machines) to speak to one another in a language only they understand. This technology is also called secure tunneling.

Update 20200620: Per the user comments below: using programs such as TeamViewer, Support.com, Logmein, Splashtop, etc are not a substitute for RDP and are not secure methods to connect a machine remotely. In fact, they are even less secure than setting up an RDP connection yourself (using Remote Desktop and port forwarding) because these services can have exploits just like RDP, or the sites which run the services themselves can be hacked. Note that these services run on ports 80 and 443 (reserved for the web browser) which are already open on the router and do not require setting up port forwarding.

OpenVPN: Deployment Is Complex

Unfortunately, setting up an OpenVPN server service and client keys is quite time consuming and complex, and depends largely upon how you have your existing network infrastructure set up.

Seven sets of keys need to be generated and then placed into an .ovpn file for both client and server. Each client has its own set of secure keys which are unique. If you have 30 clients then you need to create 30 different certificates. The keys must be generated by hand; if you mix up the certificates, it simply won't work. This is quite time consuming.

Port forwarding also needs to be set up on the router and configured to point to the OpenVPN server service. Also, the OpenVPN server service must be configured to allow multiple clients at the same time, otherwise it will drop the connection each time a new person tries to connect to your network remotely.

If your employees are a mix of Mac and Windows users, then you will need to set up two OpenVPN Servers: one with a TAP adapter configuration for Windows, and the other with TUN for Linux and Mac, because the latter are not compatible with TAP.

Highly Recommended: Virtualize the Server

Whenever I get asked about setting up such infrastructure, I always recommend virtualizing the existing server into a virtual machine. In this case, the virtual server lives inside the real machine, but is completely separate from the host operating system. (Whether or not this is possible depends on the server hardware, but is usually possible with modern hardware).

Virtualizing the server machine allows for high availability and portability. It's also incredibly secure because the virtual machine can run on its own subnet, which would not affect the rest of the network.

If the server machine suffers from catastrophic failure, all you would need to do is copy the virtual machine files onto another machine and it would be up and running in minutes, rather than days or weeks. You would not have to reinstall Windows or reconfigure software ever again.

One of the most appealing reasons for using a virtual machine configuration (versus a physical one) is the use of snapshots. These allow you to roll back the machine to a previous working state within minutes - not days or weeks. This is incredibly convenient if you are hit with malware / ransomware, or if Windows goes corrupt, or if a file gets accidentally deleted, for example. Rolling back a snapshot makes it as if nothing ever happened.

Do You Need OpenVPN Set Up on your Network?

Speaking from experience, setting up this type of infrastructure usually takes me a week to do as it is quite time intensive.

If this is something you (or anyone else reading this article) would like to have set up, I am available for hire - contact me here; review my resume here. I have helped many users already set up this infrastructure and is currently how I have my own remote server set up. It is by far the best way to secure a remote connection, and still have access to all of the remote machine's resources. You can also map drives onto your local machine (by remote) using a VPN, as if you were right there in the office.

I hope that helps!

About the author: Dennis Faas

Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise are a broad range and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelors degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. If you like the advice you received on this page, please up-vote / Like this page and share it with friends. For technical support inquiries, Dennis can be reached via Live chat online this site using the Zopim Chat service (currently located at the bottom left of the screen); optionally, you can contact Dennis through the website contact form. 

Rate this article: 
Average: 5 (6 votes)

Comments

kb72's picture

Are all VPN's prone to dropping out multiple times a day if the broadband connection is less than stellar?

Dennis Faas's picture

If the Internet connection at the server (locally) and to the server (by remote) is poor, then you may lose connection. That is true for any program or service running on a remote machine and not just limited to a VPN or OpenVPN server service in this case.

In situations like this, I recommend that the client rent a dedicated server (using a hosting service) and I will image the existing server and deploy the infrastructure in the cloud. I have already done this for a few clients.

Having the server in the cloud means that uptime is guaranteed to be 99% because they have uninterrupted power supplies (UPS) on site that prevent loss of power to the machine. Also, hosting services have redundant Internet backbone connections to the server, which means connectivity should always be good.

The downside to renting a server like this means there will be a recurring monthly fee for the service - but that cost is offset if it means 99% uptime.

TopDriver's picture

I am a consultant to an Accounting firm. When the COVID shut everything, we had the same issue. How do we keep things secure while allowing people to work from home? Being a user of TeamViewer Free Version for some time, I initially set them up with TeamViewer as a testing environment. We did that for about a month with 2 users. When we decided that it would work for our environment and contacted TeamViewer to purchase their product, we also found that their cost was too far out of reach.

Performing a lot of research, we found a solution called, "Splashtop". We looked at several other tools that are leaders in the remote desktop world. Our problem is that the job requires a minimum of 2 monitors. In fact, we have one person that uses 3 monitors. When I read a review that gave Splashtop good reviews, I decided to test it. It worked GREAT. Besides TeamViewer, it is the only Remote Desktop App that we found to work reliably with two monitors on the host and the client side. I feel Splashtop is more User Friendly than TeamViewer.

We have since virtualized the environment. Therefore, all of the files that users need to do their job remains at the office. With the Splashtop Business Software, I am able to de-activate the "File Transfer" feature. So, what is at the office, stays at the office. As a side note: virtualization allowed us to free up the Office Computers to do other things. The remote personnel are on a server, not on the office computers.

I agree with Dennis. The less ports that have to opened on a Firewall, the better. I reduces the holes for a hacker to get into the Office Network. The nice thing about TeamViewer and Splashtop is that there's no need to open ports on the firewall.

Dennis Faas's picture

Programs like TeamViewer and Splashtop use port 80 or 443 which are reserved for web traffic using the browser. All routers by default have port 80 and 443 open, similar to how port forwarding works. Despite not setting up port forwarding manually on your router, you are still vulnerable because anyone who uses either Teamviewer or Splashtop - including hackers and bots - can still gain access to your network using these programs and your server will respond. The only way to prevent this is to use OpenVPN like I've suggested.

TopDriver's picture

Hi Dennis,

Unless you know something that I don't, I am open to suggestions.

I have not opened any ports on my personal router or at the office. And, I have turned off UPnP on my home router. So, I don't understand how those ports would get opened.

Because I was concerned, I just did a port scan by ShieldsUp to verify. I don't have any ports open.

I also did a google search for "Splashtop Open Ports". And, I hate publishing this because of the hackers. But, Splashtop uses ports 6783, 6784, and 6785.

Thanks

Dennis Faas's picture

According to their website, the default port for splashtop is 443. If you changed it to something else you would need to use port forwarding. Even so, the service is still open to the public unless you use something like OpenVPN to run it on a private subnet. If you have other concerns please email directly. Thanks.