TechSoup.org The place for nonprofits, charities, and libraries

Discuss remote administration for Windows Server

  • My experience is that putting a Windows 2000 or 2003 terminal server on the Internet without a firewall is an invitation for disaster. One tool that was not mentioned is a VPN (Virtual Private Network). Smoothwall http://sourceforge.net/projects/smoothwall is a very easy to configure open source (free) program that will run on an old, inexpensive computer. It may require some technical expertise to set up, but the extra security is well worth the effort. Otherwise your data could be my data whenever I want it.

    Rick Aldred, MCSE+Security
  • If you implement SSH, you can easily manage more than 1 box without having to fudge around with the ports that Remote Desktop is running on. For example:

    Client 2 Server Port Forwards:
    127.0.0.1:9051 --> 10.9.0.51:3389
    127.0.0.1:9050 --> 10.9.0.50:3389
    127.0.0.1:9011 --> 10.9.0.11:3389

    Granted, you can just Remote Desktop into one box, then Remote Desktop to another once you're inside the network, but have you ever used double/triple remote desktop in full screen mode? I find it confusing.

    So you only open 1 port on your firewall to get access to virtually unlimited IPs and ports on your private IP subnet. And SSH is little overhead compared to PPTP and LPTP traffic.

    Not to mention, most SSH servers come with SFTP - so now you can upload/download files securely without exposing a typical, unsecured FTP server.

    For my home systems, I use OpenSSH (a bit of a bear to install and configure if you aren't techy - and it's open source) and for professional installations I use BitVise WinSSHD.

    The real gems for remote (and local) administration of a Windows Server / Network, however, are in my mind LogMeIn and Dameware Utilities. At a typical client's, I'll install my own small workstation with LogMeIn Free. On that box will be Dameware Utilities. I love the pricing structure for Dameware, you only pay per administrator, not per computer/server you are administering.

    Chris Shipley
    Nutmeg Consulting
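
The forward table from the post above, turned into an OpenSSH client command line. This is an added example, not part of any poster's message: the gateway name and login are placeholders, the script only prints the command, and it refuses any listener that is not bound to loopback.

```shell
#!/bin/sh
# Added example: turn the post's forward table into OpenSSH -L arguments.
# Assumption (not from the post): gateway name and login are placeholders.
GATEWAY="admin@gateway.example.org"   # hypothetical SSH server behind the one open port

# Forward table in the notation used in the post.
FORWARDS='127.0.0.1:9051 --> 10.9.0.51:3389
127.0.0.1:9050 --> 10.9.0.50:3389
127.0.0.1:9011 --> 10.9.0.11:3389'

# valid_port N: succeeds when N is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_forward_args TABLE: print one "-L bind:lport:host:rport" per line.
# Returns non-zero on a listener that is not bound to loopback, because a
# 0.0.0.0 listener would offer the tunnelled RDP port to the whole client LAN.
build_forward_args() {
    while read -r local_ep arrow remote_ep; do
        [ -n "$local_ep" ] || continue
        [ "$arrow" = "-->" ] || { echo "bad line: $local_ep" >&2; return 1; }
        bind=${local_ep%:*}; lport=${local_ep##*:}
        host=${remote_ep%:*}; rport=${remote_ep##*:}
        [ "$bind" = "127.0.0.1" ] || { echo "refusing non-loopback bind: $bind" >&2; return 1; }
        valid_port "$lport" && valid_port "$rport" || { echo "bad port: $local_ep $remote_ep" >&2; return 1; }
        printf '%s %s:%s:%s:%s\n' "-L" "$bind" "$lport" "$host" "$rport"
    done <<EOF
$1
EOF
}

# ssh_command TABLE: print the full client command line (printed, not run).
# -N opens the tunnels without a remote shell; ExitOnForwardFailure makes ssh
# quit if a local port is already taken instead of running with a tunnel missing.
ssh_command() {
    args=$(build_forward_args "$1") || return 1
    echo "ssh -N -o ExitOnForwardFailure=yes $(printf '%s' "$args" | tr '\n' ' ') $GATEWAY"
}

ssh_command "$FORWARDS"
```

With the tunnels up, the Remote Desktop client connects to 127.0.0.1:9051, 127.0.0.1:9050 or 127.0.0.1:9011 to reach the corresponding internal host.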

  • Ah, yes, that makes sense. Most of my clients only have one server, so I rarely have the need to remotely control more than one box per site.

    As for exposing RDP to the public Internet, I have over a dozen organizations that are set up this way and I've never had any trouble with intrusions. My impression is that the biggest risk is from brute force attacks on the password. So as long as you have a nice strong password on the administrator account, you haven't much to fear from the bad guys.

    Zac Mutrux
    President, Sarai LLC
    http://www.sarai.org/
    zac@sarai.org
    415-359-3791

  • I agree with that. It's better, in my opinion, than exposing something like VNC. You should really SSH port forward or VPN tunnel for VNC connections.

    Chris Shipley
    Nutmeg Consulting