How Secure is Remote Desktop for a Server?

Status
Not open for further replies.

gexamb

I am wondering if it would be practical to use RDP (Remote Desktop Protocol?) on a Win Server 2003 server to connect to another PC over the internet for the sole purpose of sending backups. I heard it is possible to make a client PC's hard drive mapped as a network drive and you can use that drive as if it were a regular network drive, helping me to do backups offsite.

How secure is it? Can I make it more secure? What do I need to make it secure and how?

I can set up RDP but before I do, I wanted to research more into this topic concerning the security of it. I read somewhere that I would need to use PKI to send authentication certificates to prevent MITM (Man in the Middle) attacks. Is this necessary? How can I set this up if needed?

The server will pretty much be using RDP after hours. Can I program RDP to be enabled at certain time frames? Will having RDP enabled overnight compromise the security? I would guess so...

Any suggestions or comments would be much appreciated. Thanks
 
gexamb said:
I heard it is possible to make a client PC's hard drive mapped as a network drive and you can use that drive as if it were a regular network drive, helping me to do backups offsite.
If all systems are on your LAN, then a mapped drive is THE proper approach. Security is a non-issue and there is minimal data movement to the backup system and/or attached HD.

gexamb said:
I am wondering if it would be practical to use RDP (Remote Desktop Protocol?) on a Win Server 2003 server to connect to another PC over the internet for the sole purpose of sending backups.
Yes, this can be done, but usually RDP is for managing the remote system, not data backups.

gexamb said:
How secure is it? Can I make it more secure? What do I need to make it secure and how?
I can set up RDP but before I do, I wanted to research more into this topic concerning the security of it. I read somewhere that I would need to use PKI to send authentication certificates to prevent MITM (Man in the Middle) attacks. Is this necessary? How can I set this up if needed?
Research; never get enough of it!

Most products encrypt the data stream so that no one can tell what is happening.
However, some only encrypt the data, not the login and therefore expose the system to keylogging attacks.

RealVNC, gotoMyPC, ... there are several remote system control products ...
will give you some ideas.
 
I'm sorry, I forgot to mention. This connection will not be used on LAN. It will be used on the internet.

I read that I can set up a remote HDD as a mapped network drive, meaning I can specify server backups to be saved on that HDD which is sitting at home, for example.

Would this third-party software allow me to do this as well? I just need a secure connection to another PC over the internet to be sending backups. Online backup services are waaaaaayyyy too expensive.

kimsland, if I lock down Server 2003, what good does it do me? Does it only allow RDP connection and lock everything else down to prevent being tampered with?

I will check out that software, thx guys.

edit

Checked out RealVNC and used gotoMyPC before, and they both do not create a directory path for programs such as NovaBackup to be able to save files remotely. It's just a crude copy and paste system.
 
well, ok. Mapping a drive across the Internet is --- BOLD!.

The process requires the firewall to open SMB ports for i/o to and from specific IP addresses. SMB is the familiar File/Print sharing ports, but as you want some integrity for the data, I would only open the tcp/445 port and NOT the udp/139 port. (For non-Windows readers, SMB is the SAMBA protocol using LMHOST/V1).

The additional step would be port forwarding from the outer firewall to the internal system, and this would be necessary on BOTH ends of the connection.

Here's the BOLD part: mounting and mapping the drive would occur using LMHOST/V1 hashed passwords and this is not considered the best encryption. If both ends move to LMHOST/V2 OR have passwords greater than 15 characters, then the exchange is much more secure (from an access point of view).

The data would not however, be encrypted!
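
Added example, not part of the thread: a small audit for the "specific IP addresses" condition in the post above, flagging any allow rule for a Windows file-sharing port whose source is wider than a single host. The one-line rule format (`action proto port source`) and the sample rules are constructed for illustration and do not match any particular firewall's syntax.

```python
import ipaddress

# Ports used by Windows file sharing (NetBIOS 137-139 and SMB 445).
SMB_PORTS = {137, 138, 139, 445}

# Constructed sample rules in a hypothetical "action proto port source" format.
SAMPLE_RULES = """\
allow tcp 445 203.0.113.10
allow tcp 445 0.0.0.0/0
allow tcp 139 198.51.100.0/24
allow tcp 3389 0.0.0.0/0
deny  udp 137 any
# constructed comment line
allow tcp 445 any
"""

def parse_rule(line):
    """Split one rule into (action, proto, port, source network)."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError("expected: action proto port source")
    action, proto, port, source = fields
    if source.lower() == "any":
        source = "0.0.0.0/0"
    # A bare address parses as a /32, i.e. exactly one host.
    net = ipaddress.ip_network(source, strict=False)
    return action.lower(), proto.lower(), int(port), net

def audit_smb_rules(text):
    """Return (line number, finding, detail) for risky file-sharing rules."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            action, proto, port, net = parse_rule(line)
        except ValueError:
            # Never skip a rule silently: an unreadable rule needs a human.
            findings.append((lineno, "unparseable", raw.strip()))
            continue
        if action != "allow" or port not in SMB_PORTS:
            continue
        if net.num_addresses > 1:
            kind = "open-to-internet" if net.prefixlen == 0 else "open-to-range"
            findings.append((lineno, kind, f"{proto}/{port} from {net}"))
    return findings

if __name__ == "__main__":
    for finding in audit_smb_rules(SAMPLE_RULES):
        print(finding)
```

A clean result only confirms that the source addresses are pinned to single hosts; it says nothing about whether the traffic itself is encrypted.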
 
This thing gets more confusing by the day. lol

Just an update:

We have planned to move our external HDD that is connected to the server into another office with 2 5m USB active repeater cables. This will keep the data somewhat secure in case of a disaster. Now if I can have the server backup files backed up or saved offsite automatically is what I need.

I'm tired of thinking already, I need a beer.

jobeard, thank you for all your help, you have helped me in all my threads. I appreciate the help.
 
gexamb said:
We have planned to move our external HDD that is connected to the server into another office with 2 5m USB active repeater cables. This will keep the data somewhat secure in case of a disaster.
Hum; (imo) not thinking clearly here.
10-20-100 feet of separation is of little or NO help when the building burns to the ground.

Local backup copies allow the team quick response times to restore day-day problems. Business continuation needs a better solution.
gexamb said:
Now if I can have the server backup files backed up or saved offsite automatically is what I need.
YES! This is how you protect the company assets!

I would do the due diligence solution of regular backups to removable media. Every Monday, send LAST MONDAY's media to an off-site storage area -- heck -- even take it home! At the same time, retrieve the media from off-site for that instance stored 30 days ago.

There's 1000's of variations on this kind of plan.
 
Thanks for your ideas.

I meant that in case of an electrical fire started by the server itself, the external drive will be somewhat safe. But it is true, in case of a building fire or whatever, it will be useless.

I think the only logical, and I guess cheaper, solution would be to do regular backups on the drive, and then take it home and save a copy at home like you mentioned. I don't think we would need more than a month's worth of work to be backed up, seems like an unnecessary waste of space.

I'm sorry if I have made this whole thing so difficult, it's just that my boss is paranoid and thinks that everything has to work his way. Thank you jobeard, you have been a major help. If there are any updates etc., I'll post them. Thank you.
 
If he's paranoid, then it's too risky for you to take possession of the backups and remove them to your residence (tongue in cheek). Make HIM take them home, clutter his living room :)

Better still, google for Iron Mountain; Offsite backup solution provider == only ~$800/month.

Ask for the $800 as a raise for the custodial care of company equipment :)
 
LMAO, like that will ever happen. he'll shoot crystals out of his *** before he gives me a raise or lets me take custodial care of company equipment (BTW we are in the business of selling crystal). lol

my original suggestion was for him to take the backups home, not me. Like I have nothing else to do than copy backups.

anyway man, thank you for your help. i will post again if any new ideas pop into my head, thanks.
 