Securing Windows Remote Desktop with CopSSH


I like having the ability to remotely access my PC at home while I am away, in case I want to grab an important file I have left there or need to finish something I didn’t quite get around to. For ages I simply set port forwarding on my router so that port 3389 was directed to my desktop PC, which let me connect to my computer using Microsoft’s Remote Desktop Protocol (RDP). While this was not the most secure way of doing so, it worked, and I did not want to change how I did things.

That’s not to say that RDP is not secure – according to Microsoft it does use 128-bit RC4. However, with man-in-the-middle attacks being relatively easy to carry out, I thought there had to be a better (and more secure) way of connecting to my oh-so-precious home network.

In the end, I decided that I could route my RDP sessions through an SSH tunnel and sleep a little easier at night.  If you follow the directions below, you can too.

Going forward in this document, I will use the term “Server” to refer to the remote computer (in my case, my home PC) that we will be connecting to.  I will use the term “Client” to refer to my local computer, the computer I will be connecting from.

Installing CopSSH

1) Download CopSSH, Putty and Puttygen.

2) Execute the CopSSH installer, click Next to proceed, then click I agree to accept the license agreement.

CopSSH Screen 1

3) Select the installation directory as shown below. Click Install to proceed.

Note:  With the release of CopSSH v2.0, the default installation directory has changed from C:\Program Files\CopSSH to C:\Program Files\ICW.

CopSSH Setup Page 2 - Destination Folder

4) CopSSH requires that Windows add a Service Account in order to run CopSSH as a service. Click Install at the Service Account prompt unless you want to change the user name CopSSH creates.

CopSSH Setup Page 3 - Service Configuration

5) Once all of the files are copied and the service has been started, you will receive the following message stating that no users are enabled on the server. This is a security precaution – you will need to manually activate each user who you wish to allow access via SSH.

CopSSH Screen 3

6) To add a user, open the Start Menu, locate the CopSSH folder, and launch the Activate a User application. Select the user you wish to activate from the drop down box shown. Before you click Next, you can deselect the option to Create keys for public key authentication if you wish to generate the keys separately. I will demonstrate how to generate keys separately, so deselect the box if you wish to follow along.

CopSSH Add User

7) Upon clicking Next, you will receive a message stating that the selected user has been activated and can access the machine via SSH.

SSH Key Pair Generation

1) Start Puttygen, enter 4096 into the Number of bits in a generated key field, then click Generate to begin the key creation process.

Puttygen Screen 1

2) Move the mouse as requested to add randomness to the key generation. Once you have generated enough random movements, your key will be created. Once the generation has finished, add a Key Comment if you wish, then enter a key passphrase two times as shown – the more complex, the better.

PuttyGen Generate Random Data

3) Highlight all of the text in the Public key for pasting into OpenSSH authorized_keys file box and paste it into a text editor. Save the file to the C:\Program Files\ICW\home\<UserID>\.ssh\ folder on your Server, naming the file authorized_keys with no extension.

This naming is important unless you change the key file that CopSSH looks for (the AuthorizedKeysFile setting) in the SSHD configuration file. For the Administrator account shown, you would save the file as:
C:\Program Files\ICW\home\Administrator\.ssh\authorized_keys
(on an install older than v2.0 the path starts with C:\Program Files\copssh instead, as noted above).

Note: You cannot simply click the Save Public Key button to generate this file – that button writes the key in the multi-line SSH2 (RFC 4716) format, which CopSSH will not accept as an authorized_keys entry. You must manually copy and paste the one-line public key as noted above.

PuttyGen Example Key
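As an added example that is not part of the original guide, the following Python script shows the difference between the two formats by doing the conversion the note above says you cannot get from the Save Public Key button: it reads a file in the SSH2/RFC 4716 layout PuTTYgen writes and emits the single “type base64 comment” line that OpenSSH’s sshd reads from authorized_keys. The key material is a constructed toy blob (a made-up 512-bit modulus), not a real key, and the helper names are mine.

```python
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    """SSH mpint: big-endian magnitude, with a leading zero byte if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """The 'ssh-rsa' public key blob both file formats carry: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def to_rfc4716(blob: bytes, comment: str) -> str:
    """Wrap a blob the way PuTTYgen's Save Public Key does: RFC 4716 markers,
    a Comment header and the base64 body folded into short lines."""
    b64 = base64.b64encode(blob).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----",
                      f'Comment: "{comment}"', *body,
                      "---- END SSH2 PUBLIC KEY ----"]) + "\n"


def rfc4716_to_openssh(text: str) -> str:
    """Convert an RFC 4716 public key file into the single line sshd reads from
    authorized_keys: '<key type> <base64 blob> <comment>'."""
    comment, body, inside = "", [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "---- BEGIN SSH2 PUBLIC KEY ----":
            inside = True
            continue
        if line == "---- END SSH2 PUBLIC KEY ----":
            break
        if not inside:
            continue
        if ":" in line and not body:
            # Header line (Comment:, Subject:, ...). base64 never contains ':', so this
            # cannot misfire on key data. Backslash-continued headers are not handled.
            name, _, value = line.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
            continue
        body.append(line)
    if not body:
        raise ValueError("no key data found between the RFC 4716 markers")
    blob = base64.b64decode("".join(body), validate=True)
    # The first SSH string inside the blob names the key type; authorized_keys
    # needs that same type as its first field.
    (type_len,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + type_len].decode("ascii")
    if not key_type.startswith(("ssh-", "ecdsa-")):
        raise ValueError(f"unexpected key type {key_type!r}")
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()


# Constructed sample: a toy modulus that is NOT a real key, only wire-format practice.
TOY_N = int.from_bytes(bytes(range(1, 65)), "big")
SAMPLE_BLOB = rsa_public_blob(65537, TOY_N)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_RFC4716 = to_rfc4716(SAMPLE_BLOB, "rsa-key-20100101")

if __name__ == "__main__":
    print(SAMPLE_RFC4716)
    print(rfc4716_to_openssh(SAMPLE_RFC4716))
```

Running it prints the folded SSH2 block first and the one-line authorized_keys form second; the base64 payload is identical in both, which is why pasting from the PuTTYgen text box works while the saved file does not.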

4) Now click Save Private Key, save the private key (Putty’s .ppk format), then close Puttygen. You will want to copy this key to any PC you use as a Client, as Putty requires it to make the connection to the SSH server. I would suggest backing this key up so you do not have to repeat this process in the future.

Configuring CopSSH

1) Now we need to reconfigure CopSSH to use a port other than 22 for connectivity. Changing the port number adds a bit of security through obscurity to your SSH install: port 22 is what automated scanners try first, so a non-standard port mostly cuts down on the noise and makes it just a bit harder for someone looking to exploit something. The real protection is the key-only authentication configured in step 3.

To change this setting, we need to open the SSHD configuration file. It is located at C:\Program Files\ICW\etc\sshd_config. You can open it in WordPad or any text editor; Notepad really is not the right tool for this job.

2) In the file, the first value you can change is Port. Change it to something that you will remember, uncomment the line by removing the pound sign at the beginning of the line, then save and close the file.

sshd_config - Changing Service Port Number

3) The next values you want to change control how users can authenticate to the SSH server. This is a detail that I missed in my first write-up that an astute reader noticed was overlooked.

This configuration change is very important as it disallows any user from authenticating to your SSH server without a key file. If you do not change these values, users can connect to the server simply using their logon name and regular password.

You need to set both the PasswordAuthentication and PermitEmptyPasswords settings to “no”: remove the pound sign to uncomment each line, then change its value to no.

Set PasswordAuthentication and PermitEmptyPasswords to no

4) Now, restart the OpenSSHD service via Windows’ Services panel to allow the configuration changes to be applied.

5) If you have a router with firewall capabilities installed, you should log on to the administration web page and forward the SSH port you just defined to the computer on which you installed CopSSH. I will assume that you know what you are doing and let you take care of this on your own.
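As an added example (not part of the original guide), here is a small Python audit script that reads an sshd_config and reports whether the settings changed in steps 2 and 3 are actually in effect. It models the rule sshd itself applies, that the first active value for a keyword wins and a line still starting with a pound sign is only a reminder of the default, which is exactly what makes a half-finished edit dangerous. The three config samples are constructed by me (the port 2222 and the Subsystem line are placeholders, not CopSSH’s actual file), and PubkeyAuthentication is checked as an extra beyond what the guide lists.

```python
import re


def parse_sshd_config(text: str) -> dict:
    """Return {keyword (lower-cased): value} for the ACTIVE directives in an sshd_config.
    sshd's rule is that the first value seen for a keyword wins, so a later duplicate
    is ignored, and a line that still starts with '#' is only a reminder of the default.
    Match blocks are not modelled (assumption: the stock CopSSH file has none)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" and "Keyword=value"
        m = re.match(r"^(\S+?)\s*(?:=|\s)\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        effective.setdefault(key, value)   # first occurrence wins
    return effective


def audit_sshd_config(text: str) -> list:
    """Findings against the settings this guide changes; an empty list means the file
    is hardened the way the guide describes. Fallbacks are OpenSSH's built-in defaults."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("port", "22") == "22":
        findings.append("Port is still 22")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no': a Windows logon name and password still get in")
    if cfg.get("permitemptypasswords", "no").lower() != "no":
        findings.append("PermitEmptyPasswords is not 'no'")
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is off: authorized_keys would be ignored")
    return findings


# Constructed sample resembling a stock file: everything commented out, so defaults apply.
STOCK_CONFIG = """\
#Port 22
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
#PermitEmptyPasswords no
Subsystem sftp /usr/sbin/sftp-server
"""

# Constructed sample after steps 2 and 3 of this guide (2222 is just an example port).
HARDENED_CONFIG = """\
Port 2222
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
Subsystem sftp /usr/sbin/sftp-server
"""

# Constructed sample of the first-value-wins trap: the 'no' on the last line is dead.
FIRST_WINS_CONFIG = """\
Port 2222
PasswordAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, sample in [("stock", STOCK_CONFIG), ("hardened", HARDENED_CONFIG),
                         ("first-wins trap", FIRST_WINS_CONFIG)]:
        print(name, "->", audit_sshd_config(sample) or "OK")
```

Run it against a copy of your own sshd_config (read the file and pass its text to audit_sshd_config) before restarting the service; the stock sample reports both the default port and password logins, the hardened sample reports nothing, and the third sample shows why a pasted-in “no” below an existing “yes” changes nothing.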

Configuring Putty

Now we need to configure Putty to connect to our SSH server. This is a pretty straightforward process that you should carry out on the Client, the computer you will be connecting from.

1) Launch Putty. Under Session settings, we will adjust 2 items:

a) Set your Host Name or Host IP for connection. I use DD-WRT on my router, and it supports DynDNS – so I just entered my DynDNS host name here.

b) Set the Port number to reflect the port number you configured in the sshd_config file earlier.

Putty Server Configuration - Enter Server Name and Port Number

2) Under Connection -> Data, we will adjust one item:

a) Set the Auto-login Username value to reflect the user you enabled on the SSH server.

Putty Login Details - Enter Remote User Name

3) Under the main SSH section, we will adjust two items:

a) Check the Enable Compression box under the Protocol Options section.

b) Select 2 only under the Preferred SSH protocol version section.

Putty - Set SSH Protocol Options, Compression, SSH 2 Only

4) Expand the SSH section and select Auth. In this section, we will set the Private key file for authentication to the location of the private key you created earlier.

Putty - Select Private Key

5) Under the Tunnels section of the SSH section, we will establish the tunneling settings for your remote desktop sessions. This is where the real work gets done.

You must create an entry for each computer you want to connect to at the other end of the SSH tunnel. To do this, you will need RDP enabled on the target computer, as well as the host name of the target computer. Once you have entered the proper values, click Add to add the port forwarding to the configuration.

Putty - Port Redirection - Enter host name and port number

In the previous picture, you should note two things:

a) The Source port refers to the port you are connecting to on your local computer, i.e. the port that Putty will listen on for connections while you have the SSH tunnel established. I usually set this to 3390 for the first host I want to RDP to, and then count up from there.

b) In the Destination section, you will need to enter the name of the remote server you want to connect to, followed by a colon, then the RDP port number. For hosts using the default Windows RDP configuration, this is always 3389. If you have changed this value, adjust as necessary.

You can pretty much add as many hosts as you can keep straight in your head:

Putty Screen 6
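To make the Source port / Destination mechanics concrete, here is an added example that is not part of the guide and is not PuTTY’s own code: a plain Python TCP relay that models the listener half of one tunnel entry. It listens on 127.0.0.1:<source port>, and for every connection it receives it opens a connection to the destination host:port and copies bytes in both directions, which is what lets the Remote Desktop client talk to localhost:3390 and reach the far-end PC. The echo server stands in for the RDP host and the payload is constructed; the SSH encryption that wraps the relayed bytes between Putty and the CopSSH server is deliberately left out, and that wrapping is the whole reason the real tunnel is safe to expose across the Internet while this relay is not.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then pass the EOF on as a half-close."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listen(port: int) -> socket.socket:
    """Loopback-only listener; port 0 asks the OS for any free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))   # bound to loopback, as PuTTY does by default
    s.listen(5)
    s.settimeout(0.2)             # lets the accept loop notice close() promptly
    return s


class LocalForward:
    """Listen on 127.0.0.1:<source_port> and relay each connection to dest.
    This is the listener side of a PuTTY 'Source port -> Destination' entry; the real
    tunnel carries the relayed bytes inside SSH, which this plain relay leaves out."""

    def __init__(self, source_port: int, dest_host: str, dest_port: int):
        self.dest = (dest_host, dest_port)
        self.listener = _listen(source_port)
        self.source_port = self.listener.getsockname()[1]
        self._closed = threading.Event()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while not self._closed.is_set():
            try:
                client, _ = self.listener.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            client.settimeout(None)
            try:
                upstream = socket.create_connection(self.dest, timeout=5)
                upstream.settimeout(None)
            except OSError:
                client.close()   # destination unreachable: the local side just sees EOF
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self) -> None:
        self._closed.set()
        self.listener.close()


def start_echo_server() -> tuple:
    """Stand-in for the RDP host at the far end: echoes whatever it receives."""
    srv = _listen(0)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            conn.settimeout(None)
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, stop, srv.getsockname()[1]


def demo_round_trip(payload: bytes = b"constructed stand-in for RDP traffic") -> bytes:
    """Send payload through the local forward to the echo host and return what comes back."""
    srv, stop, dest_port = start_echo_server()
    fwd = LocalForward(0, "127.0.0.1", dest_port)   # the guide would use 3390 here
    try:
        with socket.create_connection(("127.0.0.1", fwd.source_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            received = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                received += chunk
        return received
    finally:
        fwd.close()
        stop.set()
        srv.close()


if __name__ == "__main__":
    print(demo_round_trip())
```

The relay binds to 127.0.0.1 only, mirroring Putty’s default of not letting other machines on the LAN use your forwarded ports; if you ever tick Putty’s “Local ports accept connections from other hosts” box, every computer that can reach the Client gets the same path into your home network.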

6) Return to the main Session section of Putty and give the configured session a name as seen below. Click Save to save your configuration – it will then appear in the list of saved session configurations.

Putty - Save Session Information

7) Finally, when you want to RDP into your remote computer, you can launch the Putty console to establish the connection, or you can simply run putty.exe -load "<session name here>" from the command line to launch Putty and connect to your remote host (the session name needs quotes if it contains spaces). For example, I would type putty.exe -load "Home Network" if I wanted to launch this particular connection.

8) After you authenticate using the passphrase you created earlier, you can simply RDP into your remote computer by connecting to localhost:3390 from the Remote Desktop Connection application as shown below:

RDP to Local Machine

Note: You can always test SSH connectivity locally by replacing your SSH host’s IP address with localhost and launching Putty. In fact, I recommend you do this to ensure that your key pair is working properly before you attempt to connect remotely.

Tunneling for VNC

Some people have inquired as to whether or not you can secure VNC in the same fashion as Windows RDP.  The answer is “Absolutely”.  To do so, pick any Source Port you like, and substitute 5900 as the destination port number for the remote server.  It’s as simple as that.

The next time you fire up VNC, you merely need to enter localhost as the host name, followed by a colon, then the port number you picked.

Note: This process can get tricky depending on the VNC client you are using.

For instance, TightVNC uses a strange port numbering system where you need to subtract 5900 from the port number you wish to connect to if it is different from port 5900 (the number after a single colon is a VNC display number, and display N lives on port 5900+N). As an example, if I was connecting to port 5901 on my local machine, I would enter localhost:1 as the VNC server address. If instead I selected port 222 as my tunneling port, I would enter localhost:-5678 as the VNC server address (yes, that is a negative port number). TightVNC, like most VNC viewers, also accepts a double colon (localhost::222) to name the port directly, which avoids the arithmetic.

Tunnel Settings for TightVNC

Hopefully this document helped you in your journey to safer, more secure remote communications.  If you have any questions, comments, or additions, please drop by http://geek-republic.com/chat and ask for DrNathan.  I’m usually there.


15 Responses to “Securing Windows Remote Desktop with CopSSH”

  • Josef Meile:

    Hi,

    I’m using the same principle to have a secure remote desktop on my network. However, it is a much bigger network, a university network and not a small intranet. Correct me if I’m wrong:

    Let’s say that I have four machines: machine1, machine2, machine3, and machine4. Let’s say that:
    1) machine1 is the machine where copSSH is installed, aka ssh server.
    2) machine2 and machine3 are the machines I want remotely to access, aka remote machines.
    3) machine4 is my local machine, aka client machine.

    So, if I got this ssh tunnels theory, this is how a connection between the client machine and a remote machine happens:
    1) First you connect from the client machine to the ssh server through putty.
    2) Then you start the Remote Desktop software and give machine2:3390.

    At this point, the client machine will send the RDP commands to the ssh server, which will forward them to the remote machine. So, the connection between the client machine and the ssh server is encrypted, but the connection between the ssh server and the remote machine isn’t -> Is this right?

    So, I thought that for my case it would be perhaps much safer to install the copSSH software on both remote machines: machine2 and machine3. Then, I wouldn’t need machine4 and I will only have a tunnel per putty session. If I got it well, then the connection between my local machine and a remote machine will be encrypted and since the remote machine will be sending the RDP commands to itself, there wouldn’t be a risk that somebody can see what I’m doing.

    I would be happy if you could send me some feedback about this.

    Best regards
    Josef

  • Josef Meile:

    Umm, there is a mistake from me there. Actually, on the Remote Desktop session you give localhost:3390 and not machine2:3390

  • DrNathan:

    Josef,

    You are mostly correct on how the SSH tunneling works. When you configure Putty in step 5, you are entering 2 values:

    1) The source port, which is the port on your local machine that Putty will monitor for connections.

    2) The remote computer name along with the RDP port, port 3389.

    Once you have connected to your SSH server with Putty, Putty starts listening to the local ports you assigned earlier. So if you assigned “Source Port” 3390 to be associated with Computer1:3389, any connections to your local machine on port 3390 will be redirected through the SSH tunnel to port 3389 on Computer1.

    So, when you tell Microsoft’s Remote Desktop client to connect to the local computer, it is in turn being sent over the tunnel by Putty. The SSH server on the far end merely passes the traffic onto the destination PC on the remote end.

    As for your second question, you are correct in that once the traffic leaves the SSH server on the remote end, it is no longer protected by the SSH tunnel. Technically, RDP is encrypted so the data is not being sent out in the open, but there are sniffing tools such as Cain that can listen in to RDP session handshakes in attempts to steal credentials.

    If you wanted to be better protected, I would recommend either installing SSH on each remote computer as you mentioned, or installing a router in what I assume is your dorm room to segregate your private network from the rest of the computers on the University’s network. A simple router using DD-WRT that also has firewall capabilities would be more than enough to keep most people out of your “private” network.

    Hopefully that clears up some of the process for you. I’m glad that you found my post helpful, and please do not hesitate to ask any more questions.

  • Computer Geek:

    This works great, thanks for the walkthrough.

  • [...] I don’t understand how to install copSSH – can’t you add some pictures? No, but this guy can. [...]

  • Hey i found this blog while researching. Keep up the good work, I wish the best for your site.

  • pfg:

    I got the following problem:
    I configured SSH as mentioned and I can connect and authenticate to the server through PuTTY.
    But I can not RDP the remote PC.
    I’m running 7 Ultimate on both PCs and I have the RDP port open in my target PC’s firewall.
    The message I got is the following: “This computer can’t connect to the remote computer. Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator.”
    NOTE: I’m trying this through my LAN.

    Thanks in advance,
    pfg

  • pfg:

    SOLVED!! Instead of using computername:port in PuTTY I used computerlanip:port and it worked!

    Thanks anyway, any answer or feedback would be appreciated anyway!!

    pfg

  • DrNathan:

    pfg,

    Sounds like you had some sort of DNS issue. Typically you do not have to statically enter the IP address of the remote computer you are trying to connect to, as it is resolving its own host name.

    Glad you got it all sorted out!

  • Leonardo:

    Hi there … again DrNathan, well I used the same method using Ubuntu 10.04 as a client. Installed Putty from the Ubuntu Software Center, then I used rdesktop to log on ….. works fantastically …. I can even do a concurrent logon to Windows XP after a hack I found on the website …. now my XP machine is working like a server for multiple logons from either Windows or Linux ….

    I used this link for concurrent logon to XP … isn’t the open source community just great
    http://alonbilu.wordpress.com/2008/05/17/enabling-multiple-concurrent-remote-sessions-on-windows-xp-sp3-patched-file-included/

  • Mike:

    Leonardo,

    It’s great that you got the same process working with Ubuntu. Even more, I like the use of the XP machine as more of a terminal server than a standalone PC. While not *technically* legal to do, I think the patch for multiple concurrent sessions is definitely required.

    I often try to get on my home PC while my wife is also working on it – there’s no reason we both shouldn’t be able to do a small bit of work on it at the same time.

  • Leonardo:

    hahaha … ya … i agree

  • SS:

    Would it be possible for you to update the instructions for copSSH 4.x.x?

    Thanks.

    • Mike:

      I had no idea they updated to version 4.x.x already – I’ll take a look and see what’s different, then rework things. Keep your eyes peeled for a new walk-through!

  • SS:

    Looking forward to it! Thanks!
