1

Remote Desktop access disabled is 100% safe.

Is there a foolproof method to exclusively enable Remote Desktop access from a designated laptop to a workstation within my LAN? I understand that achieving absolute safety is challenging, but I aim to establish a configuration that allows access only from this specific device while prioritizing security to the fullest extent possible.

I aim to attain a security level that would prevent Remote Desktop access even in the case of another connection on the LAN with the same IP and MAC addresses as the exclusive laptop, plus the correct Username and Password.

Maybe authentication with pre-installed self-signed certificates approach?

  • I just have a LAN with 2 workstations, 3 laptops & some mobile devices. No AD, etc. I want Workstation-1 to accept RDP connections exclusively from Laptop-1 (without considering its IP and MAC addresses) and deny all others even before the stage of asking for Username and Password.

--

I found this link (not sure if it's relevant for my case):

Setup RDP to DC from jumphost/PAW only - with IPSec

It "focuses on the configuration of secure RDP (Remote Desktop Protocol) access for a jumphost/PAW (Privileged Access Workstation) to a DC (Domain Controller), such that the jumphost/PAW is the only computer which the DC will accept ingoing RDP connections from."

Amit
  • 260

1 Answer

3

Remote Desktop itself doesn't have built-in mechanisms for this, and the best security would be achieved through external means (i.e. not involving the RDP authentication process – not just because it has had security issues before).

IPsec packet encryption would be the closest thing for a Windows-native solution; you can configure it via wf.msc (in the same console that lets you configure basic IP-based firewall rules, which I suppose doesn't fit your criteria).

IPsec supports certificate authentication, though on Windows a self-signed certificate won't do – you'll need to create your own CA and then sign machine certificates with that, e.g. using "xca" or OpenVPN's "Easy-RSA" tools. The client machine certificate could be protected from extraction using the TPM that your laptop probably has.

(Note that you're not looking to set up an IPsec VPN – neither IKEv2 VPN nor L2TP/IPsec VPN – you're looking to set up host-to-host "transport mode" protection.)

The other option would be a third-party peer-to-peer VPN (WireGuard, OpenVPN, etc.) together with IP-based rules to limit connections to only the virtual VPN interface (the Windows Firewall "public/private" profiles might make this easy).

OpenVPN uses certificates with a CA and comes with tools for creating them. WireGuard does not use X.509 certificates (and therefore cannot make use of Windows' built-in TPM support), but it does use EdDSA keypairs in a similar way as SSH keys or self-signed certificates, and on Windows it tries to prevent anything except the WireGuard GUI from reading the stored configurations.

u1686_grawity
  • 452,512
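The answer points at wf.msc for the "Windows-native" route; the same host-to-host transport-mode policy can be scripted with the NetSecurity cmdlets. This is an added example, not the answerer's configuration. It assumes a private CA with the placeholder subject "CN=Home IPsec CA" (created with xca or Easy-RSA as the answer suggests) installed in the machine Trusted Root store on both machines, each machine holding its own machine certificate from that CA, and that this CA issues nothing else, so "chains to this CA" means "is Laptop-1 or Workstation-1".

```powershell
# Added example: require certificate-authenticated IPsec (transport mode) for
# inbound RDP on Workstation-1. Run in an elevated PowerShell on the RDP host.
# Assumed: private CA "CN=Home IPsec CA" (placeholder) trusted on both machines,
# and a machine certificate issued by it in LocalMachine\My on each machine.

$caDn = "CN=Home IPsec CA"   # placeholder: subject DN of your private CA

# 1. Phase-1 (IKE) authentication: machine certificate chaining to our CA only.
#    No pre-shared key and no Kerberos, since there is no AD in this LAN.
$proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $caDn -AuthorityType Root
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName "RDP cert-only auth" -Proposal $proposal

# 2. Connection security rule: inbound TCP/3389 MUST arrive inside IPsec
#    negotiated with the set above. Unprotected SYNs to 3389 are dropped before
#    the RDP service (and its username/password prompt) ever sees them.
New-NetIPsecRule -DisplayName "RDP requires IPsec (cert)" `
    -Mode Transport -Protocol TCP -LocalPort 3389 -RemotePort Any `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -Profile Any

# 3. Firewall rule: allow 3389 only on IPsec-authenticated connections.
#    The stock "Remote Desktop" allow rules are disabled first so they cannot
#    admit plaintext RDP alongside the stricter rule.
Get-NetFirewallRule -DisplayGroup "Remote Desktop" -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName "RDP (IPsec-authenticated peers only)" `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow `
    -Authentication Required -Profile Any

# 4. Show the resulting policy so it can be checked against wf.msc.
Get-NetIPsecRule -DisplayName "RDP requires IPsec (cert)" |
    Format-List DisplayName, Mode, InboundSecurity, OutboundSecurity, Phase1AuthSet
```

Laptop-1 needs the mirror image of step 2 (same auth set, `-OutboundSecurity Require` toward Workstation-1's port 3389) so that it actually initiates IPsec rather than sending plaintext that the host will now silently drop. Windows Firewall permits the IKE/ESP traffic itself by default; if it has been restricted, UDP/500 and ESP must be allowed between the two machines.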
  • Connecting the host and the client to the same VPN configuration through certificate authentication seems like the simplest approach. This effectively prevents anyone from accessing the host unless also connected to the VPN, which, unless a critical vulnerability is discovered in the encryption, makes it virtually impossible to access without the certificate. – Ramhound Nov 15 '23 at 12:19
  • I have sympathy for a "Windows-native" solution: "Create your own CA and then sign machine certificates with that". What are the steps I have to take? Is there a manual for that? (My knowledge in that territory is very basic.) – Amit Nov 15 '23 at 12:52
  • "Create a CA" is basically "create a self-signed certificate" except it has the 'CA: true' flag in it. Use something like xca or easy-rsa if this is a personal system – or the Active Directory Certificate Services role in Windows Server if you have AD. – u1686_grawity Nov 15 '23 at 13:06
  • There's a HowTo, easy step-by-step: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/securing-rdp-with-ipsec/ba-p/259108 – Bernd Schwanenmeister Nov 16 '23 at 14:40
  • @BerndSchwanenmeister, your link is a good lead. There is a talk about "Privileged Administrative Workstations" (PAW). There is a talk about "Authentication Method". I didn't understand what makes my laptop a PAW with exclusive access credentials regardless of its IP, MAC address and the correct Password. I thought this should be involved with a unique certificate. Can you explain that? – Amit Nov 17 '23 at 17:06
  • @Amit: In the linked howto, all involved systems are part of an Active Directory domain, so the authentication is done using Kerberos (as every machine and every user has a Kerberos identity, which in AD also carries domain group membership). If the machines were non-AD, they'd need certificates, and the "Remote Users" tab wouldn't work. – u1686_grawity Nov 17 '23 at 17:58
  • @u1686_grawity, do I put these machines at risk when I add my CA to the Windows Certificate Store? For example, if someone hostile extracts my CA and copies it? – Amit Nov 20 '23 at 00:54
  • Yes, but the CA certificate that you install to client machines can't do much by itself (it's trivial to extract but it's the public half of it anyway) – it's the CA private key (which never goes to any client) that must be closely safeguarded. Preferably keep it "offline" i.e. store it on a USB stick (two for backup) and only connect it to a known clean system when you need to issue certificates. – u1686_grawity Nov 20 '23 at 06:00
  • The connection security rules allow using Kerberos or certificates. Try it out like in the howto, and when you arrive at the Kerberos part, go to advanced and select your certificates. – Bernd Schwanenmeister Nov 20 '23 at 20:57
  • @u1686_grawity, I tried to create the certificates with XCA but I'm not sure about the results. The description is here: https://superuser.com/questions/1817865/how-to-create-ca-2-certificates-with-xca-for-host-to-host-ipsec-authenticati – Amit Nov 24 '23 at 00:26