Remote Desktop for Multi Users - Part 2

 

In part one we looked at setting up a Remote Desktop PC with multi-user access on a local area network (LAN). If you have not read part one, click here.

Now that we have a working Remote Desktop PC, you might want to place it on the Internet. With the Remote Desktop PC facing the Internet you will be able to access it from any Internet connected location.

 

However, running a public facing PC on the Internet is a security risk. Your poor old Remote Desktop PC will be ruthlessly attacked by hackers and bots dead set on gaining access.

The safest option is to run a virtual private network (VPN). A VPN creates an encrypted tunnel through the Internet between your LAN and a remote PC accessing it. You can think of it like a PC that can join your LAN from a remote location through a safe passageway. The remote PC can access your Remote Desktop PC the same way as any other PC on your LAN, as covered in part 1.

If you do not want to spend the time and effort to install and maintain a VPN, there is a simpler option.

 

Securing Your Remote Desktop PC

EvlWatcher is an open-source project that offers security for your Internet-facing Remote Desktop PC. EvlWatcher will IP-ban offending PCs that make unsuccessful login attempts. It does this by adding a block for the offending IP address to your Remote Desktop PC's firewall after multiple failed logins.

 

Download EvlWatcher here to your Remote Desktop PC and install it.

You can follow the EvlWatcher installation instructions and learn more about EvlWatcher at their GitHub website.
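The ban-after-repeated-failures behaviour described above, sketched as an added example (not EvlWatcher's own code): it counts failed-logon events (Windows Security event ID 4625) per source address in a sliding window and renders a firewall block rule for each offender. The threshold, window, allow-list and event records are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: (timestamp, Windows Security event ID, source IP).
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    ("2024-05-01 10:00:00", 4625, "203.0.113.7"),
    ("2024-05-01 10:00:05", 4625, "203.0.113.7"),
    ("2024-05-01 10:00:09", 4625, "198.51.100.20"),  # one mistyped password
    ("2024-05-01 10:00:11", 4625, "203.0.113.7"),
    ("2024-05-01 10:00:12", 4624, "198.51.100.20"),  # then a successful logon
    ("2024-05-01 10:00:15", 4625, "203.0.113.7"),
    ("2024-05-01 10:00:18", 4625, "203.0.113.7"),    # 5th failure in 18 seconds
    ("2024-05-01 10:10:00", 4625, "192.0.2.44"),
    ("2024-05-01 10:45:00", 4625, "192.0.2.44"),     # slow retries, outside window
    ("2024-05-01 10:46:00", 4625, "192.168.0.22"),   # LAN address, allow-listed
]

FAILED_LOGON = 4625
MAX_FAILURES = 5               # assumed threshold
WINDOW = timedelta(minutes=2)  # assumed sliding window
ALLOW_LIST = {"192.168.0.22"}  # assumed: addresses that are never banned

def find_offenders(events, max_failures=MAX_FAILURES, window=WINDOW, allow=ALLOW_LIST):
    """Return {ip: time the threshold was crossed} for addresses to block."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = {}
    for stamp, event_id, ip in events:
        if event_id != FAILED_LOGON or ip in allow or ip in banned:
            continue
        now = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        failures = recent[ip]
        failures.append(now)
        while now - failures[0] > window:  # drop failures older than the window
            failures.popleft()
        if len(failures) >= max_failures:
            banned[ip] = now
    return banned

def firewall_commands(banned):
    """Render a Windows Firewall inbound block rule per offender (not executed)."""
    return [f'netsh advfirewall firewall add rule name="RDP ban {ip}" '
            f'dir=in action=block remoteip={ip}' for ip in sorted(banned)]

if __name__ == "__main__":
    for command in firewall_commands(find_offenders(SAMPLE_EVENTS)):
        print(command)
```

The allow-list matters in practice: without it, a few mistyped passwords from your own LAN or a trusted remote address would lock you out.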

 

The next issue to consider is the Windows user passwords on the Remote Desktop PC. Make sure all passwords are complex (password123 will not cut it!). Update any weak user passwords on your Remote Desktop PC.

 

Ethernet, Static IP Address, Fixed DHCP

It is recommended that your Remote Desktop PC is connected to your Internet router via an Ethernet cable. Ethernet is a better connectivity option and more reliable than wifi. Also you will want to configure the Remote Desktop PC with a static IP address or a fixed DHCP address from your Internet router.

 

Your Internet Router's IP Address

Use your favorite web browser to log into your Internet router. Before you can log into your router you will need to find out what the router's IP address is. At the same time we can also find out what IP range your network is on.
Open a Command Prompt window on your Remote Desktop PC.

 

fig 1. Openshell
fig 2. Windows 10 search

 

In the Command Prompt window enter: ipconfig <enter>


fig 3. IP address configuration

 

Look for "Ethernet Adapter #:", IPv4 Address and Default Gateway.

  • IPv4 Address. . . .: is the IP address of your Remote Desktop PC
  • Default Gateway. . . .: is the IP address of your Internet router

 

If your Default Gateway and IPv4 Address are say, for example, 192.168.0.1 and 192.168.0.22 and your Subnet Mask is 255.255.255.0, your network's IP range is from 192.168.0.1 to 192.168.0.254.

 

Open your web browser and point it to your Internet router.
example:  http://192.168.0.1

 

There will be a username and password required to access the Internet router. Once logged in navigate to the router's LAN set-up. Here you will be able to reserve an IP address for your Remote Desktop PC. Consult your router's documentation or search the Internet for your router's user guide. Typically you choose a PC that is currently connected to your router from a list and then assign a fixed IP address to it, say for example 192.168.0.254.

 

Port Forwarding

Next we need to get your Remote Desktop PC facing the Internet. In your router we need to port forward incoming requests from the Internet to your Remote Desktop PC. Again you will need to consult your router's documentation for these instructions.

 

The port number for Remote Desktop Protocol (RDP) is: 3389

 

Here is a Lifewire article that describes how to set-up port forwarding on a TP-Link router. For extra security you can change the Service Port number to something other than 3389 but the Internal Port number must be set to 3389.

If the Service Port number is changed to something other than 3389 you will need to add a comma separated port number after the public IP address that is entered in your Remote Desktop Connection utility (see fig. 6). With this change the router passes the incoming request from the new Service Port number onto Internal Port number 3389. However, this may not help you security wise if your public IP address is port scanned to discover which ports are open.

You can change the listening port number on the Remote Desktop PC and the Internal Port number on the router to match, but that is beyond the scope of this article. For now just keep the Service and Internal port numbers at 3389. Afterwards, when all is working well, you can make changes to enhance security.

 

Public IP address

Our final requirement is to discover what your public IP address is. This is the IP address your Internet Service Provider (ISP) assigns to your router. It is the router's IP address that is seen on the Internet, not the IP address that is seen on your LAN.

 

To find out what your public IP address is, do a Google Search for: What is my IP address

Or click here.


fig 4. Google search for your public IP address

 

This is the address that is needed to log into your Remote Desktop PC from the Internet. You will need to test this from another network that has Internet access, either at another location or via an Internet-connected mobile device, such as a mobile phone or a tablet, that is not connected to the same network as your Remote Desktop PC.

From a remote location launch the Remote Desktop Connection utility, enter your public IP address and select Connect.

                          
fig 5. Connect to your remote desktop PC from the Internet
fig 6. If you changed your incoming Source Port number

 

If all goes well your remote desktop PC login screen will appear. You will need to login using your Remote Desktop username and password.

 

Dynamic DNS Service

Most ISPs allocate IP addresses dynamically to their Internet subscribers. This is a pool of IP addresses that are doled out to subscribers in a dynamic fashion. This means that over time, or if you power cycle your router, your public IP address will change.

 

To help keep your public IP address consistent, you can either request a static IP address from your ISP or subscribe to a Dynamic Domain Name service (DDNS).

 

FreeDNS is a free DDNS service.

DDNS works by using a hostname instead of an IP address. The hostname resolves to whatever your current public IP address is. In other words, your hostname remains constant while your public IP address changes.

 

Now you have a fully accessible Remote Desktop PC that can support multiple user logins. Keep an eye on EvlWatcher to see how many banned IP addresses you rack up.