Windows RDP over Stunnel
Windows 7 ships with a set of powerful tools, but Microsoft did not always take them all the way. One of them is "Remote Desktop". It speaks the RD Protocol, whose legacy security layer encrypts the session but does not authenticate the server, so it can be intercepted1. That leaves us with a problem, because we always want to send our credentials over a properly secured and authenticated connection.
1. Activating “Remote Desktop”
Start >> Right click on “Computer” >> Properties
On the left side, choose “Remote Settings”.
We choose the "less secure" method because we need support for Linux clients, and in any case we are going to use 'stunnel' to encrypt the traffic and authenticate the clients. Don't be alarmed by the warning Windows shows about allowing these connections. Whether or not you see it, you must restrict direct access to Remote Desktop to the local machine only: nobody should be able to connect to RDP directly, only through 'stunnel'.
Tick "Allow connections from computers running any version of Remote Desktop (less secure)".
2. Selecting the Users Who Are Allowed to Connect.
If you wish to limit the users who are allowed to connect, you do so from the "Select users…" button. Remember that you cannot have concurrent user sessions unless you decide to hack your system. I haven't tried it; do so at your own risk.
3. Setting the Tunnel, Stunnel.
Get Stunnel. After you have installed it, configure its main file, stunnel.conf. You need stunnel to listen on port '3388' (or any other port that is free on your system) and to forward (connect) to '127.0.0.2' port '3389'. Note the address: Windows RDP refuses connections that arrive from '127.0.0.1', but it accepts them from other loopback addresses such as '127.0.0.2'. Here is my Windows Remote Desktop (Server) configuration file:
compression = rle
debug = 0
engine = auto
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[Local-VNC]
accept = 3388
cert = stunnel.pem
cafile = stunnel.pem
verify = 2
connect = 127.0.0.2:3389
client = no
And my Linux Remote Desktop (Client) configuration file:
compression = rle
debug = 0
pid = /var/run/stunnel4/stunnel4.pid
engine = auto
foreground = no
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[Desktop-VNC]
accept = 127.0.0.1:3389
cert = /etc/stunnel/stunnel.pem
cafile = /etc/stunnel/stunnel.pem
verify = 2
connect = IP_TO_DESKTOP_MACHINE:3388
client = yes
If you have problems, raise 'debug' ('0' is no debugging, '7' is maximum debugging) and set 'foreground' to 'yes' to see the output. Make sure you are using the same PEM file on both Windows and Linux: with 'verify = 2' each side checks the peer's certificate against the 'cafile', and since the file is its own CA, only a peer holding that exact key and certificate can connect in either direction. Copy the file over a trusted channel and compare its fingerprint on both machines before you rely on it. Also, on the client side, make sure you connect to 'localhost:3389'; from there the connection is tunneled to your Remote Desktop server.
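The following script is an added example and not part of the original post. It does the client-side preparation the steps above describe: it generates the single PEM (RSA key plus self-signed certificate) that both ends share, prints its SHA-256 fingerprint so you can compare it on the Windows box after copying the file by hand, writes the two stunnel configuration files with the values from this post, and, once the Windows side is running, fetches the certificate the far end presents on port 3388 and checks that it is the expected one before you point rdesktop at localhost. It assumes openssl and stunnel4 are installed on the Linux box; the Windows host address, the output paths and the function names are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): prepare the shared stunnel.pem,
# write both stunnel.conf files, and verify the tunnel endpoint's certificate.
# Assumptions: openssl is installed; stunnel4 is installed on the Linux client;
# the Windows machine runs the server config from the post and listens on 3388.
set -eu

# One PEM holding the private key followed by its self-signed certificate.
# The post's configs use this same file as both 'cert' and 'cafile' on each side.
make_stunnel_pem() {
    out=$1
    cn=${2:-rdp-stunnel}
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$cn" -keyout "$out" -out "$out.crt" 2>/dev/null
    cat "$out.crt" >> "$out"   # append the certificate after the key
    rm -f "$out.crt"
    chmod 600 "$out"           # the file contains a private key
}

# True if the PEM carries both a private key and a certificate.
pem_has_key_and_cert() {
    grep -q 'BEGIN .*PRIVATE KEY' "$1" && grep -q 'BEGIN CERTIFICATE' "$1"
}

# SHA-256 fingerprint of the certificate: compare this value on both machines.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Server-side config (copy to the Windows box next to stunnel.pem).
# 127.0.0.2 is used because Windows RDP rejects connections from 127.0.0.1.
write_server_conf() {
    out=$1
    cat > "$out" <<'EOF'
debug = 0
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[Local-VNC]
accept = 3388
cert = stunnel.pem
cafile = stunnel.pem
verify = 2
connect = 127.0.0.2:3389
client = no
EOF
}

# Client-side config: local 3389 -> TLS -> $desktop:3388.
write_client_conf() {
    pem=$1; desktop=$2; out=$3
    cat > "$out" <<EOF
debug = 0
foreground = no
pid = /var/run/stunnel4/stunnel4.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[Desktop-VNC]
accept = 127.0.0.1:3389
cert = $pem
cafile = $pem
verify = 2
connect = $desktop:3388
client = yes
EOF
}

# Connect to the far end with our PEM as client certificate (verify = 2 is
# mutual, so a bare s_client would be refused) and compare the presented
# certificate's fingerprint with the local file. Fails on any mismatch.
check_tunnel_cert() {
    pem=$1; desktop=$2
    expected=$(pem_fingerprint "$pem")
    got=$(openssl s_client -connect "$desktop:3388" -cert "$pem" -key "$pem" \
              </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256 \
              | cut -d= -f2)
    [ -n "$got" ] && [ "$got" = "$expected" ]
}

main() {
    desktop=$1                                   # e.g. 192.0.2.10 (assumed)
    dir=${2:-/etc/stunnel}
    [ -f "$dir/stunnel.pem" ] || make_stunnel_pem "$dir/stunnel.pem"
    write_server_conf "$dir/windows-stunnel.conf"
    write_client_conf "$dir/stunnel.pem" "$desktop" "$dir/stunnel.conf"
    echo "copy $dir/stunnel.pem and windows-stunnel.conf to the Windows box"
    echo "expected fingerprint: $(pem_fingerprint "$dir/stunnel.pem")"
    if check_tunnel_cert "$dir/stunnel.pem" "$desktop"; then
        echo "tunnel endpoint presents the expected certificate"
        echo "now run: stunnel4 $dir/stunnel.conf && rdesktop 127.0.0.1:3389"
    else
        echo "certificate mismatch or no listener on $desktop:3388" >&2
        return 1
    fi
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it once as `sh rdp-tunnel.sh IP_TO_DESKTOP_MACHINE` after the Windows side is up. The fingerprint check matters because the PEM is copied by hand: if the file on the Windows box is not byte-for-byte the one generated here, stunnel's 'verify = 2' will reject the handshake on one side or the other, and this check tells you that before you start debugging RDP itself.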
4. Firewalling, RDP and Stunnel
-TODO-
Currently I find it out of the scope of this article, but you will need to make sure that TCP port '3389' (RDP) accepts connections only from the loopback range ('127.0.0.0/8'), so that the only way in is through the tunnel, while TCP port '3388' (stunnel) is reachable from the networks you connect from. Without that restriction the tunnel protects nothing, since anyone on the network can still talk to RDP directly.
1 As of RDP version 6 the encryption is no longer prone to MITM attacks, but it limits you to clients that support it. For more information and a how-to, you can visit this site.