Secure, remote administration of a Windows computer
I was going to call this post “secure, remote administration of a Windows computer from within Windows” but that sounds a bit odd, unless you realise that the last two posts have been “secure, remote administration of a Linux computer from within Windows” and “secure, remote administration of a Mac OS X computer from within Windows“. Basically, after getting SSH tunneling to work for administering Mac OS X and Linux machines, I thought that it would make sense to apply the same principles to Windows.
John Fitzgibbon’s comparison of free SSH and SCP programs for Windows 9x, NT, ME, 2000 and XP explains the various SSH server options for Windows but one option he doesn’t mention is Tevfik KaragÃ¼lle’s CopSSH, which I found on a list of free SSH implementations recommended by OpenSSH.
CopSSH bundles parts of OpenSSL, OpenSSH and Cygwin into a Windows installer. It’s straightforward to install, and includes a GUI interface to activate a user for SSH, including the generation of a public/private key pair (saved to %programfiles%\copSSH\username\username.key and %programfiles%\copSSH\username\username.key.pub). The private key needs to be imported into PuTTYgen after which it can be saved in PuTTY’s .PPK format and used as previously described for Mac OS X and Linux. The only other point to note is that the sshd_config file is stored in %programfiles%\copSSH\etc and requires the same
AllowTcpForwarding yes and
PasswordAuthentication no settings as seen previously.
To access the desktop via VNC, I installed UltraVNC Server on the target machine noting there are two settings that need to be configured for a successful connection through the SSH tunnel:
- A password must be defined for VNC connections.
- Loopback connections must be allowed.
That’s fine for using an SSH tunnel to secure a VNC session, but why not tunnel remote desktop (RDP) connections to Windows servers instead of using VNC? In theory, all that should involve is changing the forwarded source port from
5900 (VNC) to
3389 (RDP) and setting the corresponding SSH port forwarding destination to
localhost:3389 but Windows doesn’t like that, producing an error message as follows:
Remote Desktop Disconnected
The client could not connect. You are already connected to the console of this computer. A new console session cannot be established.
One suggested fix is to change the destination to use another address from the loopback range (e.g. 127.0.0.2) but I found this just directed me to my own machine (as might be expected with a loopback). For a while, it looked as though the resolution would be related to a change made in Windows XP service pack 2, which prevents connections to loopback addresses other than 127.0.0.1, and Microsoft knowledge base article 884020 includes a hotfix that alters this behaviour but I don’t think it helped me much (I later removed the hotfix and didn’t notice any differences). Eventually I got things working by creating a new forwarded source port of
3390 and destination of
localhost:3389 for SSH port forwarding, after which I could connect using
It’s been an interesting few days getting acquainted with using SSH tunnels to securely connect to remote systems running a variety of operating systems – hopefully posting my experiences here will be useful to others.