Secure, remote administration of a Windows computer

I was going to call this post “secure, remote administration of a Windows computer from within Windows” but that sounds a bit odd, unless you realise that the last two posts have been “secure, remote administration of a Linux computer from within Windows” and “secure, remote administration of a Mac OS X computer from within Windows“. Basically, after getting SSH tunneling to work for administering Mac OS X and Linux machines, I thought that it would make sense to apply the same principles to Windows.

John Fitzgibbon’s comparison of free SSH and SCP programs for Windows 9x, NT, ME, 2000 and XP explains the various SSH server options for Windows but one option he doesn’t mention is Tevfik Karagülle’s CopSSH, which I found on a list of free SSH implementations recommended by OpenSSH.

CopSSH bundles parts of OpenSSL, OpenSSH and Cygwin into a Windows installer. It’s straightforward to install, and includes a GUI to activate a user for SSH, including the generation of a public/private key pair (saved to %programfiles%\copSSH\username\username.key and %programfiles%\copSSH\username\username.key.pub). The private key needs to be imported into PuTTYgen, after which it can be saved in PuTTY’s .PPK format and used as previously described for Mac OS X and Linux. The only other point to note is that the sshd_config file is stored in %programfiles%\copSSH\etc and requires the same AllowTcpForwarding yes and PasswordAuthentication no settings as seen previously (the former permits the port forward; the latter ensures that only key-based logins are accepted).
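To check that a CopSSH sshd_config actually carries those two settings, here is an added Python example (not from the original post, and not part of CopSSH or OpenSSH) that reads the file the way OpenSSH does: keywords are case-insensitive, the first value given for a keyword wins, and anything after a Match line is conditional rather than global. The sample configuration is constructed for the example.

```python
import re

# Added example, not part of the original post or of CopSSH: audit the global
# section of an sshd_config for the two settings the post needs for key-only
# SSH tunnelling. Mirrors OpenSSH parsing: keywords are case-insensitive, the
# FIRST value given for a keyword wins, '#' starts a comment, and everything
# after a 'Match' line is conditional, so it is left out of the global check.
REQUIRED = {
    "allowtcpforwarding": "yes",     # needed for -L port forwards to work
    "passwordauthentication": "no",  # key-based logins only
}
# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"allowtcpforwarding": "yes", "passwordauthentication": "yes"}

def parse_global(config_text: str) -> dict[str, str]:
    """Return the effective global keyword -> value map (first occurrence wins)."""
    effective: dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)  # "Keyword value" or "Keyword=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break  # the rest of the file is conditional
        effective.setdefault(key, value)  # keep the first value only
    return effective

def audit(config_text: str) -> list[str]:
    """Return findings as strings; an empty list means the tunnel settings are OK."""
    effective = parse_global(config_text)
    findings: list[str] = []
    for key, wanted in REQUIRED.items():
        origin = "set" if key in effective else "default"
        actual = effective.get(key, DEFAULTS[key])
        if actual != wanted:
            findings.append(f"{key}: {origin} value '{actual}', expected '{wanted}'")
    return findings

# Constructed sample: forwarding is enabled, but the PasswordAuthentication
# line is commented out, so the insecure default (yes) still applies globally.
SAMPLE_CONFIG = """AllowTcpForwarding yes
#PasswordAuthentication no
Match User guest
    PasswordAuthentication no
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Because OpenSSH defaults PasswordAuthentication to yes, a commented-out line is reported as a failure rather than silently passing.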

To access the desktop via VNC, I installed UltraVNC Server on the target machine, noting that there are two settings which need to be configured for a successful connection through the SSH tunnel:

  • A password must be defined for VNC connections.
  • Loopback connections must be allowed (a tunnelled connection reaches the VNC server from 127.0.0.1, not from the client’s own address).

That’s fine for using an SSH tunnel to secure a VNC session, but why not tunnel remote desktop (RDP) connections to Windows servers instead of using VNC? In theory, all that should involve is changing the forwarded source port from 5900 (VNC) to 3389 (RDP) and setting the corresponding SSH port forwarding destination to localhost:3389 but Windows doesn’t like that, producing an error message as follows:

Remote Desktop Disconnected

The client could not connect. You are already connected to the console of this computer. A new console session cannot be established.

One suggested fix is to change the destination to another address in the loopback range (e.g. 127.0.0.2), but I found that this simply directed me to my own machine (as might be expected with a loopback address). For a while it looked as though the resolution would be related to a change made in Windows XP Service Pack 2, which prevents connections to loopback addresses other than 127.0.0.1; Microsoft Knowledge Base article 884020 includes a hotfix that alters this behaviour, but I don’t think it helped me much (I later removed the hotfix and didn’t notice any difference). Eventually I got things working by creating a new forwarded source port of 3390 with a destination of localhost:3389 for SSH port forwarding, after which I could connect using mstsc /v:loopback:3390.

It’s been an interesting few days getting acquainted with using SSH tunnels to securely connect to remote systems running a variety of operating systems – hopefully posting my experiences here will be useful to others.

8 Comments

  • Sunday 25 March 2007 - 11:40

    Or, you could also use the Bitvise Tunnelier SSH client, which is also free and has single-click Remote Desktop tunneling. :-) It even saves you from having to re-type the password when forwarding the Remote Desktop connection – I find that very useful.

  • Sunday 25 March 2007 - 14:08

    Hi Denis,
    I checked out the Bitvise site (as that’s what a recent client of mine uses for SSH connectivity) but although Tunnelier is free (for individual use), PuTTY is a well-respected SSH client. Also, the client may be free but the Bitvise WinSSHD SSH server is not – it’s not expensive either and I’m sure it’s a good product but, whilst I’ll happily pay for products when I need them, there are alternative SSH servers available for Windows that don’t have a price tag attached.

    Mark

  • Sunday 25 March 2007 - 23:04
  • iker höek
    Sunday 15 April 2007 - 10:50

    Well, for me the instructions given at http://theillustratednetwork.mvps.org/Ssh/RemoteDesktopSSH.html about setting up copssh and portaputty for remote desktop were very easy to follow, so I have it running flawlessly.
    I can use remote desktop to manage the remote network via mmc, command-line, scripts, etc. from within the remote desktop session. But since it’s bandwidth consuming, instead I would like to use just the command line from my computer. While forwarding mmc from it could be easy, the command-line doesn’t look like that. So my question is: is there an easy way to route the command-line to the remote computer over the ssh connection?

  • Sunday 15 April 2007 - 13:47

    Iker,
    The remote desktop protocol should be pretty lightweight if you reduce the number of colours and turn off things like desktop wallpaper – after all it was designed for terminal server (thin client) sessions.

    As you say, running MMC remotely is going to be problematic (it needs a graphical UI and there is no Windows equivalent of X11 forwarding that I’m aware of).

    From a command line perspective, I don’t have my Windows PC with CopSSH here to test but I think you would be limited to the shells that it offers and their associated commands; however, in theory it should be possible to use the standard Windows telnet server and client and to tunnel the telnet traffic through the SSH connection to access a native Windows (cmd) shell. I haven’t tried securing telnet in this way (obviously SSH was intended as a secure alternative to Telnet) and you may find that other SSH daemons for Windows may offer access to the standard Windows (cmd) shell in place of bash, csh, etc.

    HTH, Mark

  • Bill Dany
    Thursday 26 April 2007 - 9:46

    Take a look also at this solution for remote desktop management.

  • Thursday 26 April 2007 - 9:57

    Bill,
    I had a quick look at the Script Logic Desktop Authority site and whilst I can see that it offers a whole load of functionality, the whole point of this post was tunneling standard remote desktop tools through SSH in order to provide a secure method of access.

    I’m also naturally suspicious of products that offer a free trial but have no mention of the full retail price.

    Mark

  • Wolfgang Richter
    Saturday 9 February 2008 - 18:46

    Hello Mark, Iker

    if you log into another machine running CopSSH via PuTTY you can execute Windows programs from the bash shell. The PATH to the Windows directories is set. Type cmd and you get a Windows CMD-shell.

    The only drawback is: PuTTY doesn’t support cursor-based history control in the CMD-shell. It’s a pain to work in a shell without history.

    Maybe you can tweak the terminal-settings in PuTTY to get it to work.
    Any ideas how to accomplish this?

    Wolfgang
