Hi this is Jerry Boutot.

The purpose of this tutorial is to show you how to configure Remote Desktop to securely access your home PC from any remote location.
I'm going to show you how to first set up the port forwarding for RDP on the router, followed by how to secure and encrypt the connection using recommended Microsoft settings for securing Remote Desktop. For this tutorial, I'm using two Windows 10 Professional Edition desktops installed in VMware Workstation as virtual machines. Note that Windows 10 Home cannot host Remote Desktop connections (it can only act as a client), so the PC you connect to needs the Pro edition or better. The process I'm going to show you will be identical to what you will do on your own PC and router, with the exception that my IP address and your IP address are most likely different. There's also a pretty good chance we don't have the same router, so take what you learn here and apply it on your own router in your own environment.
This Windows 10 virtual machine is going to be the TARGET PC. This PC represents your home computer, or any computer inside a network that you own and control. This is the PC you will connect to remotely.

This Windows 10 virtual machine is the EXTERNAL or REMOTE PC. This represents your work PC, your laptop, a friend's PC, a hotel, library, cruise ship... any PC that is not in the network with the TARGET PC. For the sake of this tutorial, we'll call it your "work" PC.
The first thing to do is to find out the external, or public-facing, IP address of the router. We DO NOT want the IP address of the PC inside your network. You want the IP address that would reach your router from somewhere outside your network. To do this, open your browser, go to Google and type in "What is my IP Address", and Google will tell you what your public-facing IP address is. You'll want to write that down because you'll need it later.

Now, unless you have a fixed IP address from your ISP, that IP address can change. In particular, it can change when you reboot your cable modem. It doesn't happen very often, but it's a good idea to check it every now and then after you set this up, because when you're at work and you go to connect to your home PC, if the public IP address at home changed, it's not going to work. If you don't want to constantly have to check your IP address, you may want to check out DYNDNS.org or NOIP.com. Those services offer Dynamic DNS, or DDNS, which automatically keeps track of your IP address for you. Your router may also have its own free service; Netgear, for example, has the Netgear DDNS service. Dynamic DNS is outside the scope of this video. Just know that if you own and control your own router then it's likely available to you should you want to use it.

For simplicity, this tutorial instructs you to change your PC's IP address to a fixed address using the Network Adapter settings. While this can also be done on the router (as a DHCP reservation for the PC's MAC address), that's outside the scope of this video. If you have a fixed IP address on your PC already, you can skip over the sections of the video that show you how to set it.
So the first thing to do is enable Remote Access on each PC that you want to access from outside your home or office. Right-click on the Computer icon on your desktop and select Properties. Alternatively, you can open the System applet in the Control Panel and click "System" to get to the System Properties of your PC. On the left side, click Remote Settings.

In the Remote Settings dialog, ignore the Allow Remote Assistance setting. It doesn't matter if it's checked or not. Select "Allow remote connections to this computer" and make sure "Allow connections only from computers running Remote Desktop with Network Level Authentication" is checked. Network Level Authentication makes the client prove its credentials before the Target PC creates a session, so an unauthenticated connection never gets as far as the Windows logon screen. You can click Select Users and specify only the users that are allowed to access the PC from outside your network. Your own user account already has access. Click OK two times to enable remote access.

Now you will allow Remote Desktop through the firewall. Open the Control Panel, go to Windows Firewall and click "Allow an app or feature through Windows Firewall". Click on the Change Settings button to enable changes here. Scroll the list to find Remote Desktop. Check it if it is not checked already. Enable the Private checkbox but do not enable the Public checkbox. Click OK.
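The Remote Settings and firewall steps above can be done from an elevated PowerShell prompt on the Target PC instead of the dialogs, which is handy if you want to script the setup or just verify what the dialogs changed. This is an added example, not part of the original tutorial; the registry values and cmdlets are standard Windows 10 and nothing in it is specific to the author's machines.

```powershell
# Added example (not from the original tutorial): enable Remote Desktop,
# require Network Level Authentication and open the built-in firewall rules
# on the Private/Domain profiles only. Run from an elevated PowerShell prompt
# on the TARGET PC.

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. "Allow remote connections to this computer" (System Properties checkbox).
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord

# 2. "Allow connections only from computers running Remote Desktop with
#    Network Level Authentication": the UserAuthentication value on the listener.
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord

# 3. Enable the built-in "Remote Desktop" rule group, but never on the Public
#    profile (the same as leaving the Public checkbox unchecked in the dialog).
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Profile Domain, Private

# 4. Read everything back so the change is verified rather than assumed.
#    The listener on 3389 can take a few seconds to appear after step 1.
function Get-RdpEnableState {
    [pscustomobject]@{
        RdpEnabled       = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
        NlaRequired      = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1
        ListeningOn3389  = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
        FirewallProfiles = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                            Where-Object Enabled -eq 'True' |
                            Select-Object -ExpandProperty Profile -Unique) -join ', '
    }
}

Get-RdpEnableState
```

If FirewallProfiles comes back containing "Public", some other tool has opened the rule group on the Public profile and you should fix that before forwarding any port.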
Now we want to make sure we have a fixed IP address on the PC. Open the Control Panel, then Network and Sharing Center. Click on Change Adapter Settings. Click the Local Area Connection, or whatever your adapter is. You may have a wireless adapter only, or a wired Ethernet adapter, or both. The main thing is to pick the one that your PC is likely to be connected to when you're away.

We're going to document the IP address, the DNS servers and the default gateway that the network adapter currently holds from its dynamically assigned lease. Right-click the Local Area Connection and click Status. Click Details. This dialog has all the information we need. The IPv4 address is assigned by my router. I'm going to keep this IP address and set it as a fixed IP address. Write down the IP address you see here so you can enter it manually in the next step. Of course, if you're familiar with your router and feel comfortable finding a different IP address that is unused on your network, then by all means use whichever IP address you want to use; an address outside the router's DHCP pool is the safest choice, because the router can never hand it to another device while your PC is off. Go ahead and write down the default gateway IP address and the primary and secondary DNS server IP addresses. Once you've written down the IPv4 address, the default gateway and the primary and secondary DNS server IP addresses, click Close only once so we return to the Local Area Connection Status dialog.
Click the Properties button to open the properties of the connection. Click on the Internet Protocol Version 4 item and click the Properties button. In the Properties dialog that opens, select the "Use the following IP address" radio button. I'm going to use the IP address that I wrote down in the prior step. You should not use this IP address unless it happens to be the same IP address that you wrote down from your own system. In the IP Address field, set up your fixed IP address. The one I'm going to use is the one I wrote down earlier: 192.168.1.8. Accept the default subnet mask of 255.255.255.0 and enter the default gateway that you wrote down in a previous step. Next you'll enter the DNS servers that you wrote down in the previous step. My system uses the router's IP address as the DNS server, so I'll use 192.168.1.1. Your DNS server addresses may be different, but you should have written them down already. Type in what you wrote down, click OK, click Close, and click Close again. Your IP address should now be changed to a fixed IP address. Right-click on the Local Area Connection, click Status, and click Details to confirm the IP address.

Now it's time to open your router configuration. Open your browser and type http:// followed by the default gateway address that you used in your IPv4 configuration. For example, since my default gateway is 192.168.1.1, I will use http://192.168.1.1 and hit Enter on the keyboard, which opens my router login screen. On a side note, since you're working through this tutorial I'm going to assume that you know how to open your router configuration. If you don't, then you may not want to continue with this tutorial. However, if you do know how to get into your router configuration, I strongly urge you to change the password from the default router password if you haven't done so already. Now every router is different, so yours will not look like this unless you have the same router. In this particular router, the setting I need is under Advanced Setup --> Port Forwarding / Port Triggering. On another router that I own it's under the Gateway settings. The thing to look for is Port Forwarding. On this router it says Port Forwarding. On my other router it says Single Port Forwarding. The main thing is that all routers should have a setting for port forwarding and you'll have to find it.

Once you have the port forwarding settings open, create a new setting for RDP. In some routers you can name it, so name it RDA for Remote Desktop Access, or whatever you want to. Type in the external port you want to use. In this example I'm using 12345. Type in the internal port you want to use. In this example, and at this point in the tutorial, we'll just type in 3389, which is the default RDP port. I'm basically hiding the default RDP port of 3389 and forwarding port 12345 to port 3389, so that bots on the Internet can't just try to get to your PC on the well-known port 3389. Be clear about what this buys you: it cuts down the automated password-guessing noise aimed at 3389, but a port scan of your public address will still find the listener in seconds, so the real protection is the strong password, Network Level Authentication and TLS settings later in this tutorial. In this case we're opening port 12345 to the general Internet and the router will translate it to port 3389. Next you will put in the IP address of the Target PC that you want to reach from outside your network. In my case it's 192.168.1.8. You will want to use your own IP address here. To summarize, I'm programming the router to forward port 12345 requests to port 3389 of the PC at IP address 192.168.1.8. Save or Apply the setting.

Next we're going to try to connect to the Target machine from this Windows 10 Remote PC. We'll be connecting through the Internet to the Target PC, using the proper IP address and port to do this. On the Remote PC I'll open Remote Desktop Connection and enter the public-facing IP address that we wrote down earlier, followed by a colon ":" and then the port. This is very important: to access the Target PC you must use the external public-facing IP address, not the IP address of the PC itself. You're going out to the Internet from one PC, then coming back into your network requesting that port we set up for the Target PC previously. Click Connect. Enter the username and password for the PC you are connecting to. You will be prompted about the remote PC's identity, because the Target PC uses a self-signed certificate that your Remote PC has no way to verify on its own. Rather than simply ignoring it, click "View certificate" and compare the thumbprint with the certificate in the "Remote Desktop" store under Local Computer on the Target PC (certlm.msc); if they match, you are talking to your own PC and not to something in between, and you can tick "Don't ask me again for connections to this computer" so the client remembers it. Click Yes and in a few seconds the desktop for the Target PC will appear. In the real world, you won't be using two virtual machines to do this. You will likely set up only one PC for Remote Access at home and you'll access it from work. Click on the X at the right side of the Remote Desktop bar at the top of the screen to close the remote session. Click OK if presented with a Disconnect dialog.

Now let's secure this connection between the Remote PC and the Target PC, because it's very dangerous to open ports on your router without securing the connection and the data. RDP does encrypt the session by default, but the settings below make the Target PC refuse anything weaker than the TLS security layer, high encryption and Network Level Authentication, so a client can't negotiate its way down to the legacy RDP security layer. So let's get back to the Target PC and do some more configuration.
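The IPv4 Properties steps above (read the current lease, then pin the same address, gateway and DNS servers as a static configuration and confirm it) can be done as one PowerShell script, which avoids the write-it-down-and-retype-it step where typos creep in. This is an added example and not part of the original tutorial. The adapter alias 'Ethernet' is an assumption; run Get-NetAdapter to find yours. Run it at the Target PC's own console, not over an RDP session, since the address flips while it runs.

```powershell
# Added example (not from the original tutorial): convert the Target PC's
# current DHCP lease into a fixed IPv4 address. Run from an elevated
# PowerShell prompt at the console. 'Ethernet' is an assumed adapter alias.

$Alias = 'Ethernet'

# Capture the current lease before touching anything.
$cfg     = Get-NetIPConfiguration -InterfaceAlias $Alias
$addr    = $cfg.IPv4Address | Select-Object -First 1
$ip      = $addr.IPAddress
$prefix  = $addr.PrefixLength              # 24 is the same as 255.255.255.0
$gateway = $cfg.IPv4DefaultGateway.NextHop
$dns     = (Get-DnsClientServerAddress -InterfaceAlias $Alias -AddressFamily IPv4).ServerAddresses

Write-Host "Pinning $ip/$prefix gateway=$gateway dns=$($dns -join ',') on '$Alias'"

# Turn DHCP off, clear whatever address and default route are left on the
# interface, then re-apply the same values statically. New-NetIPAddress
# refuses to add a default gateway while an old default route still exists,
# which is why the route is removed first.
Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Alias -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $Alias -IPAddress $ip -PrefixLength $prefix -DefaultGateway $gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $dns

# Confirm, the same way the tutorial re-opens Status > Details.
function Test-StaticIPv4 {
    param([string]$InterfaceAlias)
    $iface = Get-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
    $a     = Get-NetIPAddress   -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
    [pscustomobject]@{
        Dhcp         = $iface.Dhcp          # should read 'Disabled'
        Address      = $a.IPAddress
        PrefixOrigin = $a.PrefixOrigin      # 'Manual' once the address is static
        Gateway      = (Get-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0').NextHop
        DnsServers   = (Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses -join ','
    }
}

Test-StaticIPv4 -InterfaceAlias $Alias
```

Pinning the leased address is exactly what the dialog walkthrough does, and it carries the same caveat: the router still thinks that address belongs to its DHCP pool, so a DHCP reservation on the router, or an address outside the pool, is the more robust choice if your router offers it.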
Since we logged into this Target PC remotely, we'll have to log back in. Once logged back in, minimize the browser window that's showing the router's port forwarding settings for now. At this point, the Target PC is already set up to be connected to with Remote Desktop, but we're now going to configure more settings for maximum security.

The first thing to do is to make sure that any user account that you're going to use to log on to the Target PC has a strong password. It should have 8 or more characters; 12 or more is recommended, with numbers, lower-case letters, upper-case letters and special characters. If the password for the user account you will use to log in to the Target PC is not strong, or is easy to guess, you'll want to go change it now before going any further. Remember that once the port is forwarded, that password is the only thing standing between a password-guessing bot and your desktop, so it is also worth setting an Account Lockout Policy (under Account Policies in the Local Security Policy console you are about to open) so that guesses are throttled.

So now let's open Local Security Policy. On the keyboard, use the Windows key and the letter R to open the Run dialog. Type secpol.msc and hit OK to open the local security policy. If you get a message about Administrative Templates, ignore it and click OK. Expand Local Policies, click on User Rights Assignment and then find "Allow log on through Remote Desktop Services". Double-click it. It's really a good recommendation to remove both of the groups, Administrators and Remote Desktop Users, for security reasons. The reason we remove those groups is that, for example, you could set up an Admin account on your PC with a weak password and forget that you did, and now you'd be exposed. Your PC would be open to anybody from outside who knows your IP address. If you have a weak password on an Admin user account, then there's a chance that with enough effort a hacker might be able to get in. So in this dialog, we're only going to keep the user or group that you want to allow to reach the Target PC with Remote Desktop, and that user or users must have strong passwords. Click Add User or Group and add to this list the user account that you want to allow access with Remote Desktop. Double-check the name before you click OK: if the account you actually log in with is not on this list, you have just locked yourself out of Remote Desktop and will have to fix it at the console. Click OK to close this dialog and then close the Local Security Policy console.

Now we'll open the Local Group Policy editor. Again, use the Windows key and the letter R to open the Run dialog. Type gpedit.msc and hit OK or Enter. Again, ignore and OK the Administrative Templates dialog if it appears. In the Local Computer Policy list on the left side, expand Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, and then click on Security. Double-click "Set client connection encryption level". Set this setting to Enabled and set the encryption level to High Level, which gives us 128-bit encryption. Click OK. Double-click "Require secure RPC communication". Enable this setting. Click OK. Double-click "Require use of specific security layer for remote (RDP) connections". Set this to Enabled and set the security layer to SSL. (Windows labels it SSL, but what it selects is TLS; the alternative, RDP Security Layer, is RDP's own legacy encryption with no server authentication, and Negotiate would let a client that only supports that layer fall back to it.) Click OK. Double-click "Require user authentication for remote connections by using Network Level Authentication". Set this to Enabled. Click OK. Once those changes have been made, you can close the Local Group Policy editor.

Now this is an optional step, but I really recommend doing this. You should change the RDP port on the PC itself. It keeps a casual check of port 3389 from inside your network from finding your PC; be aware that it does not stop a scan of all ports, which finds the new port just as easily, so treat it as noise reduction rather than protection. Again, it's not necessary, but if you want to have your PC respond on anything other than the default port 3389 for any reason, this is how you do it. Use the Windows key and R to open the Run dialog. Type regedit and hit Enter to open the Registry Editor. Work your way down to the following path: HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet, Control, Terminal Server, WinStations, RDP-Tcp. You can see the whole path down in the status bar of the Registry Editor. Once there, find the PortNumber value. Double-click to open it. Change the Base to Decimal (in the default hexadecimal display 3389 shows as d3d) and type in the port number you want to use. Write down the value because you're going to need it later. I'm going to change mine to 23456. On a side note, you don't want to use 23456 on your own system. Use something unique and known only to you. Click OK and close the Registry Editor.

Whether or not you change the default RDP port, you're going to need to allow the RDP port through the Windows Firewall. The built-in Remote Desktop rule you enabled earlier only covers port 3389, so a custom port needs a rule of its own. To do this, click the Start button, type Windows Firewall, and hit Enter. The Firewall opens. Click Advanced Settings. The Windows Firewall with Advanced Security window opens. Select Inbound Rules, then right-click on it and select New Rule. When the wizard pops up, select Port. Click Next. Make sure TCP is selected, then enter the port number. When I showed you how to change it in the Registry, I used port 23456, so I will put 23456 here. If you changed the default port in the Registry, you'll need to put that port here. If you keep the default port 3389, you still need to put that here. After entering the port number, click Next. The default value of "Allow the connection" is OK, so click Next. On the "When does this rule apply?" screen, uncheck Public and click Next. Give the rule a name like Custom RDP Port, or whatever you want to use, then click Finish. Let's restart the Target PC to make those settings take effect.

The next thing to do is to go to another computer on your network and make sure you can access the Target PC with RDP on the local area network. I'll use the Remote PC virtual machine to test this, but you'll want to test it from another computer on your network. The thing you're testing is the ability to access the Target PC using RDP from another PC in the same network. We're not testing access from a remote computer yet; that'll come next. You can access it by its internal IP address, or the PC name, followed by a colon ":" then the port number. In the case of the default RDP port 3389, you can leave the colon and the port number off. But if you set up a custom port number, then you'll use that port number after the colon. So on the PC that you want to use to connect to the Target PC, use Windows-R. Type mstsc and hit Enter. Here you'll use the Target machine name. If you set up a custom RDP port for that PC, then use the machine name followed by a colon ":" and the custom port number. In my case, the Target PC name is WIN10-Target, and I used port 23456 as a custom RDP port. So I'll type WIN10-Target:23456. Click Connect. The desktop of the Target PC should load. If you get a security dialog regarding a certificate, it's the Target PC's self-signed certificate again; on your own LAN you can connect anyway. At the top of the Remote Desktop screen you should see a blue bar. Click the X at the right edge of the blue bar to disconnect the Remote Desktop session. If you don't see the bar, move your mouse to the top edge of the screen and the blue bar will unhide itself so you can then click the X to close the remote session.

The next step is to try to connect through the Internet to the Target PC by using the public-facing IP address of the router where the Target PC is located. For this tutorial, I'll be using the Remote virtual machine to connect through the Internet to the Target PC. If you previously edited the registry and changed the RDP port on the Target PC to something other than the default RDP port 3389, you'll have to modify your router's port forwarding configuration to reflect this. If you did NOT change the default RDP port on the Target PC, then you can skip this section. Go back to your router's port forwarding screen where you set up port forwarding previously. Edit the port forwarding settings so that external port 12345 forwards to the internal port number that you set up as a custom port on the Target PC. For this tutorial I changed the default RDP port on the Target PC to 23456. So I will change the port forwarding so that port 12345 forwards to port 23456. Save the setting.
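The Target PC hardening above (the logon right in secpol.msc, the four Group Policy settings in gpedit.msc, the PortNumber registry value and the custom firewall rule) comes down to a handful of registry values and one user right, so it can be applied and, more importantly, read back as one script. This is an added example, not part of the original tutorial. The account name 'jerry' and port 23456 are placeholders: put your own account and your own port in. Run it from an elevated PowerShell prompt on the Target PC and reboot afterwards, as the tutorial does.

```powershell
# Added example (not from the original tutorial): apply the RDP hardening
# steps from the text and read them back. Run elevated on the TARGET PC,
# then reboot so the new listener port takes effect.
# 'jerry' and 23456 are placeholders; use your own account and port.

$RdpUser = 'jerry'
$RdpPort = 23456

# --- 1. The four "Remote Desktop Session Host > Security" policies ---------
# gpedit.msc stores these settings as values under the Terminal Services
# policy key; the numbers below are what the dialogs in the text write.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $pol -Force | Out-Null
$policy = @{
    MinEncryptionLevel = 3   # Set client connection encryption level = High (128-bit)
    fEncryptRPCTraffic = 1   # Require secure RPC communication = Enabled
    SecurityLayer      = 2   # Require use of specific security layer = SSL (TLS)
    UserAuthentication = 1   # Require user authentication ... using NLA = Enabled
}
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $pol -Name $name -Value $policy[$name] -Type DWord
}

# --- 2. "Allow log on through Remote Desktop Services" = only $RdpUser -----
# secedit is the command-line face of secpol.msc: export the user-rights
# area, rewrite the single line for SeRemoteInteractiveLogonRight so it
# names only our account's SID, and import it again. Administrators and
# "Remote Desktop Users" drop off the list, exactly as in the text.
$sid = (New-Object System.Security.Principal.NTAccount($RdpUser)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'rdp-rights.inf'
$db  = Join-Path $env:TEMP 'rdp-rights.sdb'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content $inf -Encoding Unicode
$lines = $lines -replace '^SeRemoteInteractiveLogonRight\s*=.*$', "SeRemoteInteractiveLogonRight = *$sid"
if (-not ($lines -match '^SeRemoteInteractiveLogonRight')) {
    # The right was not in the export (never explicitly set): add it to the section.
    $lines = $lines -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeRemoteInteractiveLogonRight = *$sid"
}
Set-Content -Path $inf -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null

# --- 3. Custom listener port (the PortNumber value from the regedit step) --
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $RdpPort -Type DWord

# --- 4. Firewall rule for the custom port, Domain/Private profiles only ----
# The built-in "Remote Desktop" rules are bound to 3389, so the new port
# needs its own rule. Public stays unchecked, as in the wizard step.
New-NetFirewallRule -DisplayName "Custom RDP Port $RdpPort" -Direction Inbound `
    -Protocol TCP -LocalPort $RdpPort -Action Allow -Profile Domain, Private | Out-Null

# --- 5. Read everything back rather than trusting that it applied ----------
function Get-RdpHardeningState {
    $p = Get-ItemProperty $pol
    [pscustomobject]@{
        MinEncryptionLevel = $p.MinEncryptionLevel      # expect 3
        SecureRpc          = $p.fEncryptRPCTraffic      # expect 1
        SecurityLayer      = $p.SecurityLayer           # expect 2
        NlaRequired        = $p.UserAuthentication      # expect 1
        PortNumber         = (Get-ItemProperty $rdpTcp).PortNumber
        RemoteLogonRight   = (Get-Content $inf -Encoding Unicode |
                              Select-String '^SeRemoteInteractiveLogonRight').Line
        FirewallRule       = (Get-NetFirewallRule -DisplayName "Custom RDP Port $RdpPort").Enabled
    }
}

Get-RdpHardeningState
```

The RemoteLogonRight line should show exactly one SID, the one belonging to $RdpUser. If the SID lookup fails (a typo in the account name), the script stops before touching the user right, which is the failure mode you want: a wrong name on that right locks you out of Remote Desktop until you fix it at the console.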
And that's it. Now you've set up your PC to be accessed securely with RDP from a PC outside of your home network. You've also changed the RDP port on the Target PC so that it's not found by a quick check of the default port from another PC in your network.

Now it's time to test our RDP setup through the Internet. Once again, go to another PC on your network and make sure that you can access the Target PC through the Internet. Of course, you're going to want to do a real-world test from a PC that is physically located somewhere else, but for right now this will work to prove that you can access the Target PC through the Internet, because we're going to be using the public-facing IP address and the external port. One caveat: this in-network test relies on your router sending traffic addressed to its own public IP back inside (NAT loopback, sometimes called hairpin NAT), and not every router does that. If the test fails from inside but the port forwarding looks right, try from a phone hotspot or another outside connection before assuming the setup is broken. Again, I'll use the Remote PC virtual machine to test this. What you're testing this time is the ability to access the PC using RDP from a PC physically located outside your network. To simulate this, I'll just use the Remote PC virtual machine. You can access the Target PC by its public-facing IP address, followed by a colon ":", then the port number. In the case of the default RDP port 3389, you can leave the colon and the port number off. But if you set up a custom external port number on the router, then you'll use that port number after the colon. On the Remote PC, use Windows-R, type mstsc and hit Enter. Here you'll use the public-facing IP address of the Target PC's router. If you set up a custom external port on the router, use that public-facing IP address followed by a colon ":" and the custom port number. In my case I'll use the public-facing IP address of the Target PC's router. I used port 12345 as the external port on the router, so I'll type the public-facing IP address followed by a colon ":" then 12345. Click Connect. And finally, if you set everything up correctly, the desktop of the Target PC should load. If you get a security dialog regarding a certificate, it is the Target PC's self-signed certificate again; check it once and then connect. And that's it. You've completed setting up and securing a PC so it can be accessed with a secure, encrypted connection from a PC physically located outside your router and firewall.

This is Jerry Boutot signing off. Have a totally awesome day.
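Two follow-up checks that belong with any port exposed to the Internet, added here as an example and not part of the original tutorial: confirm that only the intended port answers (the custom listener, and nothing left on 3389), and keep an eye on who is trying to log in, since the whole point of the forwarded port is that anyone can reach it. The public address 203.0.113.10 is a documentation placeholder; ports 12345 and 23456 are the ones used in the tutorial.

```powershell
# Added example (not from the original tutorial): post-setup checks for an
# Internet-exposed RDP listener. Run from an elevated PowerShell prompt on
# the TARGET PC. The public IP is a placeholder from the documentation range.

$PublicIp     = '203.0.113.10'   # your router's public-facing address
$ExternalPort = 12345            # port forwarded on the router
$ListenerPort = 23456            # PortNumber set on the Target PC

# 1. Only the custom port should be listening; 3389 should be gone.
function Get-RdpListeners {
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 3389, $ListenerPort } |
        Select-Object LocalAddress, LocalPort
}

# 2. Reach the router's public side. From inside the LAN this depends on the
#    router supporting NAT loopback, so a failure here is only conclusive
#    when repeated from an outside connection. 3389 must NOT answer.
function Test-RdpExposure {
    [pscustomobject]@{
        ExternalPortOpen = (Test-NetConnection -ComputerName $PublicIp -Port $ExternalPort -WarningAction SilentlyContinue).TcpTestSucceeded
        DefaultPortOpen  = (Test-NetConnection -ComputerName $PublicIp -Port 3389 -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}

# 3. Failed logons against the exposed listener. Make sure failures are
#    audited, then pull event 4625 and keep the network-style logons: with
#    NLA in force a bad password fails as logon type 3; an older client that
#    reaches the logon screen shows as type 10 (RemoteInteractive).
auditpol /set /subcategory:"Logon" /failure:enable | Out-Null

function Get-RdpLogonFailures {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pick fields by name from the event XML rather than by position.
        $fields = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        if ($fields.LogonType -in '3', '10') {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                User      = $fields.TargetUserName
                From      = $fields.IpAddress
                LogonType = $fields.LogonType
            }
        }
    }
}

Get-RdpListeners
Test-RdpExposure
# Top source addresses hammering the listener in the last day.
Get-RdpLogonFailures -Hours 24 | Group-Object From |
    Sort-Object Count -Descending | Select-Object Count, Name -First 10
```

A handful of failures from your own work address is normal; hundreds from addresses you have never seen, each trying a different username, means the forwarded port has been found by a scanner, and at that point the account lockout policy and the strong password are doing the work.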