maemo.org - Talk

Thread: Administering your Windows Servers with N900 (https://talk.maemo.org/showthread.php?t=40716), Nokia N900 forum

OrangeBox 2010-01-15 14:13

Administering your Windows Servers with N900
 
Just in case some of you have to administer Windows servers remotely via the N900, these are the steps you can follow:

1. If you haven't yet done so, open up port 3389 on your company firewall and route the traffic to your server (http://www.microsoft.com/windowsxp/u...ity/rdfaq.mspx)
(your server needs a public IP address for this. If your server has a private IP, then you'd need to VPN in to your office network first)
2. Enable remote desktop access on your server (http://support.microsoft.com/kb/814590)
3. If you're behind a firewall at your home (or at a friend's house) that doesn't have all the outgoing ports open by default, allow port 3389
4. Download rdesktop to your N900 via App Manager. It is in extras-devel, so use caution. (http://maemo.org/packages/view/rdesktop-cli/)
5. Run it

The whole session is encrypted, so there's no need to go through a VPN (unless your company policy requires it; hopefully in the future the N900 adds PPTP support).

It has excellent UI refresh speed, much better than VNC. Besides, since Windows servers have the built-in RDP protocol, there's no need to install a VNC server.

Works like a charm. This has increased the utility of my N900 big time. Now I don't have to get out of my bed when anything goes wrong with my servers.

Note: the same technique works with any Windows system. I tested it on Vista, Windows 7 and Windows Server 2003.

deadmalc 2010-01-15 17:18

Re: Administering your Windows Servers with N900
 
rofl, where do I start?
Nope, don't want to start another pointless flame war...

colnago 2010-01-15 17:22

Re: Administering your Windows Servers with N900
 
Quote:

Originally Posted by deadmalc (Post 474483)
rofl, where do I start?
Nope, don't want to start another pointless flame war...

I guess some people have unlimited access to modify their network infrastructure, ability to bypass any change request process, and use unauthorized devices, running unapproved apps on their networks...others do not?

Laughingstok 2010-01-15 17:25

Re: Administering your Windows Servers with N900
 
Quote:

Originally Posted by deadmalc (Post 474483)
rofl, where do I start?
Nope, don't want to start another pointless flame war...

I sat here for 10 minutes trying to think how you could start a flame war on something like this. :confused:

Guess I must be missing something. :D

colnago 2010-01-15 17:27

Re: Administering your Windows Servers with N900
 
Quote:

Originally Posted by Laughingstok (Post 474489)
I sat here for 10 minutes trying to think how you could start a flame war on something like this. :confused:

Guess I must be missing something. :D

Maybe you have to work in the IT dept for a "secure" location to understand?

:p

therock 2010-01-15 17:28

Re: Administering your Windows Servers with N900
 
haha deadmalc :)

Laughingstok 2010-01-15 17:28

Re: Administering your Windows Servers with N900
 
All my servers are in a bunker. Does that count? :)

Yeah, I must have missed something. The idea is sound though. Though I administer *nix boxes mostly and use VNC if I need a GUI. Perl scripts do a majority of my administration though. :D

HugoSon 2010-01-15 17:34

Re: Administering your Windows Servers with N900
 
...and if you are not willing to use the RDP default port (for security reasons even MS recommends changing it), you have to use rdesktop-cli (instead of rdesktop) because rdesktop does not support ports other than the default one. Run rdesktop-cli from the XTerminal prompt.

rewt 2010-01-15 17:37

Re: Administering your Windows Servers with N900
 
Let's start with these points...

1. Opening RDP to the world to administer from one remote device is a bad idea.
2. Although RDP is encrypted, there is no verification of the server's identity by default - this makes man-in-the-middle attacks possible.
3. AFAIK rdesktop doesn't support TLS, so enabling it to reduce the risk of a man-in-the-middle attack is not an option.
4. VPN is good. Off the top of my head, OpenVPN and vpnc (Cisco compatible VPN client) are both available for Maemo, so there is no reason not to use it.

lorelei 2010-01-15 17:42

Re: Administering your Windows Servers with N900
 
You can also add openconnect (for Cisco SSL VPN solutions) to the list of VPN clients available on maemo...

colnago 2010-01-15 17:46

Re: Administering your Windows Servers with N900
 
Quote:

Originally Posted by Laughingstok (Post 474497)
All my servers are in a bunker. Does that count? :)

Yeah, I must have missed something. The idea is sound though. Though I administer *nix boxes mostly and use VNC if I need a GUI. Perl scripts do a majority of my administration though. :D

Depends on "whose bunker"...there are a couple of people with personal bunkers in their backyards, waiting for "the big day".

:p

Either way, while the OP's idea is "nice to know", there are just way too many issues to get into...for some situations. I had a good laugh though. Thoughts of SWAT teams with laser sights and 24hr coverage on FOX news were dancing through my head.

:D

Laughingstok 2010-01-15 17:49

Re: Administering your Windows Servers with N900
 
Quote:

Originally Posted by colnago (Post 474521)
Depends on "whose bunker"...there are a couple of people with personal bunkers in their backyards, waiting for "the big day".

:p

Either way, while the OP's idea is "nice to know", there are just way too many issues to get into...for some situations. I had a good laugh though. Thoughts of SWAT teams with laser sights and 24hr coverage on FOX news were dancing through my head.

:D

A large company's bunker. :)

Bratag 2010-01-15 17:52

Re: Administering your Windows Servers with N900
 
While I might not agree with the technique - I do have to say thanks to OrangeBox for the howto. It's a vast improvement from the normal troll and in some circumstances may be a good solution for an individual etc.

Thanks OB

colnago 2010-01-15 17:56

Re: Administering your Windows Servers with N900
 
Quote:

Originally Posted by Laughingstok (Post 474527)
A large company's bunker. :)

Fair enough, and justifiable enough. I was attempting to "humorously" make the point that, "that dog ain't gonna hunt", anywhere there are decent security measures in place....bunker locations included, be it corporate or fed., but more so at fed. Especially when you're at a site, leaning up against a server rack, and you realize your hand is covering a label that reads, "NORAD".

OrangeBox 2010-01-15 18:18

Re: Administering your Windows Servers with N900
 
Quote:

Originally Posted by rewt (Post 474511)
Let's start with these points...
1. Opening RDP to the world, to administer from one remote device is a bad idea.

I disagree. This is how millions of Windows Servers are being administered around the world. When VPN is not an option, we usually lock down access for the source IP. This should work even for people who are on DSL at home since the IP does not change that often. Also, username, password and domain name must be given.

Quote:

Originally Posted by rewt (Post 474511)
Let's start with these points...
2. Although RDP is encrypted, there is no verification of the server's identity by default - this makes it possible for man-in-the-middle attacks.

Yes, "by default" is the key here. I'll let you write up a tutorial for the certificates ;-) to prevent MITMs

Quote:

Originally Posted by rewt (Post 474511)
Let's start with these points...
3. AFAIK rdesktop doesn't support TLS, so enabling it to reduce the risk of a man-in-the-middle attack is not an option.

And the point here is?

Quote:

Originally Posted by rewt (Post 474511)
Let's start with these points...
4. VPN is good. Off the top of my head, OpenVPN and vpnc (Cisco compatible VPN client) are both available for Maemo, so there is no reason not to use it.

PPTP is by far the easiest VPN configuration. Hope Maemo will add support for it. OTOH most mainstream firewalls allow you to connect via IPSEC and SSL-VPN in addition to PPTP.
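The "lock down access for the source IP" approach OrangeBox describes above, applied to steps 1 and 2 of the how-to, as an added PowerShell example that is not from this thread or from any poster. It assumes Vista, Windows 7 or Server 2008 or later (netsh advfirewall does not exist on Server 2003), an elevated prompt, and uses 203.0.113.10 as a placeholder for the admin's home public IP.

```powershell
# Added example, not from the thread. Enable Remote Desktop, but let TCP/3389
# in only from one known admin address instead of from the whole Internet,
# then verify that no inbound rule still allows 3389 from "Any".
# Assumes Vista / Windows 7 / Server 2008 or later and an elevated prompt.
$AdminSource = '203.0.113.10'          # placeholder: your home public IP
$RuleName    = 'RDP-admin-source-only'

# Same switch the System Properties dialog flips (0 = allow connections).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -Value 0

# Disable the built-in "Remote Desktop" rule group (it allows any source),
# then add a rule scoped to the admin address. Re-running the script is safe.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no
netsh advfirewall firewall delete rule name=$RuleName | Out-Null
netsh advfirewall firewall add rule name=$RuleName dir=in action=allow `
    protocol=TCP localport=3389 "remoteip=$AdminSource" profile=any

# Check: walk every rule block netsh prints (blocks are blank-line separated)
# and flag enabled inbound Allow rules for port 3389 whose RemoteIP is "Any".
$exposed = $false
$block = @()
foreach ($line in (netsh advfirewall firewall show rule name=all) + '') {
    if ($line -match '^\s*$') {
        $text = $block -join "`n"
        if ($text -match 'Enabled:\s+Yes'  -and $text -match 'Direction:\s+In' -and
            $text -match 'Action:\s+Allow' -and $text -match 'LocalPort:\s+3389' -and
            $text -match 'RemoteIP:\s+Any') {
            $exposed = $true
            Write-Warning "RDP rule open to the world:`n$text"
        }
        $block = @()
    } else {
        $block += $line
    }
}
if (-not $exposed) { "OK: TCP/3389 is only reachable from $AdminSource" }
```

Note that, as rewt points out further down, this limits who can reach the port but does nothing about server identity verification; a VPN in front of RDP addresses both.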

rewt 2010-01-15 20:29

Re: Administering your Windows Servers with N900
 
Quote:

Originally Posted by OrangeBox (Post 474585)
I disagree. This is how millions of Windows Servers are being administered around the world. When VPN is not an option, we usually lock down access for the source IP. This should work even for people who are on DSL at home since the IP does not change that often. Also username, password, domain name must be given.

By people not concerned about security - inexperienced admins, generally. It's trivial to configure a VPN using OpenVPN (free), or even MS Routing and Remote Access (free with MS Server OS). It's not unusual these days for most firewalls to include some sort of VPN functionality. There is no excuse for exposing potentially insecure services such as this to the world these days. Even Microsoft advises to open as few ports to the world as possible. You never know what the next vulnerability in RDP will be, and based on a quick look through old KB articles, remote code executions and denial of service attacks aren't out of the realm of possibilities.

Quote:

Originally Posted by OrangeBox (Post 474585)
Yes, "by default" is the key here. I'll let you write up a tutorial for the certificates ;-) to prevent MITMs

Even if they were told to do so and how, it would currently break access using rdesktop.

Quote:

Originally Posted by OrangeBox (Post 474585)
And the point here is?

The only way to verify the identity of the remote server is using TLS. TLS is not supported by rdesktop, therefore there is no way to mitigate MITM attacks. Tunneling the traffic through a VPN greatly reduces the likelihood of a MITM attack, though, which is another reason I advise against accessing RDP without any other security mechanisms in place.

Quote:

Originally Posted by OrangeBox (Post 474585)
PPTP is by far the easiest VPN configuration. Hope Maemo will add support to it. OTOH most mainstream firewalls allow you to connect via IPSEC and SSL-VPN in addition to PPTP.

From what I can tell, MPPE support has not been built with the default Maemo kernel, so it'll take a bit of work to get a PPTP client up and running. Until then, there's nothing stopping you from using something else.
