Home Forums Discussions General Discussion Remote Desktop configuration for security

Hi,
Just figured out that I will have to go to my 2 yr old Windows 10 pro machine as I can't afford to upgrade my Server and call in the IT guy to reset everything needed for AC 10.0.
Currently use GoToMyPC for remote access 20 for myself, my nurse (who schedules and does pt calls and telephone Annual Wellness stuff from home on our days not in the office, and for my medical transcriptionist who doe her work from home as well. Yes we do a lot of work remotely [EMRs were suppost to decrease "paper" work]. The cost of gotomypc has escalated and I thought about using Remote Desktop, but do not know how to set it up to be secure. Oh, I suppose I could make sure remote users do not have admin status, that really good passwords are used, that I use a different listening port for Remote Desktop than the standard one but I could sure use some good advise about how to make it as secure as possible and some help setting up/maintaining this kind of system. And NO I do not want to go to AC Cloud service- I would need at least 4 chairs at that table [me, nurse, transcriptionist and receptionist] -starts to get a little "pricey" for a Doctor who could be retiring in 1 yr and is only working part time [unless I go to Telemedicine].Any Ideas/Thoughts/Advice [other than early retirement] ?

You have the basics down, and sound like that you can probably sort of everything on your own eventually.

If this is a cost-driven decision, and if you can live within the constraints of your current solution or LogMeInPro, that will be the lowest cost.

If you want someone with the necessary skills to accomplish a custom setup for your practice, you should expect to pay $125-$200 per hour, and that work will probably be between 3-6 hours at a minimum.

There are significant cost pressures in healthcare, and the culture of expecting professional services to be priced as a commodity, be it medical, technical, or business has led to professionals to retire or leave the market in response.

If you are looking for an inexpensive one year solution, stick with one of the existing market solutions.

I switched to RemoteToPC after GoToMyPC went out of site pricewise, I actually think the connection seems faster so aside from cost performance appears better

I used to use free Windows RDP with Port Forwarding with an older Cisco router.
Worked perfectly but people told me it wasn't "secure".
Bought a new router (RV345 with built in 16 port Gigabyte switch) -- much improved function of office Ethernet, but couldn't figure out how to configure the port forwarding.
RV345 much more complex, and instructions are opaque, to say the least.

RV345 comes with hardware VPN, but couldn't figure out how to configure it for remote access (this is a 2-doctor office -- we don't need heavy duty hardware). Supposedly there is a free VPN connection that works with RDP -- but I couldn't make heads or tails of their "documentation".

Hired our local IP guru -- he worked with Cisco engineer and finally got it to work sort of. Supposedly, there are 2 "free" VPN tunnels available -- I am using one fairly successfully, but we can't seem to make the second one work. There is something called "AnyConnect" which seems to be a licensing scheme, but it is very expensive -- not the sort of thing that a single doctor wants or needs for occasional remoting to the office.

Years ago used LogMeIn -- not bad, but it became ruinously expensive. Same with GoToMyPC and TeamViewer. Right now, I use SplashTop, which is new, and therefor pretty inexpensive.
It works OK, and allows file transfers (at least the "business" version does. Free version does not.

The best solution seems to be Windows RDP through a VPN tunnel -- if you can get it configured. There are probably routers out there that don't require outrageous subscriptions to work -- maybe Asus??

VPN isn't a necessity but it's nice to have extra layer of security. The biggest thing would be to limit login attempts. Changing the port to a random one isn't on that list, but it makes a big difference with respect to random attacks. People are constantly scanning for common ports 21 (FTP), 22 (SFTP/SSH), 3389 (Remote Desktop), etc. Once they find one open, they just keep trying random username and password combinations.

James made a nice summary of the measures you should take:

Sandeep--

You have helped me a lot in the past.
I now have this Cisco router RV345 which works fine for one VPN (Win10) client using the Cisco hardware PPTP. I would like to be able to use it for about 4 different clients -- all running Win10 -- but never more than two logins at a time. It is just for remoting to office server from home or on the road, not setting up another office.

I have struggled, and my IT guy has struggled, and the Cisco techs -- working with the IT guy -- can't seem to do it.
I just can't figure out what AnyConnect is, but I found a Cisco "partner" who sells the software for 25 users for $48/year -- but I have no idea what to do with it, so I didn't even try buying it.

Can I pay you to log in to my server/router and make it work? Is it really so complicated? Cisco claims this is a router/switch for small business -- but they are remarkably opaque when it comes to actual support.

So there's a few different types of VPN connection methods.
1) PPTP - insecure, largely phased out at this point. (developed by MS/Cisco)
2) L2TP (usually with IPSec) - Good, your RV345 supports it. Most universal VPN
3) SSL VPN - Cisco AnyConnect/other proprietary implementations. Simple and has some cool stuff like web portal sign in. Apps.
4) SSTP - Microsoft's successor to PPTP (pretty good but restricted to Microsoft devices) *not on the RV345
5) OVPN - Good but usually requires third party clients. Common with VPN Providers like PIA, TunnelBear *not on the RV345

There all good choices except for PPTP. SSL VPN usually requires an ongoing subscription. OVPN support is limited. SSTP is largely a Microsoft only protocol. L2TP has broad support and integration across many platforms and devices.

In your case, you have to decide between SSL VPN (AnyConnect) and L2TP/IPSec. Since you only plan to use it in a limited capacity, I would just setup the L2TP Server on your RV345 and use the built-in Windows VPN client.

I'll send you a PM.

Thanks Sandeep.
You have confirmed the many hours of research I have done.
I haven't found any place where the specifics --- like how to do it -- are explained, but I had settled on L2TP, but couldn't make it work.

Neither could my IT guy.

We did succeed in getting one connection to a Win10 client with PPTP, which is currently what I use. I understand it is not ideally secure.

I don't understand why they wouldn't or couldn't get L2TP working -- does that require static IP address at both ends?

I guess I can understand why Cisco wants to sell their subscription software.

I had sent you a PM before I read this reply -- I'll check the PM.
I reiterate -- I'm willing to pay!

Something that may not have factored into your consideration, but we discovered this with another client in OR a few years ago after hours of troubleshooting; some ISPs actively block traffic.

Sooooo, you may spend hours and hours setting everything up to only find out that they block certain protocols network-wide.

In our case it took a whole process to reach a senior networking tech, and have him say, "Oh, we don't allow that traffic on our network, so it will never work."

YMMV

Well, we use Charter.
They seem to allow PPTP -- in fact, when we finally got connected I actually had about 4 clients that worked briefly.
I'm down to one now.
It seems to be a restriction that Cisco puts on the hardware at the VPN server end.
Like they want you to license their software.
But I'm all ears and eyes, and your input is most welcome I'm always trying to learn about this stuff.
It actually seems like studying law -- it's not based on any intuitively accessible reality -- it's all protocols which are human inventions, not something out of nature.