
In my Windows Server 2012, in the firewall rule for Remote Desktop connections I have added so that only MY IP address is allowed to connect. Now of course I have taken a precaution and added a further 3 IP addresses to the list (one for my workplace and two more for my friends' IP addresses), so in the event that my ISP changes my IP, I still have 3 more lifelines.

Now let's talk even deeper. Assume that all those 3 IP addresses are changed too; I am therefore locked out of my server. Now the actual question for this thread is, what do I do from here? What are the options/solutions? How can I access my server now?

Regards

user234360
  • Is your server located offsite or hosted in some way that RDP is the only access method? Do you have any other means to 1. restrict RDP access at a perimeter firewall or network rule, rather than strictly on the server itself, or 2. have console or physical access to the machine in case RDP was not available. – Jacob Sep 04 '14 at 03:04

1 Answer


Poor man's solution: use port knocking.

Probably it isn't the best choice, and it may raise alerts on an IDS (if not trained to discard this false positive, but login attempts from recently changed IPs will raise them too).

Anyway, it may suffice, since you would be setting it as a last resort, after a (hopefully) remote event of changing all 3 IPs without updating your rules.

There are Windows solutions out there (see Server Fault related question), maybe quite out of date, but may work.

Another solution could be to use DNS. This may seem more attractive since it does not involve using old software.

  1. Set up the server to look periodically (< 10 minutes) for a known DNS name like remote.example.com and allow that IP to RDP (or whatever).
  2. Set up your computer to (safely) update the DNS entry upon IP change.
  3. Please make sure you use DNSSEC enabled resolvers and the DNS provider is signing your zone.

And the last idea that comes to mind to me is to use SSH (maybe with Cygwin?) with key-based login only and port-forward some local port on your computer to localhost:RDP in the server.

Setting up a VPN with a road-warrior configuration (either with PSK or PKI) would be overkill, but if you run out of options, it's better than no login at all.

CijcoSistems
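The DNS-based allow-list refresh from steps 1 to 3 of the answer above, as an added PowerShell example that is not part of the original answer or of any product; the rule display name, the DNS name and the static addresses are assumptions, and the script is meant to run from a scheduled task on the Server 2012 box. It fails closed: if the lookup fails or returns nothing, the existing rule is left untouched rather than emptied or widened.

```powershell
# Added example (not from the original answer). Assumed names:
#   $RuleName  - display name of the inbound RDP allow rule on the server
#   $DynName   - the dynamic DNS name the admin keeps pointed at their current IP
#   $StaticIps - permanent addresses (workplace, friends) that must always stay
$RuleName  = 'RDP allow (restricted)'
$DynName   = 'remote.example.com'
$StaticIps = @('203.0.113.10', '198.51.100.20')   # constructed sample values

# -DnssecOk sets the DO bit and -DnsOnly bypasses the hosts file and cache.
# Validation itself happens at the resolver, so the resolver must be a
# validating one and the zone must be signed (step 3); otherwise a spoofed
# answer could point the rule at an attacker's address.
try {
    $records = Resolve-DnsName -Name $DynName -Type A -DnsOnly -DnssecOk -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' }
} catch {
    Write-Warning "Lookup of $DynName failed ($($_.Exception.Message)); rule left unchanged."
    exit 1
}
$dynIps = @($records | ForEach-Object { $_.IPAddress } | Where-Object { $_ })
if ($dynIps.Count -eq 0) {
    Write-Warning "No A records for $DynName; rule left unchanged."
    exit 1
}

# Never let a bad record turn the rule into an 'allow everyone' rule.
$unsafe = $dynIps | Where-Object { $_ -eq '0.0.0.0' -or $_ -eq '255.255.255.255' -or $_ -like '127.*' }
if ($unsafe) {
    Write-Warning "Refusing unsafe address(es) from DNS: $($unsafe -join ', '); rule left unchanged."
    exit 1
}

$desired = @($StaticIps + $dynIps | Sort-Object -Unique)
$rule    = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop
$current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress | Sort-Object -Unique)

# Touch the rule only when the address set really changed, and log old vs new
# so an operator can audit who was allowed in and when that changed.
if (($current -join ',') -ne ($desired -join ',')) {
    Write-Output "Updating '$RuleName': [$($current -join ', ')] -> [$($desired -join ', ')]"
    $rule | Set-NetFirewallRule -RemoteAddress $desired
} else {
    Write-Output "'$RuleName' already allows: $($desired -join ', ')"
}
```

The static list keeps the three lifelines the question already has; the dynamic name only adds to it, so a DNS outage can never lock out the addresses that were working before.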