Windows 10 Pro networking: allowing users to remotely access accounting software on a laptop; security and conceptual questions before testing

-1

1

I had posted two questions about the situation described in the heading last month. Though they were eventually marked as "too broad," closed, and deleted, the preliminary comments were tremendously helpful in solving what was a rather intricate problem. (In fact, so were all the promising search results.) For the sake of posterity, I wanted to post my question again (hopefully using more of the canonical language, so as not to violate the community standard for specificity) along with both the solutions that I found.

The situation: users in two different cities running Windows 10 Pro laptops behind standard residential high-speed internet/router setups need ready access to an accounting database application currently installed on one of the computers.

The constraints: solutions cannot require any new hardware or the purchase of any new software; furthermore, because I will be administrating whatever system is put in place, it needs to be simple enough to be maintained by someone whose background in networking is limited to a careful reading of the "all-in-one for dummies" on the subject.

Question: since, if the laptops were on a local network together, simply mapping a shared drive from the laptop running the accounting application to the other would allow for concurrent access (the ideal situation) to the accounting system, which natively supports multiple users, establishing a VPN, which will simulate such a LAN connection, then mapping a drive as usual, seems like a good first attempt. Since financial data will be transmitted, security is a principal concern: before I attempt to test anything, which will involve forwarding ports on one of the routers hence an obvious security risk, what do I need to know about choosing, installing, and testing VPN software ahead of time to prevent undue exposure while learning-by-doing?

EDIT.

Another question: assume I have established a VPN connection and mapped a drive, but that the accounting application runs too slowly if accessed concurrently; since the application is just a database and is designed for installation on a server, I suspect that the problem is that it has been installed on a few-year-old Windows 10 Pro laptop. There is nothing I can do about the hardware or operating system on that machine, so I need a "faster" way to connect safely. Although originally meant for network administration tasks, RDP seems like a possible solution, since it works natively with the operating systems and has a mechanism to prevent concurrent access to the system. So, I ask the analogous question to the above, but about RDP instead of VPN: what do I need to know to safely get started with testing?

entprise

Posted 2017-06-04T12:35:26.010

Reputation: 117

Answers

0

re: #1. The native Windows 10 Pro VPN server application is regarded as unsafe for the connection of computers sharing financial data. OpenVPN is regarded as safe (and also the standard solution to this problem!), and is of course "open" for use. Furthermore, recent versions are distributed with a Windows installer and Windows GUI interface that make it a viable solution for basic Windows users, if the person setting it up is comfortable working with the command line and batch files.

OpenVPN uses a specific port to establish an encrypted connection between machines; opening this port on the host router is not terribly unsafe. OpenVPN allows for simple point-to-point static-key connections, and setting them up is relatively straightforward. In this situation, that is all that is required. During testing, you can use the dynamic IPs issued by each laptop user's ISP. But, for things to be stable for typical users, a free service like no-ip will have to be used. Note that testing the VPN or even just no-ip while behind the host router will give screwy results!

re: #2. RDP itself is unsafe for use over the internet: forwarding the RDP port on the host router is extremely dangerous. But, since you already have a VPN connection, that is unnecessary: while connected to the VPN, assuming the users can coordinate their use of the host laptop, use RDP from the client to the server. Because the access to the hardware/operating system is singular with RDP, it should be much faster.

Note, however, that in this situation a separate user account on the host laptop should be created for the client user. Adjust permissions as stringently as possible so that the client user cannot damage the host. In fact, even if you are just mapping a drive over a VPN as in situation #1, you should consider creating a separate user account on the host laptop for the client user, since they will then be able to enter those credentials when attempting to explore the mapped drive (likewise, you can limit permissions to that user, so if they attempt to explore elsewhere on the host laptop, they will only see what is permissible given their login information).

entprise

Posted 2017-06-04T12:35:26.010

Reputation: 117
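
The host-side setup this answer describes (a static-key point-to-point tunnel, RDP and the share reachable only through it, and a separate limited account), as an added PowerShell example that is not part of the original post. The tunnel addresses, UDP port, account, folder and share names are assumptions, the firewall group names are those of an English-language Windows install, and the key-generation command is OpenVPN 2.4 syntax.

```powershell
# Added example: run in an elevated PowerShell session on the HOST laptop.
# All values below are assumptions for illustration, not taken from the post.
$HostTunnelIp   = '10.8.0.1'            # host end of the point-to-point tunnel
$ClientTunnelIp = '10.8.0.2'            # client end of the tunnel
$ClientUser     = 'acct-remote'         # hypothetical local account for the remote user
$DataDir        = 'C:\AccountingData'   # hypothetical folder holding the database files
$OvpnDir        = 'C:\Program Files\OpenVPN\config'   # installer's default config folder

# 1. Host-side static-key config. Generate static.key once with
#      openvpn --genkey --secret static.key
#    and hand it to the client over a trusted channel: whoever holds
#    the key can join the tunnel.
@"
dev tun
proto udp
port 1194
ifconfig $HostTunnelIp $ClientTunnelIp
secret static.key
cipher AES-256-CBC
keepalive 10 60
persist-tun
persist-key
"@ | Set-Content -Path (Join-Path $OvpnDir 'host.ovpn') -Encoding Ascii

# 2. Accept RDP and file sharing only from the VPN peer, so neither
#    service answers on the LAN/WAN side even if a port is forwarded by mistake.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop', 'File and Printer Sharing' |
    Where-Object Direction -eq 'Inbound' |
    Set-NetFirewallRule -RemoteAddress $ClientTunnelIp

# 3. Separate standard (non-administrator) account for the remote user.
$pw = Read-Host "Password for $ClientUser" -AsSecureString
New-LocalUser -Name $ClientUser -Password $pw -Description 'Remote accounting user'
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $ClientUser

# 4. Share only the accounting folder, and only to that account.
New-SmbShare -Name 'Accounting' -Path $DataDir -ChangeAccess $ClientUser
icacls $DataDir /grant "${ClientUser}:(OI)(CI)M"

# 5. Check: every inbound RDP rule should now list only the tunnel peer.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress
```

On the router, only the OpenVPN UDP port is forwarded to the host; 3389 and 445 stay closed. Static-key mode has no forward secrecy, so a leaked key also exposes previously captured traffic.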