How to add a remotely controllable machine to a home network without sacrificing network security?

2

The following setup:

I would like to add a machine (running Windows Server 2008 R2) to our home network, such that this machine has access to the internet, and such that it can be accessed (with full admin rights) from outside (another country in particular) through RDP. I want to give RDP access to some people who shall maintain some things for me on this machine and perform some work on it on a regular basis. They also should have full admin rights to install on this machine whatever they need. Now - I trust these people regarding the tasks they shall perform, but not so much that I would want to sacrifice the security of the private data on the other machines within this network (especially the computers of my family members).

so - the requirements are:

  • machine running Windows Server, physically located at my home (because I need regular physical access to it, as it has some testing devices connected to it)
  • RDP access with full Admin Rights to this machine from outside the home network
  • no added security risk for other computers in the home network

Is there a way to isolate this machine on a network base, such that it can be accessed through the internet, but cannot communicate with other machines within the home network?

any tips are welcome

user1282931

Posted 2013-02-23T06:00:57.427

Reputation: 204

That heavily depends on many factors (i.e. the infrastructure and devices at your disposal). First and foremost you need a public IP for the server to make it accessible from outside. So depending on how many public IPs you have, different scenarios are possible. It's going to be easiest if you have a spare public (if possible fixed) IP for the server. Do you have that? And what else do you have in your network (router(s), firewall(s), ...)? And are you more concerned about the authorised people doing weird things or unauthorised people getting access to your Windows box? – scherand – 2013-02-23T12:24:49.333

You would most likely get a better answer from the security page – Griffin – 2013-02-24T05:31:44.997

Answers

1

The way to accomplish this using consumer-grade equipment is a 3-router Y configuration.

[image: 3-router Y configuration diagram (top router 192.168.0.100, left router 192.168.0.101, right router 192.168.0.102)]

By setting the two routers up using the same subnet but on different "LAN"s it is impossible for one network to talk to the other network.

Think of it this way: you have a computer on LAN A with an IP of 192.168.1.2 and the new server on LAN B with an IP of 192.168.1.3. If on LAN A you request 192.168.1.3, it goes to LAN A's router, which sees that it is a request for the 192.168.1.x subnet and does not forward the packet any further up the chain. It also sees that it does not know of any computer at 192.168.1.3 and reports back to the original computer "destination host unknown". If we request any IP other than 192.168.1.x, it will use the gateway and continue on to the internet to try and resolve your IP connection.

For port forwarding (using the above image for example) you would port forward port 3389 (RDP port) to 192.168.0.102 on the top router. You then set up port forwarding again on the right router so 3389 goes to whatever the IP is of the new server.

This gives you complete security on your home network.

Scott Chamberlain

Posted 2013-02-23T06:00:57.427

Reputation: 28 923

Basically you need to isolate the server within a DMZ. Questions like "without sacrificing security" and "allowing remote access" are incongruous - you will naturally sacrifice some security by allowing access. The idea behind security is to limit the damage and exposure to a breach. – hellomynameisjoel – 2013-02-24T09:20:17.037

I don't think this will work. Where do you route 192.168.1.X on 192.168.0.100? To 192.168.0.101 or to 192.168.0.102? I would use two different subnets behind each of 192.168.0.101 and 192.168.0.102 and an ACL or something similar on 192.168.0.100 to prevent the two networks to talk to each other. But then one router (the top one, 192.168.0.100) connected to both subnets is all you need... – scherand – 2013-02-24T12:35:57.420

@scherand You don't need to route 192.168.1.x on 192.168.0.100 as there is nothing on that LAN segment that could be making the request. The only 3 computers on that LAN are the internet and two LAN routers. 2nd, many consumer routers don't support ACLs. By using different subnets a misconfigured router could allow information to cross between the two (it should not be forwarding any 192.168.X.X traffic, but it could); by using the same subnet on both machines it is impossible for the two networks to communicate, which is exactly what the OP was asking for in the last paragraph. – Scott Chamberlain – 2013-02-24T16:09:03.330

@Scott. Ah, you would have NAT in place on 192.168.0.101 and .102. Now I get it. That would work of course. – scherand – 2013-02-28T07:19:26.230

0

Well, I'm not 100% sure about that, but when connecting to a network, Windows Vista and later (and the respective Server versions) ask you if the network is a Public, Work or Home network. If you set it to Public, you have access to the Internet, but it cannot access any other PC connected to the same network. I don't know though if this has an impact on RDP or whether you can simply set up the firewall and your router to allow remote access. Try it to see if it works. If it does work, then it is what you need. You can control the computer remotely, do stuff, but the server cannot access other PCs since file sharing is disabled by default. As another choice, you could go to the other PCs and forbid any access from the server using its computer name or IP. I don't know how to do that, probably from the Windows Firewall.

spapakons

Posted 2013-02-23T06:00:57.427

Reputation: 406

0

Key to gaining a level of security here that you see as sufficient is implementing layers of defence, both technical and procedural:

Authentication - mutual authentication of devices (by certificate) helps you ensure that only the correct client can connect to the server, and that the client knows it is connecting to the server

Segregation - place the server on a DMZ, with a connection to the Internet, but no connection onwards to your network. To create this DMZ, you could use firewalls, or routers with access control lists, and configure them to deny all connections from this server to anything else - only allow connections from the client to the server (and its responses back).

Patching - keeping the server (and the firewall) up to date prevents attackers using known weaknesses to get past your controls.

Rory Alsop

Posted 2013-02-23T06:00:57.427

Reputation: 3 168
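spapakons' closing suggestion (forbid access from the server on the other PCs via the Windows Firewall) and Rory Alsop's "deny all connections from this server to anything else" can both be applied as a host-level layer with netsh advfirewall, which is available on Windows 7 / Server 2008 R2. This is an added example, not code from either answer; the addresses are assumptions: the family LAN is 192.168.1.0/24 with the router at .1, the server is 192.168.1.50, and the maintainers connect from the placeholder range 198.51.100.0/24.

```powershell
# --- On the maintained server (Windows Server 2008 R2), from an elevated prompt ---
# Assumed addressing (not from the question): family LAN 192.168.1.0/24, router .1,
# this server 192.168.1.50, maintainers' source range 198.51.100.0/24 (placeholder).

# Default policy: nothing inbound unless a rule allows it, outbound allowed.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Disable the built-in "Remote Desktop" rules (they allow 3389 from anywhere) and
# replace them with one rule scoped to the maintainers' address range.
netsh advfirewall firewall set rule group="remote desktop" new enable=no
netsh advfirewall firewall add rule name="RDP from maintainers only" dir=in action=allow protocol=TCP localport=3389 remoteip=198.51.100.0/24

# In Windows Firewall a block rule wins over any allow rule, so this single outbound
# rule stops the server from initiating anything to the family PCs. The router at .1 is
# left out of the range so DNS/DHCP via the router keep working; internet-bound packets
# carry a public destination address and are not matched by this rule at all.
netsh advfirewall firewall add rule name="Block home LAN from server" dir=out action=block remoteip=192.168.1.2-192.168.1.254

# Verify: both rules should show Enabled: Yes with the expected Direction and RemoteIP.
netsh advfirewall firewall show rule name="RDP from maintainers only" verbose
netsh advfirewall firewall show rule name="Block home LAN from server" verbose

# --- On each family PC (Windows Vista or later), from an elevated prompt ---
# Mirror rule: drop anything the server sends to this machine, whatever the service.
netsh advfirewall firewall add rule name="Block DMZ server" dir=in action=block remoteip=192.168.1.50
```

Because the maintainers have local admin rights, they can edit or disable the server-side rules, so these are only a second layer behind the router separation described in the other answers; the rules on the family PCs are the part they cannot touch.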

0

Yes this can be done. Since you are at home and probably don't have enterprise-level firewalls, the best thing to do is set up NAT on the internet-facing router to forward the RDP ports onto the machine needing RDP access. This way there is a firewall protecting its other services from access unless you explicitly allow it (that's the beauty of NAT). Have two connections inside your home network from your internet-facing router: 1st to the computer serving RDP, and 2nd to another router. Plug the 2nd connection into the second router's WAN interface (usually labeled "Internet"). Then have your normal home machines plugged into the second router (or connected to the second router's wireless interface). Make sure the routers are on different subnets, otherwise you will have big problems. The easiest strategy is to put the internet-facing router on IP 192.168.1.1/24 and the second router on 192.168.2.1/24. With this setup you simply need to give your friends your internet-facing IP address and have them attempt to RDP to it. The internet-facing router will receive the packets on the RDP port and forward them to the appropriate system. Because the system is on the WAN side of the second router, it will not be able to access any of the systems connected on the LAN side of the second router, so your other systems will be secure.

Freedom_Ben

Posted 2013-02-23T06:00:57.427

Reputation: 260