Use SSH to securely use Remote Desktop Connection to Windows

Operating environment

Remote connection to Windows
  • Windows 11
Remote connection from Windows
  • Windows 10
OpenSSH
  • OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2

Prerequisites

Remote connection to Windows
  • Windows 10 or later (Pro or a higher edition required). This does not apply if OpenSSH can be prepared separately.
  • Windows Server 2019 or later. This does not apply if OpenSSH can be prepared separately.
Remote connection from Windows
  • Windows (most versions will work)
  • Windows Server (most versions will work)

Introduction

After building a Windows environment on the Internet, in the cloud or on a VPS, you usually operate it over a Remote Desktop connection.

Remote Desktop encrypts its traffic, and as long as the user name and password are not leaked, nobody else can log in. Still, because the port is reachable from the whole Internet, there is always the concern that people will try to log in from anywhere.

Some major clouds provide a firewall separate from the virtual machine, with a function to restrict the connection source. These features are not available in every service, and in environments built on a low budget there are many cases where no such function exists.

Therefore, this time I would like to limit the connection source as much as possible by adding SSH. Since a private/public key pair is used, as long as the private key is not leaked, the possibility of someone logging in remotely from another environment is minimized.

In this case, we will use OpenSSH to build the SSH environment.

Build a remote destination Windows environment

Build a Windows environment that allows you to connect remotely over the Internet. It doesn't matter where it is built as long as it goes over the Internet, but for this verification, it will be built as a virtual machine on Microsoft Azure. The steps to build on Azure are not relevant to this tip, so I will omit them. Since port 22 will be used this time, if you use Azure, make sure that port 22 communication passes through the settings of the virtual machine on Azure.

If you're building in an environment other than Azure, make sure that you're in a position where you can make a remote desktop connection to Windows for your environment.

In addition, the Windows version targets Windows 10 or later, or Windows Server 2019 or later, which makes it easy to build an OpenSSH environment. It can be implemented in an earlier environment, but it takes a little more time and effort because you need to download and set up OpenSSH separately.

In that case, the procedure is the same as for SFTP, so please refer to the following tips.

Setting up OpenSSH

From here, we will work in the remote Windows environment. First, connect to the remote destination with a remote desktop connection. If your cloud or VPS provides a console, you can use it. Since we are operating in a Windows 11 environment this time, the steps may be slightly different in other versions.

Open the Start menu and select Settings.

Select Apps.

Select Optional Features.

Select Show Features.

There is "OpenSSH Server" a little lower in the list, so check it and click "Next".

Click Install.

When the installation is complete and "OpenSSH Server" is added to the list below, you are done.

Service configuration for OpenSSH

Right-click on the Start menu and select Computer Management.

Select Services from the list on the left.

Find "OpenSSH SSH Server" in the middle list, right-click and select "Properties".

When connecting remotely, we want the OpenSSH server to be running, so set the "Startup type" to "Automatic".

Since the service is not running yet, start it here as well.

Once launched, click the OK button to close it. It should be running in the list.

Configuring OpenSSH

In the initial state, public key authentication is disabled, so enable it. Open the following folder in Explorer.

  • C:\ProgramData\ssh

However, the above folder may be a hidden folder, so please make it visible by setting the Explorer options.

There is a file called sshd_config in that folder, so open it with a text editor such as Notepad. Since we will be making changes, copy it first and keep the copy as a backup named sshd_config_old.

Search for PubkeyAuthentication yes. This item controls whether public key authentication is enabled. The line already says yes, but it is commented out and therefore inactive by default, so uncomment it.

Before the change

#PubkeyAuthentication yes

After the change

PubkeyAuthentication yes

Search for PasswordAuthentication yes. This item controls whether password authentication is enabled. It is enabled by default, and enabling private key authentication is meaningless from a security point of view if password authentication remains enabled, so uncomment it and set it to no.

Before the change

#PasswordAuthentication yes

After the change

PasswordAuthentication no

Comment out the following lines near the end. This is the authorized-keys setting for the Administrators group; disable it because we will use per-user authorized_keys files in this case.

Before the change

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

After the change

#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

After saving the changed file, restart the OpenSSH SSH Server service so that the settings take effect.
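As an added example (not part of the original page), the same three sshd_config edits made from an elevated PowerShell on the remote host, with the sshd_config_old backup, a configuration check, and the service restart. It assumes the default sshd.exe install path under System32\OpenSSH and the Windows service name sshd.

```powershell
# Added example, not from the original page: apply the sshd_config edits described above.
$cfg    = 'C:\ProgramData\ssh\sshd_config'
$backup = 'C:\ProgramData\ssh\sshd_config_old'
$sshd   = Join-Path $env:SystemRoot 'System32\OpenSSH\sshd.exe'   # default path (assumption)

Copy-Item -Path $cfg -Destination $backup -Force   # same backup as in the text

$updated = foreach ($line in (Get-Content -Path $cfg)) {
    switch -Regex ($line) {
        # "#PubkeyAuthentication yes" -> active
        '^\s*#?\s*PubkeyAuthentication\b'    { 'PubkeyAuthentication yes'; break }
        # "#PasswordAuthentication yes" -> explicitly disabled
        '^\s*#?\s*PasswordAuthentication\b'  { 'PasswordAuthentication no'; break }
        # comment out the Administrators Match block so per-user
        # C:\Users\<username>\.ssh\authorized_keys files are used instead
        '^\s*Match\s+Group\s+administrators' { "#$line"; break }
        '^\s*AuthorizedKeysFile\s+__PROGRAMDATA__/ssh/administrators_authorized_keys' { "#$line"; break }
        default                              { $line }
    }
}

# sshd_config must not carry a UTF-8 BOM; the file is plain ASCII anyway
Set-Content -Path $cfg -Value $updated -Encoding Ascii

# Validate before restarting; on failure restore the backup so the service keeps working
& $sshd -t -f $cfg
if ($LASTEXITCODE -ne 0) {
    Copy-Item -Path $backup -Destination $cfg -Force
    throw 'sshd_config failed validation; backup restored, service not restarted.'
}

Set-Service     -Name sshd -StartupType Automatic   # "Startup type: Automatic" from the Services step
Restart-Service -Name sshd

# Show the effective lines for a final visual check
Select-String -Path $cfg -Pattern '^(PubkeyAuthentication|PasswordAuthentication|#?\s*Match Group|#?\s*AuthorizedKeysFile __PROGRAMDATA__)'
```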

If you want to change the port

If you want to change the SSH port, change the following.

Before the change

#Port 22

After the change

Port <any number>

By changing the port number, the default port is no longer the one being hit, which reduces exposure and so strengthens security. On the other hand, it makes operation more complex, so you need to be careful.

If you change the port number, you must specify that port instead of 22 when connecting.

Creating Private and Public Keys

This is a client-side task. It does not really matter where you generate the keys, but be careful not to leak the private key you create.

If you have Windows 10 or later, Windows Server 2019 or later, the OpenSSH client is installed by default, so you can easily create it with a command. In other environments, you will need to install a separate OpenSSH client or use a separate tool.

The following tips are for SFTP, but please refer to them for setting up an OpenSSH client.

In the client environment, launch a command prompt, PowerShell, terminal, or any tool that can execute commands.

Since files will be created, use cd to move to a directory of your choice.

Run the following command:

ssh-keygen -t rsa -f id_rsa

You can set a passphrase (password) for the key, so please enter it if necessary. If you set a passphrase, security will be enhanced, but it will increase the time and effort of entering the passphrase in the later process.

A public key (id_rsa.pub) and a private key (id_rsa) are created.

The public key (id_rsa.pub) will be placed on the remote destination later. The private key can be stored anywhere on the client, but for security it must be in a folder accessible only to the account that will use it. Basically, there is no problem if you place it in the following folder on the client side; the OpenSSH client looks in this folder by default.

  • C:\Users\<username>\.ssh

If you can't create the above folder in Explorer, you can create it with the following command.

cd C:\Users\<username>
mkdir .ssh

Placement of public keys

This is a remote-side operation. Place the created public key (id_rsa.pub) on the remote destination by moving it to the following folder, where <username> is the name of the user account you will log in to when you actually connect remotely.

  • C:\Users\<username>\.ssh

If the folder does not exist and you cannot create it in Explorer, you can create it with the following command.

cd C:\Users\<username>
mkdir .ssh

Rename the copied public key file (id_rsa.pub) to authorized_keys. That's it.

Depending on your environment, you may already have an authorized_keys file, for example if you have set up an SSH connection for other purposes. In that case, open both authorized_keys and id_rsa.pub with Notepad or similar, and append the contents of id_rsa.pub as a new line at the end of authorized_keys. You can register multiple public keys in authorized_keys.

Connect with SSH

When connecting with the OpenSSH command

There are various ways to connect with SSH, but let's start with a command-based connection. In fact, the connection with the least number of steps is by command. As a prerequisite, you must have the OpenSSH client installed.

Launch the command tool of your choice (Command Prompt, PowerShell, Terminal).

Enter the following command:

Command Format

ssh -i <private key file path> -L <local free port>:127.0.0.1:3389 <user account name>@<server IP address or host name>

The following is an explanation of the parameters. Set them according to your environment.

  • ssh: Invokes the OpenSSH client.
  • -i: Specifies the private key file to use.
  • <private key file path>: Location of the private key you created. If it is stored as C:\Users\<username>\.ssh\id_rsa, the OpenSSH client finds it by default and the path can be omitted; otherwise an absolute or relative path is required.
  • -L: Sets up local port forwarding: the port to listen on locally and the host and port it is forwarded to on the remote side.
  • <local free port>: Remote Desktop normally uses port 3389, but the local end can be any free port. Any number will do as long as it is not in use on the client.
  • 127.0.0.1: The address, as seen from the remote side, that the forwarded connection is delivered to. Normally 127.0.0.1 (the remote machine itself) is fine.
  • 3389: The port used on the remote side. Remote Desktop normally listens on 3389, so leave it as is.
  • <user account name>: The account on the remote destination to log in as.
  • <server IP address or host name>: The remote destination server.

Example Input

ssh -i id_rsa -L 13389:127.0.0.1:3389 TestUser@52.140.221.194

The first time you connect, you will be asked to confirm the server's host key fingerprint; type yes and press Enter.

If you have a passphrase set for your private key, you must enter it.

If the display changes as shown below, you are connected. You can see that the user shown is the one on the server side, not the client. While this window is open the tunnel is up, so do not close it; closing it breaks the connection.

When connecting with PuTTY

Here, we will try to connect to SSH with a tool called PuTTY.

Converting the private key

First, if you use PuTTY, you will need to convert the private key. puttygen.exe is included among the bundled tools, so start it.

Select "Conversions -> Import key" from the menu.

Select the private key you created, in this case, "id_rsa".

If you have set a passphrase, enter it.

Select "File -> Save private key" from the menu.

「. .ppk" file.

Once created, you're done.

Configuring PuTTY

Launch putty.exe.

Enter the IP address of the environment you want to connect to. If you have a domain, you can connect with a domain name.

Select Connection -> Data from the menu on the left. In the Auto-login username field, enter the account name of the environment you want to connect to.

From the menu on the left, select Connection -> SSH -> Tunnels. Enter each of them in the input field below and click the "Add" button.

  • Source port: 13389 (any free port will do; it is used again later)
  • Destination: 127.0.0.1:3389

When added, it should look like this:

Next, select "Connection -> SSH -> Auth -> Cledentioals" from the menu on the left and click the Browse button for "Private key file for authentication".

Select the private key that you have saved.

Select "Session" in the menu on the left, enter a name of your choice for Save Sessions, and click the Save button. From the next time onwards, it is OK if you load this setting.

After confirming the save, click the "Open" button.

The following screen will be displayed when connecting for the first time. Click the Accept button.

You will see a screen that looks like a command prompt. If you have a passphrase for the private key, enter it.

If the display changes as shown below, you are connected. You can see that the user shown is the one on the server side, not the client. While this window is open the tunnel is up, so do not close it; closing it breaks the connection.

Make a remote desktop connection with SSH

Now, let's make a remote desktop connection while connected with SSH.

When connecting, the Computer field is not the actual remote address but "localhost:<the local port specified in the SSH connection>". In the example, 13389 was specified, so here we connect to "localhost:13389".

If the authentication screen is displayed, you can judge that the connection is complete. Enter your username and password to connect.

If you can connect like this, you've succeeded.

Disable regular remote desktop connections in firewall settings

As of the previous step, you can connect with Remote Desktop through SSH. However, in this state "Remote Desktop connection via SSH" has merely been added alongside the "normal Remote Desktop connection", which adds nothing in terms of security. So the next thing to do is to block the "normal Remote Desktop connection".

Once this setting is made, nothing but "Remote Desktop connection via SSH" can connect, so a mistake in the settings may leave you with no means of connecting remotely. Be sure to confirm in advance that "Remote Desktop connection via SSH" works, and make sure you can still operate the remote environment by other means even if the client you connect from is lost.

Perform the firewall configuration from within the "Remote Desktop connection via SSH". If you perform it over a "normal Remote Desktop connection", you will be disconnected the moment the firewall rule takes effect.

View Windows Defender Firewall with Advanced Security. Depending on the version of Windows, the location of the display will vary, so please display it according to that version.

Select Inbound Rules from the menu on the left.

In the middle list, find "Remote Desktop - User Mode (TCP-In)" and open its properties.

Select the Scope tab, change the local IP address to These IP addresses, and click the Add button.

Enter 127.0.0.1 and click the OK button. This prevents Remote Desktop connections from anywhere other than 127.0.0.1, the loopback address that points to the machine itself. If you enter the wrong value, you may not be able to connect from anywhere, so be careful.

Click the OK button to confirm.

This alone is already a countermeasure, but also apply the same scope to "Remote Desktop - User Mode (UDP-In)".
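The same firewall scoping done with PowerShell, as an added example that is not part of the original page. It assumes the English rule display names shown above and the service name sshd, and it refuses to run unless the SSH server is listening, so that the change cannot lock you out.

```powershell
# Added example, not from the original page: restrict the built-in Remote Desktop
# inbound rules to 127.0.0.1 so RDP is reachable only through the SSH tunnel.
# Run in an elevated PowerShell inside the SSH-tunnelled RDP session, as the text advises.
$rules   = @('Remote Desktop - User Mode (TCP-In)', 'Remote Desktop - User Mode (UDP-In)')
$sshPort = 22   # change this if you moved the port in sshd_config

# Safety check: without a working SSH server this change would lock us out of the host
$svc = Get-Service -Name sshd -ErrorAction Stop
$listening = Get-NetTCPConnection -LocalPort $sshPort -State Listen -ErrorAction SilentlyContinue
if ($svc.Status -ne 'Running' -or -not $listening) {
    throw "OpenSSH SSH Server is not running or not listening on $sshPort; fix that before restricting RDP."
}

# Warn if an RDP session is connected directly (not via the loopback tunnel): it will be cut off
$direct = Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue |
          Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') }
if ($direct) {
    Write-Warning ("Direct RDP session(s) from {0} will be disconnected." -f ($direct.RemoteAddress -join ', '))
}

foreach ($name in $rules) {
    # Equivalent of Scope -> Local IP address -> "These IP addresses" -> 127.0.0.1 in the GUI
    Set-NetFirewallRule -DisplayName $name -LocalAddress 127.0.0.1 -ErrorAction Stop

    # Read the scope back for verification
    $filter = Get-NetFirewallRule -DisplayName $name | Get-NetFirewallAddressFilter
    '{0}: LocalAddress = {1}' -f $name, ($filter.LocalAddress -join ', ')
}
```

From another PC, Test-NetConnection <server> -Port 3389 should now report TcpTestSucceeded : False, which is the check described in the next section.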

Verify that you can't connect remotely with anything other than SSH

Now, try making a remote desktop connection from another PC that isn't using SSH.

If the connection were allowed, the authentication screen would appear. It is fine if you can confirm that the connection fails, as shown below.

Summary

With recent Windows versions, introducing an SSH server is easy, and with a few settings you can now raise the security of your Remote Desktop connection. However, this only covers security measures within Windows itself; if you want to make it more secure, I think it is preferable to place a separate SSH server or firewall in front of the Windows machine.

Also, SSH lets you tighten security considerably, but if you tighten it too far, a single operational mistake can leave nobody able to connect. Be careful not to end up in that situation.