The Internet is Infected! The Ultimate Cyber Security Guide for Small Business and Home Computing!

If you find the information on this blog valuable you will find my upcoming three volume cyber security books infinitely more so! Visit my website at http://thatcybersecurityguy.com. My 8 years of research and 900 written pages are about much more than just cyber security as my writing presents valuable small business and general home computer knowledge. Visit me on Twitter @ThatCyberSecGuy. See the ACLU video "Invasion of the Data Snatchers" at YouTube to understand why you need my books and PDF files on the infected Internet.


Sunday, February 5, 2017

How To Setup your Windows 10 VPN Server behind your Router Hardware Firewall

Reading the previous blog entry about port forwarding, we have opened up a security hole that now routes traffic to our Windows 10 Pro server behind our firewall. Crackers know this is port 1723 and will scan your router for it being open. If you watch your router logs you will be surprised at how many attempts are being made to break into your network. I know you are a little fish, but crackers consider little fish ripe targets! This raises the question of whether a PAID service might not be a better solution for your small business. Opening up holes in a Windows 10 Pro server that is super important to your business might not be a good idea. Right now everything is OK because your VPN server is not listening, but we are about to change that.

In our first post I highly encouraged you to watch Eli the Computer Guy’s video on what a VPN is and how it works. You may discover that doing your own VPN is not going to work for a variety of reasons which he describes very well. (See: https://www.youtube.com/watch?v=q4P4BjjXghQ) For example, your ISP upload speed is very important if you are going to set up, use and manage your own VPN. Before we punch a hole in our SOHO local network and computer server, make sure your setup and ISP speed are good enough for a Windows 10 Pro VPN.

Another thing to consider is server uptime and power costs. When you, an employee, or a family member is traveling, everything has to be powered up and working. Not to mention your ISP can change your modem IP at any time, rendering all your hard work moot unless you pay for a dynamic DNS service. A paid dynamic DNS service maps a domain name to your modem and updates the IP as your ISP changes it, making sure you can always connect to your network. Of course, if you have a computer-savvy person you can contact, they can tell you the new ISP-assigned DHCP IP address by simply typing “What is my IP address?” in the Type or talk to search box and giving it to you over the phone, or by logging in to your router and viewing it there. (See: http://dyn.com)

Therefore, once you have evaluated your needs and have determined that you want to configure and manage your very own Windows 10 Pro VPN, read on. For example, in my case I only need a VPN occasionally while traveling or visiting a customer. I mostly use it with hotspots to keep my laptop safe or to bypass a firewall or proxy so I can do things on my home network that are not allowed where I am. Paying for a monthly VPN service does not make sense for my business and personal needs. If you are a visual person, watch this How To VPN YouTube video, which is excellent. (See: https://www.youtube.com/watch?v=6ZCiXx6KYtA)

On your VPN server, if you have not already done so, you will need to set up a standard user with very limited privileges. In my book I detail how to do this on all your Windows 10 computers because you should use a standard user ID when venturing out onto the infected Internet. You can skip the following and go down to the Change Adapter Settings but you should learn how to create a standard user the non-VPN way.

Click in the lower-left Type or talk to search box, type user > click on User Accounts Control Panel > select Manage another account > click on Add a new user in the PC settings > under Other people click on the + sign to Add someone else to this PC. Another method you can employ is to type Settings > click on Accounts > click on Family & other people > click on the + sign to Add someone else to this PC.

From here there is a multitude of ways you can add a user, with the default being Microsoft’s most invasive option for someone’s privacy. To bypass all that and just add a local user, which is all you need:

  • At the bottom of the page, select I don’t have this person’s sign-in information, and at the bottom of the next page, select Add a user without a Microsoft account.
  • On the Create an account for this PC screen, enter a user name, password, and password hint, and then select Next. You're done!

You are now ready to set up your VPN server to use this account to connect to and tunnel into your local network. As I said, you could have just started here: as you can see from the screenshot, you can click on the Add someone… button at the bottom and accomplish everything we detailed above, but then you wouldn’t have learned how to add a Windows 10 user the standard way. You can also do this using Computer Management, which is where you should check on what types of users exist on your PC. In the Type or talk box type Computer Management and open up the app > click on Local Users and Groups > under Name on the right double click on Users > right click on any user and select Properties and view their power. (See: http://www.howto-connect.com/windows-10-create-local-user-account-group-view)
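The same two steps the post walks through in the GUI (create a local account without a Microsoft account, then confirm in Computer Management that it has no administrative power) can be done and verified from an elevated PowerShell prompt. This is an added example, not the post's own procedure; the account name "vpnuser" and its description are placeholders, and the cmdlets are the LocalAccounts ones shipped with Windows 10.

```powershell
# Added example (not from the original post): create a local, non-administrative
# account for VPN logon and confirm it holds no administrative rights.
# Assumptions: "vpnuser" is a placeholder name; run from an elevated prompt on
# the Windows 10 Pro machine that will be the VPN server.

$UserName = "vpnuser"   # placeholder account name
$Password = Read-Host -AsSecureString -Prompt "Password for $UserName"

# A local account only: no Microsoft account is involved, which is what the
# "Add a user without a Microsoft account" choice in the wizard gives you.
New-LocalUser -Name $UserName `
              -Password $Password `
              -Description "Limited account for incoming VPN connections" | Out-Null

# New-LocalUser does not put the account in any group; membership of the
# built-in Users group is all a standard (limited) account needs.
Add-LocalGroupMember -Group "Users" -Member $UserName

# The check the post does by hand in Computer Management: make sure the account
# is NOT a member of Administrators before you allow it to dial in.
$admins = Get-LocalGroupMember -Group "Administrators"
if ($admins.Name -contains "$env:COMPUTERNAME\$UserName") {
    Write-Warning "$UserName is an administrator; remove it from Administrators before using it for VPN."
} else {
    Write-Output "$UserName is a standard (non-administrative) account."
}

# Review every local account and its group membership, the way the Users folder
# in Computer Management shows it.
Get-LocalUser | ForEach-Object {
    $u = $_
    $groups = Get-LocalGroup | Where-Object {
        (Get-LocalGroupMember -Group $_.Name -ErrorAction SilentlyContinue).Name -contains "$env:COMPUTERNAME\$($u.Name)"
    }
    [pscustomobject]@{ User = $u.Name; Enabled = $u.Enabled; Groups = ($groups.Name -join ", ") }
}
```

The final listing is the quick way to spot an account that quietly ended up in Administrators; only the account you intend to select in the Incoming Connection wizard should be a plain member of Users.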

Open up the Network and Sharing Center by typing Network and Sharing in the Type or talk box > select Network and Sharing Center, or go to your desktop > right click on the desktop Network icon > arrow down to select Properties at the bottom of the menu.
On the left menu click on Change Adapter Settings > (NOTE: by default the File menu is not available; click on the Organize drop-down on the top left > arrow down to select Layout > check Menu bar), click on the File menu and arrow down to select New Incoming Connection… > the Allow connections to this computer dialog will appear.
  • Under User accounts on this computer: select the user(s) that you want to have access to your Windows VPN server, then click Next. (Warning: Make sure the accounts you select are NOT administrative accounts.)
  • In the next dialog leave Through the Internet checked, Next > the next dialog will ask you to check the types of networking for which you want to allow incoming connections > leave Internet Protocol Version 4 (TCP/IPv4) selected and I think you should check Internet Protocol Version 6 (TCP/IPv6). I don’t see anything wrong with enabling IPv6 for incoming connections to your VPN server. If anything, we should uncheck IPv4, but let’s keep things simple and go with the default. Checking IPv6 may require a change in your router to enable that.

Windows also selects File and Printer Sharing for Microsoft Networks and QoS Packet Scheduler by default. The File and Printer Sharing allows VPN connections to access shared files and printers on your network, and QoS prioritizes network traffic, which will improve streaming video or playing music through a VPN connection. As we discussed in detail in my book, QoS provides an intelligent allocation of bandwidth between applications so if you do not plan to use your VPN connection to stream or play music, disable this; the same holds true for File and Printer Sharing. Any service you enable that is not needed is a security hole that can be exploited.
  • Click on the Allow Access button at the bottom; your VPN server will now allow incoming connections. You may have to refresh the window by right clicking on the white space and selecting Refresh for the connection to show up.
  • Windows 10 Pro then displays your Computer name: xxxxxxx. Write it down, because clients will need to know it to connect > Close.
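Earlier the post noted that everything was safe because the VPN server was not yet listening; after Allow Access it should be. The following added check (not part of the original post) confirms that from PowerShell. It assumes, as the post states, that the server listens on TCP port 1723, and that the listener belongs to the Windows Routing and Remote Access service, whose service name is RemoteAccess.

```powershell
# Added example (not from the original post): confirm that the Incoming
# Connection you just created is actually accepting connections.
# Assumptions: the VPN server listens on TCP 1723 (the port the post names);
# the backing Windows service is RemoteAccess (Routing and Remote Access).

function Test-VpnListener {
    param([int]$Port = 1723)

    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $listener) {
        Write-Warning "Nothing is listening on TCP $Port; the incoming connection is not active yet."
        return $false
    }
    $proc = Get-Process -Id $listener[0].OwningProcess
    Write-Output ("TCP {0} is listening on {1} (PID {2}, {3})." -f `
        $Port, $listener[0].LocalAddress, $proc.Id, $proc.ProcessName)
    return $true
}

# 1. Listener check.
$null = Test-VpnListener

# 2. State of the service that backs incoming connections. If the listener is
#    missing, this is the first thing to look at.
Get-Service -Name RemoteAccess | Select-Object Name, Status, StartType

# 3. Which hosts have tried the port recently: a quick view of established or
#    half-open sessions on 1723 besides the listener itself.
Get-NetTCPConnection -LocalPort 1723 -ErrorAction SilentlyContinue |
    Where-Object State -ne 'Listen' |
    Select-Object RemoteAddress, RemotePort, State
```

Run this before you touch the router: if step 1 reports no listener, forwarding the port would only expose a closed door, and if step 3 already shows remote addresses you do not recognise, the port is reachable from further afield than you intended.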

WARNING

Anytime you go mucking around with your network settings things can go wrong. If you lose your Network Connection try doing a system recovery back to your last known settings.

If you right click on the Incoming Connections icon that you just created and select Properties, you will see three tabs at the top titled General, Users and Networking. On the General tab make sure that under Virtual private network, Allow others to make private connections to my computer… is checked > on the Users tab check the users that you are going to allow to connect > decide how you want to allow them to connect by checking Require all users to secure their passwords and data or Always allow directly connected devices such as handheld computers to connect without providing a password.

Above is the bare minimum you should do to ensure the security of your VPN server. If you really want to lock things down consider creating a port forwarding rule that forwards a random "external port" to the "internal port" 1723 that the Windows VPN server is listening on. This will protect you from crackers who use automated hacking tools that attempt to connect to VPN servers through the default port.

In my book's chapter on how to set up your router, we went into detail about how to lock down your local area network. We did things such as only allowing wireless devices with known MAC addresses to connect to your router, disabling SSID broadcast, and much more. If you know you will be using the same hotspot that has a static IP address, we can configure our router to only accept a connection from that specific IP address. Log in to the router as 'admin' > click on the Advanced tab > on the left expand Advanced Setup and select Remote Management > check Turn Remote Management On and begin entering the IP addresses that you want to allow to connect to your router and VPN server in your local network. You can also use your VPN server firewall rules to only allow connections from specific IP addresses.

Now you need to set up your VPN Windows 10 Pro firewall to accept connections on port 1723. The website http://www.thewindowsclub.com/configure-vpn-connection-windows has an excellent description of how to do this but you will miss all the fun with cryptic Windows error messages getting your VPN client working... just kidding. After all, why go through all that pain when you have ThatCyberSecurityGuy, LLC to plow the road for you.
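The two ideas in the last two paragraphs, opening the Windows 10 Pro firewall for port 1723 and limiting who may reach it to a known source address, combine naturally into a pair of firewall rules. The example below is added here and is not the post's or the linked site's code. It assumes 203.0.113.25 (a documentation address) stands in for your hotspot's static public IP, that the rule names are placeholders, and that you run it elevated on the VPN server. Port 1723 is the control channel of the PPTP protocol that Windows incoming connections use; the tunnel data itself travels over GRE (IP protocol 47), which has no port number, so a rule for it is included as well.

```powershell
# Added example (not from the original post): allow the VPN server's inbound
# traffic through the Windows firewall, but only from one known source address.
# Assumptions: 203.0.113.25 is a placeholder for the hotspot's static public IP
# (a CIDR range such as 203.0.113.0/24 also works); run from an elevated prompt.

$Allowed = "203.0.113.25"   # placeholder: your hotspot's static IP or range

# Control channel: TCP 1723, only from the allowed address. Omitting
# -RemoteAddress would open the port to the whole Internet.
New-NetFirewallRule -DisplayName "VPN server - TCP 1723 from hotspot" `
                    -Direction Inbound -Protocol TCP -LocalPort 1723 `
                    -RemoteAddress $Allowed -Action Allow -Profile Any | Out-Null

# Tunnel traffic: GRE (IP protocol 47). Without this rule the client
# authenticates on 1723 but the tunnel never comes up.
New-NetFirewallRule -DisplayName "VPN server - GRE from hotspot" `
                    -Direction Inbound -Protocol 47 `
                    -RemoteAddress $Allowed -Action Allow -Profile Any | Out-Null

# Review what was created. Any rule whose RemoteAddress reads "Any" is wider
# than intended and should be tightened before the router forwards the port.
function Get-VpnFirewallRuleSummary {
    Get-NetFirewallRule -DisplayName "VPN server - *" | ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Profile       = $_.Profile
            RemoteAddress = ($addr -join ", ")
        }
    }
}
Get-VpnFirewallRuleSummary | Format-Table -AutoSize

# To drop the rules again (for example before re-testing with the firewall
# disabled as the next paragraph suggests):
#   Get-NetFirewallRule -DisplayName "VPN server - *" | Remove-NetFirewallRule
```

Scoping the rules to a source address is the most effective of the lock-down measures the post lists, because the password-based authentication PPTP relies on is old and gives little margin if an attacker can reach the port at all; the fewer hosts that can reach 1723 and GRE, the less that age matters. If your hotspot's address changes, the rules must be updated (Set-NetFirewallRule -RemoteAddress) or the client will be refused.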

At this point I suggest you just disable your Windows 10 Pro server firewall and make sure you can establish a local client VPN connection behind your hardware firewall. When we set up the client we will cover all the things that can go wrong if you skip any of the steps I covered above.
