Lockdown Remote Desktop

For a while, I was a brilliant human and exposed my 3389 port to the world (3389 == default Remote Desktop port). So what alternatives do you have for securing yourself while enabling Remote Desktop over the interwebs? There are 6 main ways to accomplish this:

1. VPN

You knew this one was coming, didn’t you? And this is not the most eloquent way to say this, but: if you don’t want STDs or kids, wrap it up. Now convert STDs to attackers on the internet and kids to the lifetime of un-recoverable data in some cases or things published to the world you didn’t initially intend to have published. But wait, how did that relate to a VPN? VPN is the condom, you are… the other part in the condom. Sincerest apologies for the analogy. The future bullet points won’t be so crude.

2. SSH Tunnel

It took me a long time to actually USE this method, but it is SO FREAKING EASY! Set up a server/ firewall/ switch to have port 22 exposed. Download and install PuTTY. Type in the port your SSH server is exposed on. Before clicking anything else, expand Connection>SSH>Tunnels, then type 3388 in the Source port field. Destination type: where 192.x.x.x is the IP of the device you want to connect to, 3389 is the RDP port. Click Add.

Now go back to Session and make sure you have the IP address or domain you will connect to on port 22. I’d recommend clicking “Save” at this point so you don’t have to type all of that in again. Now click Open and connect to your remote device. You DO have to log in!! Once you’ve logged in, just open Remote Desktop and type where 3388 is the port you chose in “Source port” in the previous step. Congratulations, you’ve connected over an SSH tunnel.

3. Firewall

Firewalls are good stuffs. You can use the built-in Windows Firewall, your network firewall (like pfSense), or something further out of bounds. Regardless of your choice, if you limit the rule to only the IPs you need, this is a fairly safe route as well. And while you’re at it with this one, why not move RDP to a custom port in there too?

4. Alternative software

There are software utilities like RDSKnight out there that you could technically use to accomplish this same thing. It has a few more built-in tools than just a firewall, like geo-blocking, user restrictions, time restrictions, etc. Or maybe TeamViewer/ ScreenConnect/ or some other utility similar in function?

5. Two Step Authentication

Let’s say you do decide to leave yourself exposed. At least try something like Duo.

6. Don’t open it at all.

Admittedly, you don’t have to open it at all. At the end of the day, you do you!

Change all users to an alternate domain suffix

In Active Directory Users and Computers, right click Queries> New. Give it a name, then click “Define Query”. Stay on the “Users” tab. Select “Is not” and type an invalid name like testtesttest. Click OK, OK. It should return a result with all users whose name is <<not>> testtesttest. Select all, right click> Properties. Go to the Account tab> check “UPN Suffix” and change it to the appropriate suffix. That’s it! There are PowerShell methods to do this too, but when handling hundreds of user accounts you have to be absolutely careful in PowerShell. There are solutions online that work fine that I am not going to post here. This is purely for the GUI. Good luck!

Set up Blue Iris Surveillance software with IFTTT

I have two cameras for which I’d always like a notification if I’m not home. Initially I set this up to always send me an alert, but as you can imagine, my phone blew up with me walking around. Blue Iris has a neat feature which is simply a traffic light. If red, it will disable various things including recording (not desired for me in this case), but it can also disable alerts. I selected to only disable alerts if the traffic light is red. In the past, I had never used this feature. So here’s a brief how-to.

Click the settings button and modify the settings as illustrated.

Set User Account that will perform this action.

Set Traffic Signal to Alerts Only

Verify web server port & disable Secure only for the web server

  1. On your server computer (the Blue Iris Windows machine), install something like WAMP or XAMPP to handle web requests.
  2. After the install, set up a script similar to this one in PHP (create a file with a name of your choice and a .php extension). Once you’ve created the script, drop it in your htdocs directory in WAMP or XAMPP; for example, my directory is C:\Bitnami\wampstack-7.1.19-0\apache2\htdocs
<?php
$home = isset($_GET['home']) ? $_GET['home'] : ''; // get and set variable for the home status.
$my_file = 'log.txt'; // store logs so we know if our server is being used improperly and by whom

if ($home == 'true') {
	$handle = fopen($my_file, 'a') or die('Cannot open file:  '.$my_file);
	$data = date("Y.m.d.h.i.s") . ' on requesting ip: ' . $_SERVER['REMOTE_ADDR'] . ' Request to set RED.' . "\r\n";
	fwrite($handle, $data);
	fclose($handle);
	// the request that tells Blue Iris to set the traffic signal to red (0) goes here
	echo "home";
} elseif ($home == 'false') {
	$handle = fopen($my_file, 'a') or die('Cannot open file:  '.$my_file);
	$data = date("Y.m.d.h.i.s") . ' on requesting ip: ' . $_SERVER['REMOTE_ADDR'] . ' Request to set GREEN.' . "\r\n";
	fwrite($handle, $data);
	fclose($handle);
	// the request that tells Blue Iris to set the traffic signal to green (1) goes here
	echo "away";
} else {
	// anything other than true/false is logged as a failed request so misuse shows up in log.txt
	$handle = fopen($my_file, 'a') or die('Cannot open file:  '.$my_file);
	$data = date("Y.m.d.h.i.s") . ' on requesting ip: ' . $_SERVER['REMOTE_ADDR'] . ' FAILED REQUEST!!! Request: ' . $home . "\r\n";
	fwrite($handle, $data);
	fclose($handle);
	echo "invalid";
}
  3. Now let’s explain the URL in there so you can get an idea of what is happening and how Blue Iris is interpreting it.
    1. 8080 is the port you’ve set Blue Iris to.
    2. User is the user account you create in Blue Iris.
    3. PW is the password for said account (recommended: restrict this account to admin tasks only, with no viewing rights or anything else).
    4. Signal is the traffic symbol, where 1 is active (green) and 0 is inactive (red).
  4. Now if you browse to your localhost URL you should have a value returned. In this case, you should see “away” in your web browser. If you see this, your PHP script is working. Blue Iris at this point should also change the animation in the traffic symbol.
  5. Let’s take a moment to understand all of what just happened and why. You set up a web server with a script to change the alert status on the local Blue Iris machine. Now you’ll need to expose the web server to the internet (or, if you’re security-aware, set it to only work with IFTTT’s IP addresses). I won’t outline this step as there are too many router combinations, but you need to port forward to your web server.
  6. IFTTT is super easy! Just log in, select Location for the “this” (enter an area and set it appropriately for your home) and a webhook for the “that”, in which you put your IP/ domain, something like x.x.x.x:PORT/myphpfile.php?home=true for enter and home=false for exit. You will create 2 webhook applets, one for enter and one for exit, each with the appropriate URL.

This guide is somewhat advanced as it assumes you know/ can port forward and you have a static IP or a domain set to change with your IP.
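As an added example (mine, not the post’s script), here is the same toggle endpoint with the protections the post hints at made concrete: a source-IP allowlist, a shared secret in the webhook URL checked in constant time, strict validation of the home parameter, and a log kept outside htdocs so log.txt is not itself downloadable from the web. The secret, the allowlisted addresses and the Blue Iris account are placeholders you replace, and the /admin path on port 8080 taking user, pw and signal is Blue Iris’s admin interface as I know it, so treat that URL as an assumption to check against the Blue Iris manual.

```php
<?php
// Added example, not the post's script. Placeholders to replace before use:
// SHARED_SECRET, ALLOWED_IPS (IFTTT's egress addresses), BI_USER and BI_PW.
const SHARED_SECRET = 'REPLACE-WITH-A-LONG-RANDOM-STRING';
const ALLOWED_IPS   = ['203.0.113.10', '203.0.113.11'];      // placeholder addresses
const BI_URL        = 'http://127.0.0.1:8080/admin';         // port 8080 as in the post; /admin path assumed
const BI_USER       = 'ifttt';                               // placeholder: the restricted Blue Iris account
const BI_PW         = 'REPLACE-ME';
const LOG_FILE      = __DIR__ . '/../logs/home-toggle.log';  // outside htdocs, so it is not web-readable

function log_line(string $msg): void {
    $line = date('Y.m.d.H.i.s') . ' ip=' . ($_SERVER['REMOTE_ADDR'] ?? '?') . ' ' . $msg;
    $line = preg_replace('/[\x00-\x1F\x7F]/', '', $line);  // strip control chars so a request cannot forge log lines
    file_put_contents(LOG_FILE, $line . "\r\n", FILE_APPEND | LOCK_EX);
}

function deny(int $code, string $why): void {
    http_response_code($code);
    log_line('DENIED: ' . $why);
    exit('denied');
}

// 1. Only the allowlisted source addresses get past this line (the post's "only work with IFTTT IP addresses").
if (!in_array($_SERVER['REMOTE_ADDR'] ?? '', ALLOWED_IPS, true)) {
    deny(403, 'source not in allowlist');
}

// 2. Shared secret carried in the webhook URL (...&token=...), compared in constant time.
if (!hash_equals(SHARED_SECRET, (string)($_GET['token'] ?? ''))) {
    deny(403, 'bad token');
}

// 3. Accept exactly the two values the applets send: home=true -> red (0, alerts off), home=false -> green (1).
$signals = ['true' => 0, 'false' => 1];
$home    = (string)($_GET['home'] ?? '');
if (!array_key_exists($home, $signals)) {
    deny(400, 'FAILED REQUEST home=' . $home);
}
$signal = $signals[$home];

// 4. Forward the signal to Blue Iris with a short timeout; the account password never leaves the server.
$query = http_build_query(['user' => BI_USER, 'pw' => BI_PW, 'signal' => $signal]);
$ctx   = stream_context_create(['http' => ['timeout' => 5]]);
if (@file_get_contents(BI_URL . '?' . $query, false, $ctx) === false) {
    deny(502, 'Blue Iris did not answer');
}
log_line('Request to set ' . ($signal ? 'GREEN' : 'RED'));
echo $signal ? 'away' : 'home';
```

The two IFTTT applets then call myphpfile.php?home=true&token=... and ?home=false&token=..., and any request from an unexpected address or with a wrong token is refused and logged rather than acted on.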

The Importance of Data Security

Data security is as important now as it has ever been. People don’t realize how imperative it is, and lazy IT personnel don’t care enough to do it right from the beginning. I can’t tell you how many times I’ve been to a doctor’s office only to see them walk away with their computer unlocked, or a network attached storage array/ enclosure sitting out in the open behind the secretary’s desk. You can’t even begin to imagine how sick it makes me to see these things happen. And the doctor’s response when I point it out? “It’s encrypted”. Ah, okay, so the data at rest is encrypted? The traffic between computer and server is encrypted? And this encryption means that if I fell on the floor and sneakily plugged in a flash drive with malware or a keylogger to compromise your system, I wouldn’t get any useful data? Does this mean that if the secretary ran to the restroom, leaving the front area unattended, I could grab the NAS and run but wouldn’t be able to access the data? I feel that at least 1 or 2 of the questions I just asked have an answer that rhymes with “no”. This is the same with Equifax’s recent data breach. IT systems are just run and left running because they work. They aren’t reviewed properly, and in many cases finding the right tool to monitor important things is not easy. Or the tool is there but it is not turned on. Or the tool could be used but produces so much overhead that it doesn’t get turned on at all. Breach after breach, we (as humans) just don’t take the time we should to secure our data.

As the IT for several companies, I do what I can to ensure we aren’t over-exposing our customers and we lock down anything we are able to in order to prevent breaches as much as possible. Hopefully the breach with Equifax will blow over as quickly as possible. Until then, do what you can to protect yourself!

One thing I didn’t see mentioned too well on the sites I was reading about this and “how to protect yourself” is that most banks offer a form of identity theft protection. I’d recommend you take advantage of it. For example, Members Preferred Credit Union offers it for just $1.95 a month (credit union in Idaho Falls).

CNBC provides a decent infographic of what you can do to protect yourself:


To place a fraud alert, these are a couple of the sites you might use:



I’d tell you the one for Equifax, but I’m not feeling confident about entering data on any of their forms for some reason. Aside from the obvious large elephant in the room, I’m not sure why anyone would feel that way?

To find your current credit report from any of the 3 agencies, use annualcreditreport.com (you should check this periodically anyway to stay in control of your finances).

Use links above at your own risk.

Surveillance Cameras & Software Reviews

Surveillance is becoming increasingly popular in households in the United States. I’m not actually basing that on stats online though. I take walks in the evenings and every other house has cameras. It’s definitely a new thing of the future. Cameras are getting cheaper and better. Software is becoming more available and more affordable. I’m just going to discuss quickly a few cameras and the software I’ve used as well as my thoughts on them. Let’s first discuss cameras.

The question to ask is “Digital/IP or Analog/Coax”?

Designed by Freepik
CCTV security camera in city of China.

The first system I bought for my house about 3 years ago was a LaView analog system for about $300 on Newegg that came with 4 bullet cams. Quite honestly, compared to other cameras I’ve used in the past, I thought the quality was pretty amazing. Over time, I added cameras to fill up the 8 channel system. The quality is good for a basic home system. Not so good for catching the details. It records on a 3TB hard drive for about 2 years on high quality for each of the cams. The support for LaView is by far the worst I’ve experienced and I’d have to recommend against their brand simply for that reason. Today, the cameras are still running and I still like them. Occasionally the DVR stops recording but continues streaming live feeds, so you don’t actually know until you want to look up video. Thankfully, the RTSP streams keep working during this time. How does that help exactly? The stream can be fed to network recording software such as iSpy or Blue Iris. It gives you redundancy over the cameras in case one of the systems fails. The software is also what you might use to record video streams from Digital/ IP cameras.

Let’s talk about Digital or IP cameras. I started off purchasing ELP cameras (cheap Chinese versions) for about $30-40. They work and the quality is clearer than that of my LaView analog system, but due to the quality, the angle was not as wide as advertised and getting them to work initially was... involved. I didn’t gain confidence in those cameras at first since I wasn’t recording to a dedicated machine. I later discovered they are really only capable of broadcasting a low and a high quality stream. Once each of those two streams is attached to a recording device, another recording device cannot pick up the streams anymore (i.e. surveillance software as well as a remote viewer for the camera). Recently, I’ve purchased a 4MP camera for about $80. The quality of that camera when compared to the ELP cameras is outstanding. First of all, these guys have done AMAZING work at making the camera visible over the network. Second, I’ve had it connected to 3 systems simultaneously and the stream just doesn’t fail. It’s one of the most resilient cameras I’ve found so far within the home camera systems. As a matter of fact, it is always the first camera to connect to my software.

What software should I use?

Speaking purely in terms of home use, there were 3 major contenders in the race. There are many brands, but these were the ones I found to be affordable, easy to use, and reliable.

  1. iSpy | This software is free unless you want to have remote viewing enabled. I’ve used this software for probably 3-5 years now and it has been great for what I’ve needed.
    • Pros: It is free. There is local viewing through a web browser (sometimes flaky). It seems to keep running. It has crashed a few times, but it restarts itself quickly. Supports many cameras. Ability to buy a subscription to get some additional features. Many options available.
    • Cons: The software can take a while to connect to all cameras (outside of the fact that the cameras sometimes take time to connect). It’s updated regularly (seemingly too often actually) and new features are seldom added from what I’ve seen. There have been some minor interface changes, menus combined, lots of new cameras supported (all great things), but just no new facelift to the interface. I think their main focus is making it work online more so they can bring in cash flow through subscriptions (I don’t blame them). It takes a long time to get the settings tuned in just right to get the effect you are after. Sometimes video doesn’t record correctly and renders a corrupt recording file.
  2. Blue Iris | I’m usually not one for paid software, so it took me a long time to actually test out this software. It is about $60-70 for a full license (no subscriptions, thankfully). This is my new first choice.
    • Pros: Fast, sleek looking, web interface for remote viewing, updated regularly, works with a wide range of cameras, lots of features, lightweight on computer resources, high quality recordings, user friendly GUI, 64 bit, inexpensive, great online documentation and user manual.
    • Cons: No free version. The light edition only supports 1 camera, or you buy the full version supporting 64 cameras (a little more choice would be great on the pricing model). Support can be somewhat rude (check out the forums and the way the staff member responds to people). No viewing of AVI files through the software or while the file is being recorded. You have to use the native BVR format for easy playback.
  3. Milestone XProtect | Free for up to 12 cameras on a subscription license. Professional software. This would be my second choice. Crazy, I know, but their pricing model doesn’t feel solid. I feel they may attempt to change the plan to restrict what the “free users” get since it’s a subscription model.
    • Pros: Fast, professional, clean, easy to use, automated, used in large corporations, supports up to 12 cameras with unlimited recording time.
    • Cons: Expensive. Subscription license. Records to a proprietary format that requires having the software to view it. “Lost connection” messages with the client, though it does seem to keep recording.

With the rising popularity of cameras in residential settings and the multitude of options, my personal recommendation would have to be Blue Iris on a dedicated computer with 4 Megapixel Digital IP Cameras. I wouldn’t recommend analog cameras as much anymore unless you want a cheap system to get a general idea of what is happening in an area. Even with the ELP cameras, I can get a license plate number which would be harder to achieve with analog cameras in the home price range. I personally wouldn’t spend a lot of money on a higher quality analog system since the way of the future is in the digital cameras.