gtOrenoPC - Secure Remote Desktop Gateway

[To Japanese page]

gtOrenoPC is a Windows application that enables very secure remote desktop access over the Internet. If you have a Windows XP Professional or already installed a VNC (free remote desktop application), you can install gtOrenoPC onto your home PC in a few minutes and your PC is ready to be made accessible over the Internet in a very secure way.

On PCs that you will use to access your home PC, you don't need to install anything besides a standard Java 5 or later. Just point your browser to gtOrenoPC running on your PC and log in.

Threats Are Real

Windows Remote Desktops and Terminal Services are gaining popularity, so are the security (cracking) tools for them.

Password Guessing Tools for RDP

There are several tools that can be used for cracking into RDP systems. TSGrinder, and TSCrack are famous ones. These tools can be readily used to find the password for "Administrator".

By the way, when was the last time you typed Administrator's password on your Windows XP Professional? Oh, you don't have "Administrator" account on your Windows? You should have it unless you already renamed it. Windows XP just hides it not to confuse end users, but WITHOUT DISABLING IT. And because it has administrative privilege, "Administrator" can log in via Remote Desktop by default. "Administrator" is also immune to account lockout that results from excessive login attempts.

Password Guessing Tools for VNC

Standard VNC passwords are just too weak it's not worth describing it here. There are a couple of VNC variants that have enhanced password mechanisms but most are set up by default to accept standard VNC passwords for compatibility with wide range of VNC client programs.

Security features offered by gtOrenoPC:

Authenticates users who try to remotely access your desktop.
Lets you to define multiple users and their own passwords.
Encrypts communication channels for remote access with SSL.
Logs all remote access attemps to your desktop.
You only need a single public IP address and need to open only a single TCP port(443) even if multiple remote desktop applications or PCs are to be remotely accessed.
Powerful IP-based access control.
IIS is not needed for Remote Desktop Web Connection (TSWeb). gtOrenoPC will serve the TSWeb component and also tunnels RDP protocol in HTTPS port.
You will use existing unmodified versions of your remote desktop products.

For technical details, see Technical Comparison section down below.

Download

As of version 1.0, gtOrenoPC has become a shareware product from Orenosv.com.

Go to Orenosp Secure Reverse Proxy Download Page to download latest version of gtOrenoPC. You can purchase a license on the same page.

Windows XP SP2 Compatibility Issue: please see here

Required software other than gtOrenoPC

Since gtOrenoPC itself is not a remote desktop software, you have to have either one of the following remote desktop applications on your home PC.

Windows Remote Desktop or Terminal Services
Windows Remote Desktop comes with Windows XP Professional. Terminal Services come with Windows Server 2003 or Windows 2000 Server.
a VNC software
A VNC application is a free alternative remote desktop applications for both Windows and Unix. Ultr@VNC is a Windows optimized version of VNC. There are other VNC programs, like TightVNC and RealVNC.

On your client PCs (connecting to your home PC via the Internet), you need to have a Java Run time installed.

You can download Java from http://www.java.com/. Required Java Version (Detail) : Java Version 5 (JRE 5.0) or higher.
You also need a client-side software for remote desktop acess. For Windows Remote Desktop, client software comes with Windows XP or later.

Documentation

Readme (English) - Installation and Configuration

System Requirements

Your home PC

Windows XP SP2 or later
Windows Server 2003
(Windows NT 4.0 SP6a, no longer supported unless requested)
(Windows 2000 SP1 or later, no longer supported unless requested)

PCs you use to access your home PC

A browsesr with Java runtime 5 or later installed.

Discussion forum

BBS forum for questions/discussions regarding gtOrenoPC:
New Orenosv.com Forums: http://orenosv.com/bb/

Developed and Offered by

gtOrenoPC is developed and marketed by Kousec Software, Inc.. For the transfer from Orenosv.com in May, 2009, please see this notice.

Other Information

The core of gtOrenoPC is based on Orenosp Secure Reverse Proxy. gtOrenoPC is intended as a demonstration of how you can create a customized solution based on Orenosp Secure Reverse Proxy.
"gtOrenoPC" is pronouced as "Go To Oreno PC" :-)

Credits and Copyrights

gtOrenoPC uses OpenSSL Toolkit developed by the OpenSSL Project (http://www.openssl.org/).
A full package of TightVNC java client is bundled with gtOrenoPC package for your convenience. You can find copyright information for TightVNC client under "vnc_orig" directory.

Technical Comparison

	Without a centrally managed security gateway	With gtOrenoPC
Firewall / Router Configuration	Each time a new PC is added for remote access, you need to configure your firwall to 1) open up a dedicated TCP port for the PC, 2) define a forward rule for the TCP port to a fixed IP address.	Simply open a single fixed TCP (usually 443) and forward it to the gtOrenoPC gateway PC, and you are done with FW. You do need to configure gtOrenoPC, but it can give you many flexible options. gtOrenoPC maps a "destination label" to a hostname and resolves the hostname into an IP address which may be assigned by DHCP.
User Authentication	Not centrally managed. End users may use a simple shared password. Also, how user authentication data is sent across over the Internet is very important. Even when session data is encrypted, generally the user authentication occurs before that. If your vendor says that only password hashes are sent and does't give more details, you should just ask for SSL/TLS for safety.	You can specify multiple users with their own passwords, all centrally managed on gtOrenoPC gateway. You can optionally use Windows passwords to validate users passwords. All user authentication data will be sent over SSL/TLS.
User Access Control	Once you configure your FW, the end user for the PC decides all. You can only enable or disable forwarding on FW.	You can specify a unique access control list for each remote desktop PC in the LAN, all centrally managed on gtOrenoPC gateway. Of course, the end user can additionally restrict access to their PC.
Encryption	Maybe proprietary "encryption". Generally, if your vendor says they have "N-bit encryption" or "Famous-Crypto-Algorithm-Name encryption" without giving you details about how enryption key are generated/exchanged, you should just ask for SSL/TLS support, or you may want to wrap it around with IPSec or SSL tunnels. See RDP encryption vulnerability	Uses open-standards based SSL/TLS, which is proven by crypto and IT security experts
Audit Logging	Access records are accumulated on every remote-accessed PC. If the disk overflows, the end user may simply disable access logging or erase the access log.	Two kinds of access records are logged on gtOrenoPC gateway, one is in industry-standard Web server format (CLF), the other is for usage statistics (useful for accounting, etc). You can control how much access records will be retained.

Specific Comparison with VNC-only Scenario

	VNC alone	VNC + gtOrenoPC
User Authentication	Many VNC variants only have a simple single password protection, which isn't protected over the communication channel.	In addition to the VNC authentication, gtOrenoPC can enforce centrally managed user identification and authentication.
Encryption	Many VNC variants don't have any encryption. Many people use SSH tunneling, whose security is pretty good but lacks FW-friendly port aggregation and it's not suited to wide range of end users.	SSL/TLS.
Audit Logging	Some VNC variants have access logging.	Access log is centrally retained on gtOrenoPC gateway.

Specific Comparison with Remote Desktop or Terminal Services only Scenario

	Windows Remote Desktop or Terminal Services alone	RDP + gtOrenoPC
Firewall / Router	Open one TCP port on firewall and done. Windows Remote Desktop (or Terminal Services) Web Connection will not solve firewall or NAT issues. It's just like VNC Java applet client, that is, it is just a package to allow you to download necessary client files from IIS. After that, you are on your own.	gtOrenoPC will solve firewall, NAT and proxy issues both at server side and client side.
Encryption	A custom encryption protocol using RC4.	SSL/TLS.
Audit Logging	Does Windows Remote Desktop have a logging feature? I haven't even cared. Terminal Services, probably yes.	If you manage several Remote Desktop and Terminal Services PCs, you will need centralized access log management. See general comparison

Kousec Software, Inc.