Remote desktop access colocated Windows server?

I am planning to deploy a Windows server running a web application into a colocation for the first time. I have already run IIS lockdown and done a number of other security tweaks based on advice from the smart folks here on the site.

So now I am wondering what I do for providing secure remote desktop or similar access to the machine for tweaking and manipulating the app online, taking the app offline, etc. Do I ask the provider to set up some sort of whitelist allowing my office IP forward to the RDP port, or do I need to provide hardware or other software to lock the box?

If there is a similar question or tip, point the way and I will close this question.


When your server's in the colo does it just have Internet access, or do you also have a LAN extension or similar private circuit to manage it over? If so, then it's a non-issue and RDP won't be a problem. If not, then I'd definitely recommend locking RDP down past the defaults; different port, oddly-named Admin account with a strong password and a restriction on which IP addresses can connect to the service.
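The port change and source-IP restriction suggested above, sketched in PowerShell as an added example that is not part of the original answer. It assumes Windows Server 2012 or later with an English-language install; the address, port and rule name are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original answer. Assumes Windows Server 2012+ and the
# English rule group name 'Remote Desktop'. All values below are placeholders.

$AllowedSources = @('203.0.113.10')       # constructed: public IP(s) of your office
$RdpPort        = 3390                    # constructed: non-default listening port
$RuleName       = 'RDP from office only'  # hypothetical rule name
$RdpTcpKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Refuse to run with an allowlist that would leave RDP open to everyone.
if (-not $AllowedSources -or $AllowedSources -contains 'Any') {
    throw 'Set $AllowedSources to specific addresses before running.'
}

# 1. Move the listener off TCP 3389. This takes effect when Remote Desktop Services
#    (TermService) restarts; do that from the console or in a maintenance window,
#    because restarting it drops the current RDP session.
Set-ItemProperty -Path $RdpTcpKey -Name PortNumber -Value $RdpPort -Type DWord

# 2. Create (or update) an allow rule scoped to the office addresses only.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $RuleName -LocalPort $RdpPort -RemoteAddress $AllowedSources
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $RdpPort -RemoteAddress $AllowedSources | Out-Null
}

# 3. Disable the built-in rules that admit RDP from any address on 3389.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' } | Disable-NetFirewallRule

# 4. Verify: list every enabled inbound allow rule that names either RDP port,
#    with the source addresses it admits. Rules whose port is 'Any' are not listed.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
    if ($ports -contains "$RdpPort" -or $ports -contains '3389') {
        [pscustomobject]@{
            Rule = $_.DisplayName
            Port = $ports -join ','
            From = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    }
}
```

If the verification output shows any rule with `From` set to `Any`, RDP is still reachable from the whole Internet on that port.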


In principle, RDP uses encryption, so you could just use it over the Internet as-is. However, it has a history of security vulnerabilities, and it's probably best to leave encryption to a dedicated protocol.

So I'd recommend setting up some kind of extra encryption, either a VPN, or an SSH tunnel or similar. Then you can use RDP across that.

See for example "Remote Desktop over SSH to Windows 7 box" for using RDP over SSH. SSH is probably easier to set up if you need it just for RDP. If you need to access other services as well, a VPN might be more appropriate (but then, you can access everything locally over RDP anyway).

Restricting access by IP is an additional security measure, but also severely limits your ability to access the system. With a VPN/SSH tunnel, I don't think it's necessary.