MD-100 Microsoft Windows 10 Topic: Configure remote connectivity
December 14, 2022

1. Understanding Virtual Private Networks (VPNs) in Windows 10

I want to spend some time now talking about the concept of a VPN. Okay? So you’ve seen this drawing before. In this case, you’ll notice we’ve got our Microsoft domain here. We got our client computers, and we got a file server. We could have other servers involved. We’ve got domain controllers and all that fun stuff. But imagine a situation where we have somebody who is outside the environment, and this person needs to be able to remote into our environment and get access to resources.

Okay? Previously, people would simply open up all of their ports on their router, firewall, or whatever. A lot of companies didn’t even have firewalls, so anyone could connect and access the file server and everything. That’s really dangerous. I remember at one of the very first companies I ever worked for in IT, I was able to share a folder on my office computer, and it had a public IP address, allowing me to remote in from home. I was able to dial up to my ISP from home and connect to that computer. That’s super dangerous nowadays, right? You don’t ever want to expose all of your stuff internally like that. So we’re going to allow people to get in from the outside world, but we need a way to police that. Now, the way we would do that traditionally in Microsoft is to set up a server called a RAS server.

RAS servers can support VPNs. You can also do this thing called “DirectAccess,” which is another secure way to do it. However, this RAS server will allow someone to connect securely, okay? And even if you have somebody sniffing traffic, let’s say that this guy right here is going to be this little guy I’m going to draw; he’s going to be our hacker. All right? So let’s give him some devil horns and make him look mean, right? All right, so here’s our little bad guy. Here’s his little devil tail. Okay? All right, maybe I’m getting a little carried away here, but anyway, that’s our hacker. So we’re attempting to ensure that this person does not listen in on what your user is doing while passing through here. So the great thing about it is that if you establish a VPN connection, it’s called a “virtual private network tunnel.” And that VPN connection is going to encrypt all of your traffic. Okay?

So what would happen is that you would only open the firewall here to allow this VPN connection to come in. The person could then connect to the file server, talk to domain controllers if necessary, and so on. The person will have to authenticate. You could combine it with smart cards and biometrics. You can do all sorts of things to secure that, but that’s what this tunnel is going to do. So even if this person is eavesdropping on what you’re saying, they’re not going to be able to understand all the stuff that’s going back and forth because it’s all going to be encrypted. Okay? Now, how does Microsoft go about doing that? Microsoft has what are called VPN tunnelling protocols. All right, I’m going to put these in order on the screen. From oldest to newest, the first one is called PPTP, and this is the oldest one. It stands for point-to-point tunnelling protocol. This one was created in a joint venture between Microsoft and Cisco back in the mid nineties.

It was the very first protocol that supported it. The problem with it is that this one does not provide integrity or authenticity for your traffic. That means that if this hacker was to do what’s called a “man-in-the-middle” attack and they got between you and the inside world, they could trick you into thinking you’re talking to the inside world, and then they could alter what’s being said. Your information does get encrypted, which is good, but it doesn’t provide the level of security that you would want in a high-security environment. So you really shouldn’t use PPTP, okay? It is vulnerable to man-in-the-middle attacks because it lacks integrity. So in Windows 2000, in the year 2000, Microsoft released the Layer 2 tunnelling protocol, L2TP. And it actually wasn’t just Microsoft; it was Cisco as well. Cisco and Microsoft worked on this one together. So this one uses what’s called IPsec, which is very secure. IPsec is going to provide encryption, integrity, all that. The only downside to L2TP is that you have to open up a couple of extra ports on your firewall to get it to work. And it’s also not the fastest protocol out there, but that one has been around for over 20 years. Then, in 2008, Microsoft came out with SSTP. This is the secure socket tunnelling protocol. And what this will allow you to do is use SSL or TLS, which is newer and more secure, for encryption. This is now the fastest VPN protocol available.

One of these is going to be the fastest and most secure of the three. Now there is a downside to all three of these protocols. With these protocols, if you’re connected through a VPN and you’re copying a file across the network or something, and you’re 99% done copying that file, and then your connection drops for a few seconds, guess what? You’ve lost your connection. You’re now going to have to establish that whole connection again. So these three do not support the ability to automatically reconnect. But in the year 2010, when Windows 7 came out, Microsoft also released another VPN protocol called IKEv2, which stands for Internet Key Exchange Version 2. Basically, it uses IPsec. IPsec is Internet Protocol Security. And it provides all the encryption, authentication, and integrity. It’s not vulnerable to replays or any of that. And it supports something called VPN Reconnect, which is really cool. If you lose your connection, it will auto-reconnect, and you won’t actually lose any files or any of that stuff that you’re connecting into. Okay, so you have a good bit of support from Microsoft.

This is PPTP, which is the oldest, and then all the way down to IKEv2. Now, IKEv2 is a little slower than SSTP, but you get all these features with it. You can do Always On VPN with it and all that. So it will detect whether you, as a laptop user, are on the on-premises network or outside; it can turn the VPN on when you are outside. If you’re a laptop user, and if you bring your laptop to the office, it doesn’t have to use a VPN, so you get a lot of functionality out of that. Okay? Okay, so hopefully that gives you a good understanding of VPN. In this next little example, I’m going to go into my virtual machine, which is coming up here, and we’re going to pretend like we have a VPN server set up in our company, vpn.examlabpractice.com. Let’s say that that server has been exposed on the Internet so that we can get to it. When I say exposed, I mean that you can hit this address over the Internet through this firewall and get to this VPN server. All right? And I’m going to configure the Windows 10 computer to connect to that.

2. Configuring the Virtual Private Network (VPN) settings on Windows 10

And then right here, I’ve got Network & Internet. And then I’ve got a VPN button right here. So I’m going to click the VPN button, and at that point, I would click Add VPN. Alright. I would specify my VPN provider. Now of course there’s not really a lot of options here. You’ll see that you have Windows. That’s your only option. Now granted, I will say this: If you were connecting via a Cisco VPN or something, you could install and use the Cisco VPN provider.

There are other providers you can install, but by default there’s only one. And then I would put in the name of the VPN connection. So I’m going to say this is my VPN for Exam Lab Practice. I’m going to give it that name. And then I’m going to put in the server address that you saw in that drawing I did. So I’m going to do vpn.examlabpractice.com. At that point, you would select the type of VPN you want to go with: PPTP, L2TP with a certificate, or L2TP with a pre-shared key, which is just a password. That’s all that is. You can do SSTP or IKEv2, which is the one I’m going to select. Okay? And then from there, you can set the type of sign-in info to a username and password. If you want to use a smart card, you can. You can even use those one-time password scenarios where it sends a code if your company has one of those services set up. Or you could use a certificate technology where you provide a digital certificate.

But I’ll use a username and password. If you want to go ahead and put your username and password in here, you could, and then you could say, “Remember my sign-in info.” I’m going to hit Save. Now this little VPN is going to show up here. It will also show up in the lower right-hand corner. I can click on that. And you’ll see I’ve got my Exam Lab Practice VPN. I can click on that. So let’s say I was a laptop user. I was at home, and I wanted to connect to the company’s VPN. I could click that and click connect. And then, at that point, if the actual VPN server was really there and existed, I could remote into it. We don’t really get into that in this class. We don’t get into setting it up on the server side. But if you did have a server set up and a VPN going, you could not only have a RAS server, but you could also have what’s called a VPN concentrator, which is a unit you could buy as an appliance. You could get one that supports VPN. Some companies go that route. Okay, keep in mind that you can also specify “Allow VPN over metered networks.” And we talked earlier in the course about cellular and mobile settings. Perhaps you don’t want VPN to be supported over a metered network because they might charge you if you’re going over a certain rate. So I could turn that off if I wanted to. I could also say “Allow VPN while roaming.” That would allow me to jump around. And if I had a cellular connection that was using a roaming connection, I could have that turned on or off. I’m going to turn that off as well.

That was the newer method for configuring a VPN in Windows 10. You can still do it the old way, which is the way we did it in Windows 7 and 8. If I go to Control Panel, type “control” down there under the search bar, and then if I go to the Network and Sharing Center, from there I can click “Set up a new connection or network,” and then click “Connect to a Workplace.” Okay? At that point, I could say, “No, I want to create a new connection,” and then specify a VPN. You could even select dial-up if you wanted, but I would say “new VPN” and then I would put in my VPN info here. So it’s the same thing, just done slightly differently.

You end up doing the exact same thing, though. If you go through here, you’ll get the same type of VPN connection and everything else. Okay. Also, once a VPN is created, you have a VPN adapter. So you’re going to notice that I have that adapter, and I can actually go to the properties of that adapter and configure things on this adapter, such as the IKE connection here. I can even configure the authentication protocol I can use. EAP, the Extensible Authentication Protocol, is the standard one that everyone uses. EAP is a very powerful protocol because it can support pretty much every type of authentication. Password encryption, password authentication, PIN authentication, smart card authentication, and biometric authentication (such as facial recognition, fingerprint matching, and retina scanning) are all options if your company has the necessary hardware. So you can really lock down authentication if you want. And all of this can be managed through provisioning packages, Autopilot, Intune, and group policies. So you can control all these settings on people’s machines if you need to.
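
As an added example (not part of the original lesson), the tunnel-type guidance above can be turned into a check over the VPN profiles on a machine. `Test-VpnProfile` is a hypothetical helper; it reads the property names that `Get-VpnConnection` returns, and the sample profiles and the `vpn.example.test` address are constructed placeholders.

```powershell
# Added example, not from the course. Flags VPN profiles that use the weaker
# choices discussed in the lesson. Accepts Get-VpnConnection output or any
# object carrying the same property names.
function Test-VpnProfile {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Connection)
    process {
        $findings = @()
        switch ("$($Connection.TunnelType)") {
            'Pptp'      { $findings += 'PPTP: no integrity or authenticity, open to man-in-the-middle' }
            'Automatic' { $findings += 'Tunnel type not pinned; Windows negotiates the protocol' }
            'L2tp'      {
                if ("$($Connection.L2tpIPsecAuth)" -eq 'Psk') {
                    $findings += 'L2TP with a pre-shared key: a shared password, prefer a certificate'
                }
            }
        }
        if ("$($Connection.EncryptionLevel)" -in 'NoEncryption', 'Optional') {
            $findings += "EncryptionLevel=$($Connection.EncryptionLevel): tunnel may come up unencrypted"
        }
        if ($Connection.RememberCredential) {
            $findings += 'Sign-in info is remembered on the device (review for shared machines)'
        }
        [pscustomobject]@{
            Name       = $Connection.Name
            TunnelType = "$($Connection.TunnelType)"
            Findings   = $findings
        }
    }
}

# Constructed sample profiles (hypothetical names, placeholder server address).
$sample = @(
    [pscustomobject]@{ Name = 'Legacy';  ServerAddress = 'vpn.example.test'; TunnelType = 'Pptp'
                       L2tpIPsecAuth = $null; EncryptionLevel = 'Optional'; RememberCredential = $true }
    [pscustomobject]@{ Name = 'Branch';  ServerAddress = 'vpn.example.test'; TunnelType = 'L2tp'
                       L2tpIPsecAuth = 'Psk'; EncryptionLevel = 'Required'; RememberCredential = $false }
    [pscustomobject]@{ Name = 'Laptops'; ServerAddress = 'vpn.example.test'; TunnelType = 'Ikev2'
                       L2tpIPsecAuth = $null; EncryptionLevel = 'Required'; RememberCredential = $false }
)
$sample | Test-VpnProfile | Format-List

# On a real Windows 10 machine, check the profiles that actually exist:
#   Get-VpnConnection | Test-VpnProfile
#   Get-VpnConnection -AllUserConnection | Test-VpnProfile
# Scripted equivalent of the IKEv2 profile created in the Settings app:
#   Add-VpnConnection -Name 'Work VPN' -ServerAddress 'vpn.example.test' `
#       -TunnelType Ikev2 -AuthenticationMethod Eap -EncryptionLevel Required
```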

3. Remote Connectivity with Remote Desktop, Remote Assistance, and Quick Assist

So Start, System. We’re going to click on Remote Settings and then notice that it’s turned off. We’re going to turn this on. You also have a little feature called “Allow connections only from computers running Remote Desktop with Network Level Authentication.” Network Level Authentication allows a computer to authenticate before it can connect to another computer. This is a security feature that’s going to improve your security. We didn’t really have that back in the Windows XP days. We didn’t have that little feature. Okay, so NLA is going to provide you with some more security, give you better security, and make it so computers have to authenticate before they can get in.

And then the user would also have to enter their password in. So you would only turn it off if you have an extremely old operating system that needs to connect, or a non-Windows device that requires remote access but does not support NLA. But it’s a good feature, so you don’t want to turn it off. Now we also need to specify who we’re going to let get in. So we’re going to click Select Users. Windows has a group called the Remote Desktop Users group. Anyone who belongs to that group has the authority to connect in. Right now, the group is empty. So nobody can get in unless they’re an administrator, such as my user account, which is Instructor. This Instructor user account, being an admin, can get in. But if I wanted to allow a user like Jane Doe, who’s not an admin, to get in, I could click Add and add Jane Doe, and Jane Doe would now be able to get in. Okay, so this is how you turn it on. Now remember, you’ve got Remote Assistance up here as well. Both technologies, Remote Assistance and Remote Desktop, use port 3389, which is the RDP protocol, or Remote Desktop Protocol. To do this, you have to make sure your firewall is not blocking any of that, so that the connections can be allowed in.

You can check your firewall. Let me zoom out here. You can check your firewall by going to Control Panel and selecting Windows Defender Firewall, and then clicking here to allow an app or feature through the firewall. And then, if you look closely at the list here, you’ll see you have Remote Desktop. You just kind of scroll down, and you want to make sure that Remote Desktop is open on your firewall coming in. You can select which profile you want if you allow people to remote into it. I talked about all the profiles back in the firewall section of the course. Now I’m on a different computer, and I want to remote into that client. The client’s name is NYC Co. So I’m going to click “start.” I’m going to type the word “remote” into the search bar. And you’ll see I have a tool called Remote Desktop Connection. So I’m going to click that tool. At that point, I’m going to type in the name of the computer I want to get into, NYCL One, or an IP address, or whatever, and I could connect. Now you can also expand this out. You could save this as an icon on your desktop so you can get in all the time. Okay? You can alter your display settings to maybe get better bandwidth or change the color.

Granted, the higher the graphics you have, the slower the connection will be. Then you’ve got Local Resources. You’d have sound play through your speakers or the speakers on the destination computer. Keyboard shortcuts would be used on your computer or the destination computer. You can even print to a printer on the destination computer or copy and paste text. You’ve also got the Experience tab, which lets you adjust some of the bandwidth options here based on how fast your Internet connection is. It will adjust your settings to give you better bandwidth, and then you’ve got Advanced. This will let you make the computer on the other end authenticate back to you, or just warn you if it doesn’t. And your company can also implement this thing called a Remote Desktop Gateway, which is a secured server that will let you get into a bunch of computers internally if you want. That’s more of a server thing. We don’t really talk a lot about that here, but if you had a large number of computers and you needed people to be able to get into them using Remote Desktop, you can implement something called a Remote Desktop Gateway. I’m just connecting to one machine.

So I’m going to put in that NYCCL one. I’m going to click “connect.” At that point, it’s going to let me put my password in. It’s going to authenticate, and eventually it’s going to pop up on my screen. And here I am. As you see in this little connection bar, it’s showing me who I’m connected to. If I wanted to minimise or disconnect, I could actually do that here. I can minimise this if I want. I’m back over here on my other computer, but it’s no longer on the desktop anymore. The screen has been locked. Okay? Now if I were to log back on to this computer right now, it’s going to disconnect this guy right here. So if I do that right now, if I actually go and put my password in, it’s going to log this computer on again. It’s going to disconnect. One last thing I want to show you.

Just a quick reminder. Another way we deal with remote access to computers is with PowerShell. Remember that we can remote into other computers by using commands like Get-Service, all right, as I showed you? Let me up the font here. You can refer back to my PowerShell lesson if you want more details on this. But I give it the computer name of something I want to remote into, such as Nyccl. I also have that command called Enter-PSSession that lets me remote into computers as well, don’t forget, which is really cool. Enter-PSSession is kind of like telnet or SSH. It will allow me to remote into a computer and run commands as if I were physically sitting at it. Okay, so we talked about that. If you want more information on that, refer back to my PowerShell lesson that I did earlier in the course. But hopefully that gives you guys a decent understanding of some of the different ways that we remote into computers and run commands or use the desktop when we’re not there.
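
The Remote Desktop settings walked through in this section (the on/off switch, Network Level Authentication, the Remote Desktop Users group, and the firewall rule for port 3389) can be read back in one pass. This is an added example, not part of the original lesson; `Get-RdpExposure` is a hypothetical helper name, it only reads settings, and the firewall lookup assumes the English display group name “Remote Desktop”.

```powershell
# Added example, not from the course. Read-only check of the Remote Desktop
# settings covered in this lesson. Run on the Windows 10 machine being checked.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections = 0 means remote connections are allowed.
    $enabled = (Get-ItemPropertyValue -Path $ts  -Name fDenyTSConnections) -eq 0
    # UserAuthentication = 1 means NLA is required before a session starts.
    $nla     = (Get-ItemPropertyValue -Path $rdp -Name UserAuthentication) -eq 1
    $port    =  Get-ItemPropertyValue -Path $rdp -Name PortNumber

    # S-1-5-32-555 is the well-known SID of the Remote Desktop Users group,
    # so the lookup also works where the group name is localized.
    $members = @(Get-LocalGroupMember -SID 'S-1-5-32-555' | ForEach-Object Name)

    # Enabled inbound rules in the built-in "Remote Desktop" firewall group.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

    $findings = @()
    if ($enabled -and -not $nla) {
        $findings += 'Remote Desktop is on but NLA is not required'
    }
    if ($enabled -and ($rules | Where-Object { "$($_.Profile)" -match 'Public|Any' })) {
        $findings += 'Remote Desktop firewall rule is enabled on the Public profile'
    }
    if (-not $enabled -and $rules.Count -gt 0) {
        $findings += 'Remote Desktop is off but its firewall rules are still enabled'
    }

    [pscustomobject]@{
        RdpEnabled    = $enabled
        NlaRequired   = $nla
        Port          = $port
        AllowedUsers  = $members   # administrators can connect without being listed
        FirewallRules = $rules | ForEach-Object { "$($_.DisplayName) [$($_.Profile)]" }
        Findings      = $findings
    }
}

Get-RdpExposure | Format-List
```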
