M50 - Remote Access: Advanced

SysAdmin

Remote Access: Advanced

Use safer remote-access patterns for SSH, RDP, and PowerShell remoting, and understand why bastion hosts and VPNs reduce exposure.

40 min INTERMEDIATE BOTH Curriculum-reviewed

Prerequisites

Module M30A - SSH Foundation Module M33 - Firewall: GUI and CLI Module M47 - Services Management

What you should be able to do after this

Use safer remote-access patterns for SSH, RDP, and PowerShell remoting, and understand why bastion hosts and VPNs reduce exposure.

Remote Access Is a Trust Boundary

Remote administration is useful because it lets you manage systems without standing in front of them.

It is also risky because it exposes administrative entry points.

That is why the real learning goal here is not “open remote access.” It is:

decide what should be reachable
reduce unnecessary exposure
verify access before making stricter changes

1. SSH: Safer Defaults for Linux

SSH is often the main remote-access path for Linux systems. A few basic choices improve safety a lot:

do not allow root login if normal user plus sudo is enough
prefer key-based authentication over passwords
limit exposure with firewall or network placement

sudo nano /etc/ssh/sshd_config

PermitRootLogin no PasswordAuthentication no PubkeyAuthentication yes

After editing:

sudo systemctl restart ssh

The safety rule matters more than the exact lines:

verify key-based login works in a second session before disabling passwords
make sure the firewall still allows the port you actually need

Changing the port can reduce noise from opportunistic scans, but it is not a substitute for key authentication or sound network design.

2. Windows: RDP and PowerShell Remoting

Windows gives you both graphical and command-line remote administration.

RDP

Remote Desktop is convenient, but it should be treated carefully. A common safer pattern is to place it behind a VPN or keep it on an internal network instead of exposing it broadly.

Set-ItemProperty -Path “HKLM:\System\CurrentControlSet\Control\Terminal Server” -Name “fDenyTSConnections” -Value 0 Enable-NetFirewallRule -DisplayGroup “Remote Desktop”

PowerShell Remoting

For repeatable administration, PowerShell remoting is often a better fit than clicking through many servers manually.

Enable-PSRemoting -Force Enter-PSSession -ComputerName WebSRV01 Invoke-Command -ComputerName SRV1,SRV2 -ScriptBlock { Get-Service }

Linux often solves the same “indirect access” problem with bastion hosts or jump boxes.

The deeper lesson is that remote administration should be deliberate and observable, not just convenient.

3. Bastion Hosts and Indirect Access

Many environments do not give every server a public door.

Instead, they use a safer pattern:

one hardened entry system
private internal systems behind it
controlled onward access

That entry system is often called a bastion host or jump box.

ssh -J admin@bastion.example.com admin@10.5.20.99

This pattern matters because it:

reduces the number of public administration endpoints
centralizes monitoring and policy
keeps backend systems off the public edge

Safer Access Usually Means Less Direct Access

The strongest remote-access design is often the one with fewer exposed services, fewer direct entry points, and a clearer path for auditing who connected and how.

What You Just Learned

Remote access should be designed as an exposure decision, not just a convenience feature.
SSH is safer with key-based access, limited exposure, and careful daemon configuration.
RDP is most comfortable when kept behind VPN or internal network controls.
PowerShell remoting is useful for repeatable Windows administration.
Bastion hosts reduce the number of public entry points and help keep backend systems private.

Next, you will connect these access patterns to backup and recovery thinking, where planning matters before failure happens.

Study flow

Read for understanding first, practice immediately after, then mark complete only when you can explain the idea back in your own words.

Security labs Monitoring labs Command library

Self-check

Why is remote access safer when you reduce direct exposure instead of simply trusting defaults?
What are the first hardening decisions for SSH, RDP, or WinRM?

If not yet, do one more practice pass before you move forward.

Move on when

Explain how you would make remote access safer on a lab server without locking yourself out.
Describe when to use a bastion host, VPN, or internal-only remote access pattern.

Completion matters only if you can do these without leaning on the page.

Review rhythm

After you finish, come back tomorrow for a short no-notes recall pass.

Use spaced recalls around day 1, day 3, day 7, day 14.
Try to explain the main idea before reopening the page.
Do one related lab or command lookup from memory, not recognition alone.
Re-read only the parts you could not retrieve cleanly.

Learning context

Best for

Need structureDeveloper expanding into systemsIT / support / sysadminSerious hands-on operatorExpert refresh / reference

Pathways

Career operator pathDeveloper to systems fluencyFoundations with structured review

Study fit

Beginner-safe Prerequisites are strongly recommended Balanced lesson and reference

This lesson is paced to support newer learners without assuming too much prior system experience.

This lesson is meant to teach the idea and still leave you with usable command and workflow recall.

Topics

sshrdpwinrmpowershell-remotingsshd_configbastionvpn

Use right after this lesson

Lab LAB-SEC-01 - The UFW Firewall Lab LAB-SEC-03 - SSH Key Authentication Library ssh Library systemctl Library Enable-PSRemoting Library Enter-PSSession Library Invoke-Command

On this page