Best Practices - Securing your Windows Server 2016 VM on Vultr

scottalanmiller

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

I am not sure if Vultr firewall has VPN. That could be the roaming solution though. Or Windows DirectAccess?

It does not, but you are free to implement anything that you want. OpenVPN is very good. ZeroTier is very good. Loads of options. Most are free.

bigbear

@scottalanmiller said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

Thanks for the link.

Seems like launching a firewall and only allowing access from my office IP range would be the best start. That would at least keep the load off the server.

Yes, that will do a lot. you should have the firewall on teh Windows box doing that already anyway as a best practice. So this would only be additional to that, hopefully.

Firewall is on but not configured to allow RDP from a specific range. Honestly I didn't have trouble with Azure but I planned to go through some security best practices before launching it to my employees. Not surprised its happening though.

black3dynamite

https://github.com/glasnt/wail2ban

scottalanmiller

@black3dynamite said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

https://github.com/glasnt/wail2ban

nice find. Anyone using it?

bigbear

@scottalanmiller Since I'm in testing phase, and because the logo is basically a photo of a drawing, I am going all in...

DustinB3403

/sarcasm

Turn it off

sarcasm/

Dashrender

JB was using a Windows version of fail2ban awhile ago.

JaredBusch

@Dashrender said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

JB was using a Windows version of fail2ban awhile ago.

I looked into and tested. Did not deploy.
Related: I completely forgot about that project. WTF server was I testing that on.

bigbear

Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.

Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.

Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.

black3dynamite

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.

Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.

Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.

Maybe a jump server could be an option?

Dashrender

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.

Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.

Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.

FYI, Direct Access (DA) is a VPN solution.

scottalanmiller

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.

VPN or VPN-like reverse proxy are basically the only possible options.

bigbear

@Dashrender said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.

Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.

Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.

FYI, Direct Access (DA) is a VPN solution.

Yes but that's not how MS markets it. Its a magical "always-on" connection. That does seem to be part of RRAS.... lol

bigbear

This https://rdpguard.com/ @scottalanmiller posted looks like something worth trying out first. Also appears to be actively developed. Anyone else using it?

Dashrender

@scottalanmiller said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

Yes at the moment it is exposed. The only difference on Azure is that the use a high level port instead of 3389.

I would guess those who are scanning would also discover those higher number ports.

Or do I create a Vultr firewall and restrict login attempts to particular IP address ranges?

Well general rule of thumb is that RDP should never be exposed directly, it's not considered a secure protocol and it is the absolutely number one target of attacks because being exposed flags you as being on Windows (making you a high profile target because you are less likely to be properly secured), flagging you as not following security best practices (making you a high profile target because you are less likely to be properly secured) and lets people know that you are paying a premium over UNIX, so you have money to spend and something to lose (the poor can't consider Windows.) So if attackers see RDP, they go after it like crazy. And the expectation from the Microsoft side is that it will never be exposed to the Internet.

This is where a proxy or VPN are expected, always. Not that those won't also get attacked, but they have a different exposure profile, provide another layer of defence, use stronger security, can fail closed, and provide stronger authentication. Same as we were discussing in the other thread about Exchange the other day.

it does suck that that is the case. There is no reason that RDP should be any less secure than SSH.

scottalanmiller

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

@Dashrender said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.

Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.

Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.

FYI, Direct Access (DA) is a VPN solution.

Yes but that's not how MS markets it. Its a magical "always-on" connection. That does seem to be part of RRAS.... lol

MS says what it does and the description is EXACTLY a VPN. It's as VPN as VPN gets. No different than Pertino or ZeroTier.

Dashrender

@scottalanmiller said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

@Dashrender said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.

Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.

Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.

FYI, Direct Access (DA) is a VPN solution.

Yes but that's not how MS markets it. Its a magical "always-on" connection. That does seem to be part of RRAS.... lol

MS says what it does and the description is EXACTLY a VPN. It's as VPN as VPN gets. No different than Pertino or ZeroTier.

This was my point. There's no reason to list it separately from a VPN, because it is a VPN.

scottalanmiller

@Dashrender said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

@scottalanmiller said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

@Dashrender said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.

Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.

Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.

FYI, Direct Access (DA) is a VPN solution.

Yes but that's not how MS markets it. Its a magical "always-on" connection. That does seem to be part of RRAS.... lol

MS says what it does and the description is EXACTLY a VPN. It's as VPN as VPN gets. No different than Pertino or ZeroTier.

This was my point. There's no reason to list it separately from a VPN, because it is a VPN.

Exactly. It's the middle of the VPN field.

Alex Sage

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

Or do I create a Vultr firewall and restrict login attempts to particular IP address ranges?

This.

dafyre

Or you could use the Vultr firewall to block everything and use something like ZeroTier as the VPN component.