Best Practices - Securing your Windows Server 2016 VM on Vultr

bigbear

Yes at the moment it is exposed. The only difference on Azure is that the use a high level port instead of 3389.

I would guess those who are scanning would also discover those higher number ports.

Or do I create a Vultr firewall and restrict login attempts to particular IP address ranges?

scottalanmiller

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

Yes at the moment it is exposed. The only difference on Azure is that the use a high level port instead of 3389.

I would guess those who are scanning would also discover those higher number ports.

Or do I create a Vultr firewall and restrict login attempts to particular IP address ranges?

Well general rule of thumb is that RDP should never be exposed directly, it's not considered a secure protocol and it is the absolutely number one target of attacks because being exposed flags you as being on Windows (making you a high profile target because you are less likely to be properly secured), flagging you as not following security best practices (making you a high profile target because you are less likely to be properly secured) and lets people know that you are paying a premium over UNIX, so you have money to spend and something to lose (the poor can't consider Windows.) So if attackers see RDP, they go after it like crazy. And the expectation from the Microsoft side is that it will never be exposed to the Internet.

This is where a proxy or VPN are expected, always. Not that those won't also get attacked, but they have a different exposure profile, provide another layer of defence, use stronger security, can fail closed, and provide stronger authentication. Same as we were discussing in the other thread about Exchange the other day.

bigbear

I have no idea of a fail to ban for windows... do you have something in mind?

If RDP is running on port 50000+ can it still be identified as RDP?

scottalanmiller

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

I have no idea of a fail to ban for windows... do you have something in mind?

https://rdpguard.com/

scottalanmiller

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

If RDP is running on port 50000+ can it still be identified as RDP?

Yes. Moving ports does nothing.

bigbear

Thanks for the link.

Seems like launching a firewall and only allowing access from my office IP range would be the best start. That would at least keep the load off the server.

I am not sure if Vultr firewall has VPN. That could be the roaming solution though. Or Windows DirectAccess?

scottalanmiller

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

Thanks for the link.

Seems like launching a firewall and only allowing access from my office IP range would be the best start. That would at least keep the load off the server.

Yes, that will do a lot. you should have the firewall on teh Windows box doing that already anyway as a best practice. So this would only be additional to that, hopefully.

scottalanmiller

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

I am not sure if Vultr firewall has VPN. That could be the roaming solution though. Or Windows DirectAccess?

It does not, but you are free to implement anything that you want. OpenVPN is very good. ZeroTier is very good. Loads of options. Most are free.

bigbear

@scottalanmiller said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

Thanks for the link.

Seems like launching a firewall and only allowing access from my office IP range would be the best start. That would at least keep the load off the server.

Yes, that will do a lot. you should have the firewall on teh Windows box doing that already anyway as a best practice. So this would only be additional to that, hopefully.

Firewall is on but not configured to allow RDP from a specific range. Honestly I didn't have trouble with Azure but I planned to go through some security best practices before launching it to my employees. Not surprised its happening though.

black3dynamite

https://github.com/glasnt/wail2ban

scottalanmiller

@black3dynamite said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

https://github.com/glasnt/wail2ban

nice find. Anyone using it?

bigbear

@scottalanmiller Since I'm in testing phase, and because the logo is basically a photo of a drawing, I am going all in...

DustinB3403

/sarcasm

Turn it off

sarcasm/

Dashrender

JB was using a Windows version of fail2ban awhile ago.

JaredBusch

@Dashrender said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

JB was using a Windows version of fail2ban awhile ago.

I looked into and tested. Did not deploy.
Related: I completely forgot about that project. WTF server was I testing that on.

bigbear

Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.

Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.

Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.

black3dynamite

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.

Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.

Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.

Maybe a jump server could be an option?

Dashrender

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.

Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.

Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.

FYI, Direct Access (DA) is a VPN solution.

scottalanmiller

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.

VPN or VPN-like reverse proxy are basically the only possible options.

bigbear

@Dashrender said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.

Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.

Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.

FYI, Direct Access (DA) is a VPN solution.

Yes but that's not how MS markets it. Its a magical "always-on" connection. That does seem to be part of RRAS.... lol