Best Practices - Securing your Windows Server 2016 VM on Vultr
-
@scottalanmiller Since I'm in testing phase, and because the logo is basically a photo of a drawing, I am going all in...
-
/sarcasm
Turn it off
sarcasm/
-
JB was using a Windows version of fail2ban awhile ago.
-
@Dashrender said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
JB was using a Windows version of fail2ban awhile ago.
I looked into and tested. Did not deploy.
Related: I completely forgot about that project. WTF server was I testing that on. -
Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.
Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.
Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.
-
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.
Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.
Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.
Maybe a jump server could be an option?
-
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.
Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.
Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.
FYI, Direct Access (DA) is a VPN solution.
-
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.
VPN or VPN-like reverse proxy are basically the only possible options.
-
@Dashrender said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.
Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.
Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.
FYI, Direct Access (DA) is a VPN solution.
Yes but that's not how MS markets it. Its a magical "always-on" connection. That does seem to be part of RRAS.... lol
-
This https://rdpguard.com/ @scottalanmiller posted looks like something worth trying out first. Also appears to be actively developed. Anyone else using it?
-
@scottalanmiller said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
Yes at the moment it is exposed. The only difference on Azure is that the use a high level port instead of 3389.
I would guess those who are scanning would also discover those higher number ports.
Or do I create a Vultr firewall and restrict login attempts to particular IP address ranges?
Well general rule of thumb is that RDP should never be exposed directly, it's not considered a secure protocol and it is the absolutely number one target of attacks because being exposed flags you as being on Windows (making you a high profile target because you are less likely to be properly secured), flagging you as not following security best practices (making you a high profile target because you are less likely to be properly secured) and lets people know that you are paying a premium over UNIX, so you have money to spend and something to lose (the poor can't consider Windows.) So if attackers see RDP, they go after it like crazy. And the expectation from the Microsoft side is that it will never be exposed to the Internet.
This is where a proxy or VPN are expected, always. Not that those won't also get attacked, but they have a different exposure profile, provide another layer of defence, use stronger security, can fail closed, and provide stronger authentication. Same as we were discussing in the other thread about Exchange the other day.
it does suck that that is the case. There is no reason that RDP should be any less secure than SSH.
-
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
@Dashrender said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.
Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.
Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.
FYI, Direct Access (DA) is a VPN solution.
Yes but that's not how MS markets it. Its a magical "always-on" connection. That does seem to be part of RRAS.... lol
MS says what it does and the description is EXACTLY a VPN. It's as VPN as VPN gets. No different than Pertino or ZeroTier.
-
@scottalanmiller said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
@Dashrender said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.
Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.
Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.
FYI, Direct Access (DA) is a VPN solution.
Yes but that's not how MS markets it. Its a magical "always-on" connection. That does seem to be part of RRAS.... lol
MS says what it does and the description is EXACTLY a VPN. It's as VPN as VPN gets. No different than Pertino or ZeroTier.
This was my point. There's no reason to list it separately from a VPN, because it is a VPN.
-
@Dashrender said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
@scottalanmiller said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
@Dashrender said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.
Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.
Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.
FYI, Direct Access (DA) is a VPN solution.
Yes but that's not how MS markets it. Its a magical "always-on" connection. That does seem to be part of RRAS.... lol
MS says what it does and the description is EXACTLY a VPN. It's as VPN as VPN gets. No different than Pertino or ZeroTier.
This was my point. There's no reason to list it separately from a VPN, because it is a VPN.
Exactly. It's the middle of the VPN field.
-
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
Or do I create a Vultr firewall and restrict login attempts to particular IP address ranges?
This.
-
Or you could use the Vultr firewall to block everything and use something like ZeroTier as the VPN component.
-
@dafyre said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
Or you could use the Vultr firewall to block everything and use something like ZeroTier as the VPN component.
Yup, any VPN will work, but ZT has a lot of cool flexibility.
-
With ZT, you can use the AD on the RDS server to provide AD to the end points as well.
-
@scottalanmiller said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
@dafyre said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
Or you could use the Vultr firewall to block everything and use something like ZeroTier as the VPN component.
Yup, any VPN will work, but ZT has a lot of cool flexibility.
Sure, but brings long DNS issues, that Pertino had to solve with an AD client "fix."
-
@Dashrender said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
@scottalanmiller said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
@dafyre said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
Or you could use the Vultr firewall to block everything and use something like ZeroTier as the VPN component.
Yup, any VPN will work, but ZT has a lot of cool flexibility.
Sure, but brings long DNS issues, that Pertino had to solve with an AD client "fix."
If it's juts one server, you don't need the DNS bits. Just point everybody at the IP address.
Edit: Or use a HOSTS file.