Securing Windows Server RDS with ZeroTier



  • It is very common to increase security for terminal services like Microsoft's Remote Desktop Services by adding a layer such as a VPN to further encrypt and obscure traffic. One of the options for this is the ZeroTier software defined network system which is essentially a powerful peer to peer VPN system with central management and heavy obscurity due to near total end point obfuscation via a "reach out" rather than a "reach in" VPN design to a shared, central aggregator.

    If you have users outside of your physical LAN, ZeroTier can be an excellent way to drastically improve security while also potentially improving accessibility. In order to expose RDS functionality we need to publish it in some manner. Most "typically" this means simply passing port 3389, the RDP port, to the outside. This is generally seen as being unnecessarily risky, however, as it makes the existence of the RDS server rather obvious making it an easy target for attacks, especially denial of service attacks.

    It is very common to approach the need for additional security using a traditional VPN, such as OpenVPN or Cisco VPN. It is also common in larger organizations with a large investment in Microsoft products to leverage DirectAccess, but this comes with high cost and large limitations. ZeroTier brings us many of the benefits of both of these approaches either for free or for very low cost in a fully open source package that can be deployed by the individual organization or can be used as a hosted system from ZeroTier themselves.

    Key benefits to ZeroTier are how easy to implement and use the system is and how secure it is. One of the most secure options for locking down RDP. The best part is that neither RDS nor the VPN infrastructure are ever directly exposed, there is no direct means of even identifying where the RDS infrastructure is located and can easily be hidden behind a dynamic IP address! No inbound ports need to be opened on the client or the server side. This makes the service essentially impossible to "find" or discover, while also giving no open ports against which to attack.

    Installing ZeroTier is quick and simple and very easily controlled centrally for enhanced security, especially in the case of a remote, stolen or lost device. ZeroTier is broadly cross platform being available for most Linux OSes, Windows, Mac OSX, Android and Apple iOS. It requires no end user management once the simple initial configuration is complete making it very popular with end users due to the ease of use and transparency.

    ZeroTier is a technology built on VPNs under the hood, and as such all transmissions of RDP are fully encrypted, end to end. The use of keys, 100% on ZeroTier enhances security as well, versus password and related systems. Because of single IP address space, ZeroTier can make use of multiple servers and even DR sites effectively transparent to end users as all locations appear as a single IP scheme to the end points.

    ZeroTier is one of the easiest and most effective means of security RDS systems for a wide variety of deployment scenarios.



  • The caveat to this though, is that you either have to install ZT on every endpoint device (all servers and workstations/laptops) or create separate zones (I need a more correct word because of the implications of the term zone) that allows DNS to not have issues on the internal network.



  • @Dashrender said in Securing Windows Server RDS with ZeroTier:

    The caveat to this though, is that you either have to install ZT on every endpoint device (all servers and workstations/laptops) or create separate zones (I need a more correct word because of the implications of the term zone) that allows DNS to not have issues on the internal network.

    Actually you don't, in this case. The ZT can be used only between the "thin clients" and the RDS server.



  • @scottalanmiller And connects via IP address.



  • @dafyre said in Securing Windows Server RDS with ZeroTier:

    @scottalanmiller And connects via IP address.

    exactly!

    If you have thin clients on the local network and they use DNS to connect, the Thin Clients will have issues if they try to connect to the ZT address that could easily be provided by the DNS servers.



  • @Dashrender said in Securing Windows Server RDS with ZeroTier:

    @dafyre said in Securing Windows Server RDS with ZeroTier:

    @scottalanmiller And connects via IP address.

    exactly!

    If you have thin clients on the local network and they use DNS to connect, the Thin Clients will have issues if they try to connect to the ZT address that could easily be provided by the DNS servers.

    This is one of those scenarios where you have to decide if you want to go through that kind of hassle... or if it would be easier to configure the thin clients just to connect to a ZT IP address and be done.



  • @dafyre said in Securing Windows Server RDS with ZeroTier:

    @Dashrender said in Securing Windows Server RDS with ZeroTier:

    @dafyre said in Securing Windows Server RDS with ZeroTier:

    @scottalanmiller And connects via IP address.

    exactly!

    If you have thin clients on the local network and they use DNS to connect, the Thin Clients will have issues if they try to connect to the ZT address that could easily be provided by the DNS servers.

    This is one of those scenarios where you have to decide if you want to go through that kind of hassle... or if it would be easier to configure the thin clients just to connect to a ZT IP address and be done.

    You mean create a ZT gateway and have the TC connect to that? Why would you bother assuming the TCs are local to the server? Of course if the TC are remote, then you're probably really running from a PC of some sort and you just have ZT installed there.



  • @Dashrender said in Securing Windows Server RDS with ZeroTier:

    @dafyre said in Securing Windows Server RDS with ZeroTier:

    @Dashrender said in Securing Windows Server RDS with ZeroTier:

    @dafyre said in Securing Windows Server RDS with ZeroTier:

    @scottalanmiller And connects via IP address.

    exactly!

    If you have thin clients on the local network and they use DNS to connect, the Thin Clients will have issues if they try to connect to the ZT address that could easily be provided by the DNS servers.

    This is one of those scenarios where you have to decide if you want to go through that kind of hassle... or if it would be easier to configure the thin clients just to connect to a ZT IP address and be done.

    You mean create a ZT gateway and have the TC connect to that? Why would you bother assuming the TCs are local to the server? Of course if the TC are remote, then you're probably really running from a PC of some sort and you just have ZT installed there.

    Not use the ZT Gateway... I think @scottalanmiller is just thinkg of installing ZT on the RDS Server, and ZT on the clients that need to access it... Then instead of setting up DNS and all of that, just telling the clients to connect to the ZT IP of the RDS server.



  • @dafyre said in Securing Windows Server RDS with ZeroTier:

    @Dashrender said in Securing Windows Server RDS with ZeroTier:

    @dafyre said in Securing Windows Server RDS with ZeroTier:

    @Dashrender said in Securing Windows Server RDS with ZeroTier:

    @dafyre said in Securing Windows Server RDS with ZeroTier:

    @scottalanmiller And connects via IP address.

    exactly!

    If you have thin clients on the local network and they use DNS to connect, the Thin Clients will have issues if they try to connect to the ZT address that could easily be provided by the DNS servers.

    This is one of those scenarios where you have to decide if you want to go through that kind of hassle... or if it would be easier to configure the thin clients just to connect to a ZT IP address and be done.

    You mean create a ZT gateway and have the TC connect to that? Why would you bother assuming the TCs are local to the server? Of course if the TC are remote, then you're probably really running from a PC of some sort and you just have ZT installed there.

    Not use the ZT Gateway... I think @scottalanmiller is just thinkg of installing ZT on the RDS Server, and ZT on the clients that need to access it... Then instead of setting up DNS and all of that, just telling the clients to connect to the ZT IP of the RDS server.

    Exactly. Or an entry in the /etc/hosts file. Or you can even make a public entry for it with a private IP address. Lots of options.



  • @Dashrender said in Securing Windows Server RDS with ZeroTier:

    @dafyre said in Securing Windows Server RDS with ZeroTier:

    @Dashrender said in Securing Windows Server RDS with ZeroTier:

    @dafyre said in Securing Windows Server RDS with ZeroTier:

    @scottalanmiller And connects via IP address.

    exactly!

    If you have thin clients on the local network and they use DNS to connect, the Thin Clients will have issues if they try to connect to the ZT address that could easily be provided by the DNS servers.

    This is one of those scenarios where you have to decide if you want to go through that kind of hassle... or if it would be easier to configure the thin clients just to connect to a ZT IP address and be done.

    You mean create a ZT gateway and have the TC connect to that? Why would you bother assuming the TCs are local to the server? Of course if the TC are remote, then you're probably really running from a PC of some sort and you just have ZT installed there.

    No, nothing more than what is described. RDS cuts off the VPN side, it's a gateway of sorts. It's where you can break the VPN if you want.


  • Banned

    @scottalanmiller said

    ZeroTier is one of the easiest and most effective means of security RDS systems for a wide variety of deployment scenarios.

    But not ready for deployment....yet.

    Had lots of very hit and miss reliability issues with connecting to machines over RDP. Sometimes it works, sometimes it does not and the portal shows all machines as online and working every time.



  • @Dashrender, there are no DNS issues with something like this. You are conflating ZeroTier issues that occur when you put ZeroTier on a Windows Domain Controller with a simple VPN work around.



  • @Breffni-Potter said in Securing Windows Server RDS with ZeroTier:

    @scottalanmiller said

    ZeroTier is one of the easiest and most effective means of security RDS systems for a wide variety of deployment scenarios.

    But not ready for deployment....yet.

    Had lots of very hit and miss reliability issues with connecting to machines over RDP. Sometimes it works, sometimes it does not and the portal shows all machines as online and working every time.

    I've not see any issues with RDP yet. What client versions were you running? Did you determine what was causing the issues? I've yet to see any networking blips with ZT.


  • Banned

    @scottalanmiller said

    I've not see any issues with RDP yet. What client versions were you running? Did you determine what was causing the issues? I've yet to see any networking blips with ZT.

    Latest client versions (though we did get the whole network wiped out when ZT upgraded the controller without email alerts, so all devices lost connection a few weeks ago as the installed agents were too old....)

    Nope, issue still unresolved. A feature request was for some kind of troubleshooting or error alerts in the client. Even pings were not working so it's not just an RDP related problem.



  • I had some weirdness with ZT this week. Wonder if it is similarly related.



  • I've not seen any weirdness, and I've still got some clients that are running 1.0.4.



  • Only the other night for me and it was all on one project so I'm not sure what it was, yet.