    Posts

    • RE: Best Practices - Securing your Windows Server 2016 VM on Vultr

      This https://rdpguard.com/ @scottalanmiller posted looks like something worth trying out first. Also appears to be actively developed. Anyone else using it?

      posted in IT Discussion
      bigbear
    • RE: Best Practices - Securing your Windows Server 2016 VM on Vultr

      @Dashrender said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

      @bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

      Have had some issues with it banning the server's external WAN address when behind NAT instead of the remote IP address. Have been sifting through code but it's not an active project, just a one-time port.

      Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.

      Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.

      FYI, Direct Access (DA) is a VPN solution.

      Yes, but that's not how MS markets it. It's a magical "always-on" connection. That does seem to be part of RRAS.... lol

      posted in IT Discussion
      bigbear
    • RE: Best Practices - Securing your Windows Server 2016 VM on Vultr

      Have had some issues with it banning the server's external WAN address when behind NAT instead of the remote IP address. Have been sifting through code but it's not an active project, just a one-time port.

      Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.

      Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.

      posted in IT Discussion
      bigbear
    • RE: Calling any JumpCloud users or employees...

      Could JumpCloud be used to sync passwords from multiple Office 365 clouds (different companies and tenants) to an on-premises Active Directory server?

      Mostly just interested in passwords. And I guess outside of JumpCloud I am guessing there are other products that could do it?

      Example:
      [email protected]
      [email protected]

      [email protected]
      [email protected]

      sync to

      [email protected]
      [email protected]
      [email protected]
      [email protected]

      posted in IT Discussion
      bigbear
    • RE: Best Practices - Securing your Windows Server 2016 VM on Vultr

      @scottalanmiller Since I'm in testing phase, and because the logo is basically a photo of a drawing, I am going all in...

      posted in IT Discussion
      bigbear
    • RE: Calling any JumpCloud users or employees...

      @Dashrender If you do it in workgroup mode, from what I have seen, it's a pretty ugly setup.

      Honestly I may endure the expense of Azure AD. It was a really nice setup, but $90 for the DC in the cloud was a surprise I didn't expect and the D11 instance is $220/month or so (on sale right now). So $300/month.

      I can do the whole thing on a single box with more power on Vultr for $96 (Windows 2016 license included). Another $52 and I can run an AD box but I found several Microsoft articles stating that in a small single server environment it is acceptable to run AD on the RDSH box.

      In our case we have no other AD servers.

      posted in IT Discussion
      bigbear
    • RE: Calling any JumpCloud users or employees...

      @gregorymkeller Problem is RDSH requires an AD server or some hacks to get it in workgroup mode, in which case the users' session security is very lax.

      Does JumpCloud actually contract/sync AD?

      posted in IT Discussion
      bigbear
    • RE: Best Practices - Securing your Windows Server 2016 VM on Vultr

      @scottalanmiller said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

      @bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:

      Thanks for the link.

      Seems like launching a firewall and only allowing access from my office IP range would be the best start. That would at least keep the load off the server.

      Yes, that will do a lot. You should have the firewall on the Windows box doing that already anyway as a best practice. So this would only be additional to that, hopefully.

      Firewall is on but not configured to allow RDP from a specific range. Honestly I didn't have trouble with Azure but I planned to go through some security best practices before launching it to my employees. Not surprised it's happening though.

      posted in IT Discussion
      bigbear
    • RE: Calling any JumpCloud users or employees...

      @gregorymkeller do you have any customers who have implemented your "DaaS" with an RDSH server?

      posted in IT Discussion
      bigbear
    • RE: Best Practices - Securing your Windows Server 2016 VM on Vultr

      Thanks for the link.

      Seems like launching a firewall and only allowing access from my office IP range would be the best start. That would at least keep the load off the server.

      I am not sure if Vultr firewall has VPN. That could be the roaming solution though. Or Windows DirectAccess?

      posted in IT Discussion
      bigbear
    • RE: Best Practices - Securing your Windows Server 2016 VM on Vultr

      I have no idea of a fail to ban for Windows... do you have something in mind?

      If RDP is running on port 50000+ can it still be identified as RDP?

      posted in IT Discussion
      bigbear
    • RE: Best Practices - Securing your Windows Server 2016 VM on Vultr

      Yes, at the moment it is exposed. The only difference on Azure is that they use a high-level port instead of 3389.

      I would guess those who are scanning would also discover those higher number ports.

      Or do I create a Vultr firewall and restrict login attempts to particular IP address ranges?

      posted in IT Discussion
      bigbear
    • Best Practices - Securing your Windows Server 2016 VM on Vultr

      I am a little past day 2 and I realize my server is getting bombarded with login attempts, to the point that it crashed the entire system. Some of you may have seen my posts about deploying RDSH on Azure and I have now moved it to Vultr.

      It is a Domain Controller and RDSH server all-in-one.

      I would guess it's a brute-force attempt to access my system vs a DDoS attack. So I am trying to decide what the best way to block these attempts (which I imagine are more common on Vultr than Azure) would be.

      I have copied the administrator account to create a new admin username and disabled the default administrator account.

      posted in IT Discussion
      Tags: fail2ban, vultr, iaas, windows, windows server, windoes server 2016, security, hosting, reverse proxy, vpn, zerotier, directaccess, rds, azure
      bigbear
    • RE: Calling any JumpCloud users or employees...

      Reminds me of Novell days, sorta.

      There IS a way to provision RDSH on a workgroup, so I suppose you could use JumpCloud from there, but it's much more of a hack than simply provisioning an AD on RDSH.

      DaaS may have been a poor choice for an acronym for these guys.

      posted in IT Discussion
      bigbear
    • RE: Calling any JumpCloud users or employees...

      I'm guessing JumpCloud doesn't provide NTLM but is more of an AWS-style directory service?

      posted in IT Discussion
      bigbear
    • Calling any JumpCloud users or employees...

      Has anyone here tried to use Jump Cloud with an RDSH deployment? Is it possible?

      I am about to just deploy AD and then RDSH on the same virtual server then sync to Office 365 to suit my needs. It is supported by Microsoft (will link support articles if you don't believe that) and for a 10 to 20 person office I think it will do fine.

      When installing RDSH it only says you must be part of a domain, not AD particularly. There are instructions from Microsoft to run RDSH on a server in a workgroup, but there are too many holes in controlling the user desktops for me.

      So I thought I would ask. I have googled around for JumpCloud with RDSH but nothing has turned up.

      posted in IT Discussion
      bigbear
    • RE: Thin Clients for RDSH 2016

      As a side note, non-Microsoft RDP clients suck so far. winterminal and thinlinx both are barely usable. Have tried to Azure and Vultr as well as a remote Win10 box. Horrible.

      I have a couple HP thin clients arriving tomorrow to test out.

      I am also going to give Citrix a try.

      posted in IT Discussion
      bigbear
    • RE: Thin Clients for RDSH 2016

      Running on Vultr I can stream YouTube seamlessly just fine. Stunning actually.

      So I am assuming there is no RemoteFX being used since Vultr is KVM and it requires Hyper-V.

      Or some other changes have taken place in 2016. It's actually more responsive than the Azure VM.

      posted in IT Discussion
      bigbear
    • RE: Azure AD and OnPrem Windows Server 2016

      @scottalanmiller said in Azure AD and OnPrem Windows Server 2016:

      @bigbear said in Azure AD and OnPrem Windows Server 2016:

      Which I think isn't bad, if we had 20 or 30 users I would say it justifies the cost. But spinning up 2016 on a virtual Vultr VM now to see how it performs. I had one running before but did not pay attention to the streaming video/audio stuff.

      The real trick here is, once you realize what it is and it is just a hosted AD server. Then that you can do that better on Vultr. Then you realize... WAIT, why am I using Windows for this? I can do it for $2.50 on Vultr with Linux!

      In every case I agree except this one, lol. Giving winblows desktops to my team with access to all the CAD/Office drawings that run in windows apps is what I need.

      posted in IT Discussion
      bigbear
    • RE: Azure AD and OnPrem Windows Server 2016

      Which I think isn't bad, if we had 20 or 30 users I would say it justifies the cost. But spinning up 2016 on a virtual Vultr VM now to see how it performs. I had one running before but did not pay attention to the streaming video/audio stuff.

      posted in IT Discussion
      bigbear