Mark Minasi's Tech Forum
spam spam bacon spam

#1

Did you ever fall asleep at your computer, with half a command-line string typed out...?  Those are some good times!!

Anyhoo, I have a few "derf" questions... my first is about remotely accessing a server.

Let's say I have a small network... like maybe just a handful of servers... something that one admin (or two, max) can handle day-to-day.

(I need chocolate right now...hang on.... okay back. nom nom nom)

My question:
How would you handle remotely accessing the servers?

I know that having RDP access enabled is a security risk, so I'd think that disabling RDP access is smart.
But I've seen servers with Team Viewer installed, and.... well.... that just feels so wrong.

If you keep RDP enabled, but harden it, how do you do it?  I haven't played around with it, but I'm assuming you can lock it down to certain IP addresses or accounts.
(Can you change the port from 3389?  That would help avoid being found by some types of port scanners, no?)

If you disable RDP, how do you remotely access servers?  And remember, this isn't a "data center" setup...lol... I'm talking about a domain where the sole admin has to wear many hats, and has had more than one dinner interrupted by server alerts  😃

~spammy


__________________
If at first you don't succeed, destroy all evidence that you tried.

Infradeploy

#2
To use another port would not add security imho.

I assume access from outside the network? For me I’d just add the rdweb/rdgateway services and go from there. You’d just need to open port 443 on the outside
Example: https://www.virtualizationhowto.com/2020/05/windows-server-2019-rd-web-access-configuration/

__________________
Have SpaceSuit, Will Travel

spam spam bacon spam

#3
Quote:
Originally Posted by Infradeploy
To use another port would not add security imho.

I assume access from outside the network? For me I’d just add the rdweb/rdgateway services and go from there. You’d just need to open port 443 on the outside
Example: https://www.virtualizationhowto.com/2020/05/windows-server-2019-rd-web-access-configuration/


Cool.

Yes, from outside.

Actually, no.  It's not from outside.  The server would probably be about .....hang on.... ummmm.... lessee..... that's 12 plus 36 plus another 13, so that makes....61... 61 divided by 12 is....okay....it's from about 5' away.
(lol...jk... yes, my question was meant as if I was connecting from outside the local intranet.)


I'll be digging into what you mentioned/suggested.

Thanks!!!

~spammster

__________________
If at first you don't succeed, destroy all evidence that you tried.

dennis-360ict

#4
If the server is next to you, you could probably set up a KVM switch, which lets you select different inputs.

If you want to use RDP, you could set up FW rules and set the server to allow only RDP from your admin IP/VLAN. Also, you can set up AD policies that lock down accounts for a period of time if there are multiple false logins (good for brute force attacks). This is a good measure with or without RDP anyway.

__________________
-----
Home is where is sleep
360ict.nl/blog
thegood.cloud
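The two measures in the post above (RDP only from the admin subnet, plus account lockout), written out as an added PowerShell example rather than anything posted in the thread. It is run elevated on the target server; the subnet 10.10.50.0/24, the rule names and the lockout numbers are assumptions for illustration, and NLA is switched on as well because without it the firewall scope is the only thing between an attacker and the logon screen.

```powershell
# Added example, not from the thread. Assumed admin VLAN; replace with yours.
$AdminSubnet = '10.10.50.0/24'

# 1. Swap the built-in "RDP from anywhere" rules for ones scoped to the admin
#    subnet. The stock rules are disabled, not deleted, so they can be restored.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# RDP on 2012+ uses TCP 3389 and, when available, UDP 3389 as well.
New-NetFirewallRule -DisplayName 'RDP TCP (admin subnet only)' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AdminSubnet -Action Allow -Profile Domain,Private
New-NetFirewallRule -DisplayName 'RDP UDP (admin subnet only)' `
    -Direction Inbound -Protocol UDP -LocalPort 3389 `
    -RemoteAddress $AdminSubnet -Action Allow -Profile Domain,Private

# Anything else hitting 3389 relies on the profile default being Block; check it.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction

# 2. Require Network Level Authentication: the client must authenticate
#    (CredSSP) before a session and its logon screen are created. This is
#    the registry value behind "Allow connections only from computers running
#    Remote Desktop with Network Level Authentication".
$tsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $tsPath -Name 'UserAuthentication' -Value 1 -Type DWord

# Confirm RDP is enabled only if you mean it to be (fDenyTSConnections 0 = on, 1 = off).
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections

# 3. Account lockout. On a domain member the effective policy comes from the
#    domain (Default Domain Policy or a fine-grained password policy), so set
#    it there with Group Policy; the local command is what you run on a
#    standalone box. Assumed values: 10 bad passwords lock the account for
#    30 minutes, counter resets after 30 minutes. Pick numbers that slow a
#    brute force without letting an attacker lock your own admin account at will.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30
net accounts /domain   # read the domain policy that actually applies to a member

# 4. Verify: new rules present and scoped, stock rules off.
Get-NetFirewallRule -DisplayName 'RDP * (admin subnet only)' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object DisplayName, Enabled
```

One caveat worth knowing before relying on this: `-RemoteAddress` is an IP filter, so it only helps when the admin workstation has a stable address or sits in its own VLAN, which is the point of dennis-360ict's "admin IP/vlan" remark. From a laptop on a home connection the address changes, and that is where the RD Gateway approach in the following posts comes in.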
cj_berlin

#5
Yep, not allowing RDP from client VLAN to server VLAN, allowing HTTPS and RD Gateway. You don't need RDWeb or brokers for this to work, just a server instance with two legs and RDG role enabled on it. A certificate trusted by the clients without any pop-ups or warnings is a must, though. Can be self-signed, signed by your PKI or coming from an external trusted CA.
__________________
Evgenij Smirnov

MVP Cloud & Datacenter Management
My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
spam spam bacon spam

#6
Quote:
Originally Posted by dennis-360ict
If the server is next to you, you could probably setup a KVM switch, which lets you select different inputs.


I was just joking about it being right next to me...

However...in all seriousness.... someone in the old forums (Wobble_Wobble?) turned everyone on to Synergy way back in the day.  It's a free keyboard/mouse sharing program that works and I almost NEVER get an argument from it.  Not only do I still use it, it's one of the first things I install on any system I'll be using.  Back then, it was free.  Then they started charging $$, but the newer versions have less features (?!?) than the old free version(s), so I keep using the last free version. 

(I have the executables for all OSes....but the Linux versions don't seem to work.  [frown]... )

~spamms

__________________
If at first you don't succeed, destroy all evidence that you tried.

spam spam bacon spam

#7

Quote:
Originally Posted by cj_berlin
Yep, not allowing RDP from client VLAN to server VLAN, allowing HTTPS and RD Gateway. You don't need RDWeb or brokers for this to work, just a server instance with two legs and RDG role enabled on it. A certificate trusted by the clients without any pop-ups or warnings is a must, though. Can be self signed, signed by your PKI or coming from an external trusted CA.



What's a VLAN?

ROFL.... I had to!!!

Actually, what do you mean by two legs?
(I'd guess, but the last time I guessed at the meaning of tech jargon, I was soooooooo freeking wrong... I mean, who knew "RIM roaming" was a real thing?  ROFL)

Anyhoo, I'm sort of confused.

Are you saying:

  1. DO NOT allow RDP connections between VLANs.
  2. DO allow HTTPS protocol between VLANs
  3. DO allow RD Gateway Protocol between VLANs
while also:
  1. Enabling RDG role on server
Do I have that correct?

I haven't dug into RD Gateway yet, so without knowing any specifics about it, it sounds like enabling RD Gateway allows that server to act as intermediary between an RDP client connecting to a machine with RDP enabled.  If that's true, does running RD Gateway on a machine automatically also make that same machine accessible via RDP?  (Sort of like a transparent VLAN...)

__________________
If at first you don't succeed, destroy all evidence that you tried.

cj_berlin

#8
Hi,

RDG encapsulates RDP into HTTPS so there is no 'RDG protocol' as such.

On the RDG, you can control who can access what by means of resource authorisation policies and who can connect at all by means of connection authorisation policies.

__________________
Evgenij Smirnov

MVP Cloud & Datacenter Management
My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
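Putting cj_berlin's two posts (#5 and #8) together as an added PowerShell example, not code from anyone in the thread: a two-legged RD Gateway with a trusted certificate, a connection authorization policy (who may connect at all), a resource authorization policy (which servers they may reach), the firewall on each leg, and a client .rdp file that forces the gateway. Everything named is assumed for illustration: host rdg.corp.example, interface alias External, AD groups RDG-Admins and RDG-Servers, target srv01.corp.example. The numeric codes for AuthMethod and ComputerGroupType are taken from the RDS PowerShell provider as best remembered and should be checked against the provider's help before use.

```powershell
# Added example, not from the thread. Run elevated on the gateway host.

# 1. Role only. RD Web Access and the Connection Broker are not needed for an
#    admin-only gateway (as #5 says).
Install-WindowsFeature RDS-Gateway -IncludeManagementTools
Import-Module RemoteDesktopServices   # provides the RDS: drive used below

# 2. Bind a certificate whose subject/SAN matches the name clients will type
#    and whose issuer the clients already trust, otherwise mstsc will warn or
#    refuse. Picks the longest-lived matching cert from the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*rdg.corp.example*' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $cert.Thumbprint

# 3. Connection Authorization Policy: who may connect to the gateway at all.
#    AuthMethod 1 = password (assumed: 2 = smart card, 3 = either).
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'Admins-CAP' `
    -UserGroups 'RDG-Admins@corp.example' -AuthMethod 1

# 4. Resource Authorization Policy: which hosts those users may reach through
#    it. ComputerGroupType 1 = an AD group of computer objects (assumed), so
#    the reachable-server list lives in AD, not on the gateway.
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'Admins-RAP' `
    -UserGroups 'RDG-Admins@corp.example' `
    -ComputerGroupType 1 -ComputerGroup 'RDG-Servers@corp.example'

# 5. Firewall on the two legs: only 443/TCP in on the external interface, and
#    3389 explicitly blocked there. The gateway is itself a member server, so
#    it must not be reachable by plain RDP from the outside leg; the RAP, not
#    the firewall, decides what it may reach on the inside leg.
New-NetFirewallRule -DisplayName 'RDG HTTPS in' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -InterfaceAlias 'External' -Action Allow
New-NetFirewallRule -DisplayName 'Block RDP on external leg' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -InterfaceAlias 'External' -Action Block

# 6. Check the policies took, then write a client .rdp that always goes via
#    the gateway (gatewayusagemethod 1 = always; 2 would bypass it for local
#    addresses, which is the hole you are trying to close).
Get-ChildItem RDS:\GatewayServer\CAP, RDS:\GatewayServer\RAP
@"
full address:s:srv01.corp.example
gatewayhostname:s:rdg.corp.example
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
"@ | Set-Content -Path "$env:USERPROFILE\Desktop\srv01-via-rdg.rdp" -Encoding ASCII
```

This answers the question in #7 about whether enabling RDG makes the gateway itself reachable by RDP: it does not by itself, but the gateway is a normal Windows host with the RDP listener, so the external-leg block rule (step 5) is what keeps it from being one more 3389 on the internet. Whether an admin may then RDP to the gateway through the gateway is decided by whether it is in the RAP's computer group.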
spam spam bacon spam

#9
Quote:
Originally Posted by cj_berlin
Hi,

RDG encapsulates RDP into HTTPS so there is no 'RDG protocol' as such.



Yikes.  My bad on that!  I was like... "RDG protocol?"

I re-read my response and realized I had written "protocol" when I didn't mean to.  I was intending to write "service", but I see now that that is also wrong (I was envisioning how it'd work as if I was building an ACL permit/deny statement).  So, "protocol" was a typo, but as luck would have it, what I meant to type was also wrong.  What a derf I am today!!  lol [bawl]

Quote:
Originally Posted by cj_berlin
On the RDG, you can control who can access what by means of resource authorisation policies and who can connect at all by means of connection authorisation policies.



Yo!  What does "two legs" mean?


Sounds like I have some playing around with RDG to do. (yippie!!!)

__________________
If at first you don't succeed, destroy all evidence that you tried.

cj_berlin

#10
Two legs = Two NICs in different IP segments/VLANs.
__________________
Evgenij Smirnov

MVP Cloud & Datacenter Management
My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
spam spam bacon spam

#11
Quote:
Originally Posted by cj_berlin
Two legs = Two NICs in different IP segments/VLANs.



Hah!!!! 

Ya' know what?!?!

That's EXACTLY what I wasn't thinking!

__________________
If at first you don't succeed, destroy all evidence that you tried.
