Exposing RDS to outside world

  • Question

  • We are running Server 2008 R2 and I have a default install of RDS. Is it "safe" out of the box to just expose it to the outside world? Or is there a special "best practice" configuration to apply in order to have an extra layer of security as far as the connection goes? I wouldn't want the user to have to authenticate more than once.

    Any ideas?

    Thursday, January 10, 2013 9:39 PM

Answers

  • rd gateway and/or rdweb
    Friday, January 11, 2013 1:10 AM
  • Hi,

    It is better to have the RDSH server placed behind an RD Gateway at least. Strong passwords are a must in any case.

    For additional security you may have the RD Gateway server behind a firewall that performs SSL bridging. In this way Internet clients connect to the firewall using HTTPS, the firewall examines packets and re-initiates a new HTTPS connection to RD Gateway on the internal LAN, then RD Gateway connects to the RDSH server on port 3389.

    If you do choose to expose the RDSH server directly to the Internet then I strongly recommend you change the RDP listening port to something else, require Network Level Authentication (NLA) if possible, and make sure the RDSH server is current with all security patches.

    -TP

    Friday, January 11, 2013 4:52 AM
    Moderator
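
A read-only check of the three settings the answer above names for a directly exposed RDSH server (listening port, NLA, patch currency), as an added example that is not part of the original thread. The registry paths are the standard Terminal Services locations; the 45-day patch threshold and the variable names are assumptions made for this example.

```powershell
# Added example: audit only, changes nothing. Run elevated on the RDSH server.
# Written to work on PowerShell 2.0 (Server 2008 R2).
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey    = Join-Path $tsKey 'WinStations\RDP-Tcp'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$ts     = Get-ItemProperty -Path $tsKey
$rdp    = Get-ItemProperty -Path $rdpKey
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

# A Group Policy value for UserAuthentication overrides the local listener setting.
$nlaValue = $rdp.UserAuthentication
if ($policy -and $policy.UserAuthentication -ne $null) {
    $nlaValue = $policy.UserAuthentication
}

# Most recent installed update as a rough patch-currency signal.
# InstalledOn is blank for some entries, so drop those before sorting.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

$maxPatchAgeDays = 45   # assumption: set this to match your own patch cycle

$findings = @()
if ($ts.fDenyTSConnections -ne 0) {
    $findings += 'Remote Desktop connections are disabled on this server'
} else {
    if ($rdp.PortNumber -eq 3389) { $findings += 'RDP listens on the default port 3389' }
    if ($nlaValue -ne 1)          { $findings += 'NLA is not required (UserAuthentication is not 1)' }
}
if (-not $lastPatch) {
    $findings += 'No dated hotfix entries found; verify patch level manually'
} elseif (((Get-Date) - $lastPatch.InstalledOn).Days -gt $maxPatchAgeDays) {
    $findings += "Last update $($lastPatch.HotFixID) was installed on $($lastPatch.InstalledOn.ToString('yyyy-MM-dd'))"
}

"Listening port : $($rdp.PortNumber)"
"NLA required   : $($nlaValue -eq 1)"
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```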

All replies

  • Could you point me to documentation that details how to setup an RD Gateway server in the manner that you're talking about? The ssl bridging is not an option at this point, unfortunately.
    Tuesday, January 22, 2013 11:14 PM
  • Hi,

    Please see this:

    Deploying Remote Desktop Gateway Step-by-Step Guide

    http://technet.microsoft.com/en-us/library/dd983941(v=ws.10).aspx

    In the step-by-step guide they are showing you how to have RD Gateway on a separate server, which is preferred, but if you need to you can install RDG on the same server as your RDSH. The guide has you create a self-signed SSL certificate, which is not good for production use. You need to obtain an SSL certificate that matches the public FQDN of your server from a trusted public authority such as GeoTrust, GoDaddy, Thawte, Symantec, Globalsign, etc. Single-name certs are available for less than $10/year.

    Thanks.

    -TP

    Wednesday, January 23, 2013 12:24 PM
    Moderator