
    Ms licensing for a windows jump server

    IT Discussion
Kris_K

      Hey guys,
I'm a little confused with MS licensing for a jump box. As we need more than 2 concurrent RDP sessions, we need RDS role installed and CALs assigned. For obvious reasons the server is not joined to a domain, so according to MS I can only use device (not user) CALs.
      https://blogs.technet.microsoft.com/askperf/2015/05/08/multiple-per-device-rds-cals-are-issued-the-same-device-issue/ - a certificate is transferred from the server to a connected client.
But some of the clients use Macs instead of PCs, not sure how this is going to work out.
      Is anyone else using a similar setup?
      Thanks!

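A check that goes with the question above, added here as an example and not part of the thread: it reads the Session Host's own licensing mode and license server, lists Per Device CAL issuance on the license server, and confirms NLA is enforced and which local accounts can log on over RDP. It assumes Windows PowerShell 5.1 run as a local administrator on the jump server, and LICENSE-SERVER-PLACEHOLDER is a placeholder to replace.

```powershell
# Added example (not from the thread): audit licensing and RDP exposure of a
# standalone (workgroup) Session Host. Run locally, elevated.
$LicenseServer = 'LICENSE-SERVER-PLACEHOLDER'   # placeholder, replace

# 1. Licensing mode of this host (Win32_TerminalServiceSetting.LicensingType).
#    Values per the class documentation: 0 = Personal Desktop,
#    1 = Remote Desktop for Administration, 2 = Per Device, 4 = Per User, 5 = Not configured.
$modeNames = @{ 0 = 'Personal Desktop'; 1 = 'Remote Desktop for Administration'
                2 = 'Per Device';       4 = 'Per User'; 5 = 'Not configured' }
$ts   = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TerminalServiceSetting
$mode = $modeNames[[int]$ts.LicensingType]
Write-Host "Licensing mode  : $mode"
if ($ts.LicensingType -ne 2) {
    Write-Warning "A workgroup Session Host can only use Per Device CALs; current mode is '$mode'."
}

# 2. License server(s) this host has been pointed at (empty = grace period only).
$lsList = $ts.GetSpecifiedLicenseServerList().SpecifiedLSList
if (-not $lsList) { Write-Warning 'No license server specified on this host.' }
else { Write-Host "License servers : $($lsList -join ', ')" }

# 3. On the license server: installed Per Device key packs and how many CALs are issued.
#    This is where the "same device issued several CALs" symptom from the linked post shows up.
Get-WmiObject -ComputerName $LicenseServer -Class Win32_TSLicenseKeyPack |
    Where-Object { $_.TypeAndModel -like '*Per Device*' } |
    Select-Object ProductVersion, TypeAndModel, TotalLicenses, IssuedLicenses, AvailableLicenses |
    Format-Table -AutoSize

# 4. Exposure checks that matter more when the only accounts are local ones:
#    NLA required on the RDP-Tcp listener, and who is actually allowed in over RDP.
$gen = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
if ($gen.UserAuthenticationRequired -ne 1) {
    Write-Warning 'Network Level Authentication is not required on RDP-Tcp.'
}
Write-Host 'Members of Remote Desktop Users:'
Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object Name, PrincipalSource, ObjectClass
```

Mac clients are recorded on the license server like any other device CAL holder, so step 3 is where to look when several packs show the same client re-issued.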
scottalanmiller @Kris_K

        @kris_k said in Ms licensing for a windows jump server:

        Hey guys,
I'm a little confused with MS licensing for a jump box. As we need more than 2 concurrent RDP sessions, we need RDS role installed and CALs assigned.

        Just to be clear, there is no "up to two" allowance. A graphical jump box is a normal RDS server and requires RDS licensing even for two. The "two user limit" on Windows Servers is exclusively for the administration of the local box, not for any other purpose. And CALs are needed for every user, even if you only have one.

scottalanmiller @Kris_K

          @kris_k said in Ms licensing for a windows jump server:

For obvious reasons the server is not joined to a domain, so according to MS I can only use device (not user) CALs.

          I thought RDS requires AD. In any case, just add it to AD. It's that simple. There is nothing obvious about not having it on AD. It should be the obvious, "We have RDS, so obviously we are using AD."

          If there is a reason (and I can't think of any possible) to not have RDS on AD, you'll need to really spell it out, because I literally can't think of a possible reason to not have it on there.

scottalanmiller

            And by no possible reason, that includes things like "we don't use AD otherwise" and "we don't want more Windows licensing"... neither of which are applicable because they aren't relevant. Those would be common misconception reasons.

Kris_K @scottalanmiller

              @scottalanmiller The reason for having a jump server not connected to AD is to reduce the attack surface if the jump server gets compromised.

Kris_K

                It's recommended to have AD for RDS, but it's not a requirement - https://www.dell.com/support/article/us/en/04/sln268318/how-to-deploy-windows-2012-remote-desktop-services-in-a-workgroup?lang=en

travisdh1 @Kris_K

                  @kris_k said in Ms licensing for a windows jump server:

                  @scottalanmiller The reason for having a jump server not connected to AD is to reduce the attack surface if the jump server gets compromised.

                  If I was in front of a computer right now instead of my phone, I'd insert a facepalm.

In what possible way could running RDS not joined to a domain make any difference security-wise? If users are going to access any resources on the domain, it's just making life harder on IT for zero benefit. The only way this makes sense is if someone doesn't trust the security of the authentication mechanism already in use, which is a whole other can of worms to open.

Kelly @Kris_K

                    @kris_k said in Ms licensing for a windows jump server:

                    @scottalanmiller The reason for having a jump server not connected to AD is to reduce the attack surface if the jump server gets compromised.

                    You're actually increasing the attack surface of the RDS server by having the accounts local to the server instead of on the AD server. You're increasing the attack surface of the AD server by allowing the RDS server on the edge. This might seem like a splitting of hairs, but if you have a proper DMZ and your AD server is properly isolated and secured it is a reasonable exposure. If it is AD joined the accounts are on the AD server and there is no additional access granted. However if they are local there is the potential of having additional accounts compromised aside from the one that was used for the initial access. Does that make sense?

DustinB3403 @Kris_K

                      @kris_k said in Ms licensing for a windows jump server:

                      It's recommended to have AD for RDS, but it's not a requirement - https://www.dell.com/support/article/us/en/04/sln268318/how-to-deploy-windows-2012-remote-desktop-services-in-a-workgroup?lang=en

                      Recommended because you have additional security solutions in place by using AD to trust who is using your RDS server.

                      @kris_k said in Ms licensing for a windows jump server:

                      @scottalanmiller The reason for having a jump server not connected to AD is to reduce the attack surface if the jump server gets compromised.

                      @travisdh1 I got you 🤦

PhlipElder @scottalanmiller

                        @scottalanmiller There are "ways" to make a RDS setup work without AD. They are not officially supported but can be done.

                        For a Jump box set up an isolated Private virtual network that both the DC and the RDS Broker/Gateway/Web and Session Host sit on.

                        Use a *NIX freebie edge VM with two NICs with a VLAN structure set up to allow communication from the outside (I suspect this is needed?).

                        Cloud/Internet HTTPS --> Production Edge --> VLAN to *NIX Edge vNIC ---> Edge --> Gateway subnet vNIC --> RD Broker/Gateway/Web --> Session Host --> Jump endpoint.

scottalanmiller @PhlipElder

                          @phlipelder said in Ms licensing for a windows jump server:

                          @scottalanmiller There are "ways" to make a RDS setup work without AD. They are not officially supported but can be done.

                          That's normally the case with most requirements. But .... why?

scottalanmiller @Kris_K

                            @kris_k said in Ms licensing for a windows jump server:

                            @scottalanmiller The reason for having a jump server not connected to AD is to reduce the attack surface if the jump server gets compromised.

                            No additional attack surface.

scottalanmiller @travisdh1

                              @travisdh1 said in Ms licensing for a windows jump server:

                              @kris_k said in Ms licensing for a windows jump server:

                              @scottalanmiller The reason for having a jump server not connected to AD is to reduce the attack surface if the jump server gets compromised.

                              If I was in front of a computer right now instead of my phone, I'd insert a facepalm.

In what possible way could running RDS not joined to a domain make any difference security-wise? If users are going to access any resources on the domain, it's just making life harder on IT for zero benefit. The only way this makes sense is if someone doesn't trust the security of the authentication mechanism already in use, which is a whole other can of worms to open.

                              There are benefits to it being on a DIFFERENT domain. But not to having no domain at all.

PhlipElder

                                2FA ought to be a part of this consideration.

PhlipElder @scottalanmiller

                                  @scottalanmiller said in Ms licensing for a windows jump server:

                                  @travisdh1 said in Ms licensing for a windows jump server:

                                  @kris_k said in Ms licensing for a windows jump server:

                                  @scottalanmiller The reason for having a jump server not connected to AD is to reduce the attack surface if the jump server gets compromised.

                                  If I was in front of a computer right now instead of my phone, I'd insert a facepalm.

In what possible way could running RDS not joined to a domain make any difference security-wise? If users are going to access any resources on the domain, it's just making life harder on IT for zero benefit. The only way this makes sense is if someone doesn't trust the security of the authentication mechanism already in use, which is a whole other can of worms to open.

                                  There are benefits to it being on a DIFFERENT domain. But not to having no domain at all.

                                  Concur.

scottalanmiller @Kelly

                                    @kelly said in Ms licensing for a windows jump server:

                                    You're actually increasing the attack surface of the RDS server by having the accounts local to the server instead of on the AD server.

                                    Because of caching, local is just as secure. Local is actually more secure. But you can run AD locally, making it both AD and local at the same time. While making it not part of the existing AD.

scottalanmiller @DustinB3403

                                      @dustinb3403 said in Ms licensing for a windows jump server:

                                      @kris_k said in Ms licensing for a windows jump server:

                                      It's recommended to have AD for RDS, but it's not a requirement - https://www.dell.com/support/article/us/en/04/sln268318/how-to-deploy-windows-2012-remote-desktop-services-in-a-workgroup?lang=en

                                      Recommended because you have additional security solutions in place by using AD to trust who is using your RDS server.

                                      AD is not "extra" security. AD offers "ease of management" of accounts, but not more security.

scottalanmiller @PhlipElder

                                        @phlipelder said in Ms licensing for a windows jump server:

                                        For a Jump box set up an isolated Private virtual network that both the DC and the RDS Broker/Gateway/Web and Session Host sit on.
                                        endpoint.

                                        You'd absolutely still want AD in that scenario. No matter how isolated it is, that's never a reason for dropping AD for RDS.

scottalanmiller @PhlipElder

                                          @phlipelder said in Ms licensing for a windows jump server:

                                          @scottalanmiller said in Ms licensing for a windows jump server:

                                          @travisdh1 said in Ms licensing for a windows jump server:

                                          @kris_k said in Ms licensing for a windows jump server:

                                          @scottalanmiller The reason for having a jump server not connected to AD is to reduce the attack surface if the jump server gets compromised.

                                          If I was in front of a computer right now instead of my phone, I'd insert a facepalm.

In what possible way could running RDS not joined to a domain make any difference security-wise? If users are going to access any resources on the domain, it's just making life harder on IT for zero benefit. The only way this makes sense is if someone doesn't trust the security of the authentication mechanism already in use, which is a whole other can of worms to open.

                                          There are benefits to it being on a DIFFERENT domain. But not to having no domain at all.

                                          Concur.

                                          This is all that I'm thinking... run a single AD instance on the RDS server itself to hand out AD for RDS, but AD that is 100% isolated to the RDS box. No open ports, no shared AD.

Kelly @scottalanmiller

                                            @scottalanmiller said in Ms licensing for a windows jump server:

                                            @kelly said in Ms licensing for a windows jump server:

                                            You're actually increasing the attack surface of the RDS server by having the accounts local to the server instead of on the AD server.

                                            Because of caching, local is just as secure. Local is actually more secure. But you can run AD locally, making it both AD and local at the same time. While making it not part of the existing AD.

                                            As I understand it, caching stores verifiers rather than the whole of the account.
