Ms licensing for a windows jump server

PhlipElder

2FA ought to be a part of this consideration.

PhlipElder

@scottalanmiller said in Ms licensing for a windows jump server:

@travisdh1 said in Ms licensing for a windows jump server:

@kris_k said in Ms licensing for a windows jump server:

@scottalanmiller The reason for having a jump server not connected to AD is to reduce the attack surface if the jump server gets compromised.

If I was in front of a computer right now instead of my phone, I'd insert a facepalm.

In what possible way could running RDS not joined to a domain make any difference security wise? If users are going to access any resources on the domain, it's just making life harder on IT for zero benefit. The only way this makes sense it's if someone doesn't trust the security of the authentication mechanism already in use, which is a whole other can of worms to open.

There are benefits to it being on a DIFFERENT domain. But not to having no domain at all.

Concur.

scottalanmiller

@kelly said in Ms licensing for a windows jump server:

You're actually increasing the attack surface of the RDS server by having the accounts local to the server instead of on the AD server.

Because of caching, local is just as secure. Local is actually more secure. But you can run AD locally, making it both AD and local at the same time. While making it not part of the existing AD.

scottalanmiller

@dustinb3403 said in Ms licensing for a windows jump server:

@kris_k said in Ms licensing for a windows jump server:

It's recommended to have AD for RDS, but it's not a requirement - https://www.dell.com/support/article/us/en/04/sln268318/how-to-deploy-windows-2012-remote-desktop-services-in-a-workgroup?lang=en

Recommended because you have additional security solutions in place by using AD to trust who is using your RDS server.

AD is not "extra" security. AD offers "ease of management" of accounts, but not more security.

scottalanmiller

@phlipelder said in Ms licensing for a windows jump server:

For a Jump box set up an isolated Private virtual network that both the DC and the RDS Broker/Gateway/Web and Session Host sit on.
endpoint.

You'd absolutely still want AD in that scenario. No matter how isolated it is, that's never a reason for dropping AD for RDS.

scottalanmiller

@phlipelder said in Ms licensing for a windows jump server:

@scottalanmiller said in Ms licensing for a windows jump server:

@travisdh1 said in Ms licensing for a windows jump server:

@kris_k said in Ms licensing for a windows jump server:

@scottalanmiller The reason for having a jump server not connected to AD is to reduce the attack surface if the jump server gets compromised.

If I was in front of a computer right now instead of my phone, I'd insert a facepalm.

In what possible way could running RDS not joined to a domain make any difference security wise? If users are going to access any resources on the domain, it's just making life harder on IT for zero benefit. The only way this makes sense it's if someone doesn't trust the security of the authentication mechanism already in use, which is a whole other can of worms to open.

There are benefits to it being on a DIFFERENT domain. But not to having no domain at all.

Concur.

This is all that I'm thinking... run a single AD instance on the RDS server itself to hand out AD for RDS, but AD that is 100% isolated to the RDS box. No open ports, no shared AD.

Kelly

@scottalanmiller said in Ms licensing for a windows jump server:

@kelly said in Ms licensing for a windows jump server:

You're actually increasing the attack surface of the RDS server by having the accounts local to the server instead of on the AD server.

Because of caching, local is just as secure. Local is actually more secure. But you can run AD locally, making it both AD and local at the same time. While making it not part of the existing AD.

As I understand it, caching stores verifiers rather than the whole of the account.

Kris_K

@scottalanmiller This is not recommended, nor supported by MS as well
Thanks for all the ideas and thoughts everyone!

scottalanmiller

@kelly said in Ms licensing for a windows jump server:

@scottalanmiller said in Ms licensing for a windows jump server:

@kelly said in Ms licensing for a windows jump server:

You're actually increasing the attack surface of the RDS server by having the accounts local to the server instead of on the AD server.

Because of caching, local is just as secure. Local is actually more secure. But you can run AD locally, making it both AD and local at the same time. While making it not part of the existing AD.

As I understand it, caching stores verifiers rather than the whole of the account.

It's all of the part that matters, though, AFAIK. What part isn't there?

scottalanmiller

@kris_k said in Ms licensing for a windows jump server:

@scottalanmiller This is not recommended, nor supported by MS as well
Thanks for all the ideas and thoughts everyone!

But it is "more" supported