Licensing RDS CALs on Server 2019

timeshifter

Speccing a Windows Server 2019 Standard machine that will have an undetermined number of users that will connect to it with RDS. Might only be one at any given time up to as many as four simultaneous connections.

I know I can buy RDS user CALs in packs of one or five, but I recall someone telling me that you can connect one or two sessions without additional licensing. I've looked but can't find any clarification online anywhere.
 
The up to 2 freebie remote desktop sessions allowed by Windows Server is for administrative purposes only....not for end users.

You'll need 1x Windows Server "user" or "device" CAL per user...just to access normal server resources..the same license you use for a networked user to access a server from their workstation.
Additionally you'll need a Windows Remote Desktop User CAL for the remote desktop session on the terminal server.

The RD licensing service tracks the concurrent usage and allocates license resources.
And of course..the server license itself.

If this is exposed to the internet, highly recommended you make only port 443 avail and use the TSGateway role. Don't expose RDP..even if you try to mask the port through an alternate port..it will be found...and busted into.
 
Honestly, it doesn't matter if you expose RDP via HTTPS or directly, if you aren't deploying a multifactor on top, you're going to get broken into.

My clients have a choice, Duo or VPN... I'll never expose RDP, SSH or anything else that can provide remote administrative access without two factor, this includes my RMM tools.

As for the rest, Stonecat is correct on the licensing, you need Server CALs, and RDP CALs. I use User CALs instead of device CALs, I find them easier to track.
 
Only will be used on local LAN or remoted into local LAN by VPN. So much less need to worry, right?
 
VPN or two factor, either way I have yet to have an RDS server hacked. But if I have anything single factor exposed, anything at all... problems. Things like Emotet are too strong, and ubiquitous.

Oh, and the VPN is only really useful if it uses separate authentication than AD, otherwise it all may as well be single factor.
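
Added example, not part of any post in this thread: one way to check that RDS sessions really arrive only from the LAN or the VPN is to review Security event 4624 records with LogonType 10 (Remote Desktop) and flag any source address outside the approved ranges. The subnets, the function names and the sample events are assumptions constructed for illustration; the input is shaped like `wevtutil qe Security /f:xml /e:Events` output.

```python
import ipaddress
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
# Assumption: placeholder subnets; replace with the site's LAN and VPN ranges.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "10.8.0.0/24")]

def _event(when, user, logon_type, ip):
    """Build one trimmed 4624 event (constructed sample data, not a real log)."""
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>4624</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample: LAN logon, VPN logon, outside logon, network logon, no address.
SAMPLE_XML = "<Events>" + "".join(_event(*r) for r in [
    ("2024-03-01T08:02:11Z", "alice", 10, "192.168.10.23"),
    ("2024-03-01T09:15:40Z", "bob", 10, "10.8.0.6"),
    ("2024-03-01T23:47:05Z", "bob", 10, "203.0.113.77"),
    ("2024-03-01T23:50:00Z", "svc_backup", 3, "203.0.113.77"),
    ("2024-03-02T01:10:00Z", "carol", 10, "-"),
]) + "</Events>"

def outside_rdp_logons(xml_text, allowed=ALLOWED_NETS):
    """Return (time, user, source) for RDP logons from outside the allowed nets."""
    findings = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        if data.get("LogonType") != "10":   # 10 = RemoteInteractive (RDP session)
            continue
        raw = data.get("IpAddress", "")
        try:
            src = ipaddress.ip_address(raw)
        except ValueError:
            src = None   # "-" or empty: no usable source, report it for review
        if src is None or not any(src in net for net in allowed):
            when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
            findings.append((when, data.get("TargetUserName"), raw))
    return findings

if __name__ == "__main__":
    for when, user, ip in outside_rdp_logons(SAMPLE_XML):
        print(f"{when}  {user}  RDP logon from {ip}")
```

If the session host sits behind an RD Gateway, the address recorded here is normally the gateway's, so the allowed list would need to contain the gateway and the review would move to the gateway's own logs.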
 
While we've seen exploits against RDP listen ports...I've yet to even hear about any exploits against TSGateway.
TSGateway does pass through security audits no problems. ..so long as you keep the SSL levels updated.

However..I will say, it's Microsoft..probably just a matter of time.
We have less and less terminal servers out there these days.....out of my clients I'm down to just 1. My colleagues here at the office...I know theirs have dwindled down too. With sooo many apps moving to the SaaS model..so those software vendors are hopping on the trendy recurring revenue model too.
 
It's not exploits, it's Emotet... Every exposed RDS platform I've got has been breached because some numpty either got phished, or something like Emotet stole his credentials. The hacker found the RDS, logged in, broke the user's permissions isolation, and crypto'd the server.

But yeah, this SaaS thing is annoying, I'm honestly tired of it. It doesn't serve our clients' needs most of the time, very few vendors are using it to drive value, and instead only using it to drive the quarterly earnings up. But my clients are done with it, I can't even get them to bite on O365 anymore, even though that one actually drives value. They're done with the whole pay this $x / month or your business shuts off extortion racket. And I honestly cannot blame them.
 
Ya gotta embrace Office 365...so many people make the mistake of thinking it's just email. Or just a way to get Office apps. It's so much more than that! So much more! And actually useful! And when you add up the features/benefits/services....and compare them to having to purchase each of those separately like we did in the old days...it really does save the client money. And save the client money again by making our (the IT guy) work so much easier and quicker!
 
@YeOldeStonecat None of that matters when all they want / need is email, and office.

I maintain it's worth it just for the hosted Exchange, the support they have on it is fantastic. But the whole SaaS thing is turning toxic in my market.
 