Paid Consult Request: Secure RDS Environment on New Server

Mainstay

Hi All,

I have a brand new Dell T430 w/ Server 2016 Standard that has not yet been touched.

It is going into an environment that has never had a DC or any commercial grade server before.

The client would like to use the RDS capabilities of this server and I have been highly unsuccessful in creating a stable, properly locked down, remote environment in the past.

So I turn to you!

Is there a TN member that would be interested in setting this up? I would need a quote so that I can get approval to move forward.

The RDS would need to be secured with the proper VPN services, gateway services (and encryption certificate) and would need to be integrated with O365 Pro Plus for Office applications.

They will also be using accounting software: Caseware, QuickBooks, and Sage 50.

Please let me know if any of you are able to assist!

--Matthew
 
What kind of VPN are you using here, Windows built-in or an appliance? Do the clients need roaming profiles, redirected folders, or just plain remote desktop? Do they currently have E3 O365 licenses? Are the client machines all over the place or in a satellite office? I'm interested, I have multiple setups like this in play already.
 
No VPN in place at the moment... no proper appliance in place.

No roaming profiles (have never had success with those).

Just plain RDS (not the new apps concept)... but TS as a session.

They do not have the E3 licenses purchased, but do have an O365 account for their standard business licenses.

The client machines are centralized in a single office but they want remote workers (only 5) to be able to work from home / abroad.
 
Just as a guess I'm thinking that there may need to be 2 VMs with Hyper-V running on the host, because you probably don't want the DC to also be the TS.

I'd have the DC and file services (with shadow copies on a second volume so they can't get easily stomped) as one VM and terminal services on the other VM. I never like to see data stored directly on a machine that users have interactive access to, because that road leads to ransomware.
 
I'm wondering, how is having multiple VMs going to stop ransomware? Are you just saying if one gets infected the other doesn't in this scenario? If you keep files on the DC and have a VM running TS, then won't the TS users still need access to the DC, which in turn will not stop it anyway? The way I've always understood it is you are only as secure as your least secure device that has access to your shares.
 
If all data is on the shares, you're more likely to be faced with a problem of encrypted data but not an infected file server. I don't think I've ever heard of any malware that looks for privilege escalation, then uses that to get access to other accounts, then attempts to use those accounts for access to other systems - I'm sure it's possible, but it's not what you're going to find in the wild unless you're serving some very sensitive and highly-targeted clients.

If there's no local access on the file server, there's no clearing of restore points or shadow copies. If shadow copies are configured with a volume of their own, there's also no loss of shadow copies by filling the drive. Finally, if you have an on-site backup to a NAS or something else that's only reachable from the file server/DC then anything that happens on the TS doesn't hit any level of local backups, be that 2-3x/day scheduled shadow copies or nightly (or more often) backups to the NAS. File restoration in case of problems is quick.
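An added example (PowerShell, not code from anyone in this thread) of the shadow-copy layout described above: shadow storage for the share volume is placed on its own volume and snapshots are taken three times a day by a SYSTEM scheduled task, so a session on the TS that encrypts or fills the shares cannot also take the previous versions with it. It assumes D: is the share volume, E: is a dedicated volume used only for shadow storage, and that it runs elevated on the file server/DC VM.

```powershell
# Added example, not from the thread. Assumptions: D: holds the shares,
# E: is dedicated to shadow storage, run as administrator on the file server.
$DataVolume   = 'D:'
$ShadowVolume = 'E:'

# 1. Associate D:'s shadow storage with E:. 'add' fails if an association
#    already exists, so switch to 'resize' when E: is already the target.
$existing = vssadmin list shadowstorage /for=$DataVolume
if ($existing -match [regex]::Escape("Shadow Copy Storage volume: ($ShadowVolume)")) {
    vssadmin resize shadowstorage /for=$DataVolume /on=$ShadowVolume /maxsize=UNBOUNDED
} else {
    vssadmin add shadowstorage /for=$DataVolume /on=$ShadowVolume /maxsize=UNBOUNDED
}

# 2. Take one snapshot now via the Win32_ShadowCopy WMI class.
#    'ClientAccessible' makes it visible under "Previous Versions" on the shares.
function New-DataShadowCopy {
    $vss    = Get-WmiObject -List Win32_ShadowCopy
    $result = $vss.Create("$DataVolume\", 'ClientAccessible')
    if ($result.ReturnValue -ne 0) {
        throw "Shadow copy of $DataVolume failed, return code $($result.ReturnValue)"
    }
    $result.ShadowID
}
New-DataShadowCopy

# 3. Schedule the same call at 07:00, 12:00 and 17:00 as SYSTEM, so the
#    snapshots do not depend on any user account that logs on to the TS.
$command  = "(Get-WmiObject -List Win32_ShadowCopy).Create('$DataVolume\','ClientAccessible')"
$action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
                -Argument "-NonInteractive -Command `"$command`""
$triggers = '07:00', '12:00', '17:00' | ForEach-Object { New-ScheduledTaskTrigger -Daily -At $_ }
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'ShadowCopy-DataVolume' -Action $action `
    -Trigger $triggers -Principal $principal -Force

# 4. Verify: list the snapshots that exist for D: with their timestamps.
$volumeId = (Get-CimInstance Win32_Volume -Filter "DriveLetter='$DataVolume'").DeviceID
Get-CimInstance Win32_ShadowCopy |
    Where-Object VolumeName -eq $volumeId |
    Select-Object ID, InstallDate
```

Keep the TS users out of the local Administrators group on the file server; the shadow storage on E: is only protected as long as nobody with interactive access to that box can run vssadmin against it.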
 
Just as a guess I'm thinking that there may need to be 2 VMs with Hyper-V running on the host, because you probably don't want the DC to also be the TS.

Without question. Never put terminal services on a DC.

Not sure the size of the environment here...but accounting software, I try to have the server components on a database server. Your remote desktop services box will have the desktop setup/workstation client installed. Folder redirection to yet another server...such as a file server.
Depending on how many users hitting the terminal server...possibly a separate box running just the TSGateway services if not opting for VPN.
 
Never put terminal services on a DC.

Yeah, we've had that in the past, but probably not in the past 12+ years. We had that on small clients with a single 2003 server, before virtualization was viable and when the licensing didn't allow instances.

Standard should allow 2 VMs on top of Hyper-V not running much of anything else, and 5 TS clients shouldn't strain much of anything.
 
I know running TS in a VM is best practice, but with small clients I put the TS on the DC and have never had any issues. I can see how this would be a problem with larger companies though.
 
My expectation is just that having the TS separated makes it much easier if it needs to be rolled back due to "stupid user tricks." If the machine gets infected but not with something capable of actively spreading on a business network, it may be easier to simply restore a day-old backup than to clean it particularly if there's no significant user data on it that needs to be saved.
 