As the number of EC2 instances in your AWS environment grows, so too does the number of administrative access points to those instances. Depending on where your administrators connect to your instances from, you may consider enforcing stronger network-based access controls. A best practice in this area is to use a bastion. A bastion is a special-purpose server instance that is designed to be the primary access point from the Internet and acts as a proxy to your other EC2 instances.

This week's guest blogger, Ryan Holland, AWS Solutions Architect, describes how to configure a bastion in front of your Windows EC2 instances to proxy administrative requests to your instances. Future posts from Ryan will describe how to configure a bastion in front of your Linux EC2 instances.

If you run Microsoft Windows instances in EC2, then you most likely use the Remote Desktop Protocol (RDP) for remote administration. To define the source IPs that are allowed to connect to your EC2 instances' RDP port (TCP/3389), you configure the instance's security group rules. When configuring your security groups, it's a best practice to apply the principle of least privilege, allowing connections to the RDP port only from the IP addresses your administrators will be connecting from and denying all others. However, in cases where an administrator could be connecting from anywhere on the Internet, determining which IPs to allow can be difficult. As a result, we often see customers setting security groups for RDP access to allow every IP (0.0.0.0/0), thereby failing to enforce least privilege at the network layer.

One solution to this problem is to protect your Windows instances at the network layer using a Microsoft Remote Desktop (RD) Gateway server set up as a bastion. RD Gateway can be configured to accept connections via HTTPS (TCP/443) from every IP on the Internet, then proxy them to your other Windows instances using the RDP port (TCP/3389). Only users who authenticate to your RD Gateway instance are allowed to proceed on to the protected Windows instances behind the proxy.

The basic steps for configuring RD Gateway are:

1. Create a Windows EC2 instance and configure a security group rule to allow RDP access.
2. Install and configure RD Gateway on that instance.
3. Reconfigure security groups on the RD Gateway instance and all other Windows server instances to control which connections are allowed.
4. Verify you can connect to your Windows instances through RD Gateway.
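As an added example that is not part of the original post, the following Python audit checks a set of security groups for the layout described above: TCP/443 open on the RD Gateway group, and TCP/3389 on the Windows server groups reachable only from the gateway's security group. It takes input in the shape that boto3's `ec2.describe_security_groups()["SecurityGroups"]` returns; the group IDs and rules below are constructed sample data, not from any real account.

```python
import ipaddress

RDP_PORT, RDGW_PORT = 3389, 443  # RDP to servers; HTTPS into the RD Gateway


def _covers(perm, port):
    """True if one IpPermission entry (boto3 shape) covers TCP <port>."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # an "all traffic" rule includes RDP
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_rdp_exposure(security_groups, gateway_sg_id):
    """Return (group id, finding) pairs for RDP rules that bypass the bastion."""
    findings = []
    for sg in security_groups:
        gid, perms = sg["GroupId"], sg.get("IpPermissions", [])
        is_gateway = gid == gateway_sg_id
        if is_gateway and not any(_covers(p, RDGW_PORT) for p in perms):
            findings.append((gid, "RD Gateway has no inbound TCP/443 rule"))
        for perm in perms:
            if not _covers(perm, RDP_PORT):
                continue
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append((gid, f"RDP open to the Internet ({cidr})"))
                elif not is_gateway:  # a narrow CIDR on the gateway itself is tolerated
                    findings.append((gid, f"RDP from CIDR {cidr}, not via RD Gateway"))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") != gateway_sg_id:
                    findings.append((gid, f"RDP from {pair.get('GroupId')}, not RD Gateway"))
    return findings


# Constructed sample (not a real account): "rdp-before" is the 0.0.0.0/0 anti-pattern;
# "rd-gateway" and "windows-servers" are the post's target layout.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000aaaa", "GroupName": "rdp-before", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0000bbbb", "GroupName": "rd-gateway", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0000cccc", "GroupName": "windows-servers", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "UserIdGroupPairs": [{"GroupId": "sg-0000bbbb"}]}]},
]

if __name__ == "__main__":
    for gid, msg in audit_rdp_exposure(SAMPLE_GROUPS, "sg-0000bbbb"):
        print(f"{gid}: {msg}")
```

Run against the sample, only the "rdp-before" group is reported; the gateway and server groups pass because RDP to the servers is permitted solely from the gateway's security group.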