
RD Web and IIS - security

So I am in the process of building an on-premises Windows RDS implementation on Server 2019, complete with redundant servers for all roles, including the RD Broker. I opted to go with the Azure hosted database for the broker rather than building an on-premises SQL cluster.

The RD Gateway and RD Web roles are installed on the same set of servers. I've actually implemented DUO MFA for the Gateway service and it is working well.

One concern I have with pointing the internet directly at our RD Web services using TCP:443 is the monitoring of failed username and password attempts against IIS. It's crazy to me that Microsoft hasn't included any out-of-the-box comparison to the Linux Fail2Ban product. Can anyone suggest methods of automatically banning IPs after so many failed login attempts against IIS (/rdweb), or perhaps automatically throttling bandwidth for sources that have a certain number of failed login attempts?

What if I wanted to take this a step further and not allow any computer that doesn't meet certain security requirements to log in to RD Web or GW? Say the computer has to have Sophos AV and it has to be up to date. Or only computers joined to specific domains can connect, etc.

Regards,
Adam Tyler

remote-desktop-services
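One way to get Fail2Ban-like behaviour on the RD Web/Gateway host itself, as an added example that is not from the original post: a PowerShell script that counts failed logons (Security event 4625) per source address over a sliding window and adds a Windows Firewall block rule for addresses over a threshold, expiring old blocks so a mistyped password is not a permanent ban. It assumes it runs elevated on the RD Web server from a scheduled task, that the 4625 events on that server carry the client address in the IpAddress field (RD Web forms logons may record '-' there, in which case the IIS W3C log has to be correlated instead), and the window, threshold and rule prefix are placeholder values to tune.

```powershell
# Added example (not from the original post). Fail2Ban-style blocking for RD Web on Windows.
# Assumptions: runs elevated; 4625 events carry the client IP in IpAddress; values below are placeholders.
param(
    [int]$WindowMinutes = 10,     # look-back window for counting failures
    [int]$Threshold     = 10,     # failures per source IP that trigger a block
    [int]$BanMinutes    = 60,     # how long an auto-block rule is kept
    [string]$RulePrefix = 'RDWeb-AutoBlock'
)

$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Pull the IpAddress element out of each event's XML payload.
$sources = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
}

# Ignore events with no usable address and anything local, then group by source.
$offenders = $sources |
    Where-Object { $_ -and $_ -ne '-' -and $_ -notmatch '^(127\.|::1$)' } |
    Group-Object |
    Where-Object { $_.Count -ge $Threshold }

foreach ($o in $offenders) {
    $ip   = $o.Name
    $name = "$RulePrefix $ip"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        # The creation time is stored in the description so the rule can be expired later.
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -RemoteAddress $ip -Protocol TCP -LocalPort 443 `
            -Description "created=$((Get-Date).ToString('o')) failures=$($o.Count)" | Out-Null
        Write-Output "Blocked $ip after $($o.Count) failed logons in $WindowMinutes min"
    }
}

# Expire auto-block rules older than BanMinutes.
Get-NetFirewallRule -DisplayName "$RulePrefix *" -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Description -match 'created=(\S+)') {
        $created = [datetime]::Parse($Matches[1])
        if ($created.AddMinutes($BanMinutes) -lt (Get-Date)) {
            Remove-NetFirewallRule -DisplayName $_.DisplayName
            Write-Output "Expired block $($_.DisplayName)"
        }
    }
}
```

Run it every few minutes from Task Scheduler, and keep the firewall rule list and the 4625 events flowing to your SIEM so the blocks themselves are visible as detections.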

1 Answer

AdamTyler-3751 answered

No one responded to this. Best option I could come up with is putting a reverse proxy out in front of the IIS /Rdweb site. Azure has something called the Azure AD Reverse proxy now that allows you to do M365 pre-authentication before logging into this IIS site. I'm having some trouble getting it fully working, but may be worth a look.

https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-integrate-with-remote-desktop-services
