    Workgroup VPS with secure VPN and RDP (managed or self-managed)

    Hey Ho Man GoDaddy Community!!!

     

    Been using self-managed VPS for over a year, this is my first foray into the GD Community....

    After what I have gone through I felt inclined to share a bit, in the end I hope someone at GoDaddy sees this and takes note...

     

    Soapbox

    In both the managed and self-managed Windows Server 2012 R2 VMs, the RDP access is set up for you via some Parallels services (User Profiles and Tools). And they use the default unsecured 1389 port, per the normal RDP standard. So you get a VM with 1389 open to the world. You will get Brute Force attacked!!! See attached eventlog to see what it looks like, and how it looks after I fixed it. This is not a good practice and after pointing it out to support and asking about the Parallels services, I get the normal "You are self-managed". OK WHATEVER, either way I need to know what those services are doing "exactly" if I am self-managed. If I turn off RDP 1389 on the server, I cut myself off. And I don't want to screw up any of the hooks to the GD Server Dashboard.

     

    GoDaddy, you need to disclose these services to VPS managed and self-managed owners and also provide some sort of guidelines as to what they are doing and how. It's kind of concerning for an admin to have RDP, but as far as the server knows, Hyper-V isn't even installed, but its service is running!!??

     

    And as one fine gentleman in support said, "There are 100's of web sites about it,..." Well, I looked at about 10 maybe before I realized those services are all for the VMware on their end, and it didn't appear anything was meant to be used or re-configured on the VM. So I took to about 100 web pages and figured out how to cut off my attackers (at least here). It also took about 5 Destroy/Rebuilds, as when you screw up, you usually cut yourself off!!!??

     

    I am not providing a step-by-step here, but will lead any interested parties in the right direction and answer what questions I can.

    I believe GoDaddy should provide secure VPN/RDP access to VMs. 

    If a Hack like myself can figure it out, it couldn't be too hard to make it part of a VM image?! And anyways, the Plesk/Parallels VMware tools should have some VPN solution?!

     

    And BTW - This is running on a WorkGroup Server, NO WINDOWS DOMAIN. Do not believe it if someone says you HAVE TO create a Domain. If you already have one, then this will be much easier.

     

    Anyways, off the soapbox. I really love my GoDaddy VPS's!!! 

    There is a specific order to things, as usual. Start with this nice tutorial:

    https://blog.netnerds.net/2015/02/setup-an-sstp-ssl-vpn-in-windows-server-2012-r2/

     

    You have to get VPN up before you can configure RD Gateway!!! Once you have RD Gateway up, you do not need to connect with VPN anymore, but you'll have it for other stuff if so desired.

    You need to do the security steps. I used the GoDaddy cert I use on my websites. So go through the cert registration process and the cert will show up in the config menus.

     

    Once you are set on VPN check out this nice article, concentrating on the RD Gateway. I also changed the account lockout policy as described.

    https://security.berkeley.edu/resources/best-practices-how-articles/securing-remote-desktop-rdp-syst...

     

    The next trick is to enable JUST RD Gateway role.

    If you are on a domain, follow the instructions in the article for RD Gateway setup.

    https://technet.microsoft.com/en-us/library/dd983949

     

    DO NOT SELECT "Remote Desktop Services installation" Unless you are on a domain!!

     

    For Workgroup VPS, just do “Role-based or feature-based installation” as usual and select "Remote Desktop Services" and then select ONLY "Remote Desktop Gateway". Accept all the add-ins. This will install IIS if you haven’t already. The Default Web Site gets configured as the SSL relay for VPN. I believe there are other alternatives, but since I got SSL IIS already… I also believe you can change to a port different from 443, like 444.

     

    Also make sure to set up VPN split tunnel: simply uncheck “Use default gateway on remote network” in the VPN adapter's Properties ->Network->TCP/IP4->Properties->Advanced…

     

     After that, you are in a world of configs and rules. See pics. Don't miss the RD Gateway snap-in which is crucial for configuration. Then you'll have both the Remote Access and Remote Desktop Service in the Server Manager. You will also need the Administrative Tools: Local Security Policy, Remote Access Management and Routing and Remote Access. (phew)

     

    Keep ports 1389 alive until the very end, then shut them down, except for private (for the relay, and this port can be changed in RD Gateway config). You should be logged in via RD Gateway RDP settings:

    https://technet.microsoft.com/en-us/library/cc770601.aspx

     

    And cross your fingers. If your session is disconnected, you know something is wrong. Good Luck!

     

    Cheers!

    Eric

     

     !!-Can't seem to attach files here, so sample event log excluded, sorry.

    inbound.JPG
    roles.JPG
    status-config1.JPG
    status-config2.JPG
    status-config3.JPG
    status-config4.JPG
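
An added example, not part of the original post: a PowerShell check an administrator could run on the VPS after the steps above, to see which sources are failing logons and whether any inbound firewall rule still allows the RDP listener port from any address on a public profile. It assumes failed-logon auditing is enabled (Security event ID 4625) and reads the listener port from the registry rather than hard-coding it.

```powershell
# Added example (not from the original post). Run elevated on the server.
# Assumption: failed logons are audited to the Security log as event ID 4625.

# Read the port the RDP listener is bound to instead of hard-coding it.
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

# 1. Failed logons in the last 24 hours, grouped by source address.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) }
$failed = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$attempts = foreach ($evt in $failed) {
    # Named fields live in EventData; index them by their Name attribute.
    $fields = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Source    = $fields['IpAddress']
        User      = $fields['TargetUserName']
        LogonType = $fields['LogonType']   # 3 = network (NLA), 10 = remote interactive
    }
}

$attempts | Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name,
        @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# 2. Enabled inbound allow rules that expose the RDP port to any remote address
#    on a Public (or all-profile) rule. Only rules listing the port explicitly
#    are matched; port ranges and any-protocol rules need a manual look.
$exposed = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        "$($_.Profile)" -match 'Any|Public' -and
        $port.Protocol -eq 'TCP' -and
        $port.LocalPort -contains "$rdpPort" -and
        $addr.RemoteAddress -contains 'Any'
    }

if ($exposed) {
    Write-Warning "TCP $rdpPort is still reachable from any address:"
    $exposed | Select-Object DisplayName, Profile | Format-Table -AutoSize
} else {
    "No public inbound allow rule for TCP $rdpPort."
}
```

Running it before and after closing the port gives a before/after view comparable to the event log the post could not attach.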