How to Secure Amazon RDP Access
Amazon Web Services (AWS) is a key driving force for businesses today. It allows organizations to improve innovation, increase agility, and cut costs via a comprehensive suite of Amazon Remote Desktop Protocol (RDP) tools.
Amazon RDP leverages Microsoft’s RDP to provide organizations with access to secure and highly reliable Windows-based instances without requiring them to configure any virtual private network (VPN) connection. Businesses that want to leverage Amazon RDP can use Amazon Quick Start to deploy and configure a remote desktop (RD) gateway infrastructure automatically.
What Does the Remote Desktop Gateway Environment Setup Provide?
Amazon RDP is increasingly popular with organizations because it helps them set up a secure RD gateway environment. An effective RD gateway management minimizes the attack surface for Windows-based workloads since the connection between remote users, and elastic compute cloud (EC2) instances occurs through RDP over hypertext transfer protocol secure (HTTPS).
Below are typical components that are delivered when deploying RD gateway via AWS Quick Start:
- Highly available infrastructure that spans two availability zones. These zones help deliver low-latency network connections to the same AWS region workloads.
- A virtual private cloud (VPC) that gets configured with public and private subnets. You can use a VPC to create your own secure virtual network that runs code and stores data on AWS.
- An internet gateway. The internet gateway is a redundant, highly available, and horizontally scaled VPC component that allows access to the internet. RD gateway instances use the internet gateway to send and receive traffic.
- Managed network address translation (NAT) gateways. A managed NAT gateway allows private, subnet-based EC2 instances to connect to other AWS services or the internet. However, it prevents the internet from connecting to the EC2 instances.
- Public subnets. Each public subnet has four RD gateway instances to allow a secure connection to private, subnet-based EC2 instances. Each instance is directly reachable from the internet because it gets assigned an elastic internet protocol (IP) address.
- A network load balancer. A network load balancer distributes end-user traffic across multiple AWS resources to ensure high throughput and low application latency.
- A security group for Windows-based instances. By default, the security group permits transmission control protocol (TCP) port 3389 from your IT administrator IP address. You can change the security group ingress rule to allow access via TCP port 443 after deployment.
- An empty application tier for Windows-based instances in private subnets. If you need extra tiers, you can add more private subnets with unique, classless inter-domain routing (CIDR) ranges.
- AWS Secrets Manager. This is a secrets management service that users can leverage to store credentials for accessing Windows-based workloads securely. Remote users can use the AWS Secrets Manager to rotate, manage and access application programming interface (API) keys, credentials, and other secrets.
- AWS Systems Manager (SSM). An AWS SSM is a service that allows users to access and manage their infrastructures on AWS. An SSM Agent enables the Systems Manager to update, control and configure Windows-based instances.
Costs of Deploying a Remote Desktop Gateway in AWS
Organizations are responsible for all costs related to the AWS services you use while running Quick Start reference deployments, including any license fees. However, there is no additional cost for using QuickStart. You can use the AWS CloudFormation template and Quick Start to simplify the provisioning and management of EC2 instances on AWS.
One advantage of using Quick Start is that it automatically launches the Amazon Machine Image (AMI) for Windows Server OSs such as 2012 R2, 2016, and 2019. Since Quick Start includes licenses for these OSs and the AMI gets updated regularly, you don’t need to install any updates.
But that’s not all. The Windows Server AMI includes two Microsoft remote desktop services (RDS) licenses, and as such, you don’t need the client access licenses (CALs) to access Windows-based instances.
Best Practices for Deploying an RD Gateway
Deploying RDS for remote employees is a great way to enhance productivity through secure access to Windows-based instances. However, this can make business sense only when appropriately deployed. Below is a list of five best practices for deploying RD gateways:
1. Always Adhere to the Principle of Least Privilege
Least privilege is a security norm that restricts access rights for various users in an organization, only allowing them to access what is required to get the job done. In AWS, this is possible by exposing as few ports to the network as possible. This limits the source network from accessing the organization’s EC2 instances. AWS has many capabilities, including security groups, subnets, and trusted ingress CIDR blocks that you can use to enforce this principle.
2. Always Use VPC for Business-Critical Workloads
A VPC also ensures you have complete control of the virtual network environment, including selecting your own IP address ranges, subnets and configuring gateways. Amazon recommends the following best practices when deploying critical Windows-based instances:
- Workloads should have at least two availability zones to guarantee high availability.
- You must place instances into individual tiers. For example, you can have distinct tiers for application servers, web servers, and domain controllers when deploying Microsoft SharePoint.
- You must place internal application servers and other non-public network-facing servers in private subnets. This is vital to prevent direct access to instances from public networks.
- You need to deploy RD gateways into public subnets in each availability zone for remote administration. When required, you can place other components like reverse proxy servers in public networks.
- Lockdown the network access control lists with more specific rules
Network access control lists (ACLs) provide permissions for inbound or outbound traffic and are great tools for providing an effective way to block an IP address or a CIDR block. While a default network ACL configuration is still deemed sufficient, locking it down with more specific rules can help you further secure the Windows-based instances at the network level.
4. Use Security Groups to Create Instance-Level Firewalls
Security groups let IT administrators manage open ports and isolate different application tiers. For example, every instance usually executes behind a stateful firewall in a VPC by default. This way, the security group enforces rules for opening inbound and outbound ports on the firewall.
You can also associate a particular security group with multiple instances to isolate application tiers in the AWS environment. When configured this way, security groups minimize the attack surface for EC2 instances. It also allows IT administrators to create secure connections for all the connected workloads via a single gateway.
5. Use SSL Certificates to Improve Security
The RD gateway role relies on transport layer security (TLS) protocol to encrypt the connection between the gateway servers and administrators. To support TLS, IT administrators must install a valid X.509 secure sockets layer (SSL) certificate on each RD gateway. Smaller test environments can implement a self-signed certificate to get started quickly. However, for large environments, Amazon recommends a public certificate.
How to Connect to an EC2 Instance Using RDP
You require an administrator password to connect to Windows-based instances via Amazon RDP. If your instance is part of a domain, you’ll need the AWS Directory Service credentials to connect to the instance. However, unlike the first option, where you enter the local computer name and the generated password, you need a fully qualified username for the administrator and password to access EC2 instances.
Here are steps to help you connect to EC2 instances via Amazon RDP:
- Launch the Amazon EC2 console (https://console.aws.amazon.com/ec2/), and log in as root. You can create a new account with AWS if you don’t have one.
- Select Instances under the navigation pane. This displays a list of all the EC2 instances you have created before, including their statuses and actions. Select your Windows-based EC2 instance and click Connect.
- In the new Connect to instance page, click RDP client, and choose Get password. This generates an administrator password that you’ll need to use when logging into the EC2 session.
- Now choose Browse and navigate to the private key file folder. The private key file gets generated when you launch an EC2 instance for the first time. Choose the file and click Open.
- Click Decrypt Password. Save the password in a location of your choice since you’ll need it when connecting to the instance.
- Next, choose Download remote desktop file. Select the Save option when prompted about whether you want to open or save the file, and return to the Instances page.
- Navigate to the downloaded file’s location and double-click to open the RDP shortcut file.
- You may receive a warning message notifying you that the publisher of the downloaded file cannot be verified. Click Connect to log onto your EC2 instance.
- The program chooses the administrator account by default. Copy/paste the generated password that you had saved previously to log on to your instance.
Simplify Hybrid Cloud Deployments with Parallels RAS
Organizations are looking increasingly to cloud solutions such as AWS and Microsoft Azure to answer their transformation challenges. While this is driven mainly by the need to modernize IT infrastructures, other compelling reasons for the transition include innovating, increasing agility, and cutting costs.
It would help if you also considered a robust virtual desktop infrastructure (VDI) solution as you transition your IT infrastructure from on-premises to the cloud. A perfect VDI can help streamline IT administration tasks and reinforce cloud computing benefits such as increasing agility and cutting down costs.
Parallels® Remote Application Server (RAS) is one such product. As an all-in-one, VDI product, Parallels RAS allows businesses to provide virtual applications and desktops that employees can easily access on any device and platform. Parallels RAS is also cloud-ready, supporting on-premises, public cloud, hybrid cloud, and hyper-converged infrastructure (HCI) deployments.
Parallels RAS increases IT agility with virtual applications and desktops secured—whether on-premises or in the cloud. This allows customers to access corporate resources tailored towards meeting evolving business requirements. Additionally, companies can substantially reduce upfront costs by leveraging cloud computing and the Parallels RAS pay-as-you-go pricing model.