
I have Windows Server 2012 at Amazon EC2 in non-domain environment.

I need to remote desktop into it and also connect to Microsoft SQL server instance running on it.

In addition to opening these ports in Windows Firewall I'd like to make that more secure. I can't limit connection to specific IP because I have dynamic IP address from my ISP.

What I was thinking about is to use something that would exist both on my client computer and on the server as a required condition for connection. Perhaps some kind of SSL certificate?

I found this for Windows Server 2003: http://www.alkia.net/index.php/faqs/106-how-to-secure-remote-desktop-connections-using-tls-ssl-based-authentication which seems to be similar to what I am looking for but it assumes Active Domain environment is in use and only covers remote desktop as opposed to any connection via firewall. Plus GUI for Terminal Services Configuration doesn't even exist on Windows Server 2012.

I see that in Windows Server 2012 on "General" tab of any firewall rule there is an option "Allow the connection if it is secure" that can be enabled and further configured. There is also "Connection Security Rules" folder under "Windows Firewall with Advanced Security". I suspect what I am looking for is related to these 2 options but I am not sure how they work together.

Is what I am trying to achieve even possible in non-domain environment? Are there any step-by-step guides on how to set it up for Windows Server 2012?

Joe Schmoe

2 Answers


IMHO, by far the quickest and easiest solution would be to use an IPSec setup using transport mode only and certificate based authentication.

This would allow you to connect to the public IP of your server from only your specific laptop (or wherever you install your custom certificate).

VPN is great but it is really overkill if all you need is the transport mode - most VPN guides assume needing to set up tunneling and that is overkill in your use case.

If I were going to do this:

  1. Create a local self-signed certificate on both the server and workstation.
  2. Import the workstation cert on the server and vice versa. They need to be in the trusted root store.
  3. Create a connection security rule using the settings 'any remote ip' for endpoint 1 and 'your server ip here' for endpoint 2, using certificate authentication. This will let the server optionally use IPSec. The same rule would also need to be set up on your workstation.
  4. Create a Windows Firewall rule on the server using the 'allow the connection if it is secure' option. I'd start with a single protocol such as Remote Desktop. You could broaden it later.

Note there might be a couple of AWS-specific steps such as ports required to be opened I haven't covered. You might want to spin up a test instance to try this out on.

Tim Brigham
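
The four steps above expressed with the NetSecurity and PKI cmdlets that ship with Windows Server 2012, as an added example that is not part of the answer. It assumes placeholder values for the root subject, the server address and the certificate file path, and that both machines' certificates chain to one root whose .cer is imported into Trusted Root on both sides (the answer's two independent self-signed certificates need the same import step on each machine).

```powershell
# Elevated PowerShell on the SERVER. Assumptions (placeholders, adjust before use):
$rootDn   = 'CN=Example-IPsec-Root'   # subject DN of the root both machine certs chain to
$serverIp = '203.0.113.10'            # server's public address (TEST-NET-3 placeholder)
$rootCer  = 'C:\ipsec\root.cer'       # exported root certificate copied to this machine

# Step 2: put the root (or the peer's self-signed cert) into the machine Trusted Root store.
Import-Certificate -FilePath $rootCer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Step 3a: main-mode (phase 1) authentication = machine certificate issued under $rootDn.
$proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $rootDn -AuthorityType Root
New-NetIPsecPhase1AuthSet -Name 'IPsecCertAuth' -DisplayName 'Machine cert auth' `
    -Proposal $proposal | Out-Null

# Step 3b: connection security rule, transport mode, endpoint 1 = any remote address,
# endpoint 2 = the server. 'Request' rather than 'Require' so the hosted application and
# other traffic keep working unprotected; enforcement happens in the firewall rule below.
# On the WORKSTATION create the same rule with -LocalAddress Any -RemoteAddress $serverIp.
New-NetIPsecRule -DisplayName 'Request IPsec with cert auth' -Mode Transport `
    -LocalAddress $serverIp -RemoteAddress Any `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet 'IPsecCertAuth' | Out-Null

# Step 4: "Allow the connection if it is secure" is -Authentication Required (optionally
# -Encryption Required). Start with RDP only; add SQL Server (TCP 1433) once RDP works.
New-NetFirewallRule -DisplayName 'RDP only over authenticated IPsec' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -Action Allow `
    -Authentication Required -Encryption Required | Out-Null

# The built-in 'Remote Desktop' group still allows unauthenticated 3389; disable it from a
# session you keep open (or on the test instance the answer suggests) so you are not locked out.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# AWS side: the security group must also admit UDP 500 and UDP 4500 (IKE and NAT-T), since
# the instance sits behind AWS NAT and ESP will be UDP-encapsulated.

# Check after the workstation connects: a main-mode SA with the workstation should exist.
Get-NetIPsecMainModeSA | Format-List
```

If no main-mode SA ever appears, check the IKE negotiation failures under Event Viewer, Security log (IPsec Main Mode audit events), before touching the firewall rules.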

The article that you pointed out does not necessarily apply only to domain environments. As noted at the end:

The steps covered in this article assume you are running terminal services in an Active Directory domain environment, and also running your own Microsoft based PKI. It should be noted however, that this is not a requirement, as long as you focus on the security when computers need to trust the CA hierarchy.

However, as you stated, it will only secure your RDP connections.

I guess a VPN is an obvious solution, but since you didn't mention it I assume that is not what you are looking for. You can reduce the attack surface with one or more of these:

  • Port Knocking. Here's a nice resource.
  • Ask your ISP the block of addresses that they own, adding only these to the source addresses in the firewall rules will greatly reduce the number of script kiddies trying to attack your server. They may not give you this information, in that case you are going to have to figure out the range yourself.
  • Change the default ports of your exposed services. This also reduces a lot of automated attacks.

Although some of these options are just security through obscurity, they are still better than nothing, and a nice layer of defense when used all together.

Gabriel Talavera
  • Yeah, I intended to change default ports. As far as VPN - obviously there is no hardware VPN router on Amazon side. I am not sure I want to host Windows VPN services on the same box where our application is hosted (or if Windows VPN services can even be hosted outside of domain environment). – Joe Schmoe Jan 01 '14 at 23:34
  • Even if it is not in a domain environment you can use VPN services in your Windows Server with RRAS, although I prefer something simpler like [OpenVPN](https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide) – Gabriel Talavera Jan 01 '14 at 23:50