
I am planning to deploy a Remote Desktop Services Gateway on Windows Server 2012 R2 on AWS with the following configuration in the security group (the RDS Gateway should authenticate users against an Active Directory):

  • Inbound port open: only 443 (0.0.0.0/0)
  • Outbound port open: RDP (for example, 172.30.0.0/16) to local network + ports necessary to authenticate to the Domain Controller but only to AD destination (for example, 172.30.3.5/32)

Is this still a high-risk configuration? How unsafe is this configuration compared to having a UTM firewall forward the port 443 requests to an RDS Gateway behind the firewall?

By avoiding the firewall, if the security risks are not high, I want to avoid occasional interactivity issues with RDP Host Session users, for example if the firewall is swamped parsing other non-interactive stuff such as web filtering.

Pep
  • Your AWS EC2 instance is protected by a security group. To quote from Amazon: *A security group acts as a virtual firewall that controls the traffic for one or more instances* - so I don't know why you would need another firewall. If it makes you more comfortable you could configure ACLs on your VPC to give you an additional layer of security. – joeqwerty May 28 '16 at 13:54
  • My question tries to gauge if IIS (which is the one that listens on port 443) is a lot more exploitable when connected directly to the Internet than it is when it's behind a firewall with malware filtering capabilities. – Pep May 28 '16 at 16:56
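
An added example, not part of the original question or comments: a check that a security group still matches the rules listed in the question, run over rule data in the shape of `aws ec2 describe-security-groups` output. The two sample groups are constructed, TCP 88 (Kerberos) stands in for the unspecified domain controller ports, and rules that reference other security groups instead of CIDR ranges are assumed absent.

```python
import ipaddress

# Addresses come from the question. Rule dictionaries use the field names of
# `aws ec2 describe-security-groups` output; the two sample groups are constructed.
LOCAL_NET = ipaddress.ip_network("172.30.0.0/16")
DOMAIN_CONTROLLER = ipaddress.ip_network("172.30.3.5/32")

def flatten(perms):
    """Yield (protocol, from_port, to_port, network) for every CIDR in every rule."""
    for p in perms:
        # FromPort/ToPort are absent when IpProtocol is "-1" (all traffic).
        proto, lo, hi = p["IpProtocol"], p.get("FromPort", 0), p.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in p.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in p.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            yield proto, lo, hi, ipaddress.ip_network(cidr)

def audit(group):
    """Return findings where the group departs from the configuration in the question."""
    findings = []
    for proto, lo, hi, net in flatten(group.get("IpPermissions", [])):
        if (proto, lo, hi) != ("tcp", 443, 443):
            findings.append(f"inbound {proto} {lo}-{hi} from {net}: only tcp/443 is intended")
    for proto, lo, hi, net in flatten(group.get("IpPermissionsEgress", [])):
        rule = f"outbound {proto} {lo}-{hi} to {net}"
        if net.version != 4 or not net.subnet_of(LOCAL_NET):
            findings.append(f"{rule}: destination is outside {LOCAL_NET}")
        elif (proto, lo, hi) != ("tcp", 3389, 3389) and net != DOMAIN_CONTROLLER:
            findings.append(f"{rule}: non-RDP egress should reach only {DOMAIN_CONTROLLER}")
    return findings

def allow(proto, port, cidr):
    """Build one single-port rule in the describe-security-groups shape."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port, "IpRanges": [{"CidrIp": cidr}]}

INTENDED = {
    "IpPermissions": [allow("tcp", 443, "0.0.0.0/0")],
    "IpPermissionsEgress": [allow("tcp", 3389, "172.30.0.0/16"),
                            allow("tcp", 88, "172.30.3.5/32")],  # 88 = Kerberos, one sample AD port
}
DRIFTED = {
    "IpPermissions": [allow("tcp", 443, "0.0.0.0/0"), allow("tcp", 3389, "0.0.0.0/0")],
    # A new security group's default egress rule: all protocols to anywhere.
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

if __name__ == "__main__":
    for name, group in (("INTENDED", INTENDED), ("DRIFTED", DRIFTED)):
        print(name, audit(group) or "matches the intended rules")
```

The `DRIFTED` sample shows why the outbound half of the configuration needs attention: a newly created security group allows all egress until that default rule is removed.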

1 Answer

IIS continues to be one of the most popular web servers on the internet with literally millions of sites sitting directly on public IP addresses. If it was "a lot more exploitable" in that configuration, it simply wouldn't be used.

Bottom line. It's a web server. It's supposed to sit on the Internet. Just like any other web server, it will have security bugs that need to be patched in order to remain as secure as possible. Adding an extra malware filtering appliance in front of that is very likely more trouble/cost than it's worth for very little additional protection.

Ryan Bolger