
Quick overview of system:

I have a business (IT) domain and a process control network (PCN) domain joined via a pair of firewalls and a DMZ (the DMZ servers are also part of the PCN domain). PCN domain servers are 2016. IT is a mix of various workstations and servers.

I want to allow IT users to access a view-only session of the plant control HMI from an RDS on the PCN via an RD Gateway in the DMZ. This is straightforward until I get to licensing. These users are already licensed IT RD Users via an RD Licence Server on the IT network. I figured I had two options here, either:

  1. allow a 2-way trust between the domains so that the RDS on the PCN can use the IT licence server, or
  2. buy new RDP user CALs and set up a licence server on the PCN for this.

The concern with option 1 is security being reduced between the networks; for option 2 it is cost.

But now I am wondering whether I can set up another RDS in the IT network that becomes the first hop for the clients and then initiates an RDP session from there to the PCN RDS with the HMI app (i.e. nested RDP sessions). I could then just do a device-based RDP CAL assigned to the IT RDS and hosted by a licence server in the PCN (device = IT RDS). I don't think this is multiplexing because I am still allocating a user-based RDP CAL in the IT domain (as well as a device RDS CAL in the PCN domain).

The obvious downside of this would be no passthrough of devices, printers, etc., and slightly impaired performance, but I think it would work OK.

I don't have a very specific question regarding this, other than whether I am missing something obvious that would make it not work or that is some other fatal flaw. I guess I am also putting it out there in case someone has a better solution.

RowdyDoc
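The nested-RDP hop described in the post, as an added example that is not the poster's own configuration: a locked-down `.rdp` file on the IT-side session host that goes through the DMZ RD Gateway to the PCN session host with every redirection channel switched off (the "no passthrough" the poster accepts), published as a RemoteApp wrapping `mstsc.exe` with a fixed command line so users never get a full desktop on the hop host and cannot retarget the connection. All host names, the collection name, the group name and the file path are assumptions for illustration.

```powershell
# Added example (not from the original post). Run on the IT-side RDS session host /
# connection broker. Names, paths and the collection are assumptions.

$RdpPath = 'C:\HopRdp\pcn-hmi.rdp'

# .rdp settings: always use the DMZ RD Gateway, refuse connections when server
# authentication fails, prompt for credentials instead of saving them, disable
# every device/drive/clipboard redirection, and launch the HMI published app
# (RemoteApp alias "HMIViewer" on the PCN side, assumed) rather than a desktop.
$RdpSettings = @'
full address:s:pcn-rds01.pcn.example
gatewayhostname:s:rdgw01.dmz.pcn.example
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
authentication level:i:1
enablecredsspsupport:i:1
prompt for credentials:i:1
promptcredentialonce:i:1
redirectclipboard:i:0
redirectprinters:i:0
redirectcomports:i:0
redirectsmartcards:i:0
redirectdrives:i:0
drivestoredirect:s:
devicestoredirect:s:
usbdevicestoredirect:s:
redirectposdevices:i:0
remoteapplicationmode:i:1
remoteapplicationprogram:s:||HMIViewer
remoteapplicationname:s:HMI (view only)
screen mode id:i:1
'@

New-Item -ItemType Directory -Path (Split-Path $RdpPath) -Force | Out-Null
Set-Content -Path $RdpPath -Value $RdpSettings -Encoding Unicode

# Users must be able to read the hop file but not edit it and point it elsewhere:
# break inheritance, admins/SYSTEM full control, Users read-and-execute only.
$acl = Get-Acl -Path $RdpPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users', 'ReadAndExecute', 'Allow')))
Set-Acl -Path $RdpPath -AclObject $acl

# Publish mstsc.exe as a RemoteApp whose command line is *required* and fixed to
# the hop file, so the app cannot be started against any other target. The
# collection, group and broker names are assumptions.
Import-Module RemoteDesktop
New-RDRemoteApp -CollectionName 'PCN-HMI-Hop' `
    -DisplayName 'Plant HMI (view only)' `
    -Alias 'pcn-hmi' `
    -FilePath 'C:\Windows\System32\mstsc.exe' `
    -CommandLineSetting Require `
    -RequiredCommandLine "`"$RdpPath`"" `
    -UserGroups 'IT\HMI-Viewers' `
    -ConnectionBroker 'it-rdcb01.it.example'
```

The inner hop still has to authenticate to the DMZ gateway and to the PCN session host with whatever the PCN side accepts (PCN-domain accounts, or IT accounts if a trust of the kind discussed in the comments exists); the file above prompts for those credentials rather than storing them on the hop host. Each IT user runs their own `mstsc.exe` inside their own session on the IT RDS, so the only device the PCN licence server ever sees is the IT RDS host itself.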
  • In what way is a two-way trust reducing security (unless you are saying that admin credentials in both forests are compromised)? – Jim B Apr 09 '17 at 05:31
  • Best solutions for having a higher level of security integrity for the more critical PCN seem to be (in order from most -> least secure): 1. no connection from IT to PCN (but no functionality :( ); 2. separate forests with no trusts (i.e. completely independent authentication on each network); 3. separate forests with one-way trusts (PCN-DMZ, DMZ-IT); 4. two separate forests with one-way trusts; 5. two separate forests with two-way trusts; 6. a single forest. – RowdyDoc Apr 10 '17 at 06:08
  • Unless you have a separate account forest, 3, 4 and 5 have the exact same exposure. 6 should be at 3, with an admin forest (which should have a one-way trust, only because you will never log into it with "normal" creds). A trust does not give you any additional rights. It simply allows the use of creds from the other forest. One-way trusts simply double the amount of admin work you have to do and (unless you have a separate admin workstation for each admin login) double the exposure, since compromising one ID compromises both. 2-way is the same exposure with active denies on the other forest's creds. – Jim B Apr 10 '17 at 18:14
  • Thanks for your comments. We will have two forests simply because the management of the two networks will fall to two separate groups, and PCN and IT are so different in their requirements. We will have to look into the best security arrangement for this in more detail, I think, but for now proceed with establishing trusts between the two forests. – RowdyDoc Apr 12 '17 at 00:01
  • OK, do a 2-way with selective auth; that solves all your issues and allows an active deny on both sides. – Jim B Apr 12 '17 at 01:26
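The "2-way trust with selective authentication" the last comment recommends, as an added example that is not from the thread: with selective authentication enabled on the PCN side of an existing forest trust, every IT principal is denied on every PCN computer unless it has been explicitly granted the "Allowed to Authenticate" extended right on that computer object. The script toggles the trust, then grants that right for a single IT group on just the two PCN hosts the hop needs (the DMZ gateway and the session host), and verifies both. Domain, host, group and admin account names are assumptions; `netdom.exe` is assumed to be available from RSAT on the machine where this runs.

```powershell
# Added example (not from the thread). Run on a PCN domain controller or an admin
# host with RSAT-AD-Tools as a PCN domain admin. All names are assumptions.
Import-Module ActiveDirectory

$PcnDomain = 'pcn.example'
$ItDomain  = 'it.example'

# 1. Switch the PCN (trusting) side of the existing trust to selective
#    authentication. From this point IT accounts are denied on all PCN
#    computers unless allowed below (the "active deny" in the comment).
#    Repeat with the domains swapped to restrict PCN accounts on IT as well.
#    /UserD is an account in the trusted (IT) domain, /UserO one in the PCN
#    domain; the * makes netdom prompt for the passwords.
netdom trust $PcnDomain /domain:$ItDomain /SelectiveAuth:Yes `
    /UserD:"$ItDomain\itadmin" /PasswordD:* `
    /UserO:"$PcnDomain\pcnadmin" /PasswordO:*

# 2. Resolve the IT group's SID across the trust; the ACE is keyed on the SID.
$viewers   = Get-ADGroup -Identity 'HMI-Viewers' -Server $ItDomain
$viewerSid = $viewers.SID

# 3. Grant Allowed-To-Authenticate (well-known extended-right GUID) on the DMZ
#    RD Gateway and the PCN session host only, never on an OU or the domain head.
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$targets = 'rdgw01', 'pcn-rds01'

foreach ($name in $targets) {
    $computer = Get-ADComputer -Identity $name -Server $PcnDomain
    $path = "AD:\$($computer.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $viewerSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticate)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# 4. Verify: the trust must report SelectiveAuthentication = True, and each
#    target host must carry the single Allow ACE for the viewer group.
Get-ADTrust -Filter "Name -eq '$ItDomain'" -Server $PcnDomain |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication

foreach ($name in $targets) {
    $dn = (Get-ADComputer -Identity $name -Server $PcnDomain).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            $_.ObjectType -eq $AllowedToAuthenticate -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $viewerSid
        } |
        Select-Object @{ n = 'Host'; e = { $name } }, IdentityReference, AccessControlType
}
```

Because the right is granted per computer object, an IT account that is compromised still cannot authenticate to any other PCN member (file servers, engineering workstations, domain controllers for interactive logon) even though the trust is two-way; the same script run from the IT side limits what PCN accounts can reach on IT. Keep the grant on the hop's own service account or group as narrow as the one above, and audit it alongside the trust with `Get-ADTrust` whenever the PCN forest is reviewed.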
