Best Practices For Securing Windows Server 2012 R2's Remote Web Apps

I am looking at publishing Windows Server 2012 R2's Remote Desktop Web Access Role to the internet.  The main thing I was concerned about was security and the added vulnerability this would add to my network.  How can I mitigate some of these vulnerabilities and make this a sound deployment?


Philip Elder, Technical Architect - HA/Compute/Storage, commented:
Some off the top items:
 + Two Partitions
 + Mask C: in Group Policy
 + User Profile Disks either on Partition 2 or UNC
 + Network Level Authentication is mandatory
 + Use RDGateway to proxy via HTTPS/443 (never open 3389 to the Internet - TSGrinder)
 + Third Party Trusted SSL for RDGateway/RDWeb/RemoteApps
 + Group Policy Settings
 ++ Turn Off Store
 ++ Lock down screensaver time, name (scrnsvr.scr), mandatory lock
 ++ Max 2 Monitors, 16 bit colour depth
 ++ Disable EasyPrint in both a Computer and User GPO and ENFORCE it
 ++ Use Universal Print drivers for printers and make sure they are set to ISOLATED

btan, Exec Consultant, commented:
Reduction of attack surface
- Enforce single "Gateway" server like use of RD Gateway (or RDG)
E.g. avoid direct access and the opening of unnecessary protocols like RDP (default TCP 3389) for internet access.
- Restrict to HTTP/S access and filter incoming RDS requests according to a Network Policy Server (NPS).
E.g. consider adding the VPN network address pool to your RDP firewall exception rule.
- Hardening of server (core services only),
E.g. use of a tool to check settings, like the Best Practices Analyzer for Remote Desktop Services in
- Regimental patching and monitoring of the RD Host/infra,
E.g. enabling and auditing automatic Microsoft Updates
E.g. enabling audit trails for all login accounts (look out for remote and network logon types, including account lockout events)

Data Confidentiality / Integrity
- Minimally VPN/IPSec, or even SSL/TLS, for end-to-end channel encryption
E.g. enforce end-to-end application data encryption (avoid a man-in-the-middle intercepting the channel)
E.g. enforce app sandboxing (avoid data sharing with other apps' data and segregate the storage)

Account and Access Control
- Require Secure RPC Communication (GPO - only authenticated and encrypted requests from clients allowed)
E.g. using network access control, e.g. NPS, to enforce policy on the traffic through the RD Gateway (RDG).
E.g. NPS policy: a Connection Authorization Policy (CAP) lists which users can access the RDG
E.g. NPS policy: a Resource Authorization Policy (RAP) specifies which devices CAP users can connect to via the RDG
- Strong authentication for sensitive remote apps via two-factor authentication
E.g. authentication via two-factor certificate-based smartcards, YubiKey or SecurID
- Enforce the least privilege principle
E.g. using "Restricted Groups" via GPO (avoid local admin access by placing any user/admin group into this setting, as compared to just putting those into "Administrators" and "Remote Desktop Users"). This removes the issue of still having administrative access remotely, including the local administrator account having RDP access.
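A read-only audit that checks several of the points raised in the two answers above (NLA, no direct 3389 exposure, admin/RDP group overlap, remote logon failures and lockouts). This is an added example, not code from either answer; it assumes it runs elevated on the RD Session Host, and the 24-hour lookback and "top 5" cut-off are arbitrary choices.

```powershell
# Added example: read-only hardening audit for an RD Session Host.
# Assumes an elevated PowerShell session on the RDSH (2012 R2 or later).
$findings = @()

# 1. RDP listener: NLA must be on, security layer must be TLS, encryption at least High.
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ($rdp.UserAuthentication -ne 1) { $findings += 'NLA is not enforced on the RDP-Tcp listener' }
if ($rdp.SecurityLayer -ne 2)      { $findings += 'RDP SecurityLayer is not TLS (expected 2)' }
if ($rdp.MinEncryptionLevel -lt 3) { $findings += 'RDP MinEncryptionLevel is below High (3)' }

# 2. Firewall: no inbound allow rule should expose 3389 to any remote address;
#    only the RD Gateway (HTTPS/443) should reach the session hosts.
$open3389 = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' -and
                   ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
if ($open3389) { $findings += "Inbound 3389 allowed from Any: $($open3389.DisplayName -join ', ')" }

# 3. Least privilege: accounts holding both local admin and RDP rights.
#    ADSI is used so this also works on 2012 R2 without the LocalAccounts module.
function Get-LocalGroupNames([string]$Group) {
    ([ADSI]"WinNT://./$Group,group").Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
}
$admins   = Get-LocalGroupNames 'Administrators'
$rdpUsers = Get-LocalGroupNames 'Remote Desktop Users'
$both     = $admins | Where-Object { $rdpUsers -contains $_ }
if ($both) { $findings += "In both Administrators and Remote Desktop Users: $($both -join ', ')" }

# 4. Audit trail: failed remote logons (4625 with logon type 10 = RemoteInteractive,
#    3 = Network) and account lockouts (4740) over the last 24 hours (assumed window).
#    Note: 4740 is written on the domain controller, so it only shows here if
#    Security logs are forwarded to this host or the script runs on the DC.
$since    = (Get-Date).AddHours(-24)
$failed   = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -in 3, 10 }     # Properties[10] = LogonType
$lockouts = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740; StartTime=$since} -ErrorAction SilentlyContinue
$failed | Group-Object { $_.Properties[5].Value } |        # Properties[5] = TargetUserName
    Sort-Object Count -Descending | Select-Object -First 5 |
    ForEach-Object { $findings += "$($_.Count) failed remote logon(s) for '$($_.Name)'" }
if ($lockouts) { $findings += "$(@($lockouts).Count) account lockout event(s) (4740) in window" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings.' }
```

Anything the script flags maps directly to one of the GPO or firewall items in the answers above; it changes nothing on the host.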

ollybuba (Author) commented:
What is the difference between redirected folders and user profile disks?

btan, Exec Consultant, commented:
I don't see any difference as a whole.

User Profile Disk is actually Microsoft's successor to Roaming Profiles and Folder Redirection. Technically, it's a VHD (Virtual Hard Drive) file that is streamed into the (pooled) image of the Session Host during logon to create a personalized experience. At logoff the user's changes are streamed back into the VHD file, so user settings are retained.

Folder redirection is likewise similar, but in the file context and not the VHD; in fact the performance impact can be greater if the VHD files are huge and streamed in real time to the remote side. It can be applicable for redirection if the data is not found on the local machine and has to be redirected from the remote site...

However, we may want to bring Roaming Profiles into the comparison as well for the complete picture; the Profile Disk comes out better:
The User Profile Disk is mounted and user data is available immediately, while with Roaming Profiles the data is copied from a file share to the RDS server/VDI workstation (and vice versa), which takes a longer period before the user can actually start working.

From an end user perspective, the folders also appear to be located locally, as they are used on their private PC; I still see users who do not understand home drive concepts.

Both Roaming Profiles and the User Profile Disk are easy to configure, and you don't need to care where applications and/or the users are storing data in their profile.

Normally Roaming Profiles are combined with Folder Redirection to store some user folders directly on a file share to improve the logon/logoff times and secure the data in those folders. Technically both the User Profile Disk and Folder Redirection user folders are actually storing the data on a network share, which can cause performance issues from a user experience perspective.

Philip Elder, Technical Architect - HA/Compute/Storage, commented:
Redirected folders have a central shared set of folders that users can store their data in. My Documents and its subsidiaries along with Desktop are the key folders we redirect. Offline Files keeps a local cache of anything redirected.

User Profile Disks are an AVHDX (virtual hard disk) that hosts their entire X:\Users\UserName folder within the virtual hard disk. Because everything is in this vDisk users can log on to any RDSH and receive exactly the same local profile.

UPDs are a lot simpler to work with in a highly complex RDS environment or even a single RDSH environment.

ollybuba (Author) commented:
So would you recommend to use both redirected folders in combination with UPDs? I'm definitely going to be using redirected folders no matter what.

Philip Elder, Technical Architect - HA/Compute/Storage, commented:
No. UPDs make redirected folders for users that are only logging into RDSH redundant.

If you have an RDS farm then those UPDs would be network hosted anyway.

Having redirected folders enabled for RDS users creates an extra storage burden for their CSC (file cache). Please keep this in mind.

btan, Exec Consultant, commented:
I would rather choose either one, but definitely not both UPD and Roaming User Profiles. Folder Redirection can be on top of UPD; however, it is rather redundant, as redirection also does not cover all the folders and looks more like a "duplicate". The performance will be further impacted if both are used concurrently, that I foresee, unless you test it out. Eventually UPD is still preferred, especially using Win2012 and Virtual Desktop Infrastructure.

It is really good to know that UPD covers more than redirection. It is introduced to basically have everything that would normally be stored in C:\users\<username> on the local cached copy immediately saved to the .vhdx in the central location. As UPD works on a lower level, there are no compatibility issues. The OS is still writing settings to C:\users\<username>.

The past roaming profile and redirection had issues and could sometimes corrupt the local folder cache and the remote transfer, with mobility support that was not as seamless as expected; hence UPD is the successor. The user logoff and login, with the folder in write mode, complicated the use case in the past, but UPD strives to better it, though I will not say it is error free per se. UPD surpasses them and makes personalization of a pooled VM in your Windows Server 2012 easy, for either virtual machine-based or session-based desktop deployments.....

As a whole, since UPD operates at a lower layer, it should already be transparent and still work with existing Roaming User Profiles and Folder Redirection.