Hyper-V server with two NICs

sglee
Hi,
 
I have a Windows 2016 Hyper-V server box that came with two network cards. The first NIC is connected to the internal LAN (192.168.1.x) and the second NIC is connected directly to the ISP Internet modem (therefore it receives a dynamic public IP address from the ISP's DHCP server). On the second NIC, I intend to create a virtual machine ("TESTVM") where I would like to try opening suspicious email attachments or clicking on website links (to find out whether they are malicious). I have installed Malwarebytes Anti-Exploits/Anti-Malware/Ransomware on this VM and it sends me email alerts whenever it detects "suspicious" activity.
I plan on connecting to this VM through a Remote Desktop Connection program (port 3389, 3390, etc.) using Dynamic DNS.
Having said that, I know a lot of experts would go against the idea of exposing the server to the public Internet.

I know that I could put another router (192.168.2.x) between the second NIC and the ISP Internet modem to enhance security, but what I would like to know is: how vulnerable am I as it is?
How could hackers penetrate this server when the only account is "administrator" with a secure password?

Thank you for your insight.
Adam Brown, Senior Systems Admin (Top Expert 2010)
Commented:
Administrator is a well-known security principal on Windows servers and is attacked on a regular basis. If you expose the Remote Desktop ports to the Internet, hackers *will* attempt to connect and break in. They may not be successful, but if you have the Administrator account enabled, they can attempt to log in using that account even if you rename it. Better to disable it and create a different account as a domain admin, which will improve the security significantly (needing to guess the username and the password is much more difficult and time-consuming than just the password). But, since this is a lab system, that may not be such a big deal. Just make sure it's on a different subnet than the rest of your network, which it seems you have configured already.

I would also recommend that you make sure only the ports you need to access remotely are open through a firewall to this server, since a lot of ports have vulnerabilities that will make it easier for attackers to get in. Windows Firewall is not a great solution for having a server right on the Internet. A hardware firewall is way better.
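As an added example (not part of Adam's answer or the original thread), the advice above translated into PowerShell for Windows Server 2016, run elevated on the machine that actually answers RDP (TESTVM, and the Hyper-V host if it also sits on the public NIC): create the replacement admin, disable the built-in Administrator by its well-known RID rather than by name, require Network Level Authentication, set an account lockout policy, and restrict the Remote Desktop firewall rules to a known source range. The account name "newadmin", the 192.168.1.0/24 management subnet and the lockout values are assumptions for illustration.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on Windows Server 2016. Names and ranges below are assumptions.

$NewAdmin   = 'newadmin'          # assumed name of the replacement admin account
$MgmtSubnet = '192.168.1.0/24'    # assumed: the internal LAN from the question

# 1. Create the replacement account and add it to the local Administrators group.
#    Membership of Administrators is what gives it the same rights as the built-in account.
$pw = Read-Host -AsSecureString -Prompt "Password for $NewAdmin"
New-LocalUser -Name $NewAdmin -Password $pw -AccountNeverExpires
Add-LocalGroupMember -Group 'Administrators' -Member $NewAdmin

# 2. Disable the built-in Administrator. Locate it by its well-known RID (500):
#    the SID survives renaming, which is why renaming alone does not hide it.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
Disable-LocalUser -InputObject $builtin

# 3. Require Network Level Authentication for RDP, so a client must authenticate
#    before a session is created on the server.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1

# 4. Lock out an account after repeated failed logons (threshold 10, 30-minute
#    lockout and observation window); slows down password guessing against any account.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30

# 5. Only the Remote Desktop rule group stays open, and only from the assumed
#    source range. Everything else inbound on the Public profile is blocked.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $MgmtSubnet -Profile Any -Enabled True
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block

# Verify: built-in account disabled, new admin present, RDP rules scoped.
Get-LocalUser | Select-Object Name, Enabled, SID
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter
```

If RDP really must be reachable from the Internet as the question describes, the RemoteAddress scope is the part you would relax, and it is exactly the part the answer warns about: the narrower the source range (or a VPN terminated on the edge, with RDP only behind it), the less of the Internet gets to guess passwords against the new account.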

sglee (Author)
Commented:
@Adam
"Better to disable it and create a different account as a domain admin" --> Say I create a new account called "newadmin" and add it to the Administrators group; would "newadmin" have exactly the same permissions as the default "administrator" account?
Adam Brown, Senior Systems Admin (Top Expert 2010)
Commented:
Adding it to the local Administrators group will give it all the permissions needed to act in the same way as the default Administrator account, so yes.
Philip Elder, Technical Architect - HA/Compute/Storage
Commented:
I have an EE article that should help clarify how to set up Hyper-V: Some Hyper-V Hardware and Software Best Practices.

Where is the network edge (SonicWALL, FortiGate, etc.)? The ISP modem should be plugged into the WAN port of the edge device with the appropriate rule sets configured to protect internal assets. I'm not sure that is the case here.

The best thing to do with a decent corporate edge is to:
1: Team the two NIC ports, set your management IP to the team, and bind the vSwitch to that team (shared)
2: Alias a second IP on the WAN port of the edge
3: Configure a VLAN on the edge that is bound to that alias IP
4: Configure the edge gateway IP and DHCP for that VLAN
5: Set up the test VM
6: Set the VM's vNIC to the above VLAN
7: Create an RDP rule between production subnet and VLAN subnet pointing to the VM

If the switch the host is plugged into cannot do VLAN tagging then plug the two Hyper-V host ports directly into the edge.
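The Hyper-V host side of steps 1, 5 and 6 above, as an added PowerShell example (not Philip's own code or part of the original thread). Steps 2, 3, 4 and 7 are configured on the edge device and are vendor-specific, so they are not shown. The physical adapter names, the team and switch names, VLAN ID 200, the 192.168.1.10 management address and gateway, and the VHD path are all assumptions; the VLAN ID must match whatever was created on the edge in step 3.

```powershell
# Added example, not from the original thread. Run elevated on the Windows
# Server 2016 Hyper-V host. All names, addresses and the VLAN ID are assumptions.

$Nics        = 'Ethernet', 'Ethernet 2'   # assumed: the host's two physical NIC names
$TeamName    = 'HostTeam'
$SwitchName  = 'vSwitch-Team'
$TestVlanId  = 200                        # assumed: VLAN created on the edge for the test subnet
$MgmtIp      = '192.168.1.10'             # assumed: host management address on the production LAN
$MgmtGateway = '192.168.1.1'              # assumed: production LAN gateway on the edge

# Step 1: team the two ports, bind a vSwitch to the team and share it with the
# management OS, so the host keeps a (now virtual) management adapter on the team.
New-NetLbfoTeam -Name $TeamName -TeamMembers $Nics -TeamingMode SwitchIndependent `
    -LoadBalancingAlgorithm Dynamic -Confirm:$false
New-VMSwitch -Name $SwitchName -NetAdapterName $TeamName -AllowManagementOS $true

# Give the management vNIC its production-LAN address. -AllowManagementOS creates
# an adapter named "vEthernet (<switch name>)"; it stays untagged (production VLAN).
$mgmtNic = Get-NetAdapter -Name "vEthernet ($SwitchName)"
New-NetIPAddress -InterfaceIndex $mgmtNic.ifIndex -IPAddress $MgmtIp -PrefixLength 24 `
    -DefaultGateway $MgmtGateway

# Step 5: create the test VM on the shared switch.
New-VM -Name 'TESTVM' -Generation 2 -MemoryStartupBytes 4GB -SwitchName $SwitchName `
    -NewVHDPath 'D:\VMs\TESTVM\TESTVM.vhdx' -NewVHDSizeBytes 60GB

# Step 6: put the VM's vNIC in access mode on the test VLAN. Its frames leave the
# team tagged, so the edge, not the host, decides what the test subnet can reach.
Set-VMNetworkAdapterVlan -VMName 'TESTVM' -Access -VlanId $TestVlanId

# Verify: management adapter untagged, TESTVM in the test VLAN.
Get-VMNetworkAdapterVlan -ManagementOS
Get-VMNetworkAdapterVlan -VMName 'TESTVM'
```

The physical switch ports carrying the team need to trunk both the production VLAN (untagged, for the management OS) and the test VLAN; if the switch cannot tag, the two host ports go straight into the edge as the post says. The RDP rule in step 7 then lives on the edge, permitting 3389 from the production subnet to TESTVM's address in the test VLAN and nothing in the other direction.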
Seth Simmons, Sr. Systems Administrator
Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: Adam Brown (https:#a42172895)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
