this post was submitted on 28 Jul 2023
9 points (76.5% liked)

Sysadmin

7640 readers
1 users here now

A community dedicated to the profession of IT Systems Administration

No generic Lemmy issue posts please! Posts about Lemmy belong in one of these communities:
!lemmy@lemmy.ml
!lemmyworld@lemmy.world
!lemmy_support@lemmy.ml
!support@lemmy.world

founded 1 year ago
MODERATORS
 

My company is about to shift a large workload to a vendor that uses an RD Gateway hosted at Amazon to serve access to the front-end application. It's open to the internet at 443. There's no MFA. How worried should I be?

top 8 comments
sorted by: hot top controversial new old
[–] xylogx@lemmy.world 4 points 1 year ago

It’s pretty bad. You are going to be vulnerable to password spraying at the very least and a phishing email or credential leak, both incredibly common, will result in a bad day.

You need MFA and preferably FIDO based MFA with conditional access.

[–] BlackEco@lemmy.blackeco.com 2 points 1 year ago

From what I understand, Remote Desktop Gateway acts as a proxy to route Remote Desktop connections inside a VPC. So authentication will be delegated to the Windows machines, which appears to be outside the scope of Remote Desktop Gateway. I haven't set up Windows on EC2, maybe there's a way to tie authentication to AWS Identity Center to get some form of 2FA or SSO?

The deployment guide mentions that you can use Network ACLs to limit access to the gateway to certain IP ranges, so here's that.

[–] slazer2au@lemmy.world 2 points 1 year ago (1 children)

Is there no conditional access for the rds portal?

Time for a CYA email to your manager, project manager, and legal voicing your concerns about the lack of security for an rds Gateway and lack of best practices.

[–] YourHuckleberry@lemmy.world 2 points 1 year ago

Wide open to the internet.

[–] KingSlareXIV@infosec.pub 2 points 1 year ago

Yeah, I hate it. I'd want some sort of SAML SSO auth in front of the actual RDS Gateway to allow you to use whatever identity provider and MFA you already have.

You really don't want to allow all manner of auth attempts able to be made against your actual workload servers, which is what it sounds like you are describing.

[–] wmassingham@lemmy.world 1 points 1 year ago (1 children)
[–] YourHuckleberry@lemmy.world 2 points 1 year ago (1 children)

Hosting critical proprietary data.

[–] SheeEttin@lemmy.world 2 points 1 year ago

On its own, sure. Unlike straight RDP, RD Gateway is meant to be exposed to the Internet.