RDS License Needed clarification - windows

just want to know want do I need to license with RDS CAL based on the work flow below. We have this Server A where users connect to it to select the application they want to access by login their credentials. Once the users was approved on Server A it will communicate with Server B (where application
and RDSH also installed) to server the application needed by the user. Server A uses it's own account when communicating with RDSH server. My question is do I need RDS User CAL for those users or just the RDS Device CAL is enough?

Related

More simultaneous RDS into a Windows VM on GCP without AD

I have spun up a Windows VM compute engine to host a software application(exe) from a 3rd party vendor.
Multiple users (>15) will need to use this application simultaneously so they will need to RDS into the VM through their user accounts.
We have set up Cloud IAP. Currently 2 users can access the VM simulatenously as is expected because the VM provides 2 RDS licenses.
We are trying to get more licenses but apparently an Azure AD is required for those licenses to work. Is there away to have more licenses without the Azure AD or without hosting a new AD on google?
I just want to be able to have >15 people simultaneously accessing the application on the server.
It is possible to configure Windows RDS without a domain, keep in mind that you need to purchase Device CAL's - User CALs can only be used in an AD environment; and you are limiting your options for high availability.Check the following links for guidance:
Deploying a RDSH Server in a Workgroup – RDS 2012 R2
Windows Server 2019 Remote Desktop Services without Domain
RDS Without Domain

Is it possible to prevent the leakage of the original data of the database even if it is hacked?

We want to build a web application and deploy it on AWS.
EC2: Laravel
RDS: MySQL
I will use Laravel's encrypter to encrypt the data of database. Even RDS got hacked, the data have encrypted. Hacker can't know the contents. But if EC2 got hacked, hacker can get the database credential and the encryption key on the source code and decrypt the encrypted data from database.
My Boss (maybe client) think that it is not enough because of the database contains sensitive informations of users. He want to prevent the leakage of the original data of the database even if the web server (EC2) got hacked. Is it possible?
If not, I think we should focus on make the web server more difficult to be hacked:
Set Security Group to limit ssh access by IP address.
Or any other measures?
Here are a few safety measures you can do to reduce your blast radius.
Move your credentials for the RDS database so they are not directly on the instance, use a credential store such as:
AWS Secrets Manager
HashiCorp Vault
Rotate your database credentials frequently, and use IAM roles for your EC2 applications and not IAM users.
Keep your EC2 and RDS within private subnets, add an ELB in front of the EC2 so that public traffic can only access this device only.
Configure security groups to scoped to only what they need, limit inbound access to your AWS VPC to a VPN or direct connect connection.
Restrict access to who can do what in your AWS account, if a user does not need to perform certain actions for their role then just remove those permissions. This will prevent an accidental action on a service the user should not be using.
AWS have a large number of actions you can do in the security pillar too, so make sure to take a read of that.

is it possible to implement kerberos authentication in azure web app?

We have an application which is hosted on the on-premises Windows server (IIS) server
now I created a windows server on azure and building a web app for it.where the application needs to authenticate the user by windows server (DC) using kerbrose protocol but I couldn't find any documentation regarding this from Microsoft's side
Is the above query possible to be implemented in the azure web app?
No, it's not possible. Windows Authentication is something for on-premise deployments. For Azure Web Sites Azure Active Directory is clearly the best option. Sync from AD to Azure Active Directory is also quite easy to setup.
If you still want to absolutely use Windows Auth and host your website on Azure, you can create Windows VM and host your website there. You then need to join the VM to your AD. To this, both VMs must be in the same network. So if your VM is on-premise you will need to create an site-to-site VPN.
For more information, follow this SO which also discussed about this.
If your intention is to join the VM hosting the website to a domain then as others have mentioned, this isn't possible.
However, doing Kerberos authentication itself within an Azure website isn't particularly difficult, but it does require manual implementation. Windows natively handles all of this for you on domain joined machines and and IIS exposes that functionality. Since you can't domain join you have to manually do all that heavy lifting and request and validate the tickets yourself.
This involves creating a service account in Active Directory and keeping the account password in sync. Once you have that you need to indicate to the browser that it needs to negotiate auth, which is done with the WWW-Authenticate: negotiate header on a 401 response. The client, if configured to send tickets, will send a ticket in the Authorization: Negotiate YII... request header on a subsequent response. At this point you need to shove that negotiate header and that original service account password into something that can validate Kerberos tickets. Windows SSPI will do this for you, but it's a pain. I built a library that'll do this for you: Kerberos.NET. YMMV with what works best for you.
All of that said, it may be more beneficial to switch over to a more modern authentication mechanism like OAuth/OpenIDConnect/SAML.
There are several ways depending on if you have to allow access to users who are associated with a on-premise Active Directory or not.
You should have a look at this service: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/
It will offer an Active Directory within Azure where you can domain join your VM to and then using Kerberos as authentication protocol (should work the same way like on prem).
The other option would be to create a new Active Directory within your Virtual Network (via 1 or 2 small Windows Server VMs where you create the AD).
The good thing if you are using Active Directory Domain Services would be that you could extend it to your on-prem Active Directory by synchronizing or federating your on-prem AD.
There are more informations regarding these scenarios here:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-hybrid-identity
For a Azure App Service - Web App you would connect it to your Azure Active Directory (AAD) and use the hybrid identity model to allow users who originate from an on-prem AD access to it:
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
Hope this helps a bit, it is a rather complicated topic you are digging into.

Allow user to access SQL using ado.net windows authentication but restrict them using SSMS

We have a windows application which allow users to connect to SQL using windows authentication.
The problem is the users of that application also have SSMS installed on their desktops so they can also connect to prod db using windows authentication.
Is there any way wherein we can restrict users from accessing prod db using windows authentication on SSMS but they should be able to access windows application from their local system using windows authentication?
If I understand your scenario correctly:
You have an internal local database on Server 'A'
You also have a production database on Server 'A'
Using your custom windows application, users can only see the local non-production databases
However, using SSMS users can see both production and local databases on Server 'A', and you would like only authorized users to be able to see production databases.
If this is the case, what you want to do in SSMS is revoke database view rights to all production databases unless the user is a sysadmin or owner of the database. Run the following on your server:
USE MASTER
GO
DENY VIEW ANY DATABASE TO PUBLIC
GO
After you run the above statement, you will not be able to see any databases in SSMS unless you are a sysadmin or your login is the owner of a database.
Source:https://www.mssqltips.com/sqlservertip/2995/how-to-hide-sql-server-user-databases-in-sql-server-management-studio/
Maybe you could restrict access to your database objects by using application roles ... Msdn: "You can use application roles to enable access to specific data to only those users who connect through a particular application."

Microsoft SQL Server on a VPS for hosting multiple client databases - Is this the right way to go?

Good morning,
I have found that many of my customers have MS Access already installed on their PCs. Although Access is very limited as a data store, I have found that it is great for deploying low-cost front-ends for entry level customers.
I want to start renting a VPS, so I can host customer databases using Microsoft SQL Server 2008, which they can access using a locally stored Access front-end. I do have a few questions though:
In order to access the remotely hosted databases, and use the security features, would the VPS need to be set up as a domain controller, using AD DS? If I am hosting multiple customer databases, this is not an option.
What I envisage is being able to set up a simple MS Access front end, to access a MS SQL Server database on my VPS. For security, I would want the database to use the Windows account on the client machine to authenticate, and also to provide basic data change tracking.
Is this possible? Or, will I need to set up a server for each client and have it configured as a domain controller, etc?
You can have many databases on the same server, so for each client you d not need to setup a separate domain controller. Only the connection strings will be different.
You can use SSL for establishing connection with the remote server to make the process more secure. You can also make a few web services to play with the data (CRUD operations), this would also make things more manageable.
take care :)

Resources