Any IT pros here familiar with Direct Access?

Catfish

I'm looking to pick the brain of someone smarter than me W.R.T. Windows servers and Direct Access.

I have a small office network with a single server and we're looking to improve our work-from-home capabilities. VPN is working but I'm also looking into Direct Access to see if it may be a better solution. Is there a good reason NOT to add this role to my office DC?
 
You would use RDP to access and manage your server. Not sure if you want your users accessing the server, but it's not a good idea. There are many remote-control desktop solutions out there if that is the goal.
 
What he said... RDP exploits are out there. I had one customer get hit a couple of years ago. Server hacked, passwords changed, roles stolen... had to pull it offline to fix. Luckily, it was just a backup server, and someone had opened up the RDP port on it.
 
Sent you a text.
 
Right now I'm using VPN to access the server then RDP to access desktops on the office network. I started looking into switching to DA because I'm getting "I have to keep logging in every time my Internet drops" complaints.

I am trying to learn if there is a better way to configure Server 2012R2 and what it came with, as my budget for new software is nil.

The only port that the world can see on that server is for the VPN. No other outside services are open on it. Am I still vulnerable?
 
Yes. What VPN are you using, as certain router VPNs have security flaws in them? DirectAccess and RDP have security concerns, and I wouldn't run them unless you firewalled your network off to a whitelist of IP addresses at a minimum. I'm assuming there's local software that you access from PCs at work and the server?
 
I like the whitelist idea - I need to learn more about that. My people have dynamic addresses at home though...
I am using native Windows VPN in L2TP/PSK mode. My network is behind an older firewalled NAT with the VPN port forwarded. I would do the same setup with DA if I switch to that. I could set up PKI for improved security but that looks like another headache.

It's the CAD licenses residing on fixed workstations which are the whole reason for this reach-around. I can't move them or buy new ones. I can physically relocate the machines, but I'd rather not carry those full size workstations back and forth.
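The whitelist idea above runs into the dynamic-home-address problem, but the VPN client pool is a fixed range, so RDP on the office machines can be scoped to "reachable only through the tunnel" on each Windows host itself. The script below is an added example, not code from anyone in this thread; it uses the NetSecurity cmdlets that ship with Server 2012 R2 / Windows 8.1 and later. The client pool `10.10.99.0/24` is an assumed placeholder; substitute the range your VPN server actually hands out.

```powershell
# Added example (not from the thread): audit inbound firewall rules that expose RDP,
# then scope the built-in Remote Desktop rules to the VPN client address pool.
# Run in an elevated PowerShell session on each office workstation / server.

# ASSUMPTION: the VPN server assigns remote clients addresses from this pool.
$VpnClientPool = '10.10.99.0/24'

# 1. Audit: every enabled inbound Allow rule with its port(s) and remote-address scope.
$rules  = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
$report = foreach ($rule in $rules) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Profile       = $rule.Profile
        Protocol      = $port.Protocol
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ',')
    }
}

# Rules that allow TCP 3389 from 'Any' are the ones that would be exposed if the edge
# firewall ever forwarded RDP; these are what you want to find before an attacker does.
$exposedRdp = $report | Where-Object {
    $_.Protocol -eq 'TCP' -and $_.LocalPort -match '3389' -and $_.RemoteAddress -eq 'Any'
}
Write-Host "Inbound rules allowing RDP from any remote address:"
$exposedRdp | Format-Table -AutoSize

# 2. Scope: restrict the built-in Remote Desktop rule group so only tunnel clients
#    (and nothing else, including the raw Internet) can reach TCP 3389 on this host.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $VpnClientPool

# 3. Verify: the remote-address filter on each Remote Desktop rule should now be the pool.
Write-Host "Remote Desktop rules are now scoped to:"
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Step 1 is a read-only check that answers "am I still vulnerable?" at the host level: if the report is empty apart from the VPN-scoped rules, a mistaken port-forward on the NAT box would still hit a closed door. Step 2 is the part that does the whitelisting without needing anyone's home IP, because the only addresses allowed are the ones the VPN assigns after authentication. Repeat the same scoping on the server for whatever management ports are open on it, and re-run step 1 after any role is added (DirectAccess included), since role installation creates new inbound rules.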
 
You could try https://www.vpn.net aka hamachi

I know you said software budget was nil, but if it were me I'd pay $49 for it. This essentially creates an internal network but encrypted over the Internet. This software is installed on each PC, and when you need to connect, traffic routes over the internal tunnel adapter. Then you can do RDP to each desktop via their internal IP through Hamachi. This limits your security exposure from RDP and enabling passthru ports on your router.
 
That looks interesting - I have some reading to do thanks!
 
If you're looking to give multiple people access to their physical desktops running in the office while they are remote, you're probably going to have needs along the lines of: user X can only connect to their desktop, you want two-factor for a secured login, and you don't want any open incoming ports either at the office or from the remote location. Look at something like LogMeIn; they've been running specials during all this.
 
We use Kaseya for support, but I liked LogMeIn better for dual monitors.
 
Outstanding recommendation. Agree on keeping things within the budget, but the real question is how much it will cost you if your system goes down for 24 hours or longer.
 
I started looking into switching to DA because I'm getting "I have to keep logging in every time my Internet drops" complaints.
I wonder if you could use Kerberos for authentication so that they only have to enter their credentials once, and then the reconnect happens automatically with the ticket.
 