
Using the Cloud to Simplify and Secure Microsoft RDS Deployments

Microsoft Remote Desktop Services (RDS) is a Windows feature that businesses use to provide remote access to their desktops and applications. However, securing and simplifying RDS deployments can be complicated and time-consuming. This is where cloud-based solutions come in. By leveraging the power of the cloud, businesses can simplify and secure their RDS deployments with no VPN or firewall exposure, while also gaining access to a wide range of additional features and benefits, such as integrated security, reduced latency, and improved disaster recovery. 

In this article, we explore three popular solutions that can help businesses secure their RDS deployment, and gain access to new capabilities such as Automatic Scaling, Zero Trust, and Identity Management. Whether you’re a small business just starting out or a large enterprise looking to improve your RDS deployment, this article will provide you with the information you need to make an informed decision. 

Cloud-Based Solutions for Remote Desktop Services

Cloud-based solutions for Remote Desktop Services are often referred to as Security Service Edge (SSE) or Cloud Access Security Broker (CASB). Essentially, they eliminate the need for any type of “gateway” on or behind the on-premises firewall, and therefore the need to open any inbound port on the firewall. This effectively makes the RDS deployment invisible over the public internet. Moreover, cloud-based solutions eliminate the need for a VPN, thereby preventing ransomware traversal between remote VPN clients and the networks hosting the RDS servers. 

Among the benefits of SSE and CASB solutions for RDS is the increasing requirement by Cybersecurity Insurance companies for Microsoft RDS solutions with no inbound firewall exposure of any kind. 

Below are three very popular solutions for achieving Zero-Trust access to Microsoft RDS environments, including references on how to learn more about the solutions. 

Microsoft Azure AD Application Proxy

Azure AD Application Proxy provides secure remote access to on-premises applications, including Microsoft Remote Desktop Services (RDS). Here’s a summary of how it works: 

  1. Pre-Authentication: Azure AD Application Proxy integrates with Azure AD to handle user authentication before they access the RDS deployment. This ensures only authenticated users are allowed to connect.
  2. Conditional Access and Multi-Factor Authentication: Azure AD supports conditional access policies, including multi-factor authentication, for an extra layer of security. For instance, end users can be required to provide additional proof of their identity when they sign in, or limit access to certain locations or devices.
  3. Secure Access Without VPN: Application Proxy creates a secure tunnel between the user’s device and your RDS deployment without the need for a VPN. This reduces the attack surface by not exposing RDS servers directly to the internet.
  4. Scalability and Availability: As a cloud service, Application Proxy automatically scales to meet demand, and it’s available wherever Azure AD is available.

Please see end of this article for additional resources about Azure AD Application Proxy.

TruGrid SecureRDP

TruGrid SecureRDP is a solution specifically designed to simplify and secure remote access to Microsoft Remote Desktop Services (RDS) and Windows Virtual Desktops. Here’s a general overview of how TruGrid SecureRDP works to secure RDS:

  1. Simplified and Secure Setup: TruGrid simplifies the setup and management of secure RDP connections. It establishes a secure, encrypted connection between the end user client device and the RDS server without the need for open inbound firewall ports or Virtual Private Networks (VPNs), thereby making RDS servers invisible over the internet.
  2. Multi-Factor Authentication (MFA): TruGrid includes built-in MFA, which adds an additional layer of security by requiring users to provide at least two forms of identification before they can access RDS. This can help prevent unauthorized access even if a user’s primary credentials are compromised.
  3. Fast Connections / Latency Reduction: TruGrid SecureRDP reduces RDS lag with its use of multiple fiber-optic relays all over the world. Unlike Azure AD Application Proxy, TruGrid end users can connect to RDS servers across continents without experiencing slow connections or RDS lag.
  4. Geo-Blocking: TruGrid has a Geo-Blocking / whitelist feature that allows organizations to restrict the countries from which RDS users can connect. In addition to cloud authentication, zero firewall exposure and integrated MFA, TruGrid can further reduce the attack surface by allowing connections only from certain countries.
  5. Hybrid Authentication: TruGrid supports hybrid authentication, whereby end users can use their Azure AD credentials to connect to RDS servers and RemoteApp in an Active Directory environment.
  6. Multitenant Dashboard: TruGrid SecureRDP allows Service Providers to manage multiple clients and settings from a single dashboard.

Please see the end of this article for additional resources about TruGrid SecureRDP.

ZScaler

ZScaler Private Access (ZPA) provides secure access to internal applications, which includes Microsoft Remote Desktop Services (RDS), without exposing them to the internet. 

ZPA operates on the Zero Trust Network Access (ZTNA) principle, which means that no user or device is inherently trusted. Instead, the system verifies the identity and security posture of each user and device before allowing access.

Here’s a high-level overview of how ZPA might be used to secure RDS: 

  1. Identity and Access Management: ZPA integrates with existing identity providers, like Azure AD, to authenticate users. It then uses that identity information to determine what services a user can access based on policy.
  2. TLS Tunneling: After a user is authenticated and authorized, ZPA establishes a secure, outbound-only, TLS-encrypted tunnel between the user’s specific device and the requested application (such as an RDS server).
  3. Application Segmentation: Rather than allowing users broad network access, ZPA uses application segmentation. This means users can only access the specific applications they’re authorized for, reducing the potential attack surface.
  4. Inspection and Logging: All traffic going through ZPA can be logged and inspected for threats, helping to provide additional security.
  5. Cloud-Based and Scalable: As a cloud service, ZPA can easily scale to accommodate large numbers of users and applications.


Automatic Scaling in RDS Deployments

Automatic Scaling is a critical feature for optimizing resources and ensuring cost efficiency in RDS (Remote Desktop Services) deployments. With the dynamic nature of workloads in modern environments, the ability to automatically scale resources based on demand is invaluable.

Cloud-based solutions such as Azure, AWS, and Google Cloud provide robust mechanisms for Automatic Scaling. They offer features like Auto Scaling Groups (ASG), Azure Virtual Machine Scale Sets, and Google Cloud’s Managed Instance Groups, which automatically adjust the number of instances based on predefined conditions such as CPU utilization, network traffic, or custom metrics.

Businesses can benefit from Automatic Scaling in various ways:

  • Cost Optimization: By automatically scaling resources up or down based on demand, businesses can avoid over-provisioning and reduce costs associated with idle resources.
  • Improved Performance: Automatic Scaling ensures that the infrastructure can handle spikes in workload without degradation in performance, maintaining a seamless user experience.
  • Flexibility and Agility: With Automatic Scaling, businesses can adapt to changing requirements and respond quickly to fluctuations in demand, improving agility and responsiveness.

For example, a retail web portal may experience a surge in traffic during holiday seasons or sales events. With Automatic Scaling, the website can automatically provision additional resources to handle the increased load, ensuring uninterrupted customer service without manual intervention.

Zero Trust Security Model for RDS

In today’s threat landscape, traditional perimeter-based security models are no longer sufficient to protect against sophisticated cyber threats. Zero Trust is an alternative security model that assumes breach and requires strict identity verification and continuous authorization for every user and device attempting to access resources.

Each cloud-based solution implements the Zero Trust model in its RDS environment, emphasizing the following principles:

  • Identity Verification: Users and devices are authenticated in the cloud before accessing resources on-premises or behind firewalls, using multi-factor authentication (MFA), device health checks, and strong authentication protocols.
  • Least Privilege Access: Access policies are based on the principle of least privilege, ensuring that users have only the access they need to perform their job functions and nothing more.
  • Continuous Monitoring and Risk Assessment: Zero Trust environments continuously monitor user behavior, device health, and network activity to detect anomalies and potential security threats in real time.
  • Micro-Segmentation: Network segmentation is employed to isolate workloads and restrict lateral movement within the network, minimizing the impact of a potential breach.

Implementing the Zero Trust model in Remote Desktop Services environments is essential for protecting sensitive data, mitigating the risk of insider threats, and ensuring compliance with regulatory requirements such as GDPR and HIPAA.

For example, Azure’s implementation of Zero Trust includes features like Entra ID Conditional Access, Azure Policy, and Azure Security Center, which enable organizations to enforce strict access controls and continuously monitor for security threats in their RDS deployments.

Identity Management in RDS Environments

Identity management is critical to Remote Desktop Services environments, ensuring that only authorized users can access protected desktops. Cloud-based solutions offer robust identity management capabilities, including integration with identity providers, multi-factor authentication (MFA), and access control policies.

Entra ID, Microsoft’s cloud-based identity and access management service, plays a central role in identity management for RDS environments. Entra ID provides features such as:

  • Azure AD Application Proxy: Allows organizations to securely publish internal web applications and Remote Desktop Services (RDS) to the internet without VPN connectivity.
  • Multi-Factor Authentication (MFA): Adds an extra layer of security by requiring users to verify their identity using a second authentication factor, such as a phone or token, in addition to their password.
  • Conditional Access Policies: Enable organizations to define access control policies based on user identity, device health, location, and other factors, ensuring that access to resources is granted only under appropriate conditions.

Similarly, TruGrid SecureRDP and ZScaler offer robust identity management capabilities for RDS environments, including integration with identity providers, role-based access control (RBAC), and granular access control policies.

Robust identity management is essential for enhancing overall security in RDS environments and reducing the risk of unauthorized access, data breaches, and insider threats.

Disaster Recovery Strategies for RDS

Disaster recovery is critical for RDS deployments, ensuring business continuity during hardware failure, natural disasters, or cyber-attacks. Cloud-based solutions offer various features and capabilities to support robust disaster recovery strategies, including geographical redundancy, data replication, and automated failover.

Geographical Blocking:

  • TruGrid offers geographical blocking capabilities, allowing organizations to restrict access to RDS resources based on users’ geographic location. This helps prevent unauthorized access from regions with a high risk of security threats or regulatory compliance issues.

Inspection and Logging:

  • TruGrid logs all Active Directory authentication, including successful and failed authentications, and the IP address of the location where the user is connecting from.
  • ZScaler provides advanced threat protection through inspection and logging capabilities, allowing organizations to monitor network traffic in real time and detect potential security threats. In the event of a security incident, detailed logs enable forensic analysis and incident response to identify the root cause and mitigate the impact.
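The geo-blocking and authentication-logging capabilities above translate directly into a review an administrator can run over exported logs. The following is an added example (not code from TruGrid, ZScaler or the original post): it parses a constructed log format of the kind described, flags logins from countries outside an allowlist, flags source IPs with repeated failed authentications, and flags successes from those same IPs. The line format, field names and sample values are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in a hypothetical format (real products have their own schema).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z user=alice result=SUCCESS src=203.0.113.10 country=US
2024-05-01T08:00:05Z user=bob result=FAILED src=198.51.100.7 country=DE
2024-05-01T08:00:06Z user=bob result=FAILED src=198.51.100.7 country=DE
2024-05-01T08:00:07Z user=bob result=FAILED src=198.51.100.7 country=DE
2024-05-01T08:00:09Z user=bob result=SUCCESS src=198.51.100.7 country=DE
2024-05-01T08:01:00Z user=carol result=SUCCESS src=192.0.2.44 country=BR
2024-05-01T08:02:00Z user=dave result=FAILED src=192.0.2.90 country=FR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILED) "
    r"src=(?P<src>\S+) country=(?P<country>[A-Z]{2})$"
)


def parse_events(text):
    """Parse log lines into dicts; malformed lines are skipped so one bad line
    does not abort the whole review."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def review_auth_log(text, allowed_countries, failure_threshold=3):
    """Return (geo_violations, failure_bursts, suspicious_successes):
    - events whose country is not in the allowlist (what geo-blocking would have denied)
    - source IPs with at least failure_threshold failed authentications
    - successful logins from an IP that is also in failure_bursts
    """
    events = parse_events(text)
    geo_violations = [e for e in events if e["country"] not in allowed_countries]
    failures = Counter(e["src"] for e in events if e["result"] == "FAILED")
    bursts = {src: n for src, n in failures.items() if n >= failure_threshold}
    suspicious_successes = [
        e for e in events if e["result"] == "SUCCESS" and e["src"] in bursts
    ]
    return geo_violations, bursts, suspicious_successes


if __name__ == "__main__":
    for finding in review_auth_log(SAMPLE_LOG, {"US", "DE"}):
        print(finding)
```

A success following a run of failures from the same address is worth a closer look even when the country is allowed, which is why the third list exists alongside the geo check.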

Scalability:

  • Azure AD Application Proxy offers scalability features such as Azure Traffic Manager, which automatically routes traffic to the nearest available data center based on network latency and availability. This ensures high availability and performance for remote desktop web access resources, even during peak usage periods or regional outages.

Disaster recovery strategies leveraging these cloud-based solutions enable organizations to minimize downtime, reduce data loss, and maintain business continuity in the face of unforeseen events.

In the context of enhancing security and performance for Microsoft Remote Desktop Services (RDS), it’s important to consider the role of the Windows client operating system. Keeping the Windows client operating system up to date is crucial for maintaining a secure and efficient remote desktop experience. This not only helps in safeguarding against vulnerabilities but also ensures compatibility and optimal performance when accessing remote desktops and applications.


Since all three popular solutions (Microsoft Azure AD Application Proxy, TruGrid SecureRDP and ZScaler) require varying degrees of knowledge for successful implementation, please see the additional resources below.

Additional Resources

Microsoft

TruGrid SecureRDP

ZScaler Secure Private Access