Installing Terminal Server (Remote Desktop Services) on a Domain Controller (Active Directory)

Solution 1

The simplest things I can think of right off the bat: Start a process that fills the hard drives or RAM and crashes the server.

More insidious tactics would use everything from cache and side band attacks to malware and hacking toolkits to derive any and all information from AD, including potentially reversible passwords, security and other sensitive information.

Solution 2

When someone connects to a machine via remote desktop, they are using that machine just like they are sitting in front of it. Doing this with a domain controller would be like putting your domain controller at a user's (or several users') desk for use in their day-to-day work. Everything your users do that might possibly change the state of the machine is happening right there to the system hosting your Active Directory. Forget malicious hackers for a moment (not that they aren't a problem too) — the chances that one of your own users accidentally breaks something important or runs a resource-intensive app creating an effective denial of service approach 100%.
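A defender's check for the configuration both answers argue against, added here as an example rather than code from the original thread: it reports any domain controller that also has the Remote Desktop Session Host role installed and lists who is in the domain's built-in Remote Desktop Users group. It assumes the ActiveDirectory module on the admin workstation, the ServerManager module on each DC, and PowerShell remoting rights to the DCs.

```powershell
# Added example, not part of the original answers.
# Assumes: ActiveDirectory module locally, ServerManager module on each DC, remoting rights.
Import-Module ActiveDirectory

# Every domain controller in the current domain, by DNS host name.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# On a DC the BUILTIN\Remote Desktop Users group is a domain object; a large membership
# here is exactly the "users sitting at the DC's console" situation described above.
$rdpMembers = Get-ADGroupMember -Identity 'Remote Desktop Users' -Recursive |
    Select-Object -ExpandProperty SamAccountName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    # RDS-RD-Server is the Remote Desktop Session Host role (the "terminal server" role).
    $rdsh = Get-WindowsFeature -Name RDS-RD-Server
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        IsDC          = ($role -ge 4)
        RDSHInstalled = [bool]$rdsh.Installed
    }
}

foreach ($r in ($results | Sort-Object Computer)) {
    if ($r.IsDC -and $r.RDSHInstalled) {
        Write-Warning ("{0}: domain controller is also a Remote Desktop Session Host" -f $r.Computer)
    } else {
        Write-Output ("{0}: OK (RDSH installed: {1})" -f $r.Computer, $r.RDSHInstalled)
    }
}

Write-Output ("BUILTIN\Remote Desktop Users has {0} member(s): {1}" -f `
    $rdpMembers.Count, ($rdpMembers -join ', '))
```

Run it from a management workstation; any warning line is a DC whose remediation is the role separation the answers recommend, and a long membership list is the attack surface to trim first.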

Updated on September 17, 2022

Comments

  • Earls
    Earls over 1 year

    From my research, I've come to understand that "Installing Terminal Server (Remote Desktop Services) on a Domain Controller (Active Directory)" is a cardinal sin - apparently there are some serious security risks.

    Could someone please elaborate and explain the risks?

    More specifically:

    How would someone go about compromising the server? What is the worst that could happen?

    Understand these aspects of my particular configuration:

    No files are being stored on the server. The directory is only being used to authorize users to use Remote Desktop Services. The server will be accessed by less than 50 users.

    Thank you.

    • Earls
      Earls about 13 years
      To serve applications. "Just don't do it" - I would like to better understand why not to do so and/or why it would be a disaster. What is the ratio of risk to the conservation of resources? How likely is intrusion to occur? How easily can worst case scenarios (malicious user "selects all, deletes") be mitigated by having duplicate standbys? For example, common practice would be to have three servers (two DCs and one TS [or maybe even two TS]), that's four Windows installs vs. two Windows installs if the roles are combined.
  • Earls
    Earls about 13 years
    This assumes they have compromised a user account, correct? What if users can only run a small subset of authorized applications?
  • Earls
    Earls about 13 years
    I concur that may be a valid concern, but I assume you were downranked because controlling your users should be a trivial exercise via group policy, no?
  • Joel Coel
    Joel Coel about 13 years
    That could be, but if so it's pretty weak: unless your group policy-fu is perfect, you're still in trouble. I suspect the real reason is my assertion that using a terminal services desktop is just like sitting at the console -- while the sentiment is accurate, this is a slight exaggeration.
  • MrGigu
    MrGigu about 13 years
    @Earls - as someone who has put a lot of time and effort into locking down terminal servers by group policy (especially with some... "power" users who are always finding ways to circumvent it, deliberately or not), it's most definitely not a trivial task. We have spent cumulatively maybe 40 hours refining our GPOs on terminal servers.
  • Joel Coel
    Joel Coel about 13 years
    @Earls - how 'bout just a compromised user? Most hacks are inside jobs.
  • Philip
    Philip about 13 years
    @Earls, there are no absolutes in security. Sounds like you're already decided on doing this, so the only thing you can do is make the situation as reasonably secure as your policies demand. Separating the roles adds a very large security buffer, but doesn't guarantee anything anyway.
  • Earls
    Earls about 13 years
    I'll give it to you for being honest... I guess it's just something I'm going to have to learn from experience. If users wreck their terminal server, they're not going to be using it whether it's a separate server or not. I understand the concern about "l33t users" attempting to flex, but luckily in my case, all of my users are extremely timid and inept - to the point they have to be educated to copy and paste. Hopefully, with due diligence, I can mitigate unintentional catastrophes of ignorance. I'm new to server configuration and deployment, but not GPO. Thanks.