Tag: RDP


Azure Bastion – Private RDP and SSH access to Azure VMs

Azure Bastion is a new service that gives you private, fully managed RDP and SSH access to your Azure virtual machines. Until now, if you wanted to reach an Azure virtual machine over RDP or SSH without a VPN connection, you had to assign a public IP address to the virtual machine. You could secure that connection with Azure Just in Time VM access in Azure Security Center, but the approach still had drawbacks. With Azure Bastion you get a private, fully managed service that you deploy into your Virtual Network, and which then lets you connect to your VMs directly from the Azure portal in your browser over SSL/TLS.

Figure: Azure Bastion architecture (source: Microsoft Docs)

Azure Bastion brings a couple of advantages:

  • Removes requirement for a Remote Desktop (RDP) client on your local machine
  • Removes the requirement for a local SSH client
  • No need for local RDP or SSH ports (handy when your company blocks it)
  • Uses secure SSL/TLS encryption
  • No need to assign public IP addresses to your Azure Virtual Machine
  • Works in basically any modern browser on any device (Windows, macOS, Linux, etc.)
  • Better hardening and more straightforward Network Security Group (NSG) management
  • Can remove the need for a Jumpbox

If you want to know more, here are the links to the Azure Bastion announcement blog and the Microsoft Docs.

Public Preview

Azure Bastion is currently in public preview. The public preview is limited to the following Azure public regions:

  • West US
  • East US
  • West Europe
  • South Central US
  • Australia East
  • Japan East

To participate in this preview, you need to register. Use these steps to register for the preview:

# Opt the subscription in to the Bastion preview feature
Register-AzureRmProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network

# Re-register the Microsoft.Network resource provider so the feature takes effect
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network

# Verify that the feature shows as registered
Get-AzureRmProviderFeature -ProviderNamespace Microsoft.Network

To use the Azure Bastion service, you will also need to use the Azure Portal – Preview.

How to set up an Azure Bastion host for a private RDP and SSH access to Azure VMs

Create Azure Bastion Host

First, you will need to deploy the Bastion host in your virtual network (VNet). The Azure Bastion host needs a dedicated subnet named AzureBastionSubnet with a size of at least /27.
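As an added example (not code from the original post or from Microsoft), here is how the dedicated subnet and the Bastion host can be created with the Az PowerShell module instead of the portal. The post's registration commands use the older AzureRm module; the cmdlets below come from Az.Network, and New-AzBastion in particular is assumed to accept the public IP and VNet objects as shown. Resource group, VNet name, region and address range are placeholders.

```powershell
# Added example: deploy an Azure Bastion host with the Az PowerShell module (Az.Network).
# Resource names, region and the subnet address range are placeholders.

$rgName   = 'rg-bastion-demo'     # placeholder resource group (must already exist)
$location = 'westeurope'          # one of the preview regions listed in the post
$vnetName = 'vnet-demo'           # existing VNet that contains the VMs you want to reach

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName

# Bastion requires a subnet that is literally named AzureBastionSubnet and is at least /27.
$bastionPrefix = '10.0.255.0/27'  # placeholder; must be free inside the VNet address space
$existing = $vnet.Subnets | Where-Object { $_.Name -eq 'AzureBastionSubnet' }
if (-not $existing) {
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' `
        -AddressPrefix $bastionPrefix -VirtualNetwork $vnet | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet   # commit and refresh the VNet object
}

# The Bastion host itself needs a Standard SKU, static public IP. The VMs behind it do not.
$pip = New-AzPublicIpAddress -ResourceGroupName $rgName -Name 'pip-bastion' `
    -Location $location -Sku Standard -AllocationMethod Static

# Assumption: New-AzBastion accepts the public IP and VNet objects created above.
New-AzBastion -ResourceGroupName $rgName -Name 'bastion-demo' `
    -PublicIpAddress $pip -VirtualNetwork $vnet

# Check: with Bastion in place, management access no longer needs public IPs on the VMs.
# List every NIC in the resource group that still carries one, so they can be reviewed.
Get-AzNetworkInterface -ResourceGroupName $rgName | ForEach-Object {
    foreach ($cfg in $_.IpConfigurations) {
        if ($cfg.PublicIpAddress) {
            '{0}: still has public IP {1}' -f $_.Name, $cfg.PublicIpAddress.Id
        }
    }
}
```

The final loop is the check a practitioner wants after the deployment: any NIC it prints is a VM that is still directly reachable from the internet, which is exactly the exposure Bastion is meant to remove.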


Access Azure virtual machines using Azure Bastion

Azure Bastion integrates natively into the Azure portal. The portal automatically detects whether a Bastion host is deployed in the virtual network your virtual machine is in. To connect to a virtual machine, click on the Connect button for that virtual machine, then enter your username and password for the virtual machine.


This opens a web-based RDP or SSH session to the virtual machine inside the Azure portal, carried over SSL/TLS. Again, there is no need to have a public IP address assigned to your virtual machine.


Roadmap – more to come

As Yousef Khalidi (CVP Azure Networking) mentions in his preview announcement blog, the team will add more capabilities, such as Azure Active Directory and MFA support, as well as support for native RDP and SSH clients.

The Azure networking and compute teams are doing great work on creating a better Azure IaaS experience. I hope this gives you an overview of how you can get private RDP or SSH access to your Azure VMs. If you want to know more about the Azure Bastion service, check out the Microsoft Docs. If you have any questions, feel free to leave a comment.




Azure – Just in Time VM access

If you run virtual machines with a public IP address connected to the internet, attackers immediately start running attacks against them. Brute-force attacks commonly target management ports such as RDP or SSH to gain access to a VM. If an attacker is successful, he can take control of the VM and access other resources in the environment. To address this, it is highly recommended to reduce the number of open ports, especially management ports. However, sometimes you need to open ports on some virtual machines for management tasks. Microsoft Azure has a simple way to address this, called Azure Just in Time (JIT) virtual machine (VM) access. Just in time VM access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while still providing easy access to connect to VMs when needed.

To find more about Just-in-time virtual machine access in Azure Security, check out the Microsoft Docs.

How does Azure Just in Time VM Access work

In Azure Security Center you can enable Just in time VM access, which creates Network Security Group (NSG) rules to lock down inbound traffic to the Azure VM. During the initial JIT VM access configuration you specify the ports that Azure Security Center will manage; Security Center then keeps these ports locked down with NSG rules until access is explicitly requested.

Configure Azure JIT VM access


Azure JIT VM access is configured in the Azure Security Center. To configure and enable JIT on a virtual machine open up the Azure Security Center and click on Just in time VM access.

Here you will find three states: Configured, Recommended and No recommendation.

  • Configured – VMs that have been set to support just in time VM access. The data presented is for the last week and includes for each VM the number of approved requests, last access date and time, and last user.
  • Recommended – VMs that can support just in time VM access but have not been configured to. We recommend that you enable just in time VM access control for these VMs. See Configuring a just in time access policy.
  • No recommendation – Reasons that can cause a VM not to be recommended are:
    • Missing NSG – The just in time solution requires an NSG to be in place.
    • Classic VM – Security Center just in time VM access currently supports only VMs deployed through Azure Resource Manager. A classic deployment is not supported by the just in time solution.
    • Other – A VM is in this category if the just in time solution is turned off in the security policy of the subscription or the resource group, or that the VM is missing a public IP and doesn’t have an NSG in place.

To configure it, click on Recommended and select the virtual machine for which you want to enable JIT.

Click on Enable JIT on VMs and configure the ports that should be managed by Just in time VM access. Just in time VM access recommends some default ports such as RDP, SSH and PowerShell Remoting. You can also add other ports for the virtual machine if you want or need to.

Requesting Just in time VM Access for Azure Virtual Machine


In the Configured section, select the VM you want to request access to and click on Request access. You can now choose which ports should be opened, for how long, and for which source IP address. This opens the ports, and after 2-3 minutes you will be able to access the virtual machine.

To send such a request, the user requesting access to the virtual machine needs write access to the virtual machine in Azure Role-Based Access Control (RBAC).
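The configure-and-request flow described above, as an added example that is not part of the original post: it uses the Az.Security cmdlets Set-AzJitNetworkAccessPolicy and Start-AzJitNetworkAccessPolicy (the hashtable shapes follow the Microsoft docs for those cmdlets) and Get-AzLog from Az.Monitor for the audit step. The subscription id, resource names and the requesting client's IP address are placeholders.

```powershell
# Added example: configure a JIT VM access policy, request access through it,
# and pull the resulting entries from the Activity Log. Az.Security and Az.Monitor
# cmdlets are assumed to be available; all identifiers below are placeholders.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$rgName         = 'rg-jit-demo'
$location       = 'westeurope'
$vmName         = 'vm-web01'
$vmId           = "/subscriptions/$subscriptionId/resourceGroups/$rgName" +
                  "/providers/Microsoft.Compute/virtualMachines/$vmName"

# 1. Policy: which ports Security Center manages for this VM and the longest access
#    window a request may ask for (ISO 8601 duration). While no request is active,
#    Security Center keeps deny rules for these ports in the VM's NSG.
$policyVm = @{
    id    = $vmId
    ports = @(
        @{ number = 3389; protocol = '*'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT3H' }  # RDP
        @{ number = 22;   protocol = '*'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT3H' }  # SSH
        @{ number = 5986; protocol = '*'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT1H' }  # PowerShell Remoting (HTTPS)
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $location -Name 'default' `
    -ResourceGroupName $rgName -VirtualMachine @($policyVm)

# 2. Request: open RDP only, only from the requester's own address, for one hour.
#    The caller needs write permission on the VM in RBAC, as the post notes.
$clientIp = '203.0.113.10'   # placeholder (TEST-NET-3 documentation range)
$policyId = "/subscriptions/$subscriptionId/resourceGroups/$rgName" +
            "/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
$endTime  = (Get-Date).ToUniversalTime().AddHours(1).ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$requestVm = @{
    id    = $vmId
    ports = @(
        @{ number = 3389; endTimeUtc = $endTime; allowedSourceAddressPrefix = @($clientIp) }
    )
}
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($requestVm)

# 3. Audit: policy changes and access requests land in the Activity Log.
#    Assumption: OperationName and Status are exposed as objects with a .Value string.
Get-AzLog -ResourceGroupName $rgName -StartTime (Get-Date).AddDays(-7) |
    Where-Object { $_.OperationName.Value -like '*jitNetworkAccessPolicies*' } |
    Select-Object EventTimestamp, Caller,
        @{ n = 'Operation'; e = { $_.OperationName.Value } },
        @{ n = 'Status';    e = { $_.Status.Value } }
```

Note the difference between the two hashtables: the policy sets the upper bound (which ports may be opened at all, and for how long at most), while the request narrows it further to one port, one source address and a concrete end time. Keeping the policy's allowedSourceAddressPrefix broad and the request's narrow is the usual pattern, because the request is what actually ends up in the NSG.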

Auditing access activity

Of course, all requests are logged and can be reviewed in the Activity Log.

Licensing

Azure Just in time VM access is licensed through Azure Security Center and requires the Standard tier to be enabled for the specific virtual machine.

I hope this gives you an idea of how you can leverage Just in time VM access in Azure for your workloads.




Speaking at E2EVC 2015 Lisbon

After a great time in the US visiting VeeamON 2015, the Microsoft MVP Summit 2015 and MMS 2015, I am happy to announce that I will speak tomorrow at E2EVC (Experts 2 Experts Virtualization Conference) in Lisbon. Together with Alex Cooper (Microsoft MVP Remote Desktop Services) and Dr. Benny Tritsch (Microsoft MVP Remote Desktop Services), I will speak in one of the keynotes about updates in Microsoft virtualization technology.

What’s new with Microsoft Virtualization & Remote Desktop Services – Windows Server 2016 T3 Update

We will cover what is new in Hyper-V, Remote Desktop Services and Azure RemoteApp.

E2EVC Virtualization Conference is a non-commercial virtualization community event. The main goal of E2EVC is to bring the best virtualization experts together to exchange knowledge and to establish new connections. E2EVC is a weekend crammed with presentations, master classes and discussions delivered by both virtualization vendors' product teams and independent experts. I am happy to be part of the community and to listen to other industry-leading experts. Hopefully I will see you in Lisbon.



Windows Server 2008: Allow multiple Remote Desktop sessions per user

In Windows Server 2003 you could have multiple Remote Desktop sessions with the same user. In Windows Server 2008 this is not possible by default: if you log in with the same user account, the first session is taken over by the second session.

But you can allow multiple Remote Desktop sessions per user by changing a registry key.

  1. Start regedit
  2. Navigate to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
  3. If the fSingleSessionPerUser value doesn't exist, create a new DWORD value named fSingleSessionPerUser
  4. Open the fSingleSessionPerUser value. The possible values for this setting are as follows:
    0x0 Allow multiple sessions per user
    0x1 Force each user to a single session
  5. Save the change
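The same change as an added PowerShell example (not from the original post or from remotedesktoprdp.com), done from an elevated prompt instead of regedit, with a read-back so you can see the value before and after and a one-line way to revert. The function names are my own.

```powershell
# Added example: set fSingleSessionPerUser from PowerShell and verify the write.
# Run from an elevated PowerShell prompt on the Windows Server 2008 host.

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$valueName = 'fSingleSessionPerUser'

function Get-SessionPerUserMode {
    # Returns 0 (multiple sessions per user) or 1 (single session per user).
    # If the value is absent, the server behaves as if it were 1, which is the 2008 default.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }
    return [int]$item.$valueName
}

function Set-SessionPerUserMode {
    param([ValidateSet(0, 1)][int]$Mode)
    # New-ItemProperty creates the DWORD if it is missing; -Force overwrites an existing one.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $Mode -Force | Out-Null
    # Read the value back rather than assuming the write succeeded.
    $actual = Get-SessionPerUserMode
    if ($actual -ne $Mode) { throw "Expected $valueName=$Mode but read back $actual" }
    return $actual
}

"Before: $valueName = $(Get-SessionPerUserMode)"
Set-SessionPerUserMode -Mode 0 | Out-Null    # 0 = allow multiple sessions per user
"After:  $valueName = $(Get-SessionPerUserMode)"

# To restore the default behaviour (one session per user):
#   Set-SessionPerUserMode -Mode 1
```

Because allowing multiple sessions per account means one set of credentials can hold several interactive sessions at once, it is worth pairing this change with a look at who is actually logged on (for example with query session) and with the session time limits in the Remote Desktop Session Host configuration, so abandoned sessions do not accumulate.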

Found this on remotedesktoprdp.com



Still love my iPad


I still love my iPad. Now I really start to work with it. It keeps my life simple and easy.

First I start with a daily briefing with my todos (Things) and events for today. I also read a lot of news with my Google Reader app (Newsrack), which also syncs with my iPhone, so I always see what's new around the tech world.

Through the day I need it to get quick information about tech or other stuff. I also use it for social networks like Facebook, Twitter and so on.


With apps like iTap RDP I can use it to control Windows Servers in our datacenter, and I create and read notes with Evernote. There is also a pretty cool PowerShell guide for the iPhone and the iPad called iPowershell.

At home I use it as a remote control for iTunes, my Dreambox and other things. And if I have a moment when I don't need it, I use it as a picture frame.

Important to note: the iPad does not replace my notebook or my iPhone, but there are a lot of new things I never thought I could do this way.