How to Secure Amazon RDP Access

Amazon Web Services (AWS) is a key driving force for businesses today. It allows organizations to improve innovation, increase agility and cut costs via a comprehensive suite of tools such as Amazon remote desktop protocol (RDP).

Amazon RDP leverages Microsoft’s RDP to provide organizations with access to secure and highly reliable Windows-based instances without requiring them to configure any virtual private network (VPN) connection. Businesses that want to leverage Amazon RDP can use Amazon Quick Start to deploy and configure a remote desktop (RD) gateway infrastructure automatically.

What Does the Remote Desktop Gateway Environment Setup Provide?

Amazon RDP is increasingly popular with organizations because it helps them set up a secure RD gateway environment. Effective RD gateway management minimizes the attack surface for Windows-based workloads, since the connection between remote users and Elastic Compute Cloud (EC2) instances occurs through RDP over hypertext transfer protocol secure (HTTPS).

Below are typical components that are delivered when deploying RD gateway via AWS Quick Start:

What Are the Costs of Deploying a Remote Desktop Gateway in AWS?

Organizations are responsible for all costs related to the AWS services they use while running Quick Start reference deployments, including any license fees. However, there is no additional cost for using Quick Start itself. You can use the AWS CloudFormation template and Quick Start to simplify the provisioning and management of EC2 instances on AWS.

One advantage of using Quick Start is that it launches the Amazon Machine Image (AMI) for Windows Server OSs such as 2012 R2, 2016 and 2019 automatically. Since Quick Start includes licenses for these OSs and the AMI gets updated regularly, you don’t need to install any updates.

But that’s not all. The Windows Server AMI includes two Microsoft remote desktop services (RDS) licenses, and as such, you don’t need the client access licenses (CALs) to access Windows-based instances.

What Are Some Best Practices for Deploying an RD Gateway?

Deploying RDS for remote employees is a great way to enhance productivity through secure access to Windows-based instances. However, this can make business sense only when appropriately deployed. Below is a list of five best practices for deploying RD gateways:

1. Always adhere to the principle of least privilege

Least privilege is a security norm that restricts access rights for various users in an organization, only allowing them to access what is required to get the job done. In AWS, this is possible by exposing as few ports to the network as possible. This limits the source network from accessing the organization’s EC2 instances. AWS has many capabilities, including security groups, subnets and trusted ingress CIDR blocks that you can use to enforce this principle.

2. Always use VPC for business-critical workloads

A VPC gives you complete control of the virtual network environment, including selecting your own IP address ranges and subnets and configuring gateways. Amazon recommends the following best practices when deploying critical Windows-based instances:

3. Lock down the network access control lists with more specific rules

Network access control lists (ACLs) permit or deny inbound and outbound traffic at the subnet level and are an effective way to blacklist an IP address or a CIDR block. While the default network ACL configuration is generally considered sufficient, locking it down with more specific rules further secures the Windows-based instances at the network level.

4. Use security groups to create instance-level firewalls

Security groups let IT administrators manage open ports and isolate different application tiers. Every instance in a VPC runs behind a stateful firewall by default, and the security group defines which inbound and outbound ports that firewall opens.

You can also associate a particular security group with multiple instances to isolate application tiers in the AWS environment. When configured this way, security groups minimize the attack surface for EC2 instances. They also allow IT administrators to create secure connections for all the connected workloads via a single gateway.
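As an added example (not code from the article, from AWS or from the Quick Start), the following Python audit applies the least-privilege and security-group guidance above to an RD gateway's ingress rules: it flags raw RDP (3389) reachable from outside the trusted ingress CIDR blocks and any other source not in those blocks, and builds the minimal rule set (HTTPS only, from trusted ranges only). The security group description, group id and CIDR ranges are constructed sample values, and the rules are assumed to use IPv4 ranges only.

```python
import ipaddress

# Trusted ingress CIDRs (constructed sample; IPv4 only is assumed): the only allowed sources
TRUSTED_INGRESS = [ipaddress.ip_network("203.0.113.0/24")]
RDP_PORT, HTTPS_PORT = 3389, 443

# Constructed sample shaped like `aws ec2 describe-security-groups` output (placeholder id)
RDGW_SECURITY_GROUP = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        # RDP over HTTPS from the corporate range: the only rule the gateway needs
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        # Leftover rule exposing raw RDP to the whole internet
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # HTTPS from a range that is not in the trusted list
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
    ],
}

def rule_covers_port(perm, port):
    """True if an IpPermissions entry allows the given TCP port."""
    if perm.get("IpProtocol") == "-1":      # "-1" means all protocols and ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_rdgw_ingress(group, trusted=TRUSTED_INGRESS):
    """Return (cidr, reason) findings for ingress rules that break least
    privilege: sources outside the trusted blocks, with raw RDP called out."""
    findings = []
    for perm in group["IpPermissions"]:
        for r in perm.get("IpRanges", []):
            src = ipaddress.ip_network(r["CidrIp"])
            if any(src.subnet_of(t) for t in trusted):
                continue                     # trusted source: allowed
            if rule_covers_port(perm, RDP_PORT):
                findings.append((r["CidrIp"], "RDP (3389) reachable outside trusted CIDRs"))
            else:
                findings.append((r["CidrIp"], "source not in trusted ingress CIDRs"))
    return findings

def hardened_rdgw_ingress(trusted=TRUSTED_INGRESS):
    """Minimal ingress for an RD gateway: HTTPS only, from trusted CIDRs only."""
    return [{"IpProtocol": "tcp", "FromPort": HTTPS_PORT, "ToPort": HTTPS_PORT,
             "IpRanges": [{"CidrIp": str(t)} for t in trusted]}]
```

Running the audit against the sample group reports the open 3389 rule and the untrusted 443 source, while the hardened rule set produces no findings.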

5. Use SSL certificates to improve security

The RD gateway role relies on transport layer security (TLS) protocol to encrypt the connection between the gateway servers and administrators. To support TLS, IT administrators must install a valid X.509 secure sockets layer (SSL) certificate on each RD gateway. Smaller test environments can implement a self-signed certificate to get started quickly. However, for large environments, Amazon recommends a public certificate.

How Do You Connect to an EC2 Instance Using RDP?

You need an administrator password to connect to Windows-based instances via Amazon RDP. If your instance is part of a domain, you'll need AWS Directory Service credentials to connect to it. Unlike the first option, where you enter the local computer name and the generated password, a domain-joined instance requires a fully qualified user name for the administrator and the password.

Here are steps to help you connect to EC2 instances via Amazon RDP:

  1. Launch the Amazon EC2 console (https://console.aws.amazon.com/ec2/), and log in as root. You can create a new account with AWS if you don’t have one.
  2. Select Instances under the navigation pane. This displays a list of all the EC2 instances you have created before, including their statuses and actions. Select your Windows-based EC2 instance and click Connect.
  3. In the new Connect to instance page, click RDP client, and choose Get password. This generates an administrator password that you’ll need to use when logging into the EC2 session.
  4. Now choose Browse, and navigate to the folder containing the private key file. The private key file gets generated when you launch an EC2 instance for the first time. Choose the file and click Open.
  5. Click Decrypt Password. Save the password in a location of your choice since you’ll need it when connecting to the instance.
  6. Next, choose Download remote desktop file. Select the Save option when prompted about whether you want to open or save the file, and return to the Instances page.
  7. Navigate to the location containing the downloaded file, and double-click to open the RDP shortcut file.
  8. You may receive a warning message notifying you that the publisher of the downloaded file cannot be verified. Click Connect to log onto your EC2 instance.
  9. The program chooses the administrator account by default. Copy/paste the generated password that you had saved previously to log on to your instance.

Simplify Your Hybrid Cloud Deployments with Parallels RAS

Organizations are looking increasingly to cloud solutions such as AWS and Microsoft Azure as the answer to their transformation challenges. While this is driven mainly by the need to modernize IT infrastructures, other compelling reasons for the transition include innovating, increasing agility and cutting costs.

You also need to consider a robust virtual desktop infrastructure (VDI) solution as you transition your IT infrastructure from on premises to the cloud. A perfect VDI can help streamline IT administration tasks and reinforce cloud computing benefits such as increasing agility and cutting down costs.

Parallels® Remote Application Server (RAS) is one such product. As an all-in-one VDI product, Parallels RAS allows businesses to provide virtual applications and desktops that employees can access on any device and platform with ease. Parallels RAS is also cloud-ready, supporting on-premises, public cloud, hybrid cloud and hyper-converged infrastructure (HCI) deployments.

Parallels RAS increases IT agility with virtual applications and desktops secured—whether on premises or in the cloud. This allows customers to access corporate resources tailored towards meeting evolving business requirements. Additionally, companies can reduce upfront costs substantially when they leverage cloud computing and the Parallels RAS pay-as-you-go pricing model.

Download your free Parallels RAS trial today, and see for yourself how it can simplify your hybrid cloud deployments!