Use Azure Bastion to access your virtual machine in Azure

As most of you know, it’s possible to give a virtual machine in Azure a public IP address, which can then be used to connect to it over, for example, RDP or SSH.

This way of connecting takes place over the Internet, which entails a great security risk. In many environments we see jumpbox or stepping stone servers, which are placed in the DMZ. These servers can be accessed from the Internet, and from these servers a connection can be made to a server or multiple servers on the internal network.

Such an arrangement is insecure, hard to manage and vulnerable. Azure Bastion is a great addition to facilitate a secure connection to a virtual machine in Azure. Azure Bastion integrates into the Azure portal, requiring multi-factor authentication. The virtual machines do not need to have a public IP address, so they are not accessible directly from the Internet.

Azure Bastion is a fully managed, autoscaling and hardened PaaS service that provides secure RDP and SSH connectivity. It is easy to configure in just a few steps. By using virtual network peering, it’s possible to easily add Azure Bastion to an existing configuration in Azure.

  1. Configure a new virtual network for Azure Bastion
  2. Create a new subnet named ‘AzureBastionSubnet’ required for Azure Bastion
  3. Configure virtual network peering to your other networks
  4. Create an Azure Bastion host
  5. Log in to the VM through the Azure portal using Azure Bastion
  6. See the list of active sessions in the Azure Bastion Host properties
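The same setup as steps 1 to 4 above in Azure PowerShell (Az module), as an added example that is not part of the original post; resource group, vnet and subnet names, address ranges and the existing workload vnet are all assumptions.

```powershell
# Added example, not from the original post: Azure PowerShell (Az module) equivalent of
# steps 1 to 4 above. All names, address ranges and the existing workload vnet are assumptions.
$rg       = 'rg-bastion-demo'      # hypothetical resource group for the Bastion host
$location = 'westeurope'

# Step 1 + 2: dedicated vnet with a subnet that must be named exactly 'AzureBastionSubnet'
# (Azure currently requires it to be /26 or larger).
$bastionSubnet = New-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix '10.10.1.0/26'
$bastionVnet   = New-AzVirtualNetwork -Name 'vnet-bastion' -ResourceGroupName $rg -Location $location `
                   -AddressPrefix '10.10.0.0/16' -Subnet $bastionSubnet

# Step 3: peer with the vnet that already holds the VMs (assumed: 'vnet-workload' in 'rg-workload').
# Peering is created in both directions; the two address spaces must not overlap.
$vmVnet = Get-AzVirtualNetwork -Name 'vnet-workload' -ResourceGroupName 'rg-workload'
Add-AzVirtualNetworkPeering -Name 'bastion-to-workload' -VirtualNetwork $bastionVnet -RemoteVirtualNetworkId $vmVnet.Id
Add-AzVirtualNetworkPeering -Name 'workload-to-bastion' -VirtualNetwork $vmVnet -RemoteVirtualNetworkId $bastionVnet.Id

# Step 4: the Bastion host is the only resource that gets a public IP (Standard SKU, static).
$pip = New-AzPublicIpAddress -Name 'pip-bastion' -ResourceGroupName $rg -Location $location `
         -AllocationMethod Static -Sku Standard
New-AzBastion -ResourceGroupName $rg -Name 'bastion-demo' -PublicIpAddress $pip -VirtualNetwork $bastionVnet

# Check: no NIC in the workload resource group should still carry a public IP address,
# otherwise the VM stays reachable from the Internet next to the Bastion path.
$exposed = Get-AzNetworkInterface -ResourceGroupName 'rg-workload' |
    Where-Object { $_.IpConfigurations | Where-Object { $_.PublicIpAddress } }
if ($exposed) { Write-Warning "NICs with a public IP: $($exposed.Name -join ', ')" }
```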

Now you can securely connect through Azure Bastion to a virtual machine running RDP or SSH. As you can see, the virtual machine I’m connecting to has no public IP address, only an internal IP address.

Restricting RDP access to Azure virtual machines

By default, every VM you’ve created within Azure has RDP (Remote Desktop Protocol) on port 3389 enabled. You can access your VM from anywhere in the world.

You can restrict RDP access to just the IP addresses you want, so you can limit the access. For example, you can allow only your company IP address and maybe your home address to access the specific VM in Azure.

To restrict access, I’ve created an NSG (Network Security Group) with the following configuration:

1.) Create a new Inbound security rule with a priority of 4095 (every number below the default of 65000 is fine!)
2.) Configure the following rule:

Priority: 4096
Name: Deny-RDP-Access
Source: Service Tag
Source service tag: Internet
Source port ranges: *
Destination: VirtualNetwork
Destination port ranges: 3389
Protocol: TCP
Action: Deny

3.) Configure a second rule:

Priority: 4095
Name: Allow-RDP-Access
Source: IP Addresses
Source IP Addresses/CIDR ranges: YOUR IP ADDRESSES
Source port ranges: *
Destination: Any
Destination port ranges: 3389
Protocol: TCP
Action: Allow
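The same two rules built with Azure PowerShell (Az module), as an added example that is not part of the original post; the resource group, NSG and NIC names and the trusted address ranges are assumptions.

```powershell
# Added example, not from the original post: Azure PowerShell (Az module) equivalent of the
# two rules above. Resource group, NSG/NIC names and the trusted address ranges are assumptions.
$rg       = 'rg-workload'
$location = 'westeurope'
# Constructed placeholder ranges: replace with your company and home addresses (CIDR notation).
$trustedIps = @('203.0.113.10/32', '198.51.100.0/24')

# NSG rules are evaluated lowest priority number first, so Allow (4095) must sit above Deny (4096);
# both stay well below the built-in default rules, which start at 65000.
$allowRdp = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-Access' -Priority 4095 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $trustedIps -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389

$denyRdp = New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-Access' -Priority 4096 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange 3389

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-rdp-restricted' -ResourceGroupName $rg `
    -Location $location -SecurityRules $allowRdp, $denyRdp

# The NSG only takes effect once it is attached; here to the VM's NIC (assumed name 'nic-vm01').
$nic = Get-AzNetworkInterface -Name 'nic-vm01' -ResourceGroupName $rg
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null

# Check: flag any inbound rule in the subscription that still allows 3389 (or all ports)
# from the whole Internet. Port ranges such as 3000-4000 are not parsed by this simple check.
Get-AzNetworkSecurityGroup | ForEach-Object {
    $nsgName = $_.Name
    $_.SecurityRules | Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
        ($_.DestinationPortRange -contains '3389' -or $_.DestinationPortRange -contains '*') -and
        ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet')
    } | Select-Object @{n='NSG';e={$nsgName}}, Priority, Name, SourceAddressPrefix
}
```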

Now you can test your new configuration. RDP access is only allowed from your custom IP addresses!

How to: Enable RDP during Task Sequence with SCCM 2012 R2

I quite often receive the question how to enable Remote Desktop (RDP) access on a server during a task sequence in SCCM 2012 or 2012 R2. Because RDP is not enabled by default, it can be really handy to enable RDP access to control your server remotely. There are a whole bunch of tools to manage your server(s) remotely, but RDP can still be necessary.

1.) Create a new package with the source location to your script directory.
2.) Create a new package with a program and use the following command:
Powershell.exe -ExecutionPolicy Unrestricted -NoProfile -File Enable-RDP.ps1
3.) The PowerShell script ‘Enable-RDP.ps1’ contains the code shown below.
4.) Insert the script in your task sequence

##
## Enable RDP: fDenyTSConnections = 0 allows incoming Remote Desktop connections
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
##
## Enable the Windows Firewall rule group for Remote Desktop (Windows 8 / Server 2012 and later)
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
##
## RDP authentication: UserAuthentication = 0 turns off the Network Level Authentication (NLA)
## requirement so clients can connect without NLA; set it to 1 to require NLA.
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 0

How to: Remove “Connect to a remote PC” in RDS 2012 R2

When you deploy a Remote Desktop Services (RDS) environment and you’re also going to use RDS Web Access, the default website (RDWeb) contains some features that you’re maybe not going to use, for example “Connect to a remote PC”. This feature gives the user the ability to connect to a remote computer using Remote Desktop Protocol (RDP).

I want to remove this option from my RDWeb website. This is a really easy job in Windows RDS 2012 R2. Without hacking some files or running a custom script, within a few seconds the option is gone!

1.) Open the Internet Information Services (IIS) Management Console
2.) Navigate to “Sites / Default Web Site / RDWeb / Pages” and select “Application Settings” in the right pane
3.) Navigate to “ShowDesktops” and change this value from true to false
4.) The new value is immediately live!
5.) As you can see, the option is gone now…
