I'm dealing with some Windows servers and appliances that aren't joined to Active Directory and likely won't be in the future since they're part of our operational technology (OT) environment. When I connect via Remote Desktop Protocol (RDP) to these servers, they use NTLM for authentication, which is necessary because Kerberos requires a domain controller. While the risk is fairly low since they're all on-premises, I'd prefer not to have NTLM hashes flying around our network. I'm looking for advice on how I can wrap these RDP sessions in SSH to secure them further. I'm okay with an extra step for establishing the SSH tunnel as long as the connection remains stable.
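The SSH wrap the question asks about can be built from Windows' own OpenSSH server, with no third-party gateway. The following is an added example written for this page, not code from the question or any of the answers. It assumes Windows Server 2019 or later on the OT host, a local account `otadmin` on a host named `ot-host-01`, a management subnet of `10.10.5.0/24`, and a free local port `13389` on the admin workstation; all of those are placeholders. Part 1 runs once, elevated, on the OT host; Part 2 runs on the workstation each time you connect.

```powershell
# Added example (not from the original question or answers): wrapping RDP to a
# non-domain Windows OT host in an SSH tunnel using the in-box OpenSSH server.
# Hypothetical names: ot-host-01 (OT server), otadmin (local account on it),
# 10.10.5.0/24 (management subnet), 13389 (local forwarded port).

# ---------- Part 1: run once on the OT host, from an elevated prompt ----------
function Enable-SshWrappedRdp {
    param(
        [string]$ManagementSubnet = '10.10.5.0/24'   # assumed admin network
    )
    # Install and start the in-box OpenSSH server (Windows Server 2019+ / Windows 10 1809+).
    $cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
    if ($cap.State -ne 'Installed') {
        Add-WindowsCapability -Online -Name $cap.Name | Out-Null
    }
    Set-Service -Name sshd -StartupType Automatic
    Start-Service -Name sshd

    # Accept SSH only from the management subnet.
    if (-not (Get-NetFirewallRule -Name 'OT-SSH-Mgmt' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name 'OT-SSH-Mgmt' -DisplayName 'SSH from management subnet' `
            -Direction Inbound -Protocol TCP -LocalPort 22 `
            -RemoteAddress $ManagementSubnet -Action Allow | Out-Null
    }

    # Scope the built-in Remote Desktop rules to loopback. The forwarded RDP
    # connection is opened by sshd on this host, so it arrives from 127.0.0.1;
    # direct RDP from anywhere else on the network is no longer accepted.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress 127.0.0.1

    # Keep Network Level Authentication on. The CredSSP/NTLM exchange still
    # happens against the local account, but now only inside the SSH tunnel.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -Name UserAuthentication -Value 1
}

# ---------- Part 2: run on the admin workstation for each session ----------
function Connect-RdpOverSsh {
    param(
        [string]$SshTarget = 'otadmin@ot-host-01',   # assumed account@host
        [int]$LocalPort    = 13389
    )
    # -N: no remote shell; -L: forward the local port to RDP on the host's loopback.
    # Host-key checking is strict on purpose: seed known_hosts out of band instead
    # of accepting an unknown key on first use. -NoNewWindow keeps ssh in this
    # console so a password or key-passphrase prompt is visible.
    $tunnel = Start-Process -FilePath 'ssh.exe' -PassThru -NoNewWindow -ArgumentList @(
        '-N',
        '-o', 'StrictHostKeyChecking=yes',
        '-o', 'ExitOnForwardFailure=yes',
        '-L', "${LocalPort}:127.0.0.1:3389",
        $SshTarget
    )
    try {
        # Wait until the local end of the tunnel is listening (or ssh gives up).
        $deadline = (Get-Date).AddSeconds(30)
        do {
            Start-Sleep -Milliseconds 500
            $up = (Test-NetConnection -ComputerName 127.0.0.1 -Port $LocalPort `
                       -WarningAction SilentlyContinue).TcpTestSucceeded
        } until ($up -or $tunnel.HasExited -or (Get-Date) -gt $deadline)
        if (-not $up) { throw "SSH tunnel to $SshTarget did not come up" }

        # mstsc connects to the local end; from here the RDP stream rides inside SSH.
        Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:127.0.0.1:$LocalPort" -Wait
    }
    finally {
        # Tear the tunnel down when the RDP client exits.
        if (-not $tunnel.HasExited) { Stop-Process -Id $tunnel.Id }
    }
}

# Usage:
#   On the OT host:        Enable-SshWrappedRdp -ManagementSubnet '10.10.5.0/24'
#   On the workstation:    Connect-RdpOverSsh -SshTarget 'otadmin@ot-host-01'
```

Two things to expect in practice: because mstsc is told to connect to 127.0.0.1, it will warn that the server's RDP certificate name does not match the address, which is a side effect of the tunnel rather than a problem with the host; and the NTLM exchange does not disappear, it is simply carried inside SSH, so the gain is that nothing NTLM-related crosses the network in the clear. Key-based SSH authentication removes the interactive prompt and lets you turn off password authentication on the host once keys are in place.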
5 Answers
We’re implementing Guacamole for similar access. It allows secure connections since the Guacamole server is the only point accessing the RDP ports directly, and it’s exposed only through HTTPS.
How are your OT nodes connected to the rest of your environment? You might want to explore something like Bitvise Tunnelier for creating secure connections.
Consider using an RD Gateway set up in a DMZ for secure remote desktop connections to your OT servers. It’s been my go-to solution for years, coupled with network segmentation and firewalls between OT and AD.
You can definitely run RDP over IPSEC. It offers a solid layer of security for your connections.
One straightforward way to encrypt traffic on Windows is by using IPSEC in the Windows firewall. It can help secure your RDP sessions quite effectively without too much hassle.