Suggestions for Remote Windows Server Access
Posted by unsung-hiro@reddit | sysadmin | 44 comments
I have a standalone Windows server (VM) hosted at a third-party data center that is shared/used by multiple orgs. As a shared server, maintaining the server will be a collaborative effort by select IT staff from some of the orgs. The server is running a single, very specific service and is pretty much set-it-and-forget-it, so the remote access is mainly for periodic maintenance such as Windows updates, disk clean-up, etc.
I'm looking for a solution for these IT folks to be able to securely connect to this server over the internet, preferably without setting up a complicated VPN infrastructure. The data center operator is willing to accommodate requests (opening up ports and such) to a certain degree, but installing additional equipment (VPN appliances, etc.) is probably a no-go.
One-time costs would be acceptable but we'd like to avoid subscription-based solutions as it's difficult to split the bill among the organizations due to administrative reasons.
Within my org, we are using RemotePC to access certain isolated machines that can't be part of our RMM. I thought this might work as adding one more machine costs nothing, but it requires adding collaborators as users in an existing RemotePC account which creates a dependency on a single org. If my org dies, so too does the account, and access for all provisioned users.
Does anyone have any suggestions in this scenario?
Thank you in advance for any advice and insight.
hightechcoord@reddit
Guacamole?
GreatThiefPhantom@reddit
Here are 3 options:
1) Install Wireguard then just use RDP
2) DW Service
3) RustDesk
rejectionhotlin3@reddit
Zerotier is another good option and on Mikrotik
MARS822a@reddit
DW Svc is the shit
Tailscale + RDP as alternate
Dioz_31337@reddit
This, and get patch management so you don't have to install the shit by hand
spyingwind@reddit
Apache Guacamole if you want to incorporate SSH and RDP remote access into one place. Can setup Duo/TOTP 2FA, AD/LDAP auth, and record sessions for example.
djDef80@reddit
Yeah, I'm curious why there's any talk about a VPN appliance when all that's really needed is a VPN running on the server itself.
GreatThiefPhantom@reddit
This. You don't need an appliance for Wireguard. If that's too complicated, then just use Tailscale.
GeneMoody-Action1@reddit
Use a SaaS product that calls home from inside and forget ingress altogether?
That way you have zero RA external footprint, and to the host, you are simply making another connection to another endpoint on the internet.
pv_jenkins@reddit
Remote Desktop Gateway (RD Gateway): This can be a solid choice if you're looking for a secure way to access your Windows server. It's built into Windows Server, so you won't need additional hardware. You can configure it to use SSL, which might align nicely with the data center's willingness to open ports. The setup is a bit more involved than a simple RDP, but it provides a secure connection without needing a full VPN.
Azure Bastion: If you're open to cloud solutions and your data center is Azure-friendly, Azure Bastion provides secure RDP and SSH connectivity to your VMs without a public IP. It's a bit more cloud-centric and might not fit if you're avoiding subscriptions, but it's worth considering for its security benefits.
Confident_Guide_3866@reddit
WireGuard and RDP
D4M3@reddit
I know VPN is a no go but to be fair Tailscale can be deployed to devices that are needed without much hassle and supports up to 100 devices for free. After that RDP can be achieved to the host as long as you have enough users to log into as needed.
Edgeforce@reddit
https://www.dwservice.net would work perfectly for this and checks all of your boxes. It's free, doesn't require any kind of subscription, no VPN needed, supports MFA, and can be securely shared with the other support folks to remotely access the same machines as needed.
Absolute_Bob@reddit
VPN is the standard for colo access, is this a "datacenter" or a dude with a basement who figured out how to bypass the electric meter? You could do an RD Gateway but be prepared for the box to get compromised a lot.
unsung-hiro@reddit (OP)
This is a proper data center.
I will ask the operator if they already have a VPN infrastructure in place that we could just use.
For RDS, for a standalone workgroup server I think we'd need a cert and VDA licensing which is not feasible since the server won't be tied to any one org and these are ongoing costs/elements that would need to be maintained.
supremeicecreme@reddit
For remote administration, Windows allows 2 admins connected with RDP at any point. The RD Gateway is simply for “putting it on the internet” which is fine but not amazing. For no cost/low cost, have a look at Apache Guacamole - it’s a web-based portal which can do RDP, VNC and other protocols. I’m assuming it’ll happily run in some form on Windows, but from my experience I’ve had it running on a small Linux box on a Tomcat server.
dustojnikhummer@reddit
And the standard "2 sessions RDP" doesn't need any extra license (aside from Windows Server and CALs which you need anyway) unlike Windows Terminal Services
Historical_Score_842@reddit
What security is in place? This isn’t just about functionality but how it is properly being secured, since this is a public internet-facing system with multiple outside partners using it.
This is an auditors nightmare.
techboy411@reddit
If each org has their own remote access software, have them install it and log on with their own creds.
For instance, one has ScreenConnect, one has AnyDesk, one has SplashTop...
you get the drill.
Ssakaa@reddit
So, who owns the responsibility when Bob skips doing updates because he took a day off, no one else at a different org stepped in, and the box gets popped by an attack that should have been patched? Who owns it when Steve at another org decides to clean up some space and wipes something Bob's org needed? Who owns offboarding when Steve gets fired from his org?
The lack of clear ownership and line of responsibility is an absolute nightmare here, begging for loss of data, outages, and lawsuits.
Skyhound555@reddit
After reading your response, I believe you're asking for too much. This is a classic "pick two" scenario between cheap, secure, and easy-to-use. To be honest, cheap and easy-to-use options are very slim. Especially if you want a one-time cost, which does not really exist anymore unless you go open source and live with a complex setup.
VPN is not the standard anymore and is actually being phased out in favor of direct, zero trust server access. Okta PAM is the current leader and Cisco, Cloudflare also offer Zero Trust Remote Access. Teleport is the open source option.
Gonna be honest, set up can vary. Though for one server, you could probably just install an agent that would handle it.
We rent our own datacenter space. So for "break glass" scenarios we also use a raspberry pi bastion server exposed to the internet. However, it is heavily tied to monitoring so if it is ever accessed, the whole organization knows about it lol
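The "heavily tied to monitoring" idea above, as an added example that is not from any commenter in the thread: a PowerShell snippet that pulls Remote Desktop logons out of the Security log of a Windows server and summarises them per source address, which is the raw material for the "someone touched the box" alert. The seven-day window and the output layout are my own choices; the event IDs and field names are standard Windows ones.

```powershell
# Added example (not from the thread): summarise Remote Desktop logons on a
# Windows server from the Security log, so that any interactive access to a
# shared or "break glass" box is visible and can be forwarded to whoever
# monitors it. Run in an elevated PowerShell. $Since is a constructed window.

$Since = (Get-Date).AddDays(-7)

# 4624 = successful logon, 4625 = failed logon. LogonType 10 is RemoteInteractive
# (an RDP session). With NLA enabled, failed RDP attempts are usually recorded as
# LogonType 3 (the network pre-authentication), so failures are kept for every
# logon type and the type is reported alongside the source address.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $Since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ($e.Id -eq 4624 -and $d['LogonType'] -ne '10') { continue }  # successes: RDP only
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Result    = if ($e.Id -eq 4624) { 'success' } else { 'failure' }
        LogonType = $d['LogonType']
        User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Source    = $d['IpAddress']
        Station   = $d['WorkstationName']
    }
}

# Per-source summary: a burst of failures from one address is the thing to alert on,
# a success from an address nobody recognises is the thing to page on.
$rows | Group-Object Source, Result |
    Select-Object @{n='Source'; e={ $_.Values[0] }},
                  @{n='Result'; e={ $_.Values[1] }},
                  Count |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Full detail of successful sessions, for the periodic access review.
$rows | Where-Object Result -eq 'success' | Sort-Object Time | Format-Table -AutoSize
```

Scheduling this and mailing or forwarding the two tables to every participating org's admins gives each of them the same view of who logged in, which matters more on a shared server than on one with a single owner. The Security log must be retaining 4624/4625 (it does by default on Windows Server); if audit policy has been tightened, check that "Audit Logon" is still set to Success and Failure.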
Equivalent-Peak-5213@reddit
The company I worked for was pushing against using RDP for similar solutions you mentioned via Privileged Access Management where basically the RDP was contained inside of a browser session (one vendor used was Cyberark) and I've always wondered the rationale why.
Conceptually, every connection uses a service and protocol. Whether you're using a vendor with another service or protocol versus one embedded as a standard (RDP) in Windows Server and Windows - what exactly is the difference? I'm going to assume it's layering things like MFA, session timeout, and session replayability into the product? Or is it functioning to authenticate at the server level via some zero-trust method?
Either way, it would seem an admin username is still going to have its authentication and authorization handled in Active Directory, and if you had someone's password and 2FA I'm not sure what these products are necessarily providing outside of what I listed versus RDP.
Skyhound555@reddit
The benefits are multi-faceted. For one, zero trust access makes it so that one no longer has to expose a whole subnet to users when you only need them to access a few server assets. I would say that is the primary goal of the tool. In most cases, they are just taking your RDP/SSH session and routing it through a gateway managed by the platform. It's all about reducing attack vectors.
It is also great for just-in-time access provisioning. Most of these tools will only create the admin credential on the server at the moment it is authorized to do so.
It also offers auditing of ssh and rdp sessions, so we can monitor how the access is being used.
The problem with VPN is that it is very basic. Nowadays, it is not uncommon to have non-IT and non-privileged users to hop onto a remote VM for data entry work. You don't want these people to be able to perform any lateral movement on the network. It is easier to restrict things on the credential side than the network side.
Equivalent-Peak-5213@reddit
Thanks for the explanation. We always had separate Admin/Superuser accounts for servers created, and permissions to login via RDP were handled by access policy inside of AD so no normal business user could get in. Also all PROD servers were segmented from DEV/TEST servers that developers could access. It sounds like in this case it goes a step further and creates a proxy server to access servers (which we did with public facing servers via a DMZ in the way you mention).
I was just curious how this worked and what benefit it brought, the MFA one is the primary one I considered along with session replayability for logging access, as well as reducing attack surface (or at least changing it).
whatsforsupa@reddit
Can you just setup RDP and set the firewall to only allow specific IPs to connect to it?
unsung-hiro@reddit (OP)
Yes, this would be easiest but 1) I hear running RDP without RDS w/ MFA is dangerous, and 2) we would need VDA licensing which means VLA/SA/EA tied to a specific org.
DepthPuzzleheaded546@reddit
2) Why? Just install a Server 2025, buy RDS and Server CALs and you are good to go.
SevaraB@reddit
You've got a people problem right in the first sentence: too many hands on this server. One org should be responsible for this server and everybody else should be submitting tickets instead of working on it directly. If it's a competitive advantage thing, maybe that responsible party should be a neutral third party/trustee specifically taking care of that server.
UpsetBar@reddit
What is happening here? This entire thread is making my head spin.
cyr0nk0r@reddit
You want SecureRDP. Check them out. It does exactly what you want and is about as simple as it gets.
OkEmployment4437@reddit
For a shared Windows server like this, I'd worry more about ownership than the remote access method. Pick one org to own patching and change control, give everyone else named accounts with just enough access, then put either WireGuard in front of RDP or use RD Gateway if you want the all-Windows route. I would not expose straight RDP even with IP allowlists because those lists always get messy once a few orgs are involved. If six different admins all treat it like "their" box, that's the part that usually goes sideways first.
Appropriate-Egg9733@reddit
RD Gateway is probably your cleanest option. It's built into Windows Server, tunnels RDP over HTTPS, and needs no subscription or appliance. Just a cert (like Let's Encrypt) and one open port at the DC.
For the multi-org dependency problem just skip shared accounts entirely. Give each org their own local account on the server. You revoke per-org if someone leaves or an org drops out, and no single org owns the credential. Avoids exactly the RemotePC problem you described.
If you want something more turnkey and fully open source Rustdesk self-hosted is worth a look. Relay server runs on a cheap VPS
unsung-hiro@reddit (OP)
I really like the idea of RDS, but for a standalone workgroup server we'd need to maintain the cert, and VDA licensing would be needed, which is not feasible since the server won't be tied to any one org.
About the org dependency issue, we could issue individual local accounts on the server but the server has to run in an unlocked state, i.e., a certain app running in an active logon session, and troubleshooting/maintenance would likely require using that session. Therefore, I would prefer to control access at the remote connection level.
I will look into Rustdesk but other than the free tier it seems there's an ongoing cost and we cannot easily host another VPS for this purpose.
Thank you.
CP_Money@reddit
RD Gateway is not RDS you’re confusing the two. RD Gateway can run on its own without being part of an RDS deployment.
unsung-hiro@reddit (OP)
Thank you for the clarification - TIL!
blue30@reddit
Not a fan of VPN directly to the server because having multiple interfaces, subnets, etc. can make some situations more complicated. RDP locked down to specific source IPs by firewall is nice and easy. Or a jump box of some kind. Say a little NUC sat on top of it you can VPN to, then RDP to the server, or hit up the iDRAC, iLO, etc.
kyle-the-brown@reddit
A single device LMI license with user accounts would be web based access with forced MFA
Otherwise MFA enforced VPN with MFA enforced non public RDP is probably the best
I would not open RDP to the public - it will get compromised eventually
If you don't like LMI there are other options like TeamViewer, ScreenConnect, etc.
Personally, I would rather some type of RMM software with remote access, remote scripting, update management, hardware monitoring built in - the license cost on that is just added to the operating costs and spread between the clients as a slight hike - will keep you from having to actively monitor the server as it will alert for issues and give you weekly update status notifications.
Dry_Inspection_4583@reddit
I'd suggest a bastion host or jump box with a specific VPN through WireGuard for access, not direct access. Policy of least privilege from the OS firewall and maintained upstream.
You may even consider a secondary card on the endpoint to put access on a different VLAN for access. MFA should also be considered at a minimum on the bastion host.
And depending on compliance requirements you could lock it down to hardware or key access (SSL).
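Several comments converge on the same server-side control: "WireGuard then just use RDP", "set the firewall to only allow specific IPs", and the "least privilege from the OS firewall" point directly above. The following PowerShell is an added example, not something posted by any commenter, showing what that looks like on the Windows server itself: the default any-source Remote Desktop rules are disabled, a single inbound rule is scoped to an allow-list, and Network Level Authentication is required. The `10.66.0.0/24` range is a constructed placeholder for a WireGuard tunnel subnet; substitute the admins' fixed public addresses if you go the plain allow-list route instead.

```powershell
# Added example (not from the thread): lock RDP on a standalone Windows server
# down to an allow-list of source addresses (for example a WireGuard tunnel
# subnet) and require Network Level Authentication. Run in an elevated
# PowerShell *from the VM console*, not over the RDP session you are about to
# restrict. $AllowedSources is a constructed placeholder.

$AllowedSources = @('10.66.0.0/24')   # constructed: WireGuard tunnel range

# 1. Require NLA so a client must authenticate before a session is created.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# 2. Disable the built-in "Remote Desktop" rule group, which accepts any source.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# 3. Create one inbound rule per protocol, scoped to the allow-list only.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "RDP (scoped) $proto" -Direction Inbound `
        -Protocol $proto -LocalPort 3389 -RemoteAddress $AllowedSources `
        -Action Allow -Profile Any
}

# 4. Make sure anything not explicitly allowed is dropped on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 5. Verify: every enabled inbound rule on 3389 and the source scope it allows.
#    Any rule here with RemoteAddress "Any" means the lock-down is incomplete.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 3389 } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

Step 5 is the part worth re-running after every change, because a later admin adding "just one more" allow rule is exactly how the allow-list gets messy once several orgs are involved. With a WireGuard tunnel in front, the same scoping also means that a leaked public IP of the data center exposes nothing on 3389 to the internet at all.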
MinnSnowMan@reddit
Zoho Assist is subscription but only $18 US a month for up to 5 unattended installs
MySurvive@reddit
It is the year of our Lord two thousand twenty six, why are we manually performing server maintenance? :P
canadian_sysadmin@reddit
I'd suggest maintaining and monitoring the server should be the responsibility of a single team.
It could go bad very quickly if multiple people have their hands on it. If something goes wrong, you'll also have too many people trying to fix it and stepping on each other's toes.
unsung-hiro@reddit (OP)
Yes, we have considered this and the IT staff from various orgs will be the support "team". We will have a process and structure in place for handling issues. We just need a way to get in without any dependencies on any one org.
noazrky@reddit
AnyDesk or the free 1 person version of ScreenConnect
unsung-hiro@reddit (OP)
AnyDesk is subscription-based and ScreenConnect no longer offers a free tier.
We have funds, but they can only be used for non-recurring costs and we can't maintain subscriptions.