Each itopia CAS partner is responsible for the design and implementation of their own customized security solution for each of their CAS deployments. While the following ‘best practices’ are based-on a typical deployment, Google Cloud Platform (GCP) is responsible for all IaaS- and PaaS- level security.
Standard Security Best Practices
A common set of standard security ‘best practices’ for common systems also applies to Remote Desktop Services (RDS) environments.
Minimize the attack surface by deploying to a minimum number of servers, disable services or features that are unused, use firewalls to restrict connectivity to authorized sources and targets (including port restrictions), and leverage the principle of least privilege to minimize scope if an account is compromised.
Enforce frequent and regular patching, preferably with automatic installation of security-related patches
Leverage monitoring and access auditing solutions to alert administrators if unauthorized access is detected. Modern solutions such as Azure Advanced Threat Protection (ATP) can use machine learning to perform heuristics and identify unusual user activity that can provide proactive alerting if suspicious behavior is detected
Best Practices for CAS Deployments
Itopia CAS expects each customer will have their own internal security and compliance ‘best practices’ and procedures because each customer has their own unique business and service requirements as well as their own evaluation of risk.
The following set of ‘best practices’ are provided to customers as a starting point, but the design and implementation is the responsibility of each customer and GCP:
- The secure RD Gateway servers sit behind GCP’s Firewalls and Load Balancers. They have a single secure service port open listening for authorized connections.
- If a resource in their deployment does have a public IP address, this resource behind the Firewalls. The Firewalls typically include active IPS which detects scan attempts and blacklists the IP address of the offender.
- GCP (as IAAS provider) is responsible for perimeter DDOS and IDS/IPS systems.
- Partners are responsible for ensuring any server (virtual machine) in any itopia CAS deployment has enterprise anti-malware installed and active, including IDS to detect un-authorized or simply out of character network behavior.
Frequently Asked Questions
Q: Who manages the CAS deployment’s external Firewall?
A: Typically, the partner’s IaaS provider. Each deployment sits behind external Firewalls which itopia doesn’t manage and/or control.
Q: How does itopia CAS configure the internal Firewall for each deployment?
A: itopia CAS automation setups all internal Windows Firewall policies per Microsoft best practices of a multi-tenant RDS (Remote Desktop Services) environment.
Q: Who sets up the secure Gateway server? How is it setup?
A: itopia CAS sets the secure Gateway server(s) during the initial deployment provisioning process. The secure Gateway Servers are part of the deployment core and are configured for Microsoft RDS (Remote Desktop Services). Customers and GCP are responsible for the hypervisor, virtual machines, physical hosts & network of the secure Gateway server(s).
Q: What standards are the secure Gateway servers configured to – NIST?
A: itopia CAS does not subscribe to NIST standards. We apply a combination of Microsoft best practices and IIT operational best practices developed over the past 15 years of providing CW environments.
Q: Does itopia CAS support IPSEC VPN via license files?
A: Partners can configure SSL VPNs from servers deployed for their clients to other systems outside the CW SDDC.
Q: If a customer wants to implement a VPN, would the Gateway server sit behind it?
A: VPNs are generally built between data servers and external resources (i.e. Active Directory Forests). When they are built to connect to data servers and external resources, the RD Gateways are irrelevant.
Q: How to monitor malicious attacks on a port or internally?
A: Customers install their own monitoring software in their itopia CAS deployment. GCP monitors the physical network layer.
Q: Who is responsible for IDS/IPS?
A: This is the responsibility of the partner and GCP.
Q: How are log files being reviewed once people are in the environment? Between the networks? Can someone inside the environment attack or get through to somewhere else if they wanted to?
A: Each customer deployment is segmented from by GCP subscription, GCP project, itopia CAS VPC, etc. They cannot see each other’s servers at all. This process is controlled by the itopia CAS orchestration and automation toolset. In some cases, separate vLANs are used to meet the requirements of public companies, but this is not the norm.
Q: Is 3389 is not open regardless for the connection method? They use 443 instead because of the Gateway server?
A: Yes, itopia CAS uses 443 for both RDS and HTML5 gateways