
How to secure remote desktop access to Windows Azure instances

I've successfully enabled Remote Desktop access to my Windows Azure Web role, but ideally I'd like to lock down access so it's not only protected by a password. Is this possible? For example, restrict RDP access to specific IP ranges, require a client certificate, etc.

I realise that you're advised not to enable Remote Desktop at all times but rather only enable it for troubleshooting. But if it's enabled for troubleshooting the security problem still remains. (Also seems annoying that you can't enable/disable RDP access without republishing, unless I'm missing something).

thanks

One thing you can do is move your site to a durable VM, which offers you the ability to:

  • Edit November 2013: you can use ACLs to lock down specific port ranges for RDP using PowerShell. The new Azure portal allows you to do this inside the portal itself without PowerShell: http://weblogs.asp.net/scottgu/archive/2013/11/04/windows-azure-import-export-hard-drives-vm-acls-web-sockets-remote-debugging-continuous-delivery-new-relic-billing-alerts-and-more.aspx

  • you can use the OS software Windows Firewall

  • go over another port instead of the default 3389. In the endpoint management portal you can have an external port (i.e. 2400) point to an internal port of 3389. This obfuscates RDP access a little for people sniffing for RDP ports

  • that endpoint behavior mentioned above can be added or removed pretty quickly, so you can have RDP enabled on the server, but no traffic will be allowed in until the endpoint is added/enabled for the Virtual Machine

You could change the RDP port as well using a script (using a web/worker role) to mimic the behavior above, but I would not do that. With PowerShell scripts, you can have an admin page that runs a PowerShell script in the background (turn on RDP/turn it off). But I think that is a big overkill here unless you really want to turn RDP off for compliance.

Edit: additional info since 2012 :)
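The answer above describes four controls for a durable VM: an endpoint ACL, the in-guest Windows Firewall, a non-default public port, and adding/removing the endpoint to toggle access. The script below is an added example (not code from the answer's author or from Microsoft) that puts those together with the classic Azure Service Management PowerShell module the 2013 edit refers to. The cloud service name `myCloudService`, VM name `web01`, endpoint name `RDP`, public port 2400 and the admin range `203.0.113.0/24` are all assumptions; substitute your own.

```powershell
# Added example: lock a classic (ASM) Azure VM's RDP endpoint to a single
# management range and make the endpoint quick to open and close.
# Assumed values (not from the original answer):
$serviceName = 'myCloudService'   # assumption: cloud service hosting the VM
$vmName      = 'web01'            # assumption: VM name
$adminRange  = '203.0.113.0/24'   # assumption: office/VPN egress range
$publicPort  = 2400               # non-default public port: obfuscation only,
                                  # RDP is still fingerprintable on any port

# 1. Endpoint ACL, enforced at the Azure edge before traffic reaches the VM.
#    As soon as one Permit rule exists, all other sources are denied, so a
#    single rule whitelists the admin range and drops everything else.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet $adminRange `
    -Order 100 -Description 'RDP from admin range only'

function Enable-RdpEndpoint {
    # Adds the endpoint (public 2400 -> local 3389) with the ACL attached.
    Get-AzureVM -ServiceName $serviceName -Name $vmName |
        Add-AzureEndpoint -Name 'RDP' -Protocol tcp -LocalPort 3389 `
            -PublicPort $publicPort -ACL $acl |
        Update-AzureVM
}

function Disable-RdpEndpoint {
    # Removing the endpoint stops all inbound RDP at the edge; the RDP
    # service inside the guest stays running, so re-enabling is instant
    # and no redeploy is needed.
    Get-AzureVM -ServiceName $serviceName -Name $vmName |
        Remove-AzureEndpoint -Name 'RDP' |
        Update-AzureVM
}

function Show-RdpAcl {
    # Read back what is actually applied instead of trusting the script.
    Get-AzureVM -ServiceName $serviceName -Name $vmName |
        Get-AzureAclConfig -EndpointName 'RDP'
}

# 2. Defence in depth inside the guest: if someone later widens the endpoint
#    ACL in the portal, the Windows Firewall still only answers the admin
#    range. Run this block on the VM itself (startup task or remote session).
#    The built-in RDP rules live in the 'Remote Desktop' display group.
$guestHardening = {
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress '203.0.113.0/24'
    # Confirm the scope that was applied.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Get-NetFirewallAddressFilter |
        Select-Object RemoteAddress
}

# Usage from an admin workstation, after Add-AzureAccount / Select-AzureSubscription:
#   Enable-RdpEndpoint; Show-RdpAcl   # open RDP for a troubleshooting session
#   Disable-RdpEndpoint               # close it again when done
```

Two practical caveats: the endpoint ACL only covers traffic that arrives through that endpoint, so the in-guest firewall rule is what protects you if a second RDP endpoint or a wider ACL is added later; and changing the public port buys nothing against an attacker who scans the service's address range and reads the RDP banner, so treat it as noise reduction, not a control.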
