How to secure remote desktop access to windows azure instances

Question

I've successfully enabled Remote Desktop access to my Windows Azure Web role, but ideally I'd like to lock down access so it's not only protected by a password. Is this possible? For example, restrict RDP access to specific IP ranges, require a client certificate, etc.

I realise that you're advised not to enable Remote Desktop at all times but rather only enable it for troubleshooting. But if it's enabled for troubleshooting the security problem still remains. (Also seems annoying that you can't enable/disable RDP access without republishing, unless I'm missing something).

thanks

Answer 1

One thing you can do is move your site to a durable VM, that offers you the ability to:

• Edit November 2013: you can use ACLs to lock down specgic port ranges for RDP using PowerShell. The new Azure portal allows you to do this inside the portal itself withour PowerShell: http://weblogs.asp.net/scottgu/archive/2013/11/04/windows-azure-import-export-hard-drives-vm-acls-web-sockets-remote-debugging-continuous-delivery-new-relic-billing-alerts-and-more.aspx

• you can use the OS software Windows Firwall

• go over another port instead of the default 3389. In the endpoint management portal you can have an external port (ie 2400) point to an internal port of 3389. This obfuscates rdp access a little for people sniffing for RDP ports

• that endpoint behavior mentioned above can be added or removed pretty quickly..so you can have RDP enabled on the server, but no traffic will be allowed in until the endpoint is added/enabled for the Virtual Machine

You could change the RDP port as well using a script (using a web/worker role) to mimic the behavior above, but I would not do that. With PowerShell scripts, you can have an admin page that runs a powershell script in the background (turn on RDP/turn it off). But I think that is a big overkill here unless you really want to turn RDP off for compliance.

Edit: addition info since 2012 :)