Restricting login to RAS

Discussion in 'Parallels Remote Application Server' started by MatE1, Jul 1, 2019.

Tags:
  1. MatE1

    MatE1 Bit poster

    Messages:
    7
    Hello
    Does anyone know if there is a way to restrict which Active Directory users can login to RAS?
    I know there is a way to filter Published Resources by user or group. However wondered if you could stop all Active Directory users from being able to login.
     
  2. Eugene. K.

    Eugene. K. Parallels Team

    Messages:
    124
    Hi MatE1,
    Could you please describe to us why do you want it and what behavior do you expect? Your answers might help me to suggest you something or probably file a new feature request in RAS.
    Thanks in advance!
     
  3. MatE1

    MatE1 Bit poster

    Messages:
    7
    Hi Eugene
    I can't think of anything specific at the moment. Maybe if there was some security concern where you didn't want a user/group of users to be able to login to RAS. At the moment it seems that any AD user can login and what they can do is only based on the published resources filtering. If that is the case then that is fine. I just want to make sure i am not missing something.
    Thanks
     
  4. Eugene. K.

    Eugene. K. Parallels Team

    Messages:
    124
    Hi Mat, thanks for your time.
    Indeed a normal practice is to publish resources to a particular AD group and manage members of this group from AD. When people out of the group log into RAS they don't see resources and can't connect to servers.

    We don't see a real use case for preventing login to RAS per-user and don't really get such requests (often). That's why we don't have this functionality in the product.
    Anyway, I'll count you as "+1" requestor for the corresponding feature and maybe it will be released someday.

    At the same time there are few ways to prohibit logon to RAS which work for some situations:
    1) Two Factor Authentication.
    Parallels RAS has built-in support for various 2FA services. You could configure who can log in to RAS on 2FA side. It helps to increase security in general and save account passwords from being brute-forced.
    2) Trusts.
    If you have 2 domains in a trust and want only users of 1 domain to be able to login to RAS, then you can configure it in Administration -> Authentication

    I can't come up with anything extra at the moment.
     
  5. roberta5B

    roberta5B Bit poster

    Messages:
    2
    I have a Windows Server 2019 Environment. I have several VPN users who connect from their home machines to the VPN and then initial outbound RDP connections from the corporate network to another network.
     
  6. roberta5B

    roberta5B Bit poster

    Messages:
    2
     
    Last edited by a moderator: Jul 20, 2019
  7. CantwellV

    CantwellV Bit poster

    Messages:
    2
    Also in active directory you can configure a static remote ip address. Also in the Network Access Permission click Allow to allow the user to connect through VPN, Deny -self explainatory, Control access through NPS network policy you would click if you used NAP.
     
  8. CantwellV

    CantwellV Bit poster

    Messages:
    2
    Any other update?
     
  9. nishar1

    nishar1 Bit poster

    Messages:
    5
    We have no Proxy in place, hence everyone has unrestricted access. Port restrictions are in place on the firewall. We have Tellsubway Server 2003 RRAS box handling all the incoming VPN connectivity.

    Many thanks in advance.
     
    Last edited by a moderator: Oct 29, 2019
  10. nishar1

    nishar1 Bit poster

    Messages:
    5
    NAP is available only in server 2008 or above. It is not available in 2003, and it is a little more complicated to deploy but in short, you basically configure a connection policy for computers to connect. If they meet certain conditions that are required, they are allowed inside the network, if not they can be sent to a remediation network where they can try to meet the compliance checks. You also have to enable NAP clients through Group Policy.
     
    Last edited by a moderator: Jan 26, 2020
  11. nishar1

    nishar1 Bit poster

    Messages:
    5
    As I thinking that if you are using your personal Network then you may be able to restrict user RAS Login. But in that case, you must have to shift your network IP address using Tellsubway VPN and you may able to restrict RAS Login.
     
  12. ParallelsU1156

    ParallelsU1156 Bit poster

    Messages:
    2
    This is quite an old forum post, but feel it is extremely important.
    If Parallels is accessible from the Internet, I certainly don't want it to be used to bruteforce admin accounts or DDoS them.

    Even if 2FA is enabled, username and password can be tried from anywhere in the world. Yes, they can't log in then, but there are accounts where this simply shouldn't be possible at all.

    From me (and all colleagues and customers) a very big +1 for this feature. For me it is completely incomprehensible that this supposedly bothers so few people 0.o
     
  13. jpc

    jpc Pro

    Messages:
    427
    Counter intuitively, when using MFA (especially if enrollment is ready or admin-managed), brute force in this manner will not be possible.
    While RAS has some DOS prevention functionality, it is mostly out of its direct scope.
    An allow/deny list sounds like a good idea, but I'm not sure if it can help if there are same named users (administrator) with different domains (local or one in the forest). RDP itself doesn't do that (it authenticates the user before checking the allow list). I'm sure that with some restrictions, it can be done. Hopefully this limitation might be re-reviewed.
     
  14. ParallelsU1156

    ParallelsU1156 Bit poster

    Messages:
    2
    @jpc Thank you for the answer.
    I checked that again and it is not perfect but not as bad as I thought. Guessing usernames is possible, because if a username is unknown, I get a corresponding error message. But guessing passwords does not work. Even if the provided password is wrong, the 2FA request appears and is send to my phone. Only after providing the correct 2FA token, I the password wrong info.
     
  15. DimitriosM

    DimitriosM Bit poster

    Messages:
    2
    A way to control initial login to the RAS Portal is through Themes. You can filter the AD user groups that have access to the theme, restricting in this way the initial login.
     
  16. David GHT-LOIRET

    David GHT-LOIRET Bit poster

    Messages:
    2
    Good morning,
    Be careful, there is a bug. if you use flush from the outside, it is possible for the user to change the theme and go back to the default theme.
    Gateways accessible from the Internet should be able to filter the theme.
    I reported the security flaw, but nothing is progressing at Parallels
     
  17. DimitriosM

    DimitriosM Bit poster

    Messages:
    2
    If the environment is not very complex, you can use the default theme and apply the restrictions there. No need to create a separate theme.
     
  18. johnc113

    johnc113 Bit poster

    Messages:
    5
    yes, you can restrict the active directory user can log in the remote application server.
     

Share This Page