
What is the Resource Authorization Policy for RDS?


The Resource Authorization Policy (RAP) for Remote Desktop Services (RDS) is a crucial security component that defines which specific internal network resources (such as servers or computers) authorized users are permitted to access when connecting through an RDS Gateway server. It acts as a gatekeeper, ensuring that even if a user is authorized to connect to the gateway, they can only reach the destinations explicitly allowed by these policies.

Understanding RDS Resource Authorization Policies

An RDS Resource Authorization Policy (RAP) works in conjunction with a Remote Desktop Connection Authorization Policy (CAP), which determines who can connect to the RDS Gateway server. While CAPs focus on user identity and authentication, RAPs focus on the target resources these users can access.

Key Functions of a RAP

RAPs provide granular control over the internal network resources accessible to external users connecting via the RDS Gateway. Their primary function is to:

  • Specify target resources: Define the specific computers or computer groups that authorized users are allowed to connect to. This is the core purpose of a RAP: to specify which servers or computers authorized users have access to.
  • Enhance security: Prevent unauthorized access to internal network resources by acting as a filter, allowing connections only to pre-approved destinations.
  • Segregate access: Enable administrators to create different RAPs for different user groups, ensuring that users only access the resources relevant to their roles.

How RDS Resource Authorization Policies Work

When a user attempts to connect to an internal resource through the RDS Gateway, the gateway evaluates both the Connection Authorization Policy (CAP) and the Resource Authorization Policy (RAP).

  1. CAP Evaluation: First, the RDS Gateway checks if the user is authorized to connect to the gateway itself, based on their identity, group membership, and device properties (if configured).
  2. RAP Evaluation: If the user passes the CAP check, the gateway then evaluates the RAP to determine if the requested internal resource is one that the user is permitted to access. This check is based on the target resource specified in the user's connection request (e.g., a specific server name or IP address) against the list of permitted resources defined in the applicable RAP.
  3. Connection Establishment: Only if both the CAP and RAP checks are successful will the RDS Gateway establish the secure tunnel to the requested internal resource.

Configuring an RDS Resource Authorization Policy

Administrators configure RAPs directly on the RDS Gateway server. The process involves defining the specific resources that users are allowed to access.

Steps to Configure RAPs:

  1. Access the Gateway Manager: On the RDS Gateway server, open Server Manager, navigate to Tools, then Remote Desktop Services, and select Remote Desktop Gateway Manager.
  2. Create or Edit Policy: In the RD Gateway Manager, expand the server name, then navigate to Policies, and select Resource Authorization Policies. You can then create a new policy or modify an existing one.
  3. Define User Groups: Specify the user groups that this RAP will apply to. These are the groups whose members will be allowed to access the defined resources.
  4. Specify Network Resources: This is the critical step where you define the target resources. You can:
    • Select computer groups: Grant access to all computers within a specific Active Directory security group.
    • Add individual computers: List specific computer names or IP addresses.
    • Allow any network resource (with caution): While an option, this is generally discouraged for security reasons as it bypasses the granular control of RAPs.
  5. Configure Port Settings: Optionally, restrict access to specific ports on the target resources, further enhancing security.

Example RAP Scenario:

Consider a scenario where:

  • User Group: "Developers"
  • Allowed Resources: "DEV-Server01" and "Test-SQL-DB"
  • RAP Name: "RAP-Developers-DevAccess"

This RAP would ensure that only members of the "Developers" group, after successfully authenticating to the RDS Gateway, can connect to "DEV-Server01" or "Test-SQL-DB." Any attempt to connect to other internal servers would be denied by the gateway.
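The same scenario built from the command line with the RD Gateway PowerShell provider (the RDS: drive exposed by the RemoteDesktopServices module) instead of the RD Gateway Manager console, covering steps 2 through 5 above. This is an added example, not code from the article: the host and group names are the article's, while the domain name CONTOSO, the "group@domain" form for -UserGroups, the gateway-managed computer group name Dev-Servers, and the CurrentValue property read in the final audit are assumptions about the provider that should be checked against your gateway.

```powershell
# Added example (not from the article): create the "Developers" RAP scenario
# with the RD Gateway PowerShell provider. Run elevated on the RD Gateway server.
# Assumptions: domain CONTOSO, "group@domain" syntax for -UserGroups, and that
# leaf settings under a RAP expose a CurrentValue property.
Import-Module RemoteDesktopServices

$rapName   = 'RAP-Developers-DevAccess'
$userGroup = 'Developers@CONTOSO'                 # assumed domain name
$computers = @('DEV-Server01', 'Test-SQL-DB')     # hosts from the article

# Step 4: a gateway-managed computer group naming only the two approved hosts,
# so the RAP cannot match anything else on the internal network.
New-Item -Path 'RDS:\GatewayServer\GatewayManagedComputerGroups' `
         -Name 'Dev-Servers' `
         -Description 'Hosts reachable by the Developers group' `
         -Computers $computers

# Steps 2, 3 and 5: create the RAP, bind it to the user group and computer
# group, and restrict the tunnel to the RDP port.
# ComputerGroupType: 0 = RD Gateway-managed group, 1 = Active Directory
# security group, 2 = any network resource (the option the article discourages).
New-Item -Path 'RDS:\GatewayServer\RAP' `
         -Name $rapName `
         -UserGroups $userGroup `
         -ComputerGroupType 0 `
         -ComputerGroup 'Dev-Servers' `
         -PortNumbers '3389'

# Audit: list every RAP on the gateway and flag any that grants access to
# any network resource (ComputerGroupType 2), which bypasses RAP filtering.
function Get-RapAudit {
    Get-ChildItem -Path 'RDS:\GatewayServer\RAP' | ForEach-Object {
        $typeItem = Get-Item -Path "RDS:\GatewayServer\RAP\$($_.Name)\ComputerGroupType"
        $type = [int]$typeItem.CurrentValue        # assumed property name
        [pscustomobject]@{
            RAP               = $_.Name
            ComputerGroupType = $type
            AllowsAnyResource = ($type -eq 2)
        }
    }
}

Get-RapAudit | Format-Table -AutoSize
```

The gateway compares the resource string the client sends against the entries in the computer group, so a host listed only as DEV-Server01 will not match a client that connects to its IP address; if users connect both ways, list both the name and the address in the group rather than falling back to "any network resource". Any row in the audit output with AllowsAnyResource set to True deserves the same scrutiny the article gives that option.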

Benefits of Implementing RAPs

Implementing robust RAPs offers significant advantages for security and management:

  • Stronger Security Posture: Limits the "blast radius" of a compromised account by restricting access only to necessary resources.
  • Granular Control: Provides precise control over which users can reach which internal servers.
  • Compliance: Helps meet regulatory and compliance requirements by enforcing strict access control policies.
  • Simplified Management: Centralizes resource access control for Remote Desktop connections through a single gateway.

By strategically configuring RAPs, organizations can ensure that their remote workforce can access essential internal applications and data securely, without exposing the entire network.