AWS EC2 Windows RDP Security
Most likely you are working with some form of cloud infrastructure these days, whether Amazon AWS, Google GCP, or Microsoft Azure. Not too long ago I had a question from a team I was working with about Windows RDP security for an Amazon AWS EC2 instance. The assumption was that a security group could allow 3389 to the world because a “key pair” was used in conjunction with the Windows Server RDP connection. However, I want to explore some of the misconceptions about how the Amazon AWS RDP session works when provisioning a Windows host as an Amazon AWS EC2 instance.
How Windows EC2 instances use the AWS key pairs
The way Windows EC2 instances use key pairs, both for security and for connectivity, is a bit different from Linux instances. How so? When you spin up an Amazon AWS EC2 Windows instance, AWS sets a default password for the Administrator account on the Windows host.
The AWS key pair is only used to view (decrypt) this default password. Once you have the password, you can save it in clear text in your password manager or by other means and use it to connect via RDP to the AWS Windows EC2 instance.
Additionally, this means that you do not need to be in possession of the key pair to connect to the Windows instance, unlike establishing an SSH connection to a Linux EC2 instance.
AWS EC2 Windows RDP Security
Let’s walk through what it looks like to configure your AWS EC2 Windows instance and establish an RDP connection. I am not posting all the screenshots related to creating a Windows instance, such as instance size, storage, etc. However, starting in step 6 (Configuring Security Group), you see the default security group configuration, which allows all connections to port 3389.
You will see an information warning of sorts noting that your security group configuration is allowing connections from the outside world.
The next step is where confusion can set in for those creating their first Windows AWS EC2 instance. After you select to launch the instance, you will be prompted to select an existing key pair or create a new key pair. Many may assume that the ability to connect to your Windows instance will be determined by this key.
After generating or selecting an existing AWS key pair and launching the instance, once it is running, you can right-click and select Connect to connect to your new AWS EC2 Windows instance.
When you select to Connect, you will see the Connect to instance screen. Here you have a couple of options. You can download your remote desktop file and also click the Get password link to see the password for the default administrator local account on the AWS EC2 Windows instance.
Once you click the Get password link, you will choose the key pair you downloaded from Step 7. The private key will be displayed. You can then click the Decrypt password button.
Once you click the Decrypt Password button, you will see the password displayed in clear text under the Password section.
Again, this may create some confusion or misconceptions about the role the key pair plays in the ability to connect to the AWS EC2 Windows instance. Unlike Linux EC2 instances, where you have to have the private key to make an SSH connection, the key pair is only used to view the password, not to make the connection. As you can see below, I can connect directly to the IP address of my Windows AWS EC2 instance with the password that was displayed in clear text, and the key pair is never involved in the connection itself.
Importance of understanding the key pair role with AWS EC2 Windows instances
Why is it important to understand how the key pair is used? Many get a false sense of security with Windows AWS EC2 instances, believing their Windows RDP ports are more secure running in AWS since they require a key pair. However, as shown, the key pair is simply used to decrypt the initial default administrator password that AWS configures automatically. What’s more, you can change the default password to something that is less secure.
Amazon details that process here: Set the password for a Windows instance – Amazon Elastic Compute Cloud. It is still very important to keep AWS EC2 Windows RDP security in mind when configuring and using Windows AWS EC2 instances. This includes scoping down who has access to the Windows instance by means of the AWS Security Group, in addition to other means.
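Since the key pair does nothing to restrict who can reach port 3389, the security group is the control that matters. The following is an added example, not code from the original post: it audits the JSON shape returned by `aws ec2 describe-security-groups` and reports every group whose inbound rules let RDP in from any IPv4 or IPv6 address, including "All traffic" (`-1`) rules and port ranges that happen to span 3389. The group ids, names and CIDRs in the sample are constructed for illustration.

```python
import json
from ipaddress import ip_network

RDP_PORT = 3389

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group ids, names and CIDRs are made up; 203.0.113.0/24 is a documentation range.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0example1", "GroupName": "launch-wizard-1",   # wizard default
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0example2", "GroupName": "rdp-from-office",   # scoped down
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example3", "GroupName": "allow-everything",  # all traffic rule
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": []}]},
]})

def rule_covers_port(rule, port):
    """True if an inbound rule permits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "All traffic": every protocol and port, no FromPort/ToPort keys
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def world_open_sources(rule):
    """Return the CIDRs in a rule that match every IPv4 or IPv6 address (/0)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ip_network(c, strict=False).prefixlen == 0]

def find_world_open_rdp(describe_output_json, port=RDP_PORT):
    """Map GroupId -> list of world-open CIDRs whose rules reach `port`."""
    findings = {}
    for sg in json.loads(describe_output_json)["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            if rule_covers_port(rule, port):
                open_cidrs = world_open_sources(rule)
                if open_cidrs:
                    findings.setdefault(sg["GroupId"], []).extend(open_cidrs)
    return findings

if __name__ == "__main__":
    for group_id, cidrs in find_world_open_rdp(SAMPLE_DESCRIBE_OUTPUT).items():
        print(f"{group_id}: RDP reachable from {', '.join(cidrs)}")
```

To run it against a real account, pass the output of `aws ec2 describe-security-groups` to `find_world_open_rdp` in place of the constructed sample.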