
ADMT approach

Hermann Maurer, Jan 22 2020

© 2019 | GFT Technologies SE and its affiliates. All rights reserved.


Shaping the future of digital business

Agenda

1. Objectives
2. Terminal Server landscape
3. Network topology and restrictions
4. Working with Terminal Servers
5. Emergency access

gft.com 02/04/2021 2

Objectives

- Main driver
  - On-premise server network protection

- Implementation/security improvements
  - Consistent separation of user and administrative accounts
  - Consistent move of system/service management off the client computer
  - Strict separation of user and administrative network traffic
  - Enforcing the 2nd factor (OTP) for admin account authentication


Terminal Server Landscape

- 2 own Terminal Servers for each Group IT team
  - one ADMT (= ADMinistrative Terminal server) in STG and one ADMT in STC
- 2 owners per team
  - Each Group IT team defines at least 2 ADMT owners, who can carry out administrative tasks on the team's server: add/remove programs, install software updates etc.
- Isolated network with dedicated network access
  - Each ADMT resides in an isolated network and has network access according to the motto "as much access as needed, as little as possible".
- RDGW (= Remote Desktop GateWay) in front of the ADMTs
  - It controls the RDP traffic from client computers and forwards it to the ADMTs. ADMT users connect to RDGW rather than directly to ADMTs.
- Dedicated file server FADMT
  - It is used as file storage with exclusive access from ADMT servers only.
  - Temporarily it can be used for data exchange between client computers and ADMTs.


Terminal Server Landscape

- RDP restrictions
  - No printers from client computers available
  - No drive mapping from client computers available
  - No file exchange between RDP client and ADMT enabled; text can be copied using the clipboard, though

- Login restrictions
  - Team members are allowed to log in
  - Domain admins are allowed to log in
  - Members of BE AS/PS and BE SM teams are allowed to log in to GIA ADMTs to support

- Software maintenance
  - Automatically in case of SCCM packages
  - Manually by owners in case of manually installed software


Network topology and restrictions

- No direct network connection to manage servers/services (work in progress)
  - Direct network connection to manage servers/services from ADMTs only

- Network access to Terminal Servers is enabled upon user authentication (XXXX) with 2FA and AD group membership
- Login to Terminal Servers is enabled upon admin user authentication (a-XXXX) at RDGW with 2FA and AD group membership

- Access from Terminal Servers to destinations in GFT LAN must be enabled explicitly and is subject to approval by GISM. Default access policy is "deny access".
- Access from Terminal Servers to destinations on the Internet (based on domain names or URLs) must be enabled explicitly and is subject to approval by GISM. Default access policy is "deny access".
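The two-stage access chain and the default-deny egress rule above can be written down as a small decision model, which makes the account-separation rule testable: the standard account must open the VPN, the admin account (a-XXXX) must log in at the RDGW, each stage needs the 2nd factor and the right AD group, and an ADMT may only reach destinations that were explicitly approved. The following Python is an added example, not GFT's code; the group names, host names, egress approvals and the OTP result are constructed placeholders.

```python
"""Access-decision model for the ADMT access chain on the slides (constructed
example, not GFT's code): standard account + 2FA + AD group for the VPN,
admin account (a-XXXX) + 2FA + AD group at the RDGW, and default-deny egress
from the ADMT unless the destination was explicitly approved.
Group names, the egress allowlist and the OTP result are placeholders."""

from dataclasses import dataclass, field
from fnmatch import fnmatch

ADMIN_PREFIX = "a-"  # naming convention for admin accounts on the slides


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset
    otp_ok: bool  # outcome of the 2nd-factor (OTP) check, performed elsewhere

    @property
    def is_admin_account(self) -> bool:
        return self.name.lower().startswith(ADMIN_PREFIX)


@dataclass(frozen=True)
class Site:
    name: str
    vpn_group: str   # AD group granting network access to this site's ADMT (assumed name)
    rdgw_group: str  # AD group granting RDP login through this site's RDGW (assumed name)


def vpn_access(p: Principal, site: Site) -> tuple:
    """Stage 1: network access needs the standard user account, OTP and group."""
    if p.is_admin_account:
        return False, "VPN must be opened with the standard account, not a-XXXX"
    if not p.otp_ok:
        return False, "2nd factor missing or invalid"
    if site.vpn_group not in p.groups:
        return False, f"not a member of {site.vpn_group}"
    return True, f"network access to {site.name} granted"


def rdgw_login(p: Principal, site: Site) -> tuple:
    """Stage 2: RDP login at the RDGW needs the admin account, OTP and group."""
    if not p.is_admin_account:
        return False, "RDGW login requires the admin account (a-XXXX)"
    if not p.otp_ok:
        return False, "2nd factor missing or invalid"
    if site.rdgw_group not in p.groups:
        return False, f"not a member of {site.rdgw_group}"
    return True, f"RDP login at {site.name} RDGW granted"


@dataclass
class EgressPolicy:
    """Destinations approved by GISM as (host pattern, port); anything else is denied."""
    approved: list = field(default_factory=list)

    def allowed(self, host: str, port: int) -> bool:
        return any(fnmatch(host.lower(), pat.lower()) and (p == "*" or p == port)
                   for pat, p in self.approved)


def admt_session(user: Principal, admin: Principal, site: Site) -> tuple:
    """Run both stages in order; the chain stops at the first denial."""
    ok, why = vpn_access(user, site)
    if not ok:
        return False, f"stage 1 (VPN): {why}"
    ok, why = rdgw_login(admin, site)
    if not ok:
        return False, f"stage 2 (RDGW): {why}"
    return True, "session established"


# Constructed sample data: group names, hosts and approvals are placeholders.
STG = Site("STG", "ADMT-STG-VPN", "ADMT-STG-RDP")
EGRESS = EgressPolicy([("dc*.corp.example.invalid", 389),
                       ("*.updates.example.invalid", 443)])

if __name__ == "__main__":
    jdoe = Principal("jdoe", frozenset({"ADMT-STG-VPN"}), otp_ok=True)
    a_jdoe = Principal("a-jdoe", frozenset({"ADMT-STG-RDP"}), otp_ok=True)
    print(admt_session(jdoe, a_jdoe, STG))
    print(admt_session(a_jdoe, a_jdoe, STG))  # admin account on the VPN: denied
    print(EGRESS.allowed("dc01.corp.example.invalid", 389),
          EGRESS.allowed("fileshare.corp.example.invalid", 445))
```

The point of keeping the two stages as separate functions is that each one rejects the other stage's account type, so a single account can never satisfy the whole chain; the egress policy deliberately has no "allow all" fallback, matching the "deny access" default on the slide.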


Working with Terminal Servers

- Preparation (one time)
  - Configure the RDP client software to use RDGW
  - Configure a new VPN connection in the Netscaler VPN client:
    - https://vpnstg-admt.gft.com as "VPN ADMT STG"
    - https://vpnstc-admt.gft.com as "VPN ADMT STC"

- Open network access
  - Connect to Netscaler VPN and log in using your standard user credentials (XXXX)
  - Use "VPN ADMT STG" inside GFT LAN, otherwise the standard VPN

- Open RDP connection
  - Open an RDP session in your RDP client and log in at RDGW using your admin account credentials (a-XXXX) and 2nd factor.
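The one-time preparation step ("configure the RDP client software to use RDGW") and the RDP restrictions listed earlier (no client printers, no drive mapping, clipboard text allowed) both come down to settings in the Remote Desktop connection (.rdp) file. The Python below is an added example, not GFT's code: it generates a connection file that always goes through the gateway and audits an existing file against those restrictions. The restrictions themselves are enforced on the server side; this only checks that a distributed client template does not contradict them. All host names are constructed placeholders, and the deck does not name the RDGW host.

```python
"""Generate and audit .rdp connection files for the ADMT setup on the slides
(constructed example, not GFT's code). An .rdp file is a list of
'name:type:value' lines where type 'i' is an integer and 's' a string.
Host names are placeholders; files saved by mstsc are usually UTF-16 encoded,
so decode them before calling parse_rdp()."""


def parse_rdp(text: str) -> dict:
    """Parse .rdp text into a dict keyed by lower-cased setting name."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # value may itself contain ':' (host:port)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: not a name:type:value entry: {raw!r}")
        name, kind, value = parts
        if kind == "i":
            value = int(value)
        elif kind != "s":
            raise ValueError(f"line {lineno}: unsupported type {kind!r}")
        settings[name.strip().lower()] = value
    return settings


def build_admt_rdp(admt_host: str, rdgw_host: str) -> str:
    """Connection file that matches the slide's RDP restrictions."""
    lines = [
        f"full address:s:{admt_host}",
        f"gatewayhostname:s:{rdgw_host}",
        "gatewayusagemethod:i:1",       # 1 = always use the RDGW
        "redirectprinters:i:0",         # no client printers
        "drivestoredirect:s:",          # empty = no drive mapping
        "redirectclipboard:i:1",        # clipboard text stays available
        "prompt for credentials:i:1",   # ask for the a-XXXX account each time
    ]
    return "\n".join(lines) + "\n"


def audit_rdp(text: str, expected_rdgw: str) -> list:
    """Return the list of deviations from the ADMT restrictions (empty = compliant)."""
    s = parse_rdp(text)
    findings = []
    if "full address" not in s:
        findings.append("no 'full address' (target ADMT) set")
    if s.get("gatewayhostname", "").lower() != expected_rdgw.lower():
        findings.append(f"gateway host is not the RDGW {expected_rdgw}")
    if s.get("gatewayusagemethod") != 1:
        findings.append("gateway not set to 'always use' (gatewayusagemethod:i:1)")
    # mstsc defaults printer redirection to on when the setting is absent
    if s.get("redirectprinters", 1) != 0:
        findings.append("printer redirection enabled")
    if s.get("drivestoredirect", "") != "":
        findings.append(f"drive mapping enabled: {s['drivestoredirect']!r}")
    return findings


if __name__ == "__main__":
    # Constructed placeholder hosts; the deck does not name the RDGW host.
    good = build_admt_rdp("admt01.example.invalid", "rdgw.example.invalid")
    print(good)
    print("compliant:", audit_rdp(good, "rdgw.example.invalid") == [])
    # Constructed non-compliant file: direct connection, printers and all drives mapped
    bad = ("full address:s:admt01.example.invalid\n"
           "redirectprinters:i:1\n"
           "drivestoredirect:s:*\n")
    for finding in audit_rdp(bad, "rdgw.example.invalid"):
        print("-", finding)
```

Treating an absent `redirectprinters` as enabled mirrors the client's default, so a template that simply omits the setting is reported rather than silently passed.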


Emergency access

- Problem: Netscaler in STG has become unavailable
  - Solution: Use Netscaler in the site STC

- Problem: ADMT servers in STG have become unavailable
  - Solution: Use ADMT servers in the site STC

- Problem: ADMT servers in both sites have become unavailable
  - Solution: Use emergency network ports in server rooms at the dedicated locations with BEVB and/or NET staff. The emergency network ports have network access without authentication to networks with Hyper-V systems and network equipment that allows BEVB and NET to recover the underlying infrastructure.

Shaping the future
of digital business
ADMT Approach
GFT Technologies SE
Hermann Maurer
Group IT - Infrastructure Network Manager
Kölner Str. 10
65760 Eschborn
T +49 6196 969-2088
Hermann.Maurer@gft.com
