Hi,
I restored one of my Epicor servers (Epicor is a software product - https://www.epicor.com) and configured RDSH (Remote Desktop Session Host) for testing.
I created an AD server (private IP) and an RDSH server (private IP with a NATed public IP).
I configured the firewall rules (SonicWall) to allow only HTTP/HTTPS and RDP (389) traffic from the WAN to the RDSH server.
I installed a third-party certificate (Comodo) on the RDSH server. RDSH requires a .pfx certificate, so I created/installed the certificate in IIS and exported it with the private key and a password. I made sure that the password is strong. I imported the certificate into
the roles below. The certificate installed successfully. The RD Gateway role is greyed out.
RD Connection Broker - Enable Single Sign on
RD Connection Broker - Publishing
RD Web Access
1st time: the server was hacked after one hour and all files were encrypted.
2nd time: I rebuilt the server and performed all the above steps again, but the server was hacked again after 24 hours.
Note:
I scanned the primary server (Epicor server) with different tools (Malwarebytes), but there is no virus etc.
The RDSH server is a replica of my current server (Epicor server). The Epicor server is also available for remote access (not RDSH) and it's working fine. I can RDP to it and work on it without any issue.
Epicor and the SQL application are installed on this server. Could my server have been hacked through an Epicor or SQL account? But the primary server is also available from the WAN and it's working fine.
Both times the AD was not hacked; only the RDSH server was hacked.
Both the server and certificate names are the same, for example: e10.domain.com is the server name and the certificate URL is https://e10.domain.com/RDWeb. Is there any issue with using the same name? I feel comfortable because RDSH was configured with the server name and the certificate installed
without any issue.
I am not sure what the issue is. Could someone please help me find out the cause of this hacking? The rest of the network is fine.
It's Windows Server 2012 R2 Standard (both the AD and RDSH servers).
Thanks in advance.
Shoaib Nawaz
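A first check a practitioner would run on an RDP host that is reachable from the WAN, added here as an example and not part of the original post or Epicor's software: summarise failed logons (Security event 4625) on the RDSH host by source IP, so a password-guessing campaign against the exposed RDP listener can be confirmed or ruled out. The field names (TargetUserName, LogonType, IpAddress, SubStatus) are the standard 4625 EventData fields; the function names, the IP addresses and the sample records are constructed for the demonstration. It assumes that RDP failures appear as LogonType 10 (RemoteInteractive), or as LogonType 3 (Network) on a host with Network Level Authentication enabled, and that the Security log of the rebuilt host is still intact.

```powershell
# Added example (not from the original post): summarise failed logons on the
# RDSH host by source address to test the brute-force hypothesis.
# Assumption: RDP logon failures are recorded as 4625 with LogonType 10, or
# LogonType 3 when Network Level Authentication is in use.

function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory)] [xml[]] $EventXml,
        [string[]] $LogonTypes = @('10', '3'),
        [int] $Top = 10
    )
    $rows = foreach ($doc in $EventXml) {
        # Flatten <Data Name="...">value</Data> into a name -> value table.
        $data = @{}
        foreach ($d in $doc.Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        if ($LogonTypes -contains $data['LogonType']) {
            [pscustomobject]@{
                Source     = $data['IpAddress']
                Account    = $data['TargetUserName']
                LogonType  = $data['LogonType']
                # SubStatus 0xC000006A = bad password, 0xC0000064 = no such user
                NoSuchUser = ($data['SubStatus'] -eq '0xC0000064')
            }
        }
    }
    $rows | Group-Object Source | Sort-Object Count -Descending |
        Select-Object -First $Top -Property `
            @{ n = 'Source';       e = { $_.Name } },
            @{ n = 'Failures';     e = { $_.Count } },
            @{ n = 'Accounts';     e = { ($_.Group.Account | Sort-Object -Unique) -join ',' } },
            @{ n = 'UnknownUsers'; e = { @($_.Group | Where-Object NoSuchUser).Count } }
}

function Get-LiveFailedLogonXml {
    # Pull 4625 records from the local Security log (run elevated on the RDSH host).
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object { [xml] $_.ToXml() }
}

function New-SampleFailedLogon {
    # Constructed, minimal 4625 record for offline demonstration only.
    param(
        [string] $Ip, [string] $User,
        [string] $LogonType = '10', [string] $SubStatus = '0xC000006A'
    )
    [xml] @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="LogonType">$LogonType</Data>
    <Data Name="IpAddress">$Ip</Data>
    <Data Name="SubStatus">$SubStatus</Data>
  </EventData>
</Event>
"@
}

# Constructed sample: one noisy source guessing several accounts, one probing
# a non-existent account, and one console (LogonType 2) failure that is ignored.
$sample = @(
    New-SampleFailedLogon -Ip '203.0.113.10' -User 'administrator'
    New-SampleFailedLogon -Ip '203.0.113.10' -User 'admin'  -SubStatus '0xC0000064'
    New-SampleFailedLogon -Ip '203.0.113.10' -User 'epicor' -LogonType '3'
    New-SampleFailedLogon -Ip '198.51.100.7' -User 'sa'     -SubStatus '0xC0000064'
    New-SampleFailedLogon -Ip '10.0.0.5'     -User 'user1'  -LogonType '2'
)
Get-FailedLogonSummary -EventXml $sample | Format-Table -AutoSize

# On the RDSH host itself, against the real Security log:
# Get-FailedLogonSummary -EventXml (Get-LiveFailedLogonXml -Hours 24) | Format-Table -AutoSize
```

With the constructed records, 203.0.113.10 is reported with three failures across three accounts and one unknown-user hit, 198.51.100.7 with one unknown-user failure, and the console failure from 10.0.0.5 is excluded. A large count of failures from a few public addresses against accounts such as administrator, admin or sa, much of it against accounts that do not exist, is the signature of an RDP password-guessing campaign rather than of an Epicor or SQL specific flaw; if the rebuilt host's log has been rotated or cleared, the same query should be run on the domain controller against the corresponding authentication events instead.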