
I have an application on a VPS and I want to run it with RemoteApp instead of having to remote desktop into the server. Our VPS provider can sell us a pack of five RDS licenses to use which will be plenty.

I plan on following this guide that says it is not recommended for security reasons: https://ryanmangansitblog.com/2015/02/22/deploying-rds-2012-r2-on-a-domain-controller-the-walk-through-guide/

Another guide on how to set up a single server for remoteApp actually uses two servers: https://msfreaks.wordpress.com/2013/12/09/windows-2012-r2-remote-desktop-services-part-1/

Finally Microsoft have a guide on installing RDS on a DC that essentially just says no: https://technet.microsoft.com/en-us/library/cc742817(v=ws.11).aspx They say it is insecure and has bad performance. We have a decent sized VPS though and trust the users.

My question is what is the security risk? The users running the remoteApp apps are trusted employees.

Ryan Bolger
Adam Butler

1 Answer

5

I believe it's generally considered a bad idea because domain controllers are supposed to be the critical heart of your network that store all the keys to your kingdom. So they should be left alone, not mixed with other applications, and not logged into by non-admin users (or even admins on a regular basis) so there's less chance for that critical data to be compromised.

However, in your specific case, it sounds like the only reason AD would exist is to support the installation of RDS since you can't use it outside of the basic remote administration mode unless you also have a domain. So in my opinion, throwing all the roles on a single server to save hosting costs is just fine. You're essentially just replacing the server's local SAM database with the Active Directory database. An attacker that compromises the server and AD is irrelevant because the only thing that uses AD are the services on the server that was compromised. So you wipe it and re-build or restore from backup, no biggie.

The combination of the two services doesn't create some sort of new vulnerability on the server as far as I know.

Ryan Bolger
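The answer's point is that the real exposure is non-admin users getting an interactive session on the box that holds the directory. An added audit script (not from the question, the answer, or any of the linked guides) that a practitioner can run on the server in question to see whether that situation exists: whether the host is a domain controller, which RDS role services are co-located on it, and which non-admin accounts are in the built-in Remote Desktop Users group. It assumes an elevated session on the server with the ServerManager and RSAT ActiveDirectory modules available; the group names and feature name pattern are standard Windows ones, the warning text is this example's own.

```powershell
# Added example: audit a Windows Server host for AD DS + RDS co-location
# and for non-admin accounts with RDP group membership.
# Assumptions: run elevated on the server itself; ServerManager and
# ActiveDirectory modules are installed (RSAT-AD-PowerShell feature).

Import-Module ServerManager
Import-Module ActiveDirectory

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -in 4, 5
"Domain controller: $isDC"

# RDS role services present on this host (RDS-RD-Server, RDS-Web-Access, ...)
$rds = Get-WindowsFeature -Name 'RDS-*' | Where-Object Installed
if ($rds) {
    "Installed RDS role services:"
    $rds | ForEach-Object { "  $($_.Name)" }
}

if ($isDC -and $rds) {
    "WARNING: RDS role services are co-located with AD DS on this domain controller."

    # On a DC there are no local groups; 'Remote Desktop Users' is the
    # built-in domain group. Expand nested membership down to user objects.
    $rdpUsers = Get-ADGroupMember -Identity 'Remote Desktop Users' -Recursive |
        Where-Object objectClass -eq 'user'
    $admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user'

    # Accounts that are in the RDP group but are not domain admins: these are
    # the non-admin interactive logons the answer warns about.
    $nonAdminRdp = $rdpUsers |
        Where-Object { $_.SamAccountName -notin $admins.SamAccountName }

    "Non-admin accounts in Remote Desktop Users on this DC: $(@($nonAdminRdp).Count)"
    $nonAdminRdp | ForEach-Object { "  $($_.SamAccountName)" }
}
```

Group membership is only half of the picture on a domain controller: the "Allow log on through Remote Desktop Services" user right on DCs comes from the Default Domain Controllers Policy, which by default grants it to Administrators only, so a user listed by this script may still be unable to log on until that policy is widened (and widening it is exactly what the linked walk-through has you do). Check the effective user right with the local security policy or gpresult as well before concluding who can actually reach the box.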