To be compliant with PCI, we need to review the way we have configured Remote Desktop Protocol. We need to be using Remote Desktop Connection, with HIGH encryption level. At my organization, people use RDC when:
* Admins and users are physically outside of the network: In which case, they have to VPN to the network and then only they can remote in to the intended machine.
* Admins and users are physically on the network: In which case, they can directly start a remote session with the server.
PCI requirement is not very clear about whether we need to have high encryption level for "on-network" type of connections or this requirement is only meant for organizations allowing RDP over internet?
If you PCI better, that's great, please share !
But from technical standpoint, I also want to compare the security aspect of using RDP over the internet and RDP over VPN. Can we say RDP over VPN is quite secure ? What measures can I take to secure RDC sessions.