We have a cloud environment where users log on to a terminal server through a TS Gateway and TS Session Broker that load balances users to various terminal services. We want to secure this environment so that the users don't have a chance to compromise the security, such as disabling RDP to the Domain Controllers or Exchange servers on this virtual environment (right now admins have access, as they are allowed to do some administration on their own cloud). We're thinking of creating a VPN for them to access the DCs, Exchange servers and critical servers, so that these are not directly accessible from the terminal services. Is that a viable policy? What else could we do to secure it? Thanks!