Asked by lianne143

Is it safe to remotely access my organisation's system through RDWeb Access, or is a VPN required?


We have RDWeb Access installed on a Windows 2012 server in our network.

For staff to access the network drives and applications from outside our network, they open the browser on their laptop and go to https://desktop.myorg.co.uk/RDWEB
Once they enter their credentials at the prompt, they land on the following page.
Please see the attached snapshot.

On the second page, once they click the computer icon “My Org”, they log into the RDWeb server, and once they are logged in there, staff can access their drives and applications.

This type of remote access setup was done by my predecessors.

With the current Covid-19 situation, staff are working from home and I have given them remote access.
Now I am a bit concerned; please let me know whether the current setup is a safe way to access our system from outside our network.


Do I need to set up a VPN and then force the users to connect to the VPN first and then RDP into the RDWeb access server?

Please advise; any help is much appreciated.

Thanks in advance.
Tags: Remote Access, RemoteDesktop, Windows Server 2012, rdweb, Network Security

Last Comment

8/22/2022 - Mon

It's a terrible idea to do this without a VPN.
Even if you had a VPN, users would still be entering their domain credentials on non-company devices, which any strict security policy should surely forbid.

Give them a company device to take home with them. If RDP is still needed, then set up a VPN.
Irwin W.

RDWeb access is rather secure when using SSL.

Things I would however do and have done:
  • Do not allow drive or device redirection other than printers
  • Do not allow copy and pasting to/from remote systems
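
The two restrictions listed above can be audited per session collection with the RemoteDesktop PowerShell module. This is an added example, not part of the original post; the connection broker name is a placeholder, and the set of flags treated as "drive or device redirection" is an assumption.

```powershell
# Added example: audit (and optionally tighten) client redirection on RDS session collections.
# Assumes a session-based RDS deployment and the RemoteDesktop module (Windows Server 2012+).
Import-Module RemoteDesktop

function Test-RdsRedirection {
    param(
        [Parameter(Mandatory)] [string] $ConnectionBroker,  # placeholder FQDN supplied by the caller
        [switch] $Apply                                      # settings are changed only when this is set
    )
    # Assumption: these flags cover "drive or device redirection" plus copy/paste.
    $blocked = 'Drive', 'Clipboard', 'PlugAndPlayDevice', 'COMPort', 'LPTPort'

    foreach ($c in Get-RDSessionCollection -ConnectionBroker $ConnectionBroker) {
        $cfg = Get-RDSessionCollectionConfiguration -CollectionName $c.CollectionName `
                   -Client -ConnectionBroker $ConnectionBroker

        # The property is a flags enum; its string form looks like "Clipboard, Drive, ..."
        $enabled = "$($cfg.ClientDeviceRedirectionOptions)" -split ',\s*'
        $risky   = @($enabled | Where-Object { $blocked -contains $_ })
        $keep    = @($enabled | Where-Object { $blocked -notcontains $_ -and $_ -ne 'None' })

        # One report row per collection
        [pscustomobject]@{
            Collection = $c.CollectionName
            Risky      = $risky -join ', '
            Printers   = $cfg.ClientPrinterRedirected
            Compliant  = ($risky.Count -eq 0)
        }

        if ($Apply -and $risky.Count -gt 0) {
            # Keep the remaining flags (audio, time zone, ...); printer redirection is left untouched.
            $new = if ($keep.Count) { $keep -join ', ' } else { 'None' }
            Set-RDSessionCollectionConfiguration -CollectionName $c.CollectionName `
                -ClientDeviceRedirectionOptions $new -ConnectionBroker $ConnectionBroker
        }
    }
}

# Report only; add -Apply to remove the blocked redirections.
Test-RdsRedirection -ConnectionBroker 'rdcb.example.internal'
```

Group Policy settings under Remote Desktop Session Host > Device and Resource Redirection override the collection values, so check both when a collection reports as non-compliant after a change.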

Remote Desktop Gateway is secure. RDWeb only exposes TLS over 443 on the Remote Desktop Gateway, and TLS over 443 for IIS on the RD Web Server.
Cláudio Rodrigues


Could the author let us know whether they use company devices to connect from? Or do they use their private devices?

Let me summarize the above links:

• Secure remote access must be strictly controlled with encryption, strong passphrases & Multi-Factor Authentication.
• If your employees are working from a specified IP block, you can enable IP filtering.
• Ensure that, even while connecting via VPN, users can only access resources they would normally access while on-prem, via ACL.
• Configure your SSL VPN to use LDAP-integrated certificates in such a way that non-corporate devices cannot connect via VPN.
• Antivirus software installed on end-user laptops should be configured to receive antivirus updates either directly from the internet or through the VPN.
• Enable auditing and logging to be sent to your SIEM for monitoring.
Cláudio Rodrigues

There are several drawbacks with VPNs. For example, many apps do not work well over the VPN (which RDP fixes, as no data is going back and forth over the connection tunnel - screen updates only). Also, if the devices are not corporate owned, are these being scanned once the tunnel is established to guarantee the device health? Many places deploy VPNs and the VLAN where the devices end up is not properly locked down, so now they may be bringing devices that are not patched, potentially with malware/viruses, etc. into a network segment that may access other segments.
And the same way VPNs can have filtering and MFA capabilities, a properly installed and configured RDGW can have it too, with the added benefit of not allowing any other type of traffic (RDP only).
At the end of the day these are all tools that address certain use cases. If they do need access to apps and apps that they either do not have on their endpoint or apps that do suffer over VPN connections (like many legacy ones do), RDGW is the way to go here.
So right tool for the job. You have nails, we give you a hammer, not a screwdriver :-)


Staff have been given company laptops and a few staff use personal Apple Macs for remote access.

Ok, that's important to know.

If you enter domain credentials on an unmanaged client (your personal Mac), these may be recorded by some key logging software and thus become leaked. I would not allow this.
Irwin W.

Anyone on this post connect to banks, Experts-exchange or other login services using SSL?

I mean we use these but don't seem to consider this a security risk. ;)


All banks or payment services I connect to are using 2-factor authentication.
And I don't type anything that I need to guard.

Connecting to work with 2FA is not possible for many. Typing business related things on your personal machine is not advisable as well, even if you use 2FA.

Cláudio Rodrigues

On the other hand, preventing total access from non-corporate machines when the company is NOT providing machines to everyone AND during COVID-19 does not seem like a good idea either. It is a matter for the business to decide on the potential risks (very low IMHO but that said I am NOT the business and cannot decide for them).
Also, if Macs are involved, a VPN may be useless as the apps users may be required to run could be Windows only. Then you may have to ask users to load VMware Fusion/Parallels Desktop/VirtualBox AND set up a Windows VM to access these apps from inside the VM, over a VPN tunnel, which IMHO is a major hassle (as RDP may not be allowed, RDP on Mac is not the same as RDP on Windows, etc).
At the end of the day, IT and Security are there to serve USERS and NOT to create hassles for them. Security is paramount, yes. But that said it cannot and should not ruin the user experience just because there is a 0.00001% chance some hacker will get access to non-privileged account info off a Mac a user owns.
Even in this case, if you are that paranoid, you probably have all sorts of checks/tools on the backend to prevent lateral movement (i.e. every single system has a different local administrator account with a different password and that is changed on a daily basis), which makes the point of putting all this effort into the local endpoints moot.


Beware: attackers may use graphical remote desktop protocols (RDP) when available. Protocols like Windows Remote Desktop can provide the attacker with access to a target machine, so system hardening is a must.


Cláudio Rodrigues

Any protocol, remote display or not, has vulnerabilities. This is nothing new or tied to RDP in particular. Just look at the CVE the Citrix ADCs suffered at the end of last year. Or several ones Cisco devices had, VPNs included.
One thing is a host with RDP exposed to the internet directly. Another is a host BEHIND an RD Gateway with either two separate domains or with MFA. VERY different scenarios and attack surface.


By hardening a system, you reduce its exposure to vulnerabilities as well as its potential to be exploited. Specific hardening techniques include applying security patches and adjusting the system's configurations, like closing open ports and disabling unnecessary services that add to the system's attack surface. Always follow your organization's security policies and procedures.

Be watchful for possible attacks. Any applications or services on the host can provide a vector for attack. Keep yourself updated with https://www.exploitdb.com/; it's a searchable archive of exploits and vulnerable software, supplied in a standard format.

Irwin W.

@Claudio Rodrigues
At the end of the day, IT and Security are there to serve USERS and NOT to create hassles for them. 

Truer words never spoken :)

Thanks guys
Really much appreciated!!!