Are any of your organisation's ‘remote access’ facilities for your users to support home working (especially during the pandemic) built upon the proprietary Windows Remote Desktop Protocol (RDP)? And if so, what security measures did you have to configure around your RDP system before exposing it to the Internet to support remote working/access? It seems fairly common to take a hybrid approach where some users have a laptop with pre-installed VPN client software and connections, whilst others need a remote access facility from their personal devices (where the RDP option comes into play).
Some of the best practice guides I have been reading this morning suggest never, ever exposing RDP to the Internet to support home working requirements, as all the security add-ons/features in the world will never make it a safe solution, whilst others seem to suggest this is actually a fairly common low-budget answer to allow users remote access from their own home devices, so long as the basic security measures are in place to support the system. If this is relevant to you, I was interested in what specific controls/configurations you had to ‘wrap’ around the RDP system to satisfy your security regulators/auditors/key stakeholders.
Or, if your remote access infrastructure has been reviewed as part of compliance audits, were there any particular weak spots they flagged you up on, and what remedial improvement recommendations were made?
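As an added, read-only example (not part of the original post, and not from any particular auditor's checklist), the PowerShell below audits the host-side RDP settings that most hardening guides and audits ask about: Network Level Authentication, the TLS security layer, the minimum encryption level, whether the inbound Remote Desktop firewall rules are scoped to specific remote addresses rather than "Any", and the account lockout threshold. The registry paths and value names are the documented Terminal Services locations; the "expected" values are assumptions drawn from common hardening guidance, and the function name `Get-RdpHardeningFindings` is invented for this example. It changes nothing and is meant to be run in an elevated session on the RDP host itself.

```powershell
# Added example: read-only audit of common RDP hardening settings on a Windows host.
# Run elevated on the RDP host. Nothing is modified; findings are returned as objects.

function Get-RdpHardeningFindings {
    $tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $tsRoot 'WinStations\RDP-Tcp'

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding {
        param([string]$Check, $Actual, [string]$Expected, [bool]$Pass)
        $findings.Add([pscustomobject]@{
            Check = $Check; Actual = "$Actual"; Expected = $Expected; Pass = $Pass
        })
    }

    $ts  = Get-ItemProperty -Path $tsRoot
    $tcp = Get-ItemProperty -Path $rdpTcp

    # Informational: is RDP enabled at all, and on which port (0 = connections allowed).
    Add-Finding 'RDP connections allowed (fDenyTSConnections)' $ts.fDenyTSConnections `
        'Report only' $true
    Add-Finding 'Listening port (PortNumber)' $tcp.PortNumber 'Report only' $true

    # NLA: authenticate before a session (and the logon screen) is created. 1 = required.
    Add-Finding 'Network Level Authentication (UserAuthentication)' $tcp.UserAuthentication `
        '1 (required)' ($tcp.UserAuthentication -eq 1)

    # Security layer: 2 = TLS required; 0/1 allow the legacy RDP security layer.
    Add-Finding 'Security layer (SecurityLayer)' $tcp.SecurityLayer `
        '2 (TLS)' ($tcp.SecurityLayer -eq 2)

    # Encryption level: 3 = High, 4 = FIPS-compliant. Lower values are not acceptable.
    Add-Finding 'Minimum encryption level (MinEncryptionLevel)' $tcp.MinEncryptionLevel `
        '3 or 4' ($tcp.MinEncryptionLevel -ge 3)

    # Firewall scope: enabled inbound Remote Desktop rules should not accept from 'Any'.
    $rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True `
                -ErrorAction SilentlyContinue
    foreach ($rule in $rdpRules) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        Add-Finding "Firewall scope: $($rule.DisplayName)" $remote `
            'Specific addresses/subnets, not Any' ($remote -ne 'Any')
    }

    # Account lockout: slows password guessing against exposed logons. 'Never' = no lockout.
    $lockoutLine = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
    $threshold   = ($lockoutLine -split ':\s*')[-1].Trim()
    Add-Finding 'Account lockout threshold' $threshold `
        'A finite number, not Never' ($threshold -ne 'Never')

    return $findings
}

# Usage: list everything, then just the failures an auditor would flag.
$results = Get-RdpHardeningFindings
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Pass } | Format-Table Check, Actual, Expected -AutoSize
```

The script only covers settings on the RDP host itself. Whether the listener is published directly or sits behind a VPN or a Remote Desktop Gateway, and whether the accounts that can log on interactively are limited to the people who need it, are separate questions the script cannot answer, but its output gives a concrete starting point for the "what did you wrap around it" conversation.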