<div>
Hello, <br>I belong to the people saying "never expose RDP to the public internet" just out of bad experience. <br>I hat a terminal server running for testing, nothing special on it but used for a ransomware attack. <br>Using VPN may cover both need, let users working remote with their laptops as well as with terminal server, and reduces the possibility to be attacked. <br>Even you may not be able to cover all users needs only by RDP / Terminal server.&nbsp;
</div>


<div>
Using the VPN and RDP is secure. Use this.
</div>


Pau Lo

<div>
<blockquote>
you may not be able to cover all users needs only by RDP / Terminal server. 
</blockquote>
<br />
could you give some examples?
</div>


<div>
Very easy...<br>A RDP session is a connection to a single machine. From this machine, you can do some additional actions. So you can use it as jump server to connect to other machines, or you have to expose all other machines via RDP to the internet. <br>This is usually the administrative access. <br><br>A Terminal server session is a connection to a terminal server host, which offers either applications or virtual machines to clients. If you have complex software environments with a lot of individual software, you have to create a lot of individual terminal server environments. Also such environments are usually limited according permissions so not really an environement for administrative tasks. <br><br>If you just have a loptop with all the software already on it, using a VPN connection you can use everything what you can do from inside the network (dependend from the configuration and user permissions of course). Including all tools.<br><br>RDP is a service which responds on a port. So, every exposed server may ba a possible attack target. <br>I do not say that this is unsecure, I just want to say, that you have to secure each single service which is publicy exposed. <br><br>VPN is a point to point connection, where the client creates a tunnel between the local machine and the target network. In your company network you have a VPN Endpoint, the clients connect to. If the tunnel is alive, the clients can works as usualy with their hardware or they can eben wirk with terminal servers. It is like you put a cable between you home office client and your company network. <br>VPN can be highly secured an you also have to opportunity to limit the clients which are able to open the VPN tunnel (i.e by certificates). Security option may depend on the endpoint device or software. <br><br>From my point of perspective, VPN is not only the method, you have more options to secure, who can connect. It is also the prefered method for most of the larger companies. At least in my last years projects, the client machines were all equiped by default with a preconfigured VPN client, doesn't matter if the people work at home or not.<br>And it is possibly easier to setup as you have only one single point of access. <br><br>If you then use additionally terminal server doen't play a role, as with VPN, there is no need to make it accessable over the internet. &nbsp; <br>&nbsp;<br><br><br>
</div>


<div>
what do you use for the MFA service in your setup?
</div>


<div>
I use Azure MFA, but only because I am a legacy customer. I wouldn't recommend it unless you are an Azure AD P1 or Azure AD P2 customer. If you are using M365/O365, then it can make sense. Otherwise use Cisco Duo or one of the many other alternatives. Some do just MFA, some do conditional MFA, have greater analytics, etc.
</div>


<div>
<blockquote>
I use RD Gateway
</blockquote>
Still learning the basics of RDP as a 'home working' platform, I only ever thought of it as an application systems administrators would use to access windows servers, i.e. domain controllers, database servers, file servers etc. <br />
Is the gateway product you mention also a Microsoft product, or some 3rd party product that adds a 2nd tier of security around the MS RDP protocol? <br />
What technically does the gateway add/do above and beyond the plain RDP app? Is it the gateway that allows you to embed MFA into the security of remote access, and the basic RDP app alone would have no simple way to integrate MFA into the login process? Or is it more of a load balancing application whereby you have a pool of remote desktop servers for users to work on? <br />
If you have any best practice guides on the general configuration, security and management of your RDP/Gateway setup in line with best practice (or what you used as a guide when it was setup), that would be great to compare with.<br />

<blockquote>
Not every account has permissions to use RD Gateway.
</blockquote>
Is there any particular reasoning as to which users you exclude from the gateway access, and what are the benefits of doing this? If its a service anyone may need to use, is it not easier to add all users into the permissions/groups which allow access?
</div>


<div>
<blockquote>
I hat a terminal server running for testing, nothing special on it but used for a ransomware attack.<br />

</blockquote>
<br />
Do you know how they hacked your RDP server, from any post mortem forensics work? Did you use the RDP gateway and have MFA enabled on that?
</div>


<div>
You can allow an account to not require MFA, but that's a really bad idea. Colonial Pipeline attack happened because a VPN didn't require MFA.<br><br>Only accounts tied to employees get RDP access. This means that my domain admin accounts, or SQL server accounts, or backup service, can't be used to RDP or VPN. That's just good security hygiene. <br><br>In addition, not all employees are allowed remote access.
</div>


<div>
thank you for the reply.<br />
<br />
Regarding:<br />
<br />

<blockquote>
This means that my domain admin accounts, or SQL server accounts, or backup service, can't be used to RDP or VPN. That's just good security hygiene.
</blockquote>
<br />
Assuming you have a domain admin account registered for MFA, and added to the groups/permissions that allow RDP, is there much risk?
</div>


<div>
Hello,<br><br>a domain admin account has full permissions to nearly everything. <br>High privileged account should not be exposed to the public at all.<br>From the security perspective, it is secure than any other account. <br><br>With VPN you can establisch a connection to the network and then can use RDP with any account.<br>Or you device to use a jump server, so you connect with a normal account from home to a jump server, and from there you can logon with an admin account to any other server.&nbsp;<br><br>
</div>


<div>
thanks, I understand they are powerful accounts which would be disasterous if they fell into the wrong hands, but playing devils advocate as long as MFA is in place for all accounts, I don't see how anyone could make use of those accounts externally via an RDP gateway?<br />
<br />
It is probably good practice to limit who can use the service to the intended users, e.g. lower privilege employees accounts, but I cant see how a domain admin with MFA required/configured could be compromised? Or is it a 'better to be safe, then sorry' suggestion. (almost suggests MFA is not as secure as some may assume)
</div>


<div>
If you require MFA, but an account is not yet enrolled that allows an attacker to self enroll MFA. That is a risk if you allow self enrollment. <br><br>MFA that depends on email, SMS, or phone call is less secure than app based TOTP or push based MFA.<br><br>MFA isn't 100%. Perfect storms where 2, 3, or even 4 things that need to go wrong aren't that rare. That's why it is important to have multiple controls in place.&nbsp;
</div>


<div>
I just discussion with a colleague, he lost 25.000 € from his credit card, with 2 Factor authentication.<br>Nobody knows how, but it happened. <br>A system is as save as the people take care which are maintaining the system. <br>So there is no system which is 100% save.<br>If you use a jump server or VPN, you have a 3FA security for your doamin admin account. If you expose this account, its 2FA.<br>I tell you this, because I have to tell you this, you have to decide for yourself if 2 FA is enough and if you feel able and cofortable to control everything. <br><br>&nbsp;
</div>


<div>
Is that the general basic security checklist then for making RDP gateway as secure as possible, before it can be considered for home working on personal devices:<br />
1. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Use RDP gateway to allow HTTPS and protect direct RDP exposure to the Internet<br />
2. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Limit which accounts can use the RDP gateway on a justified requirement basis, removing administrative accounts<br />
3. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Subject all accounts with access to the RDP gateway to MFA, preferably using authenticator app option.<br />
4. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Enforce complex password policy for all user accounts.<br />
5. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Keep all components of the RDP gateway architecture current with the latest security patches.<br />
Anything I have missed?
</div>


<div>
Sounds reasonable<br>On the external interface or the RDP connection is a certificate...<br>So you should limit the connection down to TLS 1.2 and according save cipher suites.&nbsp;
</div>


<div>
Enforce account lockout policies.<br>Geo restrict which IP addresses can access the RD Gateway. If you have a smaller number of users, you can get their individual public IP. For larger number of users, how about geo-restricting access to th RD Gateway to just your country.
</div>


<div>
<blockquote>
So you should limit the connection down to TLS 1.2 and according save cipher suites. <br />

</blockquote>
<br />
where would this be set, so I can investigate current settings?
</div>


<div>
<div class="content wysiwyg-content fr-view">
Are any of your organisations ‘remote access’ facilities for your users to support home working (especially during the pandemic), built upon the proprietary Windows remote desktop protocol (RDP)? &nbsp;And if so, what security measures did you have configure around your RDP system before exposing the system to the Internet to support remote working/access? It seems fairly common for a hybrid approach of some users have a laptop with pre-installed VPN client software and connections, whilst others need a remote access facility from their personal devices (where the RDP option comes into play).<br><br>Some of the best practices guides I have been reading this morning suggest to never ever expose RDP to the Internet to support home working requirements, as with all the security add-ons/features in the world will never make it a safe solution, whilst others seem to suggest this is actually a fairly common low budget answer to allow users remote access from their own home devices, so long as the basic security measures are in place to support the system. I was interested if this was relevant to you, what specific controls/configurations you had to ‘wrap’ around the RDP system to satisfy your security regulators/auditors/key stakeholders. &nbsp;<br>Or if your remote access infrastructure has been reviewed as part of compliance audits, were there any particular weak spots they flagged you up on and remedial improvement recommendations?
</div>
</div>



Are any of your organisations ‘remote access’ facilities for your users to support home working (especially during the pandemic), built upon the proprietary Windows remote desktop protocol (RDP)?  And if so, what security measures did you have configure around your RDP system before exposing the system to the Internet to support remote working/access? It seems fairly common for a hybrid approach of some users have a laptop with pre-installed VPN client software and connections, whilst others need a remote access facility from their personal devices (where the RDP option comes into play).
Some of the best practices guides I have been reading this morning suggest to never ever expose RDP to the Internet to support home working requirements, as with all the security add-ons/features in the world will never make it a safe solution, whilst others seem to suggest this is actually a fairly common low budget answer to allow users remote access from their own home devices, so long as the basic security measures are in place to support the system. I was interested if this was relevant to you, what specific controls/configurations you had to ‘wrap’ around the RDP system to satisfy your security regulators/auditors/key stakeholders.  
Or if your remote access infrastructure has been reviewed as part of compliance audits, were there any particular weak spots they flagged you up on and remedial improvement recommendations?

RDP protocol for home working

This topic area includes legacy versions of Windows prior to Windows 2000: Windows 3/3.1, Windows 95 and Windows 98, plus any other Windows-related versions including Windows Mobile.

Windows OS

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.

OS Security

Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection.  Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.