Alternatives to RDP for remote users from a VPN client

Just kind of wanted to get a feel for what other admins out there are using for remote users that need access to servers and whatnot. We have remote users using a VPN client, and our security team is soon going to implement a block for RDP which is going to severely impact their existing workflow.

It doesn’t sound like the security team is ready to block RDP if the company has no other means to perform work to support business objectives.

What use is a company if its business objectives cannot be completed?

Ask the security team what is the secure alternative/option?

Shitty security teams just say no. A good security team tells the business how they can do something securely.

The day the security team decides to block RDP traffic over VPN is the day I stop coming to work.

If your security team can’t figure out how to secure internal RDP I question the need for them to show up to work ever again.

Strictly security speaking, I would personally trust a VPN + RDP + DUO more than something like TeamViewer, Screen Connect or other RMM tool.

We have remote users using a VPN client, and our security team is soon going to implement a block for RDP

Why would your security team block a standard tool like RDP? It is really simple to secure and is encrypted by default. If you have your RDP access groups set up correctly, and you configure MFA on your endpoints what value would there be in blocking RDP internally?

If they block RDP internally, that means you are going to need some other tool to replace that functionality. Whatever tool that is chosen to fill that need is likely to have more security problems than RDP, and is likely to require more time and money to support.

This seems like a heavy-handed approach by someone who does not really understand security, or usability.

We are looking at Apache Guacamole to replace our VPN+RDP for privileged access. RDP will still be in use here, but with IP-to-IP firewall restrictions to make sure that traffic is pushed through the approved path (Guacamole). For the general population we use an Azure App Proxy to our RDS farm.

Well them blocking RDP without an alternative in place will get them fired.

I would ask security if it would be ok to have 1 internal host allowed to RDP internally and setup Remote Desktop Gateway on it and set group policy to use that for all RDP connections.

You can even have it perform MFA if you use Azure IdP, just need to setup an NPS server with the Azure MFA Plugin for NPS.
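The two posts above (Guacamole with IP-to-IP firewall restrictions, and a single RD Gateway host that every RDP session must traverse) both rest on the same control: the target servers only accept 3389 from the approved path, so a VPN client cannot go straight to them. The following PowerShell is an added example, not code from any poster in this thread. It assumes a placeholder gateway/jump-host address of 10.20.0.5, runs elevated on each target server, and needs the NetSecurity module that ships with Windows Server 2012 and later. It scopes the built-in Remote Desktop rule group to the approved source, flags any other inbound allow rule for 3389, and then audits recent RDP logons (event 4624, logon type 10) that arrived from anywhere else. Because RD Gateway and Guacamole terminate the client connection and open their own session to the server, the server sees the gateway's address as the source, which is exactly what the allow-list relies on.

```powershell
# Added example (not from any post in this thread): restrict inbound RDP on a target
# server to the approved path (RD Gateway / Guacamole / jump host) and audit for
# sessions that did not come through it.
# Assumption: 10.20.0.5 is a placeholder for the gateway or jump-host address.
# Run elevated on each server. If you are currently connected to this server over RDP
# from a non-approved address, step 1 will drop your session.

param(
    [string[]]$ApprovedSources = @('10.20.0.5'),   # hypothetical gateway / jump-host address(es)
    [int]$LookbackHours = 24
)

# 1. Narrow the built-in "Remote Desktop" rule group (TCP-In, UDP-In, Shadow) to the
#    approved sources. By default these rules accept 3389 from any address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction Stop |
    Set-NetFirewallRule -Enabled True -RemoteAddress $ApprovedSources

# 2. Make sure nothing else lets 3389 in. Windows Defender Firewall gives block rules
#    precedence over allow rules, so do not add a broad block for 3389 (it would also
#    block the gateway); instead rely on the profile default of Block and report any
#    other inbound allow rule that opens 3389.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

$otherAllows = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                   $_.Enabled -eq 'True' -and $_.DisplayGroup -ne 'Remote Desktop' }

if ($otherAllows) {
    Write-Warning 'Other enabled inbound allow rules for TCP/3389 exist; review these:'
    $otherAllows | Select-Object DisplayName, Profile, DisplayGroup | Format-Table -AutoSize
}

# 3. Audit: RDP logons in the lookback window whose source address is not approved.
#    Security event 4624 property layout (fixed for this event):
#      [5] TargetUserName  [6] TargetDomainName  [8] LogonType  [18] IpAddress
#    LogonType 10 = RemoteInteractive, i.e. an RDP session.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$offPath = foreach ($e in $events) {
    $p = $e.Properties
    if ([int]$p[8].Value -ne 10) { continue }
    $src = [string]$p[18].Value
    if ($ApprovedSources -notcontains $src) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            User   = "$($p[6].Value)\$($p[5].Value)"
            Source = $src
        }
    }
}

if ($offPath) {
    Write-Warning "RDP logons in the last $LookbackHours h that bypassed the approved path:"
    $offPath | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "No RDP logons from outside $($ApprovedSources -join ', ') in the last $LookbackHours h."
}
```

Apply the rule change through GPO or a configuration tool rather than by hand on each server so a rebuilt host does not come back with the default "any source" rules; the audit half is worth scheduling, since it is what tells you the approved path is actually the only path, not just the intended one.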

If they are blocking RDP over an encrypted connection, they probably aren’t wanting “any” remote desktops.

My guess is I can work around all of that by tunneling (e.g. an ssh tunnel). But probably in violation of whatever policy is making them do what they are doing.

What do you mean by remote users needing access to servers? Are you talking about admins? If so, we use PAWs and only allow RDP to certain hosts from those PAWs, like terminal servers that allows admin functions.

We have terminal servers for different admin groups, and from the terminal servers there are fw rules that allows the needed access to manage the systems the terminal servers were defined for.

If you are talking about users, they should only be allowed to RDP to systems like terminal servers they need access for their job. We don’t have any users that are allowed to log directly into other servers.

If users are using VPN from home systems, then I would deploy laptops to them instead and block any non domain systems from using VPN.

VPN + RDP + 2FA. It’s been a few years since I set it up but we used 2FA from Duo to add an additional layer. Works for RDP in office and remote + makes security folks feel better and checks compliance boxes.

This doesn’t make much sense. If you’re connected via VPN then why not allow RDP to the machines? At that point you’re already on the company’s remote network; it’s sort of a shutting-the-barn-door situation in terms of netsec. I would follow up with the sec team to see if the communication was miffed.

Why are they blocking RDP over VPN? I assume this is for IT staff to access servers? If someone has access to your VPN (bypassed MFA, certificates, trusted device etc.) then they have bigger issues…

Putting a remote access solution like Citrix or RDS in just for admin server access is overkill and is another system to maintain. You could have a jump box that you can RDP to, and from that you can RDP to all other servers rather than 3389 to all servers from your VPN laptop, or put RDP behind MFA.

Our security team doesn’t have the ability to implement these kinds of decisions themselves. They advise us, and we attempt to comply with their suggestions as much as possible, and if for some reason we can’t, we put compensating controls in place. But this one would likely have to go to the CIO, who would tell them to get bent; we have to be able to do our work.

We disabled RDP domain wide and switched to Splashtop. We have Splashtop SSO to our Azure environment and we have 2FA setup. Works well.

Tunneling over SSH.

Or a web desktop like Guacamole. But there is a lot of information missing.

Blocking RDP is a bit weird, but you can encapsulate it.
Think of Zscaler Private Access: it creates a micro tunnel through which RDP traffic is routed.

Alternatively if your servers are in Azure you can use Bastion.

Let them do it, be sure to forward any tickets on this over to the security team.

Sounds like a ham-fisted attempt to end WFH. I’d be asking questions about why the security team is doing that.

We stopped using RDP when we refreshed our hardware and sent everyone home with a work laptop. They still VPN to route to the datacenter where our file server lives but they connect directly from their laptop now rather than through RDP. There’s a performance hit but it was offset by the cost of not purchasing onsite systems for RDP. Your scenario may or may not match up with ours so can’t say much beyond what we did.