RDS GW+RDP vs VPN RDP

glenimp617 · 11 May 2021 at 14:58

Hi Everyone,

I'll try and not over complicate this, but may be tricky lol

We have a group of users at work who require access to their works desktops from home. My IT engineer wants to go with option 2, but two security consultancy firms and an MSP say option 1.

Option 1

Works laptops installed with a VPN. User given a VPN login which only allows RDP port to their works desktop. No other ports are allowed. The remote desktop has its local firewall configured to only allow RDP for that specific user on an IP address coming from the VPN connection. The works laptops have a policy to disable RDP drives and clipboards.

Option 2

Users login to the public RDS gateway service using personal devices. The RDS sessions have an RDP shortcut to their desktop machine. They are basically using RDS as a way to leap frog through the network to their machines. RDS sessions have drives and clipboards disabled. The remote desktops as above are locked down to that user, with a group of IPs for the RDS servers.

Both options have MFA enabled.

Robert T. · 11 May 2021 at 17:20

Ancient battle - convenience vs cost.

1 is more costly in setup time, spend and user convenience. But has a secure dedicated hardware and software, which is good.
2 is simplier, but less secure. Also lack of VPN encryption end-to-end. Cheaper cause you dont have to use work laptop.

LizardKing · 11 May 2021 at 22:35

Personal preference but i avoid a byod approach at all cost! so option 1, you control the hardware end to end and can ensure compliance is maintained (updates, encryption, antivirus etc).

If you have a full on intune / conditional access implementation and your users agree to enrolling there personal devices option 2 could be ok - at a push!

glenimp617 · 12 May 2021 at 08:29

Thanks guys,

There's no issue about time/costs etc etc. It's just whatever is most secure. My opinion was that it was option 1, but I'm being told it's a massive security risk and option 2 is best (despite literally everyone else telling me the opposite).

Always good to get a second (third/fourth) opinion.

I just don't understand why he thinks this.

visibleman · 12 May 2021 at 13:31

Robert T. said:
...but less secure. Also lack of VPN encryption end-to-end.

Genuine question, is RDP/RDS/TS less secure? As traffic is encrypted in both situations :confused:

Armageus · 12 May 2021 at 13:34

Option 1 imo - better to put faith in a VPN solution rather than relying on Microsoft for anything security related

Robert T. · 12 May 2021 at 17:20

visibleman said:
Genuine question, is RDP/RDS/TS less secure? As traffic is encrypted in both situations

Yes, because VPN should be starting with system start, meaning entire session beforehand is also already encrypted. Connection to RDP gateway "should be" encrypted in theory, but as @Armageus said - trusting M$ on security is... problematic..

Toughnoodle · 12 May 2021 at 17:30

The RDP traffic should be encrypted end-to-end, but also it'll be wrapped again between the client and the RDS Gateway using HTTPS. You'd have the option of disabling the weaker protocols/cyphers on the Gateway.

The only problem with the default RDS web/gateway setup is that there's nothing to stop them from accessing it from any PC. If you use the VPN option, then you could install a user cert and use that as part of the MFA.

The only time I'd consider the VPN less secure is if it gave full network access to the LAN. I see that's already been thought of though.

visibleman · 12 May 2021 at 18:41

Toughnoodle said:
The only problem with the default RDS web/gateway setup is that there's nothing to stop them from accessing it from any PC.

That removes control of that portion of the "chain" but it wouldn't make RDS/option 2 inherently less secure than the first option would it?

I've yet to experience a rolling out of BYOD that has been successful and not a complete and utter cluster that ended up being more problematic than simply handing out work devices. So personally i wouldn't opt for it. But i'm sure it does work, plus off-site work devices has it's own challenges.

@TheOracle - With option 2, has the IT Engineer discussed the plan around employees not having or not wanting to use personal devices? I assume you would offer work devices in that scenario and essentially deal with a combination of the two solutions and all the additional costs and management of that?

glenimp617 · 12 May 2021 at 19:13

visibleman said:
That removes control of that portion of the "chain" but it wouldn't make RDS/option 2 inherently less secure than the first option would it?

I've yet to experience a rolling out of BYOD that has been successful and not a complete and utter cluster that ended up being more problematic than simply handing out work devices. So personally i wouldn't opt for it. But i'm sure it does work, plus off-site work devices has it's own challenges.

@TheOracle - With option 2, has the IT Engineer discussed the plan around employees not having or not wanting to use personal devices? I assume you would offer work devices in that scenario and essentially deal with a combination of the two solutions and all the additional costs and management of that?

They are happy to use their own machines, however we also have a stack of new laptops they can have.

It's looking like option 1 I think.

Hellsmk2 · 16 May 2021 at 15:23

Robert T. said:
Ancient battle - convenience vs cost.

1 is more costly in setup time, spend and user convenience. But has a secure dedicated hardware and software, which is good.
2 is simplier, but less secure. Also lack of VPN encryption end-to-end. Cheaper cause you dont have to use work laptop.

RDS GW is not less secure in any way, if anything, it's far more secure as the users end device does not need to be included on the inside network.

To answer the question, any decent remote working solution will have a mixture of connectivity options.

For a VDI/ RDSH I would always, always opt for a rdgw (or whatever user access gateway forms part of the solution... Vmware, Ms, or citrix). They are purpose built for the role, usually act as a proxy so only 443 encrypted traffic is accessible externally, integrate exceptionally well with proper load-balancers (f5, netscaler, etc), are all compatible with MFA and other perimeter network security devices, and usually far simpler to set up and maintain, and don't potentially give your average Joe user more access to other internal resources than necessary. Also, less moving parts to troubleshoot from an operational perspective.

For the end user, they're infinitely more simple. Browse to a url, authenticate, use desktop.

For VPN connectivity, I'd say it should only be given to end users in very specific situations; usually for upper management because ceo/cfo/cto believe vdi is beneath them, or devs & IT as it makes sense for them to have wider access. For Bob from admin... No, never. It's not the 00s anymore.

teaboy5 · 16 May 2021 at 20:31

Whats the workstations that they need to RDP onto that can't be done on the actual work laptops and a vpn?

glenimp617 · 19 May 2021 at 20:45

teaboy5 said:
Whats the workstations that they need to RDP onto that can't be done on the actual work laptops and a vpn?

Development and SQL access

We don't want to open up any more ports on the VPN

xPETEZx · 9 Jun 2021 at 11:12

Hellsmk2 said:
RDS GW is not less secure in any way, if anything, it's far more secure as the users end device does not need to be included on the inside network.

To answer the question, any decent remote working solution will have a mixture of connectivity options.

For a VDI/ RDSH I would always, always opt for a rdgw (or whatever user access gateway forms part of the solution... Vmware, Ms, or citrix). They are purpose built for the role, usually act as a proxy so only 443 encrypted traffic is accessible externally, integrate exceptionally well with proper load-balancers (f5, netscaler, etc), are all compatible with MFA and other perimeter network security devices, and usually far simpler to set up and maintain, and don't potentially give your average Joe user more access to other internal resources than necessary. Also, less moving parts to troubleshoot from an operational perspective.

For the end user, they're infinitely more simple. Browse to a url, authenticate, use desktop.

For VPN connectivity, I'd say it should only be given to end users in very specific situations; usually for upper management because ceo/cfo/cto believe vdi is beneath them, or devs & IT as it makes sense for them to have wider access. For Bob from admin... No, never. It's not the 00s anymore.

Couldn't agree more with this. Been using RDS for years, and not had any issues. Simple to use for the end users.

LoL at the people saying "shouldn't trust MS with security"...while most likely making that post from a Windows 10 machine... , as with almost anything... properly configured Microsoft solutions can be as insecure or secure as you want them to be.

Caged · 9 Jun 2021 at 11:25

VPN should be avoided wherever possible, there's so many better options now.

My preference would be to deploy RDS Gateway with Azure Application Proxy
Publish Remote Desktop with Azure Active Directory Application Proxy | Microsoft Docs

Also; is this 2004? People posting 'M$' without irony? How confident are you that your VPN appliance vendor doesn't have any security issues?