RDS GW+RDP vs VPN RDP

glenimp617 · 11 May 2021 at 14:58

Hi Everyone,

I'll try and not over complicate this, but may be tricky lol

We have a group of users at work who require access to their works desktops from home. My IT engineer wants to go with option 2, but two security consultancy firms and an MSP say option 1.

Option 1

Works laptops installed with a VPN. User given a VPN login which only allows RDP port to their works desktop. No other ports are allowed. The remote desktop has its local firewall configured to only allow RDP for that specific user on an IP address coming from the VPN connection. The works laptops have a policy to disable RDP drives and clipboards.

Option 2

Users login to the public RDS gateway service using personal devices. The RDS sessions have an RDP shortcut to their desktop machine. They are basically using RDS as a way to leap frog through the network to their machines. RDS sessions have drives and clipboards disabled. The remote desktops as above are locked down to that user, with a group of IPs for the RDS servers.

Both options have MFA enabled.

glenimp617 · 12 May 2021 at 08:29

Thanks guys,

There's no issue about time/costs etc etc. It's just whatever is most secure. My opinion was that it was option 1, but I'm being told it's a massive security risk and option 2 is best (despite literally everyone else telling me the opposite).

Always good to get a second (third/fourth) opinion.

I just don't understand why he thinks this.

glenimp617 · 12 May 2021 at 19:13

visibleman said:
That removes control of that portion of the "chain" but it wouldn't make RDS/option 2 inherently less secure than the first option would it?

I've yet to experience a rolling out of BYOD that has been successful and not a complete and utter cluster that ended up being more problematic than simply handing out work devices. So personally i wouldn't opt for it. But i'm sure it does work, plus off-site work devices has it's own challenges.

@TheOracle - With option 2, has the IT Engineer discussed the plan around employees not having or not wanting to use personal devices? I assume you would offer work devices in that scenario and essentially deal with a combination of the two solutions and all the additional costs and management of that?

They are happy to use their own machines, however we also have a stack of new laptops they can have.

It's looking like option 1 I think.

glenimp617 · 19 May 2021 at 20:45

teaboy5 said:
Whats the workstations that they need to RDP onto that can't be done on the actual work laptops and a vpn?

Development and SQL access

We don't want to open up any more ports on the VPN