There are different ways to secure a Windows system running RDS when accessed over the internet, each with significant drawbacks. We have pioneered a simpler and more secure solution that takes just minutes to install.
Let’s take a closer look at methods for securing RDS. To start with, it is strongly recommended that any computer system that is accessible over the internet be protected. Negligence from completely protecting internet-accessible computers running RDS will certainly expose them to compromise and data theft and / or destruction.
Methods for Securing RDS and Their Drawbacks
When RDS is enabled on a Windows system, it opens TCP port 3389, which is required to accept incoming login from remote users. Although this port can be changed, it is never recommended to directly expose a computer running RDS to the internet. Since there are a variety of ways to attempt to secure RDS, I have used a table below to show common methods and their drawbacks.
Method to Secure Windows RDS
Drawback / Vulnerability
Place behind firewall with default TCP 3389 or changed TCP port allowed from the Internet
a. Placing a Windows system with the RDS port open to the Internet is the equivalent of placing a Windows computer in a public place so that anyone can try to login to it. In fact, it is worse since anyone on the internet can attempt to login
b. Exposing a Windows system running RDS to the internet is this manner exposes it to the possibility of a denial-of-service attack
Place behind firewall and restrict external access to trusted IP addresses
a. It is not a good solution for supporting people working from locations that do not have fixed IP addresses
b. It limits the ability to work from public locations with untrusted, even if fixed IP addresses
c. There is a need to constantly verify that trusted IP addresses can continue to be trusted
d. It is not an effective way to support remote access to several Windows RDS systems in a centralized location due to need to secure one IP address for each Windows system
Place behind firewall and secure with Microsoft RD Web and RDS Gateway. RD Web and RD Gateway are features of RDS for enterprise use
a. Microsoft RD Web and RD Gateway expose access to Windows systems running RDS via a web login page. This login page is not much more secure than exposing each Windows RDS system directly to the internet for random login attempts
b. RD Web and RD Gateway can be subjected to denial-of-service attacks
Integrate third-party Multi-Factor Authentication (MFA) with Microsoft RD Web and RD Gateway
a. Since there are several third-party MFA solutions for Windows RDS, integration can be difficult and multifaceted. Moreover, with malicious intent and adequate preparation and resource, MFAs that rely on SMS messages can be compromised
b. Despite MFA integration, RD Web and RD Gateway can still be subjected to denial-of-service attacks
Integrate corporate VPN with third-party Multi-Factor Authentication (MFA) and Microsoft RD Web and RD Gateway
a. This is an effective but complex solution to implement. It requires integration of products from possibly three vendors (VPN vendor, MFA vendor, and Microsoft)
b. A VPN gateway can be subjected to denial-of-service attacks
The Simplest and Most Secure Way to Secure RDS
TruGrid is the simplest and most effective way to secure a Windows RDS environment for the following reasons:
- TruGrid does not require firewall ports to be opened on networks with Windows RDS systems. This way, nothing is directly exposed to the internet and nobody knows that your Windows RDS systems exist.
- TruGrid does not need Microsoft RD Web or RD Gateway. It does not require any third-party VPN or MFA solutions.
- TruGrid is automatically integrated into your on-premises Active Directory without the need to replicate your Active Directory to the cloud.
- TruGrid creates a cloud protective layer with integrated MFA. The TruGrid cloud is protected from denial-of-service attacks. The TruGrid MFA does not send passwords until MFA is validated – thereby reducing the ability for passwords to be compromised.
- TruGrid can be added to any Windows RDS network in under 15 minutes.
- TruGrid can link Windows RDS systems in multiple data centers for effortless business continuity.
Here is an architectural overview of TruGrid: https://info.trugrid.com/security
Ready to test it our for yourself? We offer a 30 day free trial. Click here to get started now.