How secure is Remote Desktop Gateway?

Mathew Curr 96 Reputation points
2021-07-30T09:33:02.243+00:00

Just wondering how secure it would be from Brute Force attacks.

Is my Remote Desktop Session host more secure behind a VPN, Gateway or MFA?


2 answers

  1. Andy YOU 3,076 Reputation points
    2021-08-02T03:43:43.22+00:00

    Hi

    Is my Remote Desktop Session host more secure behind a VPN, Gateway or MFA?
    Since some end users work from home, when they dial in to the VPN successfully, once the user's computer is attacked by a hacker, the threat will beep the company's internal computers. I think the Remote Desktop Session Host is more secure behind RD Gateway with MFA. We can refer to the documents below.

    Integrate your Remote Desktop Gateway infrastructure using the Network Policy Server (NPS) extension and Azure AD
    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg

    How to secure the RD Gateway with Multi Factor Authentication
    https://askme4tech.com/how-secure-rd-gateway-multi-factor-authentication
    Please Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice.


  2. RDS Admin 1 Reputation point
    2022-12-05T16:52:41.573+00:00

    Here are a few things to consider to properly secure Remote Desktop Gateway (RD Gateway):

    (1) The RD Gateway setup should include RD Web. RD Web should be secured with an SSL certificate for HTTPS, and a Multifactor Authenticator (MFA) solution.

    While this solution is secure for user logins, it is not immune to brute force attacks. Anyone who knows the IP address of your RD Web (via port scanning for example), can launch a brute force attack against it. Some Cybersecurity Insurance companies are beginning to refuse to insure against RD Web implementations.

    (2) Another option is to put your RD Gateway behind the company VPN. This solution does not necessarily require RD Web, but MFA is still recommended for the VPN.

    While this solution is also secure for user logins, it is not immune to brute force attacks – in this case, against your VPN appliance. In addition, this solution is also prone to malware attacks from your end users' home networks over the VPN connection. A ransomware attack at the home of any of your end users can traverse the VPN link to infect your network.

    (3) One other option that you can consider is a reverse proxy solution. A reverse proxy solution will not require any open firewall port, so that you cannot be brute forced. Your remote users won’t need VPN and therefore cannot transmit ransomware. A good reverse proxy solution should include MFA as well. You can search the internet for “reverse proxy for RD Gateway”. Two examples are Microsoft App Proxy for RDS, and another solution from a company called TruGrid.

    I hope the above helps.

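Both answers note that an internet-facing RD Web or VPN endpoint can still be hit with password guessing, so whichever option is chosen it is worth watching failed logons. The following is an added example, not part of either answer or of any Microsoft tooling: it flags source addresses that exceed a failure threshold inside a sliding window. The CSV layout, the thresholds and the `detect` function name are assumptions; 4625 and 4624 are the Windows Security log IDs for failed and successful logons.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real data: logon events exported to CSV.
# 4625 = failed logon, 4624 = successful logon (Windows Security log).
SAMPLE = """time,event_id,user,source_ip
2021-07-30T09:00:00,4625,administrator,203.0.113.10
2021-07-30T09:00:05,4625,administrator,203.0.113.10
2021-07-30T09:00:09,4625,administrator,203.0.113.10
2021-07-30T09:00:14,4625,administrator,203.0.113.10
2021-07-30T09:00:20,4625,administrator,203.0.113.10
2021-07-30T09:01:00,4625,alice,198.51.100.7
2021-07-30T09:01:30,4625,bob,198.51.100.7
2021-07-30T09:02:00,4625,carol,198.51.100.7
2021-07-30T09:10:00,4625,jsmith,192.0.2.44
2021-07-30T09:40:00,4625,jsmith,192.0.2.44
2021-07-30T09:41:00,4624,jsmith,192.0.2.44
"""

def detect(csv_text, window=timedelta(minutes=5), max_failures=5, max_users=3):
    """Return {source_ip: reason} for sources over a threshold within the window."""
    recent = defaultdict(deque)  # source_ip -> (time, user) failures still in window
    flagged = {}
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["time"])
    for row in rows:
        if row["event_id"] != "4625":  # only failed logons count
            continue
        ip = row["source_ip"]
        now = datetime.fromisoformat(row["time"])
        failures = recent[ip]
        failures.append((now, row["user"].lower()))
        while now - failures[0][0] > window:  # drop failures older than the window
            failures.popleft()
        users = {user for _, user in failures}
        if len(users) >= max_users:
            # One source trying many accounts: password spraying.
            flagged[ip] = "password-spray"
        elif len(failures) >= max_failures and ip not in flagged:
            # One source hammering the same account(s): brute force.
            flagged[ip] = "brute-force"
    return flagged

if __name__ == "__main__":
    for ip, reason in detect(SAMPLE).items():
        print(f"{ip}: {reason}")
```

The two occasional typos from 192.0.2.44 fall outside the window and are not flagged, which is the behaviour to tune for before feeding alerts into lockout or firewall rules.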