Question RDP with 2FA or VPN

JD001

Junior Member
Jan 21, 2020
Hi Guys,

I just joined the group. Looking for some clarifications and confirmations with respect to connecting to the office from home via Microsoft RDP. I have read a few forum posts and blogs and secured RDP. However, I still don't have a VPN. These are the steps I have taken to secure the RDP connection; I am wondering if these are enough or whether a VPN is still absolutely necessary.

1) Enabled NLA.
2) Created a long, complex password and am logging in with a Standard account profile.
3) Enabled 3 password attempts, then lock PC for 30 minutes.
4) Changed the default RDP port number.
5) Since I have a static IP address at home, I added it to the scope in Windows Firewall to only connect from that IP (I checked from a different PC with a different IP address and it wasn't connected).
6) Changed the group policy and under RDP connection changed to High, SSL, and removed the Administrators group etc.
7) Added Duo 2FA to the RDP connection.

Doing all this, do I still need to have a VPN? The reason I am avoiding a VPN is that in another case, when I am using a VPN, it slows things down a lot.

Thanks for your feedback.
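
The following is an added example, not part of the original post: a read-only PowerShell audit that confirms steps 1, 4, 5 and 6 of the list above actually took effect on the PC that accepts RDP. The helper names `Get-RdpSetting` and `New-Result` are hypothetical; the script assumes an English-language Windows install (for the group name) and an elevated prompt.

```powershell
# Added example: read-only audit of RDP hardening on the PC that accepts RDP.
# Run from an elevated PowerShell prompt. Nothing here changes configuration.
$local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpSetting([string]$Name) {
    # A Group Policy value, when present, takes precedence over the local one.
    foreach ($key in $policy, $local) {
        $v = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return $v }
    }
}

function New-Result($Check, $Value, [bool]$Ok) {
    [pscustomobject]@{ Check = $Check; Value = $Value; Ok = $Ok }
}

$nla   = Get-RdpSetting 'UserAuthentication'   # 1 = NLA required
$layer = Get-RdpSetting 'SecurityLayer'        # 0 = RDP, 1 = Negotiate, 2 = SSL (TLS)
$enc   = Get-RdpSetting 'MinEncryptionLevel'   # 3 = High, 4 = FIPS
$port  = Get-RdpSetting 'PortNumber'           # 3389 is the default

$results = @()
$results += New-Result 'Step 1: NLA required'          $nla   ($nla -eq 1)
$results += New-Result 'Step 6: security layer is SSL' $layer ($layer -eq 2)
$results += New-Result 'Step 6: encryption level High' $enc   ($enc -ge 3)
$results += New-Result 'Step 4: non-default port'      $port  ($port -and $port -ne 3389)

# Step 5: every enabled inbound allow rule that names the RDP port must be
# scoped to specific remote addresses. Rules written as port ranges or with
# LocalPort "Any" are not matched here and need a manual look.
$rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port" }
if (-not $rules) {
    $results += New-Result "Step 5: allow rule for port $port" 'none found, check manually' $false
}
foreach ($r in $rules) {
    $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    $results += New-Result "Step 5: scope of '$($r.DisplayName)'" ($remote -join ', ') ($remote -notcontains 'Any')
}

$results | Format-Table -AutoSize -Wrap

# Accounts allowed to log on over RDP through the built-in group.
Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object Name, ObjectClass
```

Any row with `Ok` set to False points at a setting that differs from what the list describes; the lockout policy (step 3) and the Duo installation (step 7) are not covered by this script.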
 

SamirD

Golden Member
Jun 12, 2019
You've locked it down pretty solidly, but there should be an easy way to VPN into your office if it is using an enterprise or even SMB router that allows l2p VPN tunnels. Then you simply connect the tunnel and have access not only to the system you want, but the entire network if you need to.
 

JD001

Thanks SamirD, our office is very small and we don't have that type of hardware. Also, I need to connect to only one PC and don't need access to the entire network. I am thinking it should provide me enough security without implementing a VPN solution. Currently, I am getting very good speed and don't feel any lag.

Thanks
 

SamirD

I think you should be in good shape then with the type of security you have put into place--multiple layers and overlapping. If you want to secure it even more, you could get a cheap Windows Embedded thin client for $30, enable the RDP server on it, and only allow the real system to RDP from that thin client on the local network. I use something similar, not for security reasons, but just to make it easier to make a single RDP connection and have access to all my RDP systems at once.