I recently had a client get denied Cybersecurity Insurance due to their RDS Gateway being exposed to the internet (this is RDS Gateway on port 443/3391, not Remote Desktop port 3389). Their claim was that "Current threat actor activity on the internet is focusing on targeting this technology to deploy ransomware and other malware." We had GeoIP filtering restricting access to USA only, MFA, and a brute-force detection/IP blocking software installed. Their only solution was to put it behind a VPN or disable it altogether. We're currently pressing them to find out if that's also required for Citrix NetScaler or VMware Horizon since they're exposed to the internet as well and can have (and have had) vulnerabilities.
I have not heard of any "threat actor activity" actively exploiting RDS Gateway and am wondering if the new standard is not exposing it to the internet and I missed that? Is everyone else putting it behind a VPN and praying for no or low vulnerabilities on that?
I agree - VPN is being phased out by many organizations. Attacks do come from remote users over the IPsec tunnel - I have seen that happen to companies we have assisted.
Anyhow, SASE is good for securing RDP. Azure App Proxy and TruGrid SecureRDP are two good products for securing RD Gateway.
@ITProJeff Could CVE-2020-610 be what they were thinking about? "A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's RD Gateway via RDP. The update addresses the vulnerability by correcting how RD Gateway handles connection requests."
@ITProJeff Could CVE-2020-610 be what they were thinking about?
CVE-2020-610 was mitigated with routine monthly patches in Jan 2020. If the single vulnerability were the target of concern, I would think the finding would have been "failure to promptly apply patches", not "we hate RDP gateway".