KingSlareXIV ,

Yeah, I hate it. I’d want some sort of SAML SSO auth in front of the actual RDS Gateway to allow you to use whatever identity provider and MFA you already have.

You really don’t want to allow all manner of auth attempts able to be made against your actual workload servers, which is what it sounds like you are describing.

BlackEco ,
@BlackEco@lemmy.blackeco.com avatar

From what I understand, Remote Desktop Gateway acts as a proxy to route Remote Desktop connections inside a VPC. So authentication will be delegated to the Windows machines, which appears to be outside the scope of Remote Desktop Gateway. I haven’t set up Windows on EC2, maybe there’s a way to tie authentication to AWS Identity Center to get some form of 2FA or SSO?

The deployment guide mentions that you can use Network ACLs to limit access to the gateway to certain IP ranges, so here’s that.

xylogx ,

It’s pretty bad. You are going to be vulnerable to password spraying at the very least and a phishing email or credential leak, both incredibly common, will result in a bad day.

You need MFA and preferably FIDO based MFA with conditional access.

wmassingham ,

Secure enough for what?

YourHuckleberry OP ,

Hosting critical proprietary data.

SheeEttin ,

On its own, sure. Unlike straight RDP, RD Gateway is meant to be exposed to the Internet.

slazer2au ,

Is there no conditional access for the rds portal?

Time for a CYA email to your manager, project manager, and legal voicing your concerns about the lack of security for an rds Gateway and lack of best practices.

YourHuckleberry OP ,

Wide open to the internet.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • random
  • [email protected]
  • All magazines
    •