My company is about to shift a large workload to a vendor that uses an RD Gateway hosted at Amazon to serve access to the front-end application. It’s open to the internet at 443. There’s no MFA. How worried should I be?
It’s pretty bad. You are going to be vulnerable to password spraying at the very least and a phishing email or credential leak, both incredibly common, will result in a bad day.
You need MFA and preferably FIDO based MFA with conditional access.
From what I understand, Remote Desktop Gateway acts as a proxy to route Remote Desktop connections inside a VPC. So authentication will be delegated to the Windows machines, which appears to be outside the scope of Remote Desktop Gateway. I haven’t set up Windows on EC2, maybe there’s a way to tie authentication to AWS Identity Center to get some form of 2FA or SSO?
The deployment guide mentions that you can use Network ACLs to limit access to the gateway to certain IP ranges, so here’s that.
Yeah, I hate it. I’d want some sort of SAML SSO auth in front of the actual RDS Gateway to allow you to use whatever identity provider and MFA you already have.
You really don’t want to allow all manner of auth attempts able to be made against your actual workload servers, which is what it sounds like you are describing.
Is there no conditional access for the rds portal?
Time for a CYA email to your manager, project manager, and legal voicing your concerns about the lack of security for an rds Gateway and lack of best practices.
Wide open to the internet.