For remote work, is access via secure channels (VPN, ZTNA, or modern SaaS with MFA) — not RDP exposed to the internet?
Description
What this control does
This control requires that remote access to organizational systems be secured through approved channels such as Virtual Private Networks (VPNs), Zero Trust Network Access (ZTNA) solutions, or authenticated SaaS applications with multi-factor authentication. It specifically prohibits direct exposure of Remote Desktop Protocol (RDP) or similar remote administration protocols to the public internet without intermediate security controls. Direct RDP exposure is a common attack vector exploited through credential stuffing, brute force attacks, and exploitation of protocol vulnerabilities, making it one of the highest-risk remote access configurations.
Control objective
What auditing this proves
Demonstrate that all remote access pathways employ secure, authenticated tunnels or zero-trust architectures, and that high-risk protocols like RDP are not directly accessible from the internet without protective intermediation.
Associated risks
Risks this control addresses
- Unauthorized access through brute-force attacks against exposed RDP services with weak or default credentials
- Exploitation of known RDP protocol vulnerabilities (e.g., BlueKeep, DejaBlue) by external attackers scanning public IP ranges
- Credential stuffing attacks using compromised username/password pairs from third-party breaches against internet-facing authentication surfaces
- Man-in-the-middle attacks intercepting unencrypted or weakly encrypted remote sessions
- Lateral movement by attackers who gain initial access through unsecured remote entry points
- Ransomware deployment via compromised remote access channels that lack monitoring or segmentation
- Data exfiltration through persistent remote access established by threat actors exploiting exposed services
Testing procedure
How an auditor verifies this control
- Obtain a current network diagram identifying all remote access pathways, including VPN gateways, ZTNA controllers, cloud access security brokers, and SaaS applications used for remote work.
- Request firewall ruleset exports and network access control lists covering internet-facing zones and perimeter devices.
- Perform external port scanning from an internet-originating IP address against the organization's public IP ranges to identify exposed services on common remote access ports (TCP 3389 for RDP, TCP 22 for SSH, TCP 5900 for VNC).
- Review authentication logs for VPN, ZTNA, and SaaS applications to verify multi-factor authentication enforcement for a sample of 15-20 remote access sessions from the past 30 days.
- Examine configuration exports from VPN concentrators and ZTNA platforms to confirm encryption standards (minimum TLS 1.2 or IPsec with AES-256) and certificate validation requirements.
- Interview IT operations staff to identify any sanctioned exceptions for direct protocol exposure and review associated risk acceptance documentation and compensating controls.
- Cross-reference external vulnerability scan reports or penetration test findings from the past 12 months to identify any documented instances of exposed remote administration protocols.
- Validate that endpoint device policies require use of approved remote access clients and prohibit configuration of direct RDP listeners accessible without VPN or ZTNA intermediation.
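The following Python script is an added example, not part of the control text above, showing how the firewall ruleset review and the MFA log sample from the testing procedure can be carried out mechanically. It parses a constructed firewall export and constructed VPN/ZTNA authentication log lines; both formats, the column and field names, and the rule names are assumptions for this example, and a real vendor export would need its own parser. It flags allow rules that let TCP reach RDP, SSH or VNC from a non-internal source (setting aside any rule named as a sanctioned exception so its risk acceptance can be checked) and lists sampled successful sessions that were authenticated with a single factor.

```python
"""Added example (not the page's or any vendor's code): two checks from the
testing procedure. (1) Review a firewall ruleset export for rules exposing RDP,
SSH or VNC directly to the internet. (2) Review a sample of VPN/ZTNA
authentication log lines for MFA enforcement. The CSV and log formats below
are assumed for this example; real exports differ per vendor."""
import csv
import io
import ipaddress
import re

# Remote administration ports named in the testing procedure.
HIGH_RISK_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC"}

# Sources considered "inside" (RFC 1918). Any source network not fully contained
# in one of these is treated as reachable from the internet, including 0.0.0.0/0.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall ruleset export (assumed CSV layout, not a vendor format).
# Addresses are taken from the RFC 5737 documentation ranges.
FIREWALL_EXPORT = """\
name,action,src,dst,proto,dport,zone
allow-vpn-ipsec,allow,0.0.0.0/0,203.0.113.10,udp,4500,internet
allow-https,allow,0.0.0.0/0,203.0.113.20,tcp,443,internet
legacy-rdp,allow,0.0.0.0/0,203.0.113.30,tcp,3389,internet
vendor-ssh,allow,198.51.100.0/24,203.0.113.40,tcp,22,internet
rdp-from-vpn-pool,allow,10.8.0.0/16,10.0.0.0/8,tcp,3389,internal
deny-default,deny,0.0.0.0/0,0.0.0.0/0,any,any,internet
"""

# Constructed VPN/ZTNA authentication log lines (assumed key=value format).
AUTH_LOG = """\
2024-05-02T08:14:21Z vpn-gw01 user=alice src=198.51.100.23 factors=password+totp result=success
2024-05-02T08:20:05Z vpn-gw01 user=bob src=198.51.100.77 factors=password result=success
2024-05-02T09:01:44Z ztna-ctrl user=carol src=203.0.113.5 factors=cert+push result=success
2024-05-02T09:30:10Z vpn-gw01 user=dave src=198.51.100.90 factors=password result=failure
2024-05-02T10:05:37Z ztna-ctrl user=erin src=203.0.113.8 factors=password+push result=success
"""


def is_internet_source(cidr):
    """True unless the source network lies entirely inside an internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETWORKS)


def exposed_remote_admin_rules(export_text, sanctioned_exceptions=()):
    """Return (findings, exceptions): allow rules that let TCP reach a high-risk
    remote admin port from an internet source. Rules whose name appears in
    sanctioned_exceptions are returned separately so the auditor checks their
    risk acceptance and compensating controls instead of flagging them outright."""
    findings, exceptions = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["action"] != "allow" or row["proto"] not in ("tcp", "any"):
            continue
        # A rule for "any" destination port exposes every high-risk port at once.
        ports = (set(HIGH_RISK_PORTS) if row["dport"] == "any"
                 else {int(row["dport"])} & set(HIGH_RISK_PORTS))
        if not ports or not is_internet_source(row["src"]):
            continue
        hit = {"rule": row["name"], "src": row["src"], "dst": row["dst"],
               "services": sorted(HIGH_RISK_PORTS[p] for p in ports)}
        (exceptions if row["name"] in sanctioned_exceptions else findings).append(hit)
    return findings, exceptions


LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"factors=(?P<factors>\S+) result=(?P<result>\S+)$")


def mfa_gaps(log_text, sample_size=20):
    """Take the most recent `sample_size` successful sessions and return those
    authenticated with fewer than two distinct factors. Failed attempts are not
    sessions and are excluded from the sample."""
    sessions = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m["result"] == "success":
            sessions.append(m.groupdict())
    sample = sorted(sessions, key=lambda s: s["ts"])[-sample_size:]
    return [s for s in sample if len(set(s["factors"].split("+"))) < 2]


if __name__ == "__main__":
    findings, exceptions = exposed_remote_admin_rules(
        FIREWALL_EXPORT, sanctioned_exceptions={"vendor-ssh"})
    for f in findings:
        print("EXPOSED:", f)
    for e in exceptions:
        print("EXCEPTION (verify risk acceptance):", e)
    for s in mfa_gaps(AUTH_LOG):
        print("NO MFA:", s["user"], s["ts"])
```

With the constructed data the rule check reports legacy-rdp as a finding (RDP open from 0.0.0.0/0) and vendor-ssh as a sanctioned exception to be matched against risk acceptance documentation, while rdp-from-vpn-pool is accepted because its source is the internal VPN pool; the log check reports bob's session as the one in the sample without a second factor. The containment test deliberately does not rely on the library's notion of "private" addresses, since documentation and test ranges would otherwise be misclassified as internal.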