Forum Discussion
Internal RDP vs Self-Hosted RustDesk
Hi everyone,
I am looking for some guidance and real-world experiences around choosing the best approach for remote access in a Windows environment.
Right now, we are considering two main options:
- Continue using Microsoft Remote Desktop Protocol (RDP), but strictly for internal use only (no direct exposure to the public internet).
- Deploy a self-hosted instance of RustDesk as an alternative or complement to RDP for remote access and remote support.
Our main concern is security. RDP has historically been a common attack vector, especially when exposed externally or misconfigured, and we want to avoid introducing unnecessary risk to our endpoints. Even if we restrict RDP to internal networks or VPN-only access, we are still cautious about potential vulnerabilities, credential theft, lateral movement, and abuse of remote access.
What we are trying to understand better is:
1. In environments where RDP is used only inside the LAN or over VPN (no open RDP from the internet), what are the recommended hardening practices and controls you would consider mandatory today? Examples might include: Network Level Authentication (NLA), strong account policies, just-in-time access, firewall restrictions, RDP Gateway, MFA, monitoring/logging, etc.
2. From a security and operational perspective, is it generally considered acceptable to keep RDP enabled only for internal administrative tasks, while avoiding using RDP for end-user remote support scenarios?
3. For those who have deployed self-hosted RustDesk (or similar remote support tools) in a Windows/Active Directory environment, how has it compared to RDP in terms of:
- Security model (encryption, authentication, access control, exposure to the internet)
- Ease of deployment and maintenance
- User experience and performance
- Logging, auditing, and integration with existing security monitoring
4. Are there any best practices or architectural patterns you would recommend when combining these approaches? For example:
- Keeping RDP only on jump servers / bastion hosts inside the network
- Using RustDesk (self-hosted) for remote support and helpdesk use cases
- Enforcing least privilege, MFA, and strong authentication for all remote access paths
- Segmentation and limiting which machines are even allowed to receive RDP connections
5. Have you encountered any specific security pitfalls, misconfigurations, or "gotchas" when relying on RDP internally or when rolling out RustDesk self-hosted that we should be aware of before committing to a design?
Our goal is to design a remote access strategy that:
- Minimizes attack surface and reduces the likelihood of compromise via remote access.
- Separates administrative access from end-user remote support where it makes sense.
- Remains manageable for a small IT/security team in terms of configuration, patching, and monitoring.
If you have any references to Microsoft documentation, hardening guides, or community best practices for RDP (especially internal-only scenarios), as well as any detailed write-ups or lessons learned from using RustDesk self-hosted in production, those would be extremely helpful.
Thank you in advance for any guidance, recommendations, or examples you can share.
Best regards,
Juan
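An added example, not part of Juan's post or any vendor's own tooling, that turns the question-1 controls (NLA, encryption level, firewall scope, group membership, logging) into a read-only audit a small team can run on each internal RDP host. The jump-host subnet, the expected registry values and the event-property indices for 4624 are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): read-only audit of an internal-only RDP host.
# Run in an elevated PowerShell on the host being checked. Assumed policy: RDP reachable
# only from the jump-host range below, NLA required, TLS security layer, High encryption.
$JumpHostSubnet = '10.10.50.0/24'   # placeholder: your bastion / jump-server range

$findings = [System.Collections.Generic.List[string]]::new()
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means disabled (the right state for most endpoints).
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 1) { Write-Host 'RDP is disabled on this host; nothing further to audit.'; return }

# 2. Network Level Authentication, security layer and minimum encryption level.
$cfg = Get-ItemProperty -Path $rdpTcp
if ($cfg.UserAuthentication -ne 1) { $findings.Add('NLA (UserAuthentication) is not enforced') }
if ($cfg.SecurityLayer -ne 2)      { $findings.Add("SecurityLayer is $($cfg.SecurityLayer); expected 2 (TLS)") }
if ($cfg.MinEncryptionLevel -lt 3) { $findings.Add("MinEncryptionLevel is $($cfg.MinEncryptionLevel); expected 3 (High) or 4 (FIPS)") }

# 3. Firewall scope: enabled inbound Remote Desktop rules must not accept connections from 'Any'.
#    The scope is printed so it can be compared with the jump-host range by eye.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True | ForEach-Object {
    $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings.Add("Firewall rule '$($_.DisplayName)' allows RDP from any address")
    } else {
        Write-Host "Rule '$($_.DisplayName)' scope: $($remote -join ', ') (expected: $JumpHostSubnet)"
    }
}

# 4. Who may log on via RDP? Flag broad groups that defeat least privilege.
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
  Where-Object { $_.Name -match 'Domain Users|Everyone|Authenticated Users' } |
  ForEach-Object { $findings.Add("Overly broad RDP group member: $($_.Name)") }

# 5. Monitoring evidence: successful RDP logons (event 4624, LogonType 10) in the last 7 days.
#    Property indices assumed from the standard 4624 layout: 5 = TargetUserName, 8 = LogonType, 18 = IpAddress.
$since = (Get-Date).AddDays(-7)
$rdpLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
  Where-Object { $_.Properties[8].Value -eq 10 } |
  ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; User = $_.Properties[5].Value; Source = $_.Properties[18].Value } }

if ($findings.Count -eq 0) { Write-Host 'No hardening findings.' -ForegroundColor Green }
else { $findings | ForEach-Object { Write-Warning $_ } }
Write-Host "RDP logons (type 10) since $($since): $($rdpLogons.Count)"
$rdpLogons | Sort-Object Time -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

Ship the type-10 logon list to the SIEM rather than reading it by hand; a source address outside the jump-host range is the finding that matters most for the internal-only design.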