I know that you can limit what published apps a user can see once they log into RDWeb, but I cannot seem to find a good way to prevent unauthorized users from logging into RDWeb if they have valid domain credentials. The idea here being that only users authorized to use the RDWeb and published RDS apps should be able to log into the RDWeb page. Currently, domain users can log in even without having permissions to published apps assigned to them; they just won't see any apps. One would think that a principle of least privilege would dictate that users not even be able to log into the RDWeb portal if there are no apps assigned for them to use? 

The only method of denying users login to the RDWeb portal seems to be denying those users access through the folder permissions for the RDWeb site on the host. Unfortunately, using a deny all setting on a group is very maintenance and effort intensive when the group of end users you want to have access to the site is relatively small, since deny permissions trump allow permissions. Why doesn't the RD Web access role have a permissions assignment in its settings similar to the published applications permissions, where individuals or groups can be assigned?