Internal RDP vs Self-Hosted RustDesk
Hi everyone, I am looking for some guidance and real-world experiences around choosing the best approach for remote access in a Windows environment. Right now, we are considering two main options: - Continue using Microsoft Remote Desktop Protocol (RDP), but strictly for internal use only (no direct exposure to the public internet). - Deploy a self-hosted instance of RustDesk as an alternative or complement to RDP for remote access and remote support. Our main concern is security. RDP has historically been a common attack vector, especially when exposed externally or misconfigured, and we want to avoid introducing unnecessary risk to our endpoints. Even if we restrict RDP to internal networks or VPN-only access, we are still cautious about potential vulnerabilities, credential theft, lateral movement, and abuse of remote access. What we are trying to understand better is: 1. In environments where RDP is used only inside the LAN or over VPN (no open RDP from the internet), what are the recommended hardening practices and controls you would consider mandatory today? Examples might include: Network Level Authentication (NLA), strong account policies, just-in-time access, firewall restrictions, RDP Gateway, MFA, monitoring/logging, etc. 2. From a security and operational perspective, is it generally considered acceptable to keep RDP enabled only for internal administrative tasks, while avoiding using RDP for end-user remote support scenarios? 3. For those who have deployed self-hosted RustDesk (or similar remote support tools) in a Windows/Active Directory environment, how has it compared to RDP in terms of: - Security model (encryption, authentication, access control, exposure to the internet) - Ease of deployment and maintenance - User experience and performance - Logging, auditing, and integration with existing security monitoring 4. Are there any best practices or architectural patterns you would recommend when combining these approaches? For example: - Keeping RDP only on jump servers / bastion hosts inside the network - Using RustDesk (self-hosted) for remote support and helpdesk use cases - Enforcing least privilege, MFA, and strong authentication for all remote access paths - Segmentation and limiting which machines are even allowed to receive RDP connections 5. Have you encountered any specific security pitfalls, misconfigurations, or "gotchas" when relying on RDP internally or when rolling out RustDesk self-hosted that we should be aware of before committing to a design? Our goal is to design a remote access strategy that: - Minimizes attack surface and reduces the likelihood of compromise via remote access. - Separates administrative access from end-user remote support where it makes sense. - Remains manageable for a small IT/security team in terms of configuration, patching, and monitoring. If you have any references to Microsoft documentation, hardening guides, or community best practices for RDP (especially internal-only scenarios), as well as any detailed write-ups or lessons learned from using RustDesk self-hosted in production, those would be extremely helpful. Thank you in advance for any guidance, recommendations, or examples you can share. Best regards, JuanMy father has a Windows 11 S, how do I get out of it?
Here I gave my Epson ET2750 print to my father who is 75 years old. And there it's impossible to install the drivers because it tells me that I'm on Windows mode S and that I can only install applications from Microsoft Store?? So Windows I dropped to 7 when I switched to macOS! But suddenly it's impossible to install a driver for the printer and the generic prints anything! Do you know how to solve this problem please?Microsoft finally admits almost all major Windows 11 core features are broken
A major new Windows 11 update has introduced widespread stability issues affecting core system functionality. Many users, including myself, are now experiencing frequent and disruptive problems like File Explorer crashes, slow performance, taskbar glitches, and Bluetooth failures, which together make the operating system frustratingly unreliable for daily use.
How to disable Microsoft Defender sign-in prompt.
We're using the default Microsoft Defender in Win 11 Pro on workstations on a domain network. On this network, access to things like OneDrive are just flat out not allowed for security reasons. User's can log in to things like the MS Store, Google accounts, etc. Every time a user logs on using their domain credentials they get a popup from the Microsoft Defender icon in the systray informing them they need to sign in for "best protection". Since they're not permitted to use "any" remote sites for things like data storage there is no need for them to sign in to "ANYTHING" remote. Presently the buttons present on the popup are "Sign In" and "Dismiss". Per a GPO setup they flat out can't sign in even if they tried. But is there a way in GPO to completely eliminate this popup appearing? I've looked in GPO settings for Defender for both computer and user, but there's nothing that jumps out at me to indicate I can do this without totally and completely disabling Microsoft Defender entirely. TIA. - Carl
