With discussions on preparations for the coronavirus, and possibly more people working from home, the discussions at my office have turned to users connecting back to the network. This would concern mostly the non-typical remote-access employee accessing the network. Normally we use VPN for a corporate-vetted asset, as we are sure it has things like updated anti-virus. We sometimes use RDP for users who need to connect but do not have a dedicated corporate asset. The conversation turned to which is more secure? With the VPN solution the device is on the network. This means that any virus, trojan, nasty, etc. that may be on the user's device is there too, and the device has access to whatever is in the access-list for that profile. In the case of RDP it is just a window to a server; the user works in that window and nothing from the remote device can cross into that window. Items and documents can be transferred, but that would be more through a cut and paste, or maybe a copy, as opposed to a straight open connection such as VPN. At least that is the stance of the RDP camp.
Since I am not a security expert, I figured I would ask the community and see what the thoughts are. There are possible logistical questions, such as getting the VPN client onto a remote device, that do not exist when using the RDP client built into Windows. But logistical questions are separate from the security side of things. I have started doing the research to see what I can find and figured I would ask here as part of that. White papers? Existing research?
Why not combine the two into an even more secure setup?
Put an RDP server (or servers) into a DMZ and require users to access it via VPN, with the VPN allowing access only to the RDP server(s). Make sure the servers have anti-malware and DNS security, like AMP for Endpoints and Umbrella.
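As an added example, not code from the answer above or from either poster: the two VPN profiles the thread contrasts, modelled as access-list rules and rendered as an nftables forward chain. The "full access" profile is the one the question worries about (a VPN client can reach the whole internal range); the "RDP only" profile is the one the answer recommends (the VPN carries nothing but tcp/3389 to the DMZ hosts). The VPN pool, DMZ addresses and internal range are constructed for the example and are not from the thread.

```python
"""Added example (not from the original thread): model the two VPN
access-list profiles and emit an nftables ruleset for the restrictive one.
All addresses below are constructed for the example; substitute your own
VPN client pool, DMZ RDP hosts and internal ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR the VPN client pool lives in
    dst: str             # CIDR the rule grants access to
    proto: str           # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port


def allowed(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> bool:
    """First-match evaluation with an implicit default deny, which is how a
    firewall forward chain with `policy drop` behaves."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return True
    return False


VPN_POOL = "10.200.0.0/24"                 # assumed pool handed to VPN clients
RDP_HOSTS = ["192.0.2.10", "192.0.2.11"]   # assumed RDP servers in the DMZ

# The "device is on the network" profile from the question: the VPN client
# can reach anything on the (assumed) corporate range, so whatever is on the
# client can talk to file servers, AD, printers and so on directly.
FULL_ACCESS = [Rule(VPN_POOL, "10.0.0.0/8", "any", None)]

# The answer's profile: the tunnel only carries RDP to the DMZ hosts.
RDP_ONLY = [Rule(VPN_POOL, f"{h}/32", "tcp", 3389) for h in RDP_HOSTS]


def to_nftables(rules: List[Rule], table: str = "vpn_dmz") -> str:
    """Render the rule list as an nftables forward chain with default drop.
    The output is plain nft syntax and can be loaded with `nft -f`."""
    lines = [
        f"table inet {table} {{",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in rules:
        match = f"ip saddr {r.src} ip daddr {r.dst}"
        if r.dport is not None:
            match += f" {r.proto} dport {r.dport}"
        elif r.proto != "any":
            match += f" ip protocol {r.proto}"
        lines.append(f"    {match} accept")
    # Log what the VPN pool tried and was refused; useful evidence when a
    # client turns out to be compromised.
    lines.append(f'    ip saddr {rules[0].src} log prefix "vpn-denied " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_nftables(RDP_ONLY))
```

Two caveats a practitioner would add. Newer RDP clients also use udp/3389 for a smoother session; if you want that, add a `udp` rule for the same hosts rather than widening the destination. And the firewall only limits what the VPN client can reach on the network; clipboard, drive and printer redirection inside the RDP session (the "cut and paste" path the question mentions) is a separate control on the RDP server, not something this ruleset addresses.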