CYBER ESSENTIALS MYTHCONCEPTION 9: Devices Connecting to Remote Desktop or VDI Services are Not in Scope
This post in our series on Cyber Essentials "Mythconceptions" tackles the myth:
"If I use Remote Desktop Services or VDI environments, then the devices connecting to those services are out-of-scope."
This is not true. Devices connecting to Remote Desktop services, VDI services, or Bastion servers are considered to be devices accessing business services and data, and are in scope.
Since these devices are in scope, all technical controls for in-scope devices apply to them, as with all other mobile devices and laptops.
The reason for this requirement is to protect those remote services from compromised devices, which can become direct conduits into your organisation.
Barrier's "Securely Compliant Tips" for Remotely Connecting Devices
The following tips are offered as inspiration to help you devise a strategy for remotely connecting devices in your organisation for compliance and beyond:
Endpoint agents that confirm or enforce compliance can be installed on remote devices. This is useful for BYOD devices that may need to connect.
Remotely connecting devices can be limited to those under the organisation's control, with remote services configured to reject connections from unauthorised devices.
Consider replacing Remote Desktop Protocol (RDP) with alternative methods of providing connection to organisation data and services.
For any questions, contact IASME: https://iasme.co.uk/contact-us for official Cyber Essentials queries,
or Barrier Networks: https://www.barriernetworks.com/contact-us to schedule a Cyber Essentials assessment or help with anything from the Tips.