How to Secure Remote Access: VPN, RDP, and Zero Trust for SMBs
RDP is a top ransomware entry point. Learn how to secure remote access with VPNs, MFA, and Zero Trust gateways—practical steps for Australian SMBs.
The Problem
Remote Desktop Protocol (RDP) allows employees to access office computers from anywhere—but when exposed directly to the internet, it becomes one of the most exploited entry points for ransomware and unauthorised access.
Attackers continuously scan the internet for systems with port 3389 (the default RDP port) open to the world. When they find one, they launch brute-force attacks against login credentials. Once inside, they have complete control of the machine and, often, the broader network.
This is not a theoretical risk. RDP-based attacks remain one of the most common initial access vectors cited by the Cybersecurity and Infrastructure Security Agency (CISA) and ransomware incident responders globally.
Why This Matters
For Australian businesses, an RDP compromise can result in:
- Ransomware deployment across file servers, backups, and critical systems
- Data exfiltration leading to regulatory obligations under the Notifiable Data Breaches scheme
- Business disruption with recovery timelines measured in weeks, not hours
- Insurance complications, as many cyber policies now explicitly ask whether RDP is exposed
The ACSC’s Essential Eight includes patching and restricting administrative privileges—both directly relevant to securing remote access. Leaving RDP exposed undermines those controls entirely.
What Good Looks Like
A secure remote access configuration meets these criteria:
- No direct RDP exposure: Port 3389 is never open to the public internet
- Authenticated tunnel: All remote access flows through a VPN or Zero Trust gateway
- Multi-factor authentication: Every remote session requires MFA
- Logging and visibility: Remote sessions are logged for audit and incident response
- Patched systems: RDP clients and servers are kept current
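The brute-force pattern described under The Problem, and the logging criterion above, can be tied together in a small detection. The following is an added example (not code from the original article): it walks Windows Security logon events (IDs 4624 and 4625), counts RDP-type failures per source address in a sliding window, and flags a success that follows a burst of failures. The event tuples are constructed; in practice they would come from event logs forwarded to a collector.

```python
# Added example (not from the article): detect password guessing against RDP
# from Windows Security events and flag a logon that succeeds right after it.
# The event tuples below are constructed; in production they would come from
# Event IDs 4624/4625 forwarded to a central log collector.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
# 10 = RemoteInteractive. With Network Level Authentication enabled, failed
# RDP attempts are commonly recorded as logon type 3 instead, so both count.
RDP_LOGON_TYPES = {10, 3}
WINDOW = timedelta(minutes=10)
THRESHOLD = 5

# Constructed sample: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2024-05-01 09:00:00", 4625, 3, "administrator", "203.0.113.45"),
    ("2024-05-01 09:00:10", 4625, 3, "admin", "203.0.113.45"),
    ("2024-05-01 09:00:20", 4625, 3, "user", "203.0.113.45"),
    ("2024-05-01 09:00:30", 4625, 3, "jsmith", "203.0.113.45"),
    ("2024-05-01 09:00:40", 4625, 3, "jsmith", "203.0.113.45"),
    ("2024-05-01 09:00:50", 4625, 3, "jsmith", "203.0.113.45"),
    ("2024-05-01 09:01:00", 4624, 10, "jsmith", "203.0.113.45"),
    ("2024-05-01 09:05:00", 4625, 10, "akhan", "10.0.0.5"),    # a single typo from inside
    ("2024-05-01 09:10:00", 4624, 10, "akhan", "10.0.0.5"),
    ("2024-05-01 09:12:00", 4625, 2, "svc-backup", "-"),        # console logon, not RDP
]

Alert = Tuple[str, str, str]  # (kind, source_ip, detail)


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def detect(events, window=WINDOW, threshold=THRESHOLD) -> List[Alert]:
    """Sliding-window count of RDP logon failures per source IP.

    Emits one 'brute_force' alert per source once the threshold is crossed,
    and a 'success_after_failures' alert for any later successful logon
    from a source that was flagged."""
    recent = defaultdict(deque)   # source_ip -> failure timestamps inside the window
    flagged = set()
    alerts: List[Alert] = []
    for ts, event_id, logon_type, account, src in sorted(events, key=lambda e: e[0]):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        now = _parse(ts)
        q = recent[src]
        while q and now - q[0] > window:
            q.popleft()                      # drop failures that aged out
        if event_id == FAILED_LOGON:
            q.append(now)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src,
                               f"{len(q)} failed RDP logons within {window}"))
        elif event_id == SUCCESS_LOGON and src in flagged:
            alerts.append(("success_after_failures", src,
                           f"'{account}' logged on after {len(q)} recent failures"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_EVENTS):
        print(f"{kind:24} {src:16} {detail}")
```

The second alert kind is the one an incident responder cares about most: a burst of failures followed by a success from the same address is the signature of a guessed password, and it only appears if logon events are actually being collected from the RDP hosts.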
How to Implement It
Step 1: Verify Your Current Exposure
Before making changes, confirm whether your organisation currently exposes RDP:
- Log into your firewall or router’s management interface
- Check port forwarding rules for port 3389
- If port 3389 is forwarded to any internal IP address, you have exposed RDP
You can also use external scanning services like Shodan to check your public IP address for open ports.
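For an organisation with more than a handful of rules, checking the export programmatically is less error-prone than reading the web interface. The following is an added example, not code from the article: it parses a constructed CSV export of port-forwarding rules and reports every enabled TCP rule that delivers traffic to an internal port 3389, whatever external port the rule uses. The CSV layout, rule names and addresses are assumptions; adapt the parser to whatever your firewall actually exports.

```python
# Added example (not from the article): audit an exported list of
# port-forwarding rules for anything that reaches an internal RDP listener.
# The CSV layout and the rules themselves are constructed for illustration;
# adapt parse_export() to whatever your firewall actually exports.
import csv
import io
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List

RDP_PORT = 3389


@dataclass(frozen=True)
class ForwardRule:
    name: str
    protocol: str
    external_port: int
    internal_ip: str
    internal_port: int
    enabled: bool


# Constructed sample export. Note 'rdp-hidden': a non-standard external port
# still delivers traffic to 3389 internally, so RDP remains exposed.
SAMPLE_EXPORT = """name,proto,ext_port,int_ip,int_port,enabled
web,tcp,443,192.168.1.10,443,yes
rdp-fs01,tcp,3389,192.168.1.20,3389,yes
rdp-hidden,tcp,33890,192.168.1.21,3389,yes
old-rdp,tcp,3389,192.168.1.22,3389,no
wireguard,udp,51820,192.168.1.1,51820,yes
"""


def parse_export(text: str) -> List[ForwardRule]:
    """Parse the constructed CSV layout into ForwardRule objects."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        ip_address(row["int_ip"])  # raises ValueError on a malformed address
        rules.append(ForwardRule(
            name=row["name"].strip(),
            protocol=row["proto"].strip().lower(),
            external_port=int(row["ext_port"]),
            internal_ip=row["int_ip"].strip(),
            internal_port=int(row["int_port"]),
            enabled=row["enabled"].strip().lower() in ("yes", "true", "1"),
        ))
    return rules


def rdp_exposures(rules: List[ForwardRule]) -> List[ForwardRule]:
    """Return enabled TCP rules whose internal destination port is 3389,
    regardless of which external port they use."""
    return [r for r in rules
            if r.enabled and r.protocol == "tcp" and r.internal_port == RDP_PORT]


def report(rules: List[ForwardRule]) -> List[str]:
    """Human-readable findings, one line per exposure."""
    hits = rdp_exposures(rules)
    if not hits:
        return ["OK: no enabled forwarding rule delivers traffic to port 3389."]
    return [f"EXPOSED: rule '{r.name}' forwards external {r.protocol}/{r.external_port} "
            f"to {r.internal_ip}:{r.internal_port}" for r in hits]


if __name__ == "__main__":
    for line in report(parse_export(SAMPLE_EXPORT)):
        print(line)
```

The check keys on the internal destination port rather than the external one, because moving RDP to a different public port only changes which port the scanners find it on; disabled rules and UDP rules (such as a WireGuard listener) are skipped.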
Step 2: Close Direct RDP Access
If RDP is currently exposed:
- Remove the port forwarding rule for port 3389 immediately
- Notify affected staff that the direct connection method will no longer work
- Communicate the new secure access method (see below)
This may cause short-term inconvenience, but the security improvement is immediate and significant.
Step 3: Choose a Secure Access Method
Option A: Business VPN
A Virtual Private Network (VPN) creates an encrypted tunnel between the remote user and your network. Once connected, the user is effectively “inside” the network and can RDP to internal systems safely.
Implementation steps:
- Deploy a business-grade VPN solution (e.g., WireGuard, OpenVPN, or a vendor solution like Fortinet or Cisco AnyConnect)
- Require MFA for all VPN logins
- Issue VPN client software to authorised staff
- Ensure the VPN server is patched and monitored
When to use this approach: Suitable for most SMBs with a traditional network perimeter and existing firewall infrastructure.
Option B: Zero Trust Network Access (ZTNA)
Zero Trust solutions like Cloudflare Access or Microsoft Remote Desktop Gateway authenticate users before granting access to specific applications—without requiring a full network VPN.
Implementation steps:
- Deploy the ZTNA gateway in front of your RDP servers
- Configure identity verification (typically via your existing identity provider)
- Require MFA for every session
- Define access policies based on user roles and device posture
When to use this approach: Ideal for organisations with cloud-first strategies, remote-heavy workforces, or those looking to reduce VPN complexity.
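To make the ZTNA steps above concrete, here is an added example (not vendor code) of the deny-by-default decision a gateway makes before brokering a session to a published RDP host: identity asserted by the IdP, MFA fresh enough, user in an allowed group, and device posture acceptable. The policy fields, app names and group names are assumptions for illustration; products such as Cloudflare Access express the same idea in their own policy model.

```python
# Added example (not vendor code): a deny-by-default policy check of the kind a
# ZTNA gateway applies before brokering a session to an internal RDP host.
# Policy fields, app names and group names are assumptions for illustration;
# real products (e.g. Cloudflare Access) express this in their own policy model.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AccessRequest:
    user: str
    groups: Set[str]
    idp_verified: bool            # identity asserted by the identity provider
    mfa_at: Optional[datetime]    # when MFA was last completed, None if never
    device_managed: bool
    disk_encrypted: bool
    os_patched: bool
    app: str
    now: datetime


# Constructed policies: which groups may reach which published RDP host,
# and how fresh the MFA proof must be for that host.
POLICIES: Dict[str, dict] = {
    "rdp-fs01": {"allowed_groups": {"finance", "it-admins"},
                 "require_managed_device": True, "mfa_max_age": timedelta(hours=8)},
    "rdp-jump": {"allowed_groups": {"it-admins"},
                 "require_managed_device": True, "mfa_max_age": timedelta(hours=1)},
}


def evaluate(req: AccessRequest, policies=POLICIES) -> Tuple[str, List[str]]:
    """Return ("allow", []) only when every check passes; otherwise
    ("deny", reasons) listing each failed check so the user can be told why."""
    policy = policies.get(req.app)
    if policy is None:
        return "deny", ["no policy published for this app"]
    reasons = []
    if not req.idp_verified:
        reasons.append("identity not verified by the identity provider")
    if req.mfa_at is None or req.now - req.mfa_at > policy["mfa_max_age"]:
        reasons.append("MFA missing or older than the policy allows")
    if not (req.groups & policy["allowed_groups"]):
        reasons.append("user is not in an allowed group")
    if policy["require_managed_device"] and not req.device_managed:
        reasons.append("device is not managed")
    if not (req.disk_encrypted and req.os_patched):
        reasons.append("device posture check failed")
    return ("allow" if not reasons else "deny"), reasons


def sample_request(**overrides) -> AccessRequest:
    """A constructed request that passes every check; override fields to test denials."""
    now = datetime(2024, 5, 1, 9, 0, 0)
    base = dict(user="jsmith", groups={"finance"}, idp_verified=True,
                mfa_at=now - timedelta(minutes=30), device_managed=True,
                disk_encrypted=True, os_patched=True, app="rdp-fs01", now=now)
    base.update(overrides)
    return AccessRequest(**base)


if __name__ == "__main__":
    print(evaluate(sample_request()))
    print(evaluate(sample_request(app="rdp-jump")))
    print(evaluate(sample_request(mfa_at=None, device_managed=False)))
```

Every check is evaluated independently and the request is only allowed when the reasons list is empty, so adding a new condition (say, a minimum OS build) cannot accidentally widen access. The per-app MFA age is the point that distinguishes this from a VPN: a user who authenticated eight hours ago may still reach the file server but must re-prove MFA before reaching the jump host.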
Step 4: Enforce Strong Authentication
Regardless of which access method you choose, require MFA for all remote sessions. A password alone is insufficient protection for remote access—especially when attackers have automated tools capable of testing thousands of credentials per hour.
See the MFA basics guide for implementation options suitable for SMBs.
Step 5: Keep Clients and Servers Updated
Remote access infrastructure is a high-value target. Ensure that:
- VPN server software is patched within 48 hours of critical updates
- RDP-enabled Windows systems receive monthly security updates
- VPN client software on employee devices is kept current
This aligns with patch management best practices and ACSC Essential Eight guidance.
Checklist for Secure Remote Access
| Control | Status |
|---|---|
| Port 3389 is not exposed to the internet | ☐ |
| All remote access requires a VPN or ZTNA gateway | ☐ |
| MFA is enforced on all remote sessions | ☐ |
| Remote access sessions are logged | ☐ |
| VPN and RDP systems are patched regularly | ☐ |
Action Item: Log into your firewall or router today and verify that port 3389 is not forwarded to any internal system. If it is, remove the rule and implement VPN or ZTNA access before restoring remote access for staff.