>>>Hi all,
>>>
>>>Working on security stuff again today. I use RDC to log into one of my customer's servers to upload changes/source code etc and test. In discussion with them, they had talked about closing down their RDC server because it "opens a security hole because [they say] when the RDC session is open, then anything from your desktop could find its way to our servers".
>>>
>>>In a way, I can see this (I have not yet checked if AD group policy has options to prevent drive mapping etc - I will look into that later).
>>>
>>>If RDC is not that secure, are there other programs that allow an RDC-like connection where the only thing going back and forth are keyboard/mouse and video? In a sense, the program would open screen into their RDC server but nothing can really pass between my PC and their server other than what I type. I would have to transfer updates via another mechanism but I could tell them that nothing else can move across the wire.
>>
>>Group Policy on the RDS host should indeed give you what you need - you can Google [rds lock down group policy].
>
>I still argue that any machine reachable from outside should be quaranteed into a DMZ

Exactly. That's what an RDS Gateway server does, or at least can do when set up correctly. https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/RD-Gateway-deployment-in-a-perimeter-network-Firewall-rules/ba-p/246873