Better program than RDP?
Message
From: 26/06/2019 20:23:53
To: 26/06/2019 15:46:28
Forum: Visual FoxPro
Category: Other
Miscellaneous
Thread ID: 01669291
Message ID: 01669314
Views: 66
Not sure what you mean by "drive mapping enabled". The normal process with RDP is to go to the "Local Resources" tab and specify that your remote session is allowed to access one or more of your local drives.

When you do that, it means that your remote session can see the local drives it's allowed to see. If you fire up File Explorer in the session, you'll see entries such as "C on AGComputer" in the main treeview. However, while connected your local computer can't see any drives on the RDS host, by default, and for the purposes of file transfer you don't need to map any remote drives to your local computer. You initiate file transfer within File Explorer in the remote session; you copy/paste files between "C on AGComputer" and other drives accessible from the remote session.

Since remote drives aren't visible by default, malware such as ransomware scanning for mapped network drives won't find any. That said, bear in mind when you're connected via VPN, it is as if your remote computer is on the LAN at the remote location. So you can do things like

net use z: \\SomeComputerHostNameOrIPAddress\SomeShare

on your local machine, and manually map a drive that way.

Since you're on the remote LAN, you can use any program or protocol to connect to other computers, as long as the VPN server allows the traffic. That can be hazardous; if your local machine is infected, it's as if an infected computer is on the remote LAN. It can attack other hosts. It should be noted that hosts on the remote LAN are on a different subnet from your local LAN; as I understand it at this time, most malware doesn't scan anything other than your local subnet. Still, it could happen.

So yes, when you're connected via VPN you can do a lot on the remote LAN (anything the VPN server allows), so be careful. But this applies to everything, not just accessing sessions on the RDS host. Think of it more as a potentially infected computer on the remote LAN.

>I forgot to mention that a VPN tunnel is established with their firewall first and obviously authenticated against their inside AD set of users (who have rights to open a session). So the encrypted tunnel is open, but in my mind, that still means that if there were already some malware on my PC, it could potentially jump across to their network (if I had drive mapping enabled).
>
>Albert
>
>>>One important aspect of setting up RDP is to change the default port. You may already have done that, but it's always good to remember. One of our clients learned this the hard way. See https://blog.emsisoft.com/en/28622/rdp-brute-force-attack/ under "Changing the RDP Port".
>>
>>Changing the port is not the right way to protect RDS/RDP. You sometimes see that done if better methods have not been implemented. Better ways are setting up VPN access (not discussed in your link above) and using RD Gateway (which is briefly mentioned).
>>
>>With either of those in place, changing the RDP port is unnecessary, and arguably counterproductive since it forces remote users to append the port number to connection settings, etc., and thereby becomes a support headache.
Regards. Al

"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov

Neither a despot, nor a doormat, be

Every app wants to be a database app when it grows up
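
The following is an added example, not part of the original post: a small Python audit of a saved .rdp connection file that reports which local drives are redirected into the session, whether a port is appended to the address, and whether an RD Gateway is used. The setting names are those written by the Microsoft Remote Desktop client; the sample file and host name are constructed placeholders.

```python
# Added example: audit a saved .rdp file for the settings discussed in the post.
# SAMPLE_RDP is constructed; the host name is a placeholder.
SAMPLE_RDP = """\
full address:s:rds.example.internal:3390
drivestoredirect:s:C:\\;DynamicDrives
gatewayhostname:s:
gatewayusagemethod:i:0
"""


def parse_rdp(text):
    """Parse 'name:type:value' lines (type s = string, i = integer)."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, kind, value = parts
        if kind == "i":
            if not value.lstrip("-").isdigit():
                continue
            value = int(value)
        settings[name.lower()] = value
    return settings


def audit_rdp(text):
    s = parse_rdp(text)
    # Local drives exposed to the remote session ("Local Resources" tab).
    drives = [d for d in str(s.get("drivestoredirect", "")).split(";") if d]
    # A port may be appended to the address; otherwise "server port" or 3389.
    address = str(s.get("full address", ""))
    host, sep, tail = address.rpartition(":")
    if sep and tail.isdigit() and ":" not in host:
        port = int(tail)
    else:
        host, port = address, s.get("server port", 3389)
    # Usage methods 1 and 2 route the connection through an RD Gateway.
    gateway = s.get("gatewayhostname") or None
    if s.get("gatewayusagemethod") not in (1, 2):
        gateway = None
    return {
        "host": host,
        "port": port,
        "nondefault_port": port != 3389,
        "drives": drives,
        "all_drives": "*" in drives,
        "gateway": gateway,
    }


if __name__ == "__main__":
    print(audit_rdp(SAMPLE_RDP))
```

Files saved by the Windows client are often UTF-16 encoded, so decode them accordingly before passing the text to `audit_rdp`.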