Better program than RDP?
Message
From
27/06/2019 16:39:28
 
 
To
27/06/2019 15:55:46
General information
Forum:
Visual FoxPro
Category:
Other
Miscellaneous
Thread ID:
01669291
Message ID:
01669318
Views:
64
Understandable, if you've been targeted in the past :(

>In theory there should be an air gap/trench between anything open to the outside and the defenseless inner perimeter.
>In practice, in the outfits I work for most of the time data transfer is done often via copying selected directories via a specific scratch VM only spun up to allow transfer, minimizing danger time.
>
>On a more personal level: the nextcloud "sharing" directory (mostly document drafts, biz documents often needed for reference, some links and general domain info) I keep in VM on a separate machine with different host OS in a subnet - but there gut twitches sometimes, as the intent is to enable others to put something easy to "see" for me. But always going to the server via web is just too cumbersome...
>
>fitting: https://www.youtube.com/watch?v=hkXHsK4AQPs
>
>thomas
>
>
>>Not sure what you mean by "drive mapping enabled". The normal process with RDP is to go to the "Local Resources" tab and specify that your remote session is allowed to access one or more of your local drives.
>>
>>When you do that, it means that your remote session can see the local drives it's allowed to see. If you fire up File Explorer in the session, you'll see entries such as "C on AGComputer" in the main treeview. However, while connected your local computer can't see any drives on the RDS host, by default, and for the purposes of file transfer you don't need to map any remote drives to your local computer. You initiate file transfer within File Explorer in the remote session; you copy/paste files between "C on AGComputer" and other drives accessible from the remote session.
>>
>>Since remote drives aren't visible by default, malware such as ransomware scanning for mapped network drives won't find any. That said, bear in mind when you're connected via VPN, it is as if your remote computer is on the LAN at the remote location. So you can do things like
>>
>>net use z: \\SomeComputerHostNameOrIPAddress\SomeShare
>>
>>on your local machine, and manually map a drive that way.
>>
>>Since you're on the remote LAN, you can use any program or protocol to connect to other computers, as long as the VPN server allows the traffic. That can be hazardous; if your local machine is infected, it's as if an infected computer is on the remote LAN. It can attack other hosts. It should be noted that hosts on the remote LAN are on a different subnet from your local LAN; as I understand it at this time, most malware doesn't scan anything other than your local subnet. Still, it could happen.
>>
>>So yes, when you're connected via VPN you can do a lot on the remote LAN (anything the VPN server allows), so be careful. But this applies to everything, not just accessing sessions on the RDS host. Think of it more as a potentially infected computer on the remote LAN.
>>
>>>I forgot to mention that a VPN tunnel is established with their firewall first and obviously authenticated against their inside AD set of users (who have rights to open a session). So the encrypted tunnel is open, but in my mind, that still means that if there were already some malware on my PC, it could potentially jump across to their network (if I had drive mapping enabled).
>>>

Regards. Al

"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov

Neither a despot, nor a doormat, be

Every app wants to be a database app when it grows up
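
The quoted reply above explains that drives selected under "Local Resources" become visible to the remote session. As an added example (not part of the original posts), this Python script reads a saved .rdp file and lists which local resources it explicitly hands to the remote session; the sample file content and host name are constructed, and settings absent from the file fall back to client defaults that are not reported here.

```python
# Assumption: only settings written in the file are reported, not client defaults.
import re

# Constructed sample in the "name:type:value" layout of a saved .rdp file.
SAMPLE_RDP = """\
full address:s:rds.example.internal
redirectclipboard:i:1
redirectprinters:i:0
drivestoredirect:s:C:\\;DynamicDrives
"""

LINE_RE = re.compile(r"^([^:]+):([isb]):(.*)$")


def parse_rdp(text):
    """Return {setting_name: value}; type 'i' values become int."""
    settings = {}
    for raw in text.lstrip("\ufeff").splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or malformed line
        name, kind, value = m.group(1).lower(), m.group(2), m.group(3)
        is_int = kind == "i" and re.fullmatch(r"-?\d+", value)
        settings[name] = int(value) if is_int else value
    return settings


def local_exposure(settings):
    """List the local resources the remote session is allowed to reach."""
    findings = []
    value = str(settings.get("drivestoredirect", ""))
    drives = [d.strip() for d in value.split(";") if d.strip()]
    if "*" in drives:
        findings.append("all local drives redirected")
    else:
        for d in drives:
            if d.lower() == "dynamicdrives":
                findings.append("drives plugged in later are redirected")
            else:
                findings.append("drive redirected: " + d)
    if settings.get("redirectclipboard") == 1:
        findings.append("clipboard shared with remote session")
    return findings


def load_rdp(path):
    """Read a saved .rdp file, which is often UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        data = fh.read()
    enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    return parse_rdp(data.decode(enc))
```

Calling `local_exposure(load_rdp(path))` on each saved connection file shows which ones redirect drives before the session is opened.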