On the other hand: Speaking as a Windows network admin, such a laughably large number of Windows vulnerabilities start from "someone had port 3389 exposed to the Internet", I find it a little strange that Cloudflare would support RDP. Shouldn't RDP be used solely behind a VPN, much like other services Cloudflare already offers?
In a world where Cloudflare is pushing DoH into people's browsers against the wishes of lots of orgs because it's best practice, isn't supporting direct RDP access from the Internet a bit backwards? Shouldn't Cloudflare be, if anything, blocking RDP access by default as a safety feature?
> I find it a little strange that Cloudflare would support RDP? Shouldn't RDP be used solely behind a VPN, much like other services Cloudflare already offers?
Of course. But...
As we both know, people have running RDP on the standard port, wide open, with zero firewalling or other access controls since the beginning of time and continue to do so regardless of "common sense", best practices, or anyone suggesting that maybe they shouldn't.
At some point, it doesn't take much to decide, "Well, if they're gonna do it anyways, we might as well try to make a dollar off of it".
Many organizations have terminal servers which are already internet-exposed, so this is relevant in the sense that it gives you a DDoS mitigation plan while not making those people more exposed than they already were.
That said, they should have more clearly linked this to Access which lets you put a login requirement in front of those tunnels:
On the other hand: Speaking as a Windows network admin, such a laughably large number of Windows vulnerabilities start from "someone had port 3389 exposed to the Internet", I find it a little strange that Cloudflare would support RDP. Shouldn't RDP be used solely behind a VPN, much like other services Cloudflare already offers?
In a world where Cloudflare is pushing DoH into people's browsers against the wishes of lots of orgs because it's best practice, isn't supporting direct RDP access from the Internet a bit backwards? Shouldn't Cloudflare be, if anything, blocking RDP access by default as a safety feature?