Subscribe to the Non-Human & AI Identity Journal

How should security teams protect legacy RD Web access without moving to a cloud IdP?

Security teams should place MFA and access rules at the RD Web or IIS publishing layer, then keep enforcement inside the existing Active Directory and server boundary. That preserves on-prem control, reduces integration overhead, and avoids creating a second identity estate just to secure one access path.

Why This Matters for Security Teams

Legacy RD Web is often treated as a narrow publishing problem, but it is really an identity control point. If that entry path is exposed with weak MFA placement, loose session handling, or broad server-side authorization, attackers can use it to reach internal desktops, pivot into Active Directory, and reuse the same trust boundary for more than one workload. That is why guidance on non-human and workload access still matters here, even when the portal itself is a human-facing surface.

Security teams also miss that the risk is not just external login abuse. RD Web typically sits close to privileged Windows infrastructure, so a successful compromise can become an internal foothold rather than a single-user event. The OWASP Non-Human Identity Top 10 is useful here because it frames credentials, trust boundaries, and over-privilege as systemic issues, not isolated misconfigurations. NHIMG research shows how often identity maturity lags behind need, with The 2024 Non-Human Identity Security Report finding that 88.5% of organisations say their non-human IAM practices lag behind or are only on par with human IAM.

In practice, many security teams encounter RD Web abuse only after a published server becomes the easiest route into the domain, rather than through intentional access design.

How It Works in Practice

The most defensible pattern is to keep enforcement as close to RD Web and IIS as possible, while preserving the existing Active Directory boundary. That means MFA, device or network checks, and coarse access rules should be applied at the publishing tier rather than by introducing a new cloud identity provider just for one remote access path. The result is simpler operations, fewer synchronization problems, and less risk of creating a second identity estate with different policy semantics.

Current guidance suggests three practical layers:

  • Place MFA at the RD Web or IIS publishing layer so the user must satisfy the control before the session reaches the desktop broker.
  • Restrict access by AD group, source network, or published collection so only intended users can reach the portal.
  • Harden the backend hosts with least privilege, logging, and short administrative pathways so RD Web is not treated as a general-purpose landing zone.

This is consistent with the broader direction of NIST Cybersecurity Framework 2.0, which emphasizes protecting access paths and limiting blast radius, not just authenticating at the perimeter. For teams trying to understand why identity compromise tends to spread so quickly through shared credentials and weak access boundaries, NHIMG’s 52 NHI Breaches Analysis is a useful reminder that poor credential discipline almost always becomes a lateral movement problem.

Where possible, use short-lived session controls and explicit timeout policies, but do not confuse those with true JIT identity issuance. In a legacy RD Web stack, the goal is usually to constrain the existing trust path, not to retrofit cloud-native identity plumbing. These controls tend to break down when RD Web is published through multiple reverse proxies with inconsistent MFA enforcement because the policy boundary becomes fragmented across components.

Common Variations and Edge Cases

Tighter access control often increases operational overhead, requiring organisations to balance user convenience and help desk load against a lower blast radius. That tradeoff is especially visible in legacy environments where app dependencies, shared admin accounts, or older browser flows make modern MFA harder to deploy uniformly.

There is no universal standard for every RD Web deployment. In some environments, the best option is MFA at the web tier with strict AD group filtering. In others, current guidance suggests moving the control point to the reverse proxy or gateway in front of IIS if the publishing layer cannot enforce policy cleanly. The key is to avoid pushing authentication out to a cloud IdP merely because the legacy stack is inconvenient; that can solve one problem while creating a separate identity management burden.

Edge cases also matter when the RD Web farm supports vendors, contractors, or privileged admins. Those users may need tighter session limits, stronger approval workflows, or separate collections with narrower entitlements. The operational lesson is consistent: keep the trust boundary close to the service, minimize standing access, and make every exception explicit. Where teams ignore those exceptions, the result is often a quietly over-permissive remote access path that survives long after the original migration plan changed.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 RD Web access depends on controlling credentials and trust boundaries.
NIST CSF 2.0 PR.AC-4 Directly supports access control placement and least-privilege enforcement.
NIST AI RMF Useful for governance of automated policy decisions and identity trust boundaries.

Define ownership, risk review, and monitoring for identity controls around legacy access paths.