ZPA Unauthorised Access - RDP or Direct Access

(Omar) #1

Hi All,

We are currently testing out ZPA for the first time and trying to figure out all security-related scenarios where we access applications through RDP servers and ZPA connects us to the RDP servers.

Our approach is to bypass the RDP server and have ZPA connect us directly to the required applications.

If ZPA is set to authenticate at a 3-day interval, as an example, what is the best approach to prevent someone, who has unauthorised access to your laptop, from accessing your applications, and is it more secure to have an RDP server as it provides a second layer of authentication?

(Scott Bullock) #2

Hi Omar,
Interesting design question you raise; as it’s design related, I’m sure there would be conflicting opinions on how best to handle this scenario. Here are my thoughts.


ZPA allows you to specify different auth-intervals per app-segment, for example:

  • SSH to a critical system can have a re-auth interval down to minutes
  • access to non-sensitive intranet could have re-auth set to never (always-on).

This offers a very flexible and hardened approach to identifying users, especially where MFA is deployed alongside your IDP.

If you were to run all app access through a single RDP server, you’d lose this level of granularity, limiting the overall design options available when implementing ZPA to define the perimeter.

This said, bastion SSH and RDP hosts may still make sense for some environment-specific access requirements, with ZPA controlling access to said bastion hosts.


Note: your SE and/or Zscaler partner will be able to provide more insights here. If you’re not sure who’s assigned to your account, please DM me your organisation info and I will put you in touch with the right people.


Cheers,
@skottieb

(Omar) #3

Thanks, Scott, for the clarification. I think we can achieve a higher level of security by bypassing the RDP server while maintaining a better user experience.

And thanks for the prompt response.