Remote Access Solutions: RDP, VNC and Zero Trust Alternatives
Remote access has become a non-negotiable requirement for modern businesses. Whether staff are working from home, IT teams need to manage servers, or help desks need to troubleshoot end-user desktops, reliable and secure remote connectivity is essential. This guide compares traditional protocols like RDP and VNC with modern Zero Trust approaches, and explains the security considerations that should shape your choice.
Why Remote Access Matters
The shift to hybrid and remote work has made remote access a core IT service rather than an occasional convenience. Employees need to reach their desktops and applications from home, IT administrators need to manage servers without being physically present in the data centre, and support technicians need to see and control a user's screen to diagnose problems. The challenge is providing this access securely — every remote access pathway is also a potential attack surface if not properly protected.
RDP: Microsoft Remote Desktop Protocol
Remote Desktop Protocol (RDP) is Microsoft's built-in remote access technology, available on Windows Professional and Server editions. RDP transmits the graphical desktop session over the network, allowing a remote user to interact with a Windows machine as if they were sitting in front of it. It uses TCP/UDP port 3389 by default and supports features such as clipboard sharing, drive redirection, printer redirection, and multi-monitor support.
RDP supports Network Level Authentication (NLA), which requires the remote user to authenticate before a full session is established. This reduces the attack surface by preventing unauthenticated users from reaching the Windows login screen. RDP sessions are encrypted using TLS, and when properly configured within a secured network, RDP is a capable and efficient remote access protocol.
Never expose RDP directly to the internet. Port 3389 is one of the most scanned ports on the internet, and exposed RDP endpoints are a primary initial-access vector for ransomware. Attackers run brute-force password guessing and credential stuffing against them, and exploit known RDP vulnerabilities (such as BlueKeep) to gain access. Always place RDP behind a VPN, RD Gateway, or Zero Trust solution.
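As an added example (not part of the original article and not Microsoft's code), the following Python shows the kind of detection that catches the password guessing described above while it is still failing: it reads failed-logon records shaped like the fields of Windows Security Event ID 4625 and flags any source address that accumulates a burst of failures inside a sliding window. The event records, IP addresses and thresholds are constructed for the example.

```python
"""Detect RDP password guessing from failed-logon records.
Added example for this article, not code from the page or from Microsoft.
Input records are constructed to mirror the fields of Windows Security
Event ID 4625 (logon failure): timestamp, event id, logon type, account, source IP.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
# Logon type 10 = RemoteInteractive (RDP); type 3 = Network, which is how a
# failure at the NLA stage is recorded because no desktop session exists yet.
RDP_LOGON_TYPES = {3, 10}

# Constructed sample (documentation IP ranges, no real hosts).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", 4625, 3, "administrator", "203.0.113.7"),
    ("2024-05-01T09:00:01", 4625, 3, "admin", "203.0.113.7"),
    ("2024-05-01T09:00:02", 4625, 3, "backup", "203.0.113.7"),
    ("2024-05-01T09:00:03", 4625, 3, "scanner", "203.0.113.7"),
    ("2024-05-01T09:00:04", 4625, 3, "test", "203.0.113.7"),
    ("2024-05-01T09:00:05", 4625, 3, "guest", "203.0.113.7"),
    ("2024-05-01T09:15:00", 4625, 10, "jsmith", "198.51.100.22"),  # one mistyped password
    ("2024-05-01T09:15:30", 4624, 10, "jsmith", "198.51.100.22"),  # then a successful logon
    ("2024-05-01T10:00:00", 4625, 2, "svc-backup", "127.0.0.1"),   # local console, not RDP
]


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {"failures": n, "accounts": [...]}} for every source
    that produced at least `threshold` RDP logon failures inside any `window`.
    A sliding window per source IP is kept as a deque of (time, account)."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, event_id, logon_type, account, source_ip in sorted(events, key=lambda e: e[0]):
        if event_id != FAILED_LOGON or logon_type not in RDP_LOGON_TYPES:
            continue
        now = datetime.fromisoformat(ts)
        q = recent[source_ip]
        q.append((now, account))
        while q and now - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            previous = flagged.get(source_ip, {"failures": 0})
            if len(q) > previous["failures"]:
                flagged[source_ip] = {
                    "failures": len(q),
                    # many distinct accounts from one source is the signature of
                    # credential stuffing rather than a user forgetting a password
                    "accounts": sorted({a for _, a in q}),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in rdp_bruteforce_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['failures']} failures across {len(info['accounts'])} accounts")
```

The single failure from 198.51.100.22 followed by a success is left alone, and the console logon is ignored because its logon type is not an RDP type; only the burst from 203.0.113.7 is reported. In a real deployment the same logic runs over events collected centrally, and a hit should trigger blocking at the gateway rather than on the host that is being guessed against.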
VNC: Virtual Network Computing
VNC (Virtual Network Computing) is a platform-agnostic remote desktop protocol based on the RFB (Remote Framebuffer) standard. Unlike RDP, which is tightly integrated with the Windows session manager, VNC works by capturing the screen as pixel data and transmitting it to the viewer. This makes VNC available on virtually any operating system — Windows, macOS, Linux, and even embedded systems — but at the cost of efficiency.
Because VNC transmits the screen as pixel data (compressed, but with no knowledge of what is being drawn), it is generally slower and uses more bandwidth than RDP, which understands the graphical primitives of the Windows desktop and can render them more efficiently. Popular VNC implementations include TightVNC, RealVNC, and TigerVNC. VNC is commonly used for cross-platform support scenarios and for accessing Linux desktops remotely.
SSH Tunnelling for Secure Access
For command-line server management, SSH (Secure Shell) remains the gold standard on Linux and Unix systems. SSH provides an encrypted tunnel for terminal access, file transfers (SCP/SFTP), and port forwarding. SSH tunnelling can also be used to securely wrap other protocols: for example, you can forward a local port through an SSH tunnel to reach an RDP or VNC session on a remote server without exposing those ports to the public internet.
SSH key-based authentication (using public/private key pairs) is far more secure than password authentication and should be the default for all production servers. Disable password authentication entirely once key-based access is configured, and use tools like ssh-agent and SSH config files to simplify key management across multiple servers.
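As an added example (not code from the page or from OpenSSH), here is a Python audit of the two points above: it parses the global section of an sshd_config text using sshd's own first-value-wins rule, reports whether password logins are really switched off, and builds the argv of the local-forward command that tunnels an RDP session through an SSH host. The config fragments, host names and port numbers are constructed for the example; the defaults are those documented in sshd_config(5).

```python
"""Audit an sshd_config for key-only authentication and build an SSH local
forward for RDP. Added example for this article, not OpenSSH's or the page's code.
Config fragments and host names below are constructed."""

# Constructed config texts. The first one has the common mistake of leaving the
# hardening line commented out, so the sshd default (passwords on) still applies.
WEAK_SSHD_CONFIG = """\
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""

# sshd defaults for the keywords checked here, per sshd_config(5).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Older configs use the deprecated name for the keyboard-interactive setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Effective global settings. sshd keeps the FIRST value it sees for a
    keyword, and anything after a Match line applies only conditionally, so
    parsing stops there (Match blocks need a separate review). Only the common
    'Keyword value' form is handled."""
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if len(parts) != 2 or key not in DEFAULTS or key in seen:
            continue
        effective[key] = parts[1].strip().lower()
        seen.add(key)
    return effective


def audit_sshd_config(text):
    """List of human-readable findings; an empty list means key-only auth is enforced."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: enable keys before disabling passwords")
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is still enabled")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is enabled: PAM can still prompt for a password")
    if cfg["permitrootlogin"] not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows root to log in with a password")
    return findings


def rdp_over_ssh_argv(ssh_host, internal_host, local_port=13389, remote_port=3389, user=None):
    """argv for the tunnel described in the article: 127.0.0.1:local_port on the
    client is forwarded through ssh_host to internal_host:remote_port.
    Binding to 127.0.0.1 explicitly keeps the forwarded RDP port off the LAN, and
    ExitOnForwardFailure makes ssh exit instead of running with no tunnel when the
    local port is already taken. The RDP client then connects to 127.0.0.1:13389."""
    target = f"{user}@{ssh_host}" if user else ssh_host
    return ["ssh", "-N", "-o", "ExitOnForwardFailure=yes",
            "-L", f"127.0.0.1:{local_port}:{internal_host}:{remote_port}", target]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
    print(" ".join(rdp_over_ssh_argv("ssh.example.net", "10.0.0.5", user="ops")))
```

The weak fragment produces three findings even though its author intended to disable passwords, because the commented-out line never takes effect and the keyboard-interactive path is left at its default. The tunnel helper uses a non-default local port so that it does not collide with a Remote Desktop service already listening on the client machine.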
Modern Alternatives: VPN, ZTNA, and Bastion Hosts
Remote access VPN solutions (such as WireGuard, OpenVPN, or vendor-specific clients from Fortinet, Palo Alto, or Cisco) create an encrypted tunnel from the user's device to the corporate network. Once connected, the user can access internal resources including RDP sessions, file shares, and intranet applications. VPNs are well-understood and widely deployed, but they grant broad network access — once authenticated, the user is typically "on the network" and can reach resources they may not need.
Zero Trust Network Access (ZTNA) solutions take a different approach. Instead of placing the user on the network, ZTNA brokers access to specific applications on a per-session basis. The user authenticates to a cloud-hosted identity provider, passes device posture checks, and is granted access only to the resources they are authorised for — nothing more. Solutions such as Cloudflare Access, Zscaler Private Access, and Twingate fall into this category. The user never receives a routable IP address on the internal network, dramatically reducing the blast radius if their device is compromised.
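As an added example (not the policy engine of any product named above, and not code from the page), the following Python models the per-application brokering decision a ZTNA service makes and contrasts it with the flat access a VPN tunnel grants. Group names, application names, device posture fields and sessions are all constructed for the example, and the VPN side is a deliberate simplification of the "on the network" behaviour described in the previous paragraph.

```python
"""Per-application access brokering as a ZTNA broker does it, contrasted with
the flat network access a VPN grants. Added example for this article; it is a
simplified model, not the policy engine of any product named on the page.
Group names, application names and device fields are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    managed: bool         # enrolled in the organisation's device management
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset     # groups asserted by the identity provider
    mfa_passed: bool
    device: Device


@dataclass(frozen=True)
class AppPolicy:
    name: str
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True


# Constructed policies: each names one application, never a subnet.
POLICIES = (
    AppPolicy("rdp-finance-desktop", frozenset({"finance"})),
    AppPolicy("ssh-linux-prod", frozenset({"sre"})),
    AppPolicy("intranet-wiki", frozenset({"staff"}), require_managed_device=False),
)


def posture_ok(device):
    return device.managed and device.disk_encrypted and device.os_patched


def evaluate(session, policy):
    """Decide one application for one session. Every check is evaluated at
    connection time; a failure denies that application only, and there is no
    network-level fallback the user could reach instead."""
    if not session.groups & policy.allowed_groups:
        return False, "user is not in an allowed group"
    if policy.require_mfa and not session.mfa_passed:
        return False, "MFA not completed"
    if policy.require_managed_device and not posture_ok(session.device):
        return False, "device posture check failed"
    return True, "allowed"


def brokered_apps(session, policies=POLICIES):
    """Applications a ZTNA broker would expose to this session."""
    return sorted(p.name for p in policies if evaluate(session, p)[0])


def vpn_reachable(session, policies=POLICIES):
    """Simplified contrast: once a remote-access VPN tunnel is up the user is on
    the network, so without separate segmentation every application is
    reachable; posture and per-app rules play no part in the decision."""
    return sorted(p.name for p in policies) if session.mfa_passed else []


# Constructed sessions
MANAGED_LAPTOP = Device(managed=True, disk_encrypted=True, os_patched=True)
PERSONAL_LAPTOP = Device(managed=False, disk_encrypted=True, os_patched=False)
ALICE = Session("alice", frozenset({"staff", "finance"}), True, MANAGED_LAPTOP)
ALICE_BYOD = Session("alice", frozenset({"staff", "finance"}), True, PERSONAL_LAPTOP)
BOB_NO_MFA = Session("bob", frozenset({"staff", "sre"}), False, MANAGED_LAPTOP)

if __name__ == "__main__":
    for s in (ALICE, ALICE_BYOD, BOB_NO_MFA):
        print(f"{s.user}: ZTNA={brokered_apps(s)} VPN={vpn_reachable(s)}")
```

The same user on an unmanaged laptop keeps the wiki but loses the RDP desktop, which is the blast-radius reduction the paragraph describes: a compromised device reaches only what its posture still qualifies for, whereas the VPN model hands it the whole list once the tunnel authenticates.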
Jump servers (bastion hosts) are hardened intermediary servers that sit between the external network and internal resources. Administrators connect to the jump server first (via SSH or RDP), and then connect from there to internal systems. All sessions are funnelled through this single, closely monitored entry point. Microsoft's Azure Bastion provides this as a managed service for Azure virtual machines, allowing RDP and SSH access through the Azure portal without exposing any public IP addresses on the VMs themselves.
RDP vs VNC vs ZTNA Compared
Remote Access Solutions Compared
| Feature | RDP | VNC | ZTNA |
|---|---|---|---|
| Platform support | Windows (native), macOS/Linux (via clients) | Cross-platform (any OS) | Cross-platform (browser-based) |
| Performance | Excellent (protocol-level optimisation) | Moderate (pixel-based) | Varies (depends on connector) |
| Encryption | TLS (built-in) | Optional (often requires SSH tunnel) | End-to-end (always encrypted) |
| Network exposure | Exposes port 3389 (if not tunnelled) | Exposes VNC port (if not tunnelled) | No exposed ports (outbound-only connectors) |
| MFA support | Via NLA + third-party MFA | Limited (varies by implementation) | Native (integrated with IdP) |
| Session recording | Via third-party tools | Via third-party tools | Often built-in |
| Best suited for | Windows-centric environments | Cross-platform and Linux access | Zero Trust security posture |
RD Gateway and Azure Bastion
For organisations that rely on RDP but want to avoid exposing port 3389, Microsoft offers two gateway solutions. Remote Desktop Gateway (RD Gateway) is a Windows Server role that tunnels RDP traffic over HTTPS (port 443). External users connect to the RD Gateway using their RDP client, authenticate via the gateway, and are proxied to internal RDP hosts without those hosts being directly reachable from the internet.
Azure Bastion takes this concept further for cloud workloads. It provides browser-based RDP and SSH access to Azure virtual machines directly from the Azure portal. No public IP address is required on the VM, no VPN client is needed, and all traffic flows over TLS. Azure Bastion integrates with Azure AD for authentication and supports just-in-time (JIT) access policies to minimise standing privileges.
Security Best Practices for Remote Access
Regardless of which remote access technology you choose, several security principles apply universally. Enable multi-factor authentication (MFA) on every remote access pathway — compromised credentials alone should never be sufficient. Enforce least privilege by granting remote access only to the specific resources each user needs. Enable session recording and audit logging for privileged access to servers and critical systems. Use network segmentation to limit what a remote user can reach even after authenticating. And keep all remote access software patched — vulnerabilities in RDP, VPN concentrators, and remote access tools are among the most exploited in the wild.
If you are currently using a consumer-grade remote access tool (such as TeamViewer or AnyDesk free tier) for business purposes, review the licensing terms carefully. These tools are increasingly targeted by attackers, and the free versions often lack enterprise security controls such as centralised management, MFA, and audit logging.
The perimeter is no longer the office firewall — it is every device, every user, and every session. Remote access security must reflect this reality.