1

We run an Amazon EC2 Windows instance and recently received an email from Amazon warning us that RDP is open to everybody and there is a new threat in the wild that may exploit this.

The security group of the server in question allows access to RDP from any IP (0.0.0.0/0). We have multiple people who use RDP on these servers from a variety of locations, some with dynamic IP addresses, so setting a list of allowed IP addresses is not a solution.

Is there another solution to prevent access to RDP?

2 Answers

1

As long as you don't have any of the passwords in combination with the usernames found in this list:

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A

You should be good by my account.

Hornbech
  • 141
  • 6
1

First of all, the worm isn't actually exploiting a vulnerability in the RDP protocol, just weak passwords, and from what I've seen of the actual payload, it attempts a very short and (oddly random) list of usernames and passwords. Having a strong password policy in effect will greatly mitigate against this worm and any future variants.

Having said that, I'd recommend you set up a VPN (L2TP/IPSec with pre-shared keys, or certificates, depending on how much you want to invest in configuration/infrastructure) in Windows Server Roles > Network Policy and Access Services and then RDP across the VPN session.

If you have multiple users behind the same NAT firewall, it would be better to set up a Site-to-Site VPN; this can be done with Network Policy and Access Services as well.

This would be much more secure than leaving RDP open to the public, and with L2TP/IPSec, you're using two-factor authentication (pre-shared key or certificate and Windows logon).

gravyface
  • 13,957
  • 19
  • 68
  • 100
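As an added example (not code from either answer), a small audit that flags security groups exposing RDP to the whole Internet the way the question describes, so you can confirm the 0.0.0.0/0 rule is gone once RDP is moved behind the VPN. It runs over a constructed sample in the shape of `aws ec2 describe-security-groups` output; the group IDs and the 10.8.0.0/24 VPN subnet are made-up values.

```python
from ipaddress import ip_network

RDP_PORT = 3389

# Constructed sample mirroring `aws ec2 describe-security-groups --output json`
# (not real account data): one group matches the question, one allows RDP only
# from a hypothetical VPN subnet, one allows all traffic from anywhere.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0example0", "GroupName": "rdp-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example1", "GroupName": "rdp-vpn-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.8.0.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "GroupName": "all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}


def rule_covers_rdp(perm):
    """True if an IpPermissions entry includes TCP/3389 (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rules carry no FromPort/ToPort keys
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= RDP_PORT <= perm.get("ToPort", 65535)


def rule_is_world_open(perm):
    """True if any CIDR on the rule is the whole v4 or v6 address space."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ip_network(c).prefixlen == 0 for c in cidrs)


def world_open_rdp(groups):
    """Return [(GroupId, GroupName)] for groups exposing RDP to 0.0.0.0/0 or ::/0."""
    return [(sg["GroupId"], sg["GroupName"]) for sg in groups["SecurityGroups"]
            if any(rule_covers_rdp(p) and rule_is_world_open(p)
                   for p in sg["IpPermissions"])]


if __name__ == "__main__":
    for gid, name in world_open_rdp(SAMPLE):
        print(f"{gid} ({name}): RDP reachable from any address; restrict to the VPN subnet")
```

On a real account, feed it the JSON from `aws ec2 describe-security-groups` and, for each hit, drop the open rule with `aws ec2 revoke-security-group-ingress --group-id <id> --protocol tcp --port 3389 --cidr 0.0.0.0/0` before authorizing the VPN's subnet instead.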