Non-console RDP access for Windows systems
echain
07-07-2008, 04:39 AM
A quick question. In your experience, does the Windows RDP protocol qualify to comply with requirement 2.3 for logging into Windows servers remotely (non-console access)? It natively can be configured for Medium or High encryption, but there are some known "man-in-the-middle" vulnerabilities for this protocol (see http://www.oxid.it/downloads/rdp-gbu.pdf). If this protocol is only being used internally or through a VPN, will it still qualify?
jbhall56
07-07-2008, 11:44 AM
I don't have a problem with RDP as long as:
It is used ONLY internally or over a VPN with two-factor authentication if connecting from an external location;
ONLY high encryption connections are allowed; and
Unique user logon credentials are used by all that have access.
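One way to check the "ONLY high encryption" condition from the reply above on a given server, as an added example that is not part of the original thread. It reads the standard Terminal Services `MinEncryptionLevel` registry value; the function names and the pass threshold (High or FIPS Compliant) are assumptions made for this illustration.

```powershell
# Added example, not from the thread: report the effective RDP minimum
# encryption level on the local server. Function names are hypothetical.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$levelNames  = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-RdpEncryptionStatus {
    # A value delivered by Group Policy takes precedence over the listener's own setting.
    $source = 'Group Policy'
    $level  = Get-RegValue -Path $policyKey -Name 'MinEncryptionLevel'
    if ($null -eq $level) {
        $source = 'Local listener'
        $level  = Get-RegValue -Path $listenerKey -Name 'MinEncryptionLevel'
    }
    if ($null -eq $level) {
        $source = 'Not found'
        $name   = 'Not set'
    } elseif ($levelNames.ContainsKey([int]$level)) {
        $name = $levelNames[[int]$level]
    } else {
        $name = "Unknown ($level)"
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Source    = $source
        Level     = $level
        LevelName = $name
        # Assumed threshold: only High (3) or FIPS Compliant (4) passes.
        Pass      = ($null -ne $level -and [int]$level -ge 3)
    }
}

$status = Get-RdpEncryptionStatus
$status | Format-List
# Non-zero exit code lets a scheduled compliance check flag the host.
if (-not $status.Pass) { exit 1 }
```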
echain
07-08-2008, 02:44 AM
Thanks
:)
timcaldwell1
07-09-2008, 08:17 PM
Does RDP also meet the PCI requirements for Logging?
jbhall56
07-10-2008, 03:16 AM
As long as you have the proper settings enabled in the Local Security Policy under System Auditing, there should not be a problem. This can be accomplished either manually on an individual machine basis or through a Group Policy Object (GPO). If using GPOs, we recommend that the GPO be specifically created and named for PCI compliance so that it can be readily identified and its parameter settings listed off.