Securing RDP

Mostly relevant from Windows 7/2008(R2) and up. Steps you can take to secure RDP traffic. Don't forget setting a good password as well if you open up your own server for Internet access (12+ characters long, and not just alphanumeric).

Don't Make It Obvious

Change your port to something else than 3389 (preferably something available between 1024 and 65535). You can then forward it to your server at 3389 in your firewall and/or router in your network. To connect to this new port in your client, just use IP:PORT (e.g.

Group Policy Editor (gpedit.msc)

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security

Set client connection encryption level
- Enabled
- High

Require secure RPC communication
- Enabled

Require use of specific security layer for remote connections
- Enabled
- SSL (TLS 1.0)

Require user authentication for remote connections by NLA (Network Layer Authentication)
- Enabled (You can check support for this by clicking on client mstsc upper left icon - "About". It will state support, and should be at least version 6 on clients.)

Local Security Policy (secpol.msc)

Account Policies > Account Lockout Policies

Set tries to 3-10
The other 2 options will (should) suggest a value of 30min waiting period, which is fine. Adapt as wanted.

Additional measures

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Accounts: Give a new name to the Administrator account.
- Try to make it non-intuitive, and match it with a good password.

Regardless of all these precautions, RDP still opens up for NTLM brute force attacks. It can even be wise to go as far as blocking all NTLM traffic in general if your machine is exposed on public networks. An option to continue using RDP is to set up site-to-site VPN between target networks instead of exposing RDP directly to the Internet.