Securing RDP
Mostly relevant from Windows 7/2008 (R2) and up. These are steps you can take to secure RDP traffic. Don't forget to
set a good password as well if you open up your own server to Internet access (12+ characters long, and not just
alphanumeric).
Don't Make It Obvious
Change your port to something other than 3389 (preferably something available between 1024 and 65535). You can
then forward it to your server at 3389 in the firewall and/or router on your network. To connect to the new port from
your client, just use IP:PORT (e.g. 127.0.0.1:1234).
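If you cannot do the port translation at the router, the same effect can be had by moving the RDP listener itself. The following PowerShell is an added example and not part of the original article; it assumes an elevated prompt, that 1234 is a free port you chose (a placeholder value), and it uses the standard listener registry key and netsh, which are available from Windows 7/2008 R2 on.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell.
# $NewPort is an assumed value for this demonstration; pick your own free port.
$NewPort     = 1234
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Enforce the article's advice: stay out of the privileged range and off the well-known port.
if ($NewPort -lt 1024 -or $NewPort -gt 65535 -or $NewPort -eq 3389) {
    throw "Choose a port between 1024 and 65535 that is not 3389."
}

# Refuse to move RDP onto a port something else is already listening on.
$inUse = netstat -ano | Select-String -Pattern ":$NewPort\s" -Quiet
if ($inUse) { throw "Port $NewPort already appears to be in use." }

# Record the old port, then switch the listener.
$OldPort = (Get-ItemProperty -Path $ListenerKey -Name PortNumber).PortNumber
Set-ItemProperty -Path $ListenerKey -Name PortNumber -Value $NewPort -Type DWord

# Allow the new port inbound and disable the built-in "Remote Desktop" rules that still open 3389.
netsh advfirewall firewall add rule name="RDP (custom port $NewPort)" dir=in action=allow protocol=TCP localport=$NewPort
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

# Restarting the service drops active sessions; if the listener does not come up on the new
# port afterwards, reboot the host.
Restart-Service -Name TermService -Force
Write-Host "RDP listener moved from port $OldPort to $NewPort. Connect with mstsc /v:<host>:$NewPort"
```

Verify afterwards with netstat -ano | findstr :1234 from the server and a test connection from a client before you close your existing session; if you also rely on the UDP transport of newer clients, add a matching UDP rule.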
Group Policy Editor (gpedit.msc)
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote
Desktop Session Host > Security
Set client connection encryption level
- Enabled
- High
Require secure RPC communication
- Enabled
Require use of specific security layer for remote connections
- Enabled
- SSL (TLS 1.0)
Require user authentication for remote connections by using Network Level Authentication (NLA)
- Enabled (You can check client support by clicking the icon in the upper-left corner of the mstsc window and
choosing "About". It states whether Network Level Authentication is supported; the client should be at least version 6.)
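Group Policy writes these four settings into the registry, so you can audit a server without opening gpedit.msc. The script below is an added example and not from the original article; it reads the policy key first and falls back to the listener's own key, and the expected numeric encodings (3 = High, 2 = SSL/TLS security layer, 1 = Enabled) are the documented values for these policies.

```powershell
# Added example (not from the original article): audit the four RDP Group Policy settings above.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Policy name, the registry value it sets, and the value the article recommends.
$Checks = @(
    @{ Policy = 'Set client connection encryption level';        Name = 'MinEncryptionLevel'; Expected = 3; Meaning = 'High' }
    @{ Policy = 'Require secure RPC communication';               Name = 'fEncryptRPCTraffic'; Expected = 1; Meaning = 'Enabled' }
    @{ Policy = 'Require use of specific security layer';         Name = 'SecurityLayer';      Expected = 2; Meaning = 'SSL (TLS)' }
    @{ Policy = 'Require user authentication for remote (NLA)';   Name = 'UserAuthentication'; Expected = 1; Meaning = 'Enabled' }
)

function Get-RdpSetting {
    param([string]$Name)
    # A value under the Policies key overrides whatever the listener itself is configured with.
    foreach ($key in $PolicyKey, $ListenerKey) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($item -and $null -ne $item.$Name) {
            return [pscustomobject]@{ Value = [int]$item.$Name; Source = $key }
        }
    }
    return $null
}

$Results = foreach ($c in $Checks) {
    $s = Get-RdpSetting -Name $c.Name
    [pscustomobject]@{
        Policy   = $c.Policy
        Expected = "$($c.Expected) ($($c.Meaning))"
        Actual   = if ($s) { $s.Value } else { 'not set (OS default)' }
        Source   = if ($s) { $s.Source } else { '-' }
        # Only an explicitly configured, matching value counts as compliant.
        OK       = [bool]($s -and $s.Value -eq $c.Expected)
    }
}

$Results | Format-Table -AutoSize
# Non-zero exit code makes the script usable from a scheduled compliance job.
if ($Results | Where-Object { -not $_.OK }) { exit 1 }
```

"Require secure RPC communication" only exists as a policy value, so it reports "not set" unless the GPO is applied; on a domain member, run gpupdate /force before auditing so the policy key reflects the current GPO.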
Local Security Policy (secpol.msc)
Account Policies > Account Lockout Policies
Set the lockout threshold to 3-10 invalid attempts.
The other two options (lockout duration and the lockout counter reset) will suggest a value of 30 minutes, which is fine. Adapt as wanted.
Additional measures
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Accounts: Give a new name to the Administrator account.
- Try to make it non-intuitive, and pair it with a good password.
Regardless of all these precautions, RDP still exposes the host to NTLM brute-force attacks. It can even be wise to go
as far as blocking all NTLM traffic in general if your machine is exposed to public networks. An option that lets you
keep using RDP is to set up a site-to-site VPN between the networks involved instead of exposing RDP directly to the Internet.
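Because the brute-force risk remains, it pays to watch for it. The script below is an added example, not part of the original article: it counts failed logons (Security event 4625) per source address and flags addresses above a threshold. The threshold, the constructed sample events and the documentation-range IP addresses are assumptions for the demonstration; the live loader reads the real Security log.

```powershell
# Added example (not from the original article): detect password guessing against RDP
# from failed-logon events. Sample data below is constructed for the demonstration.

function Get-FailedLogons {
    param([int]$Hours = 24)
    # Pull 4625 events and lift the fields we need out of the EventData XML.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            IpAddress = $d['IpAddress']
            LogonType = $d['LogonType']
        }
    }
}

function Find-BruteForceSources {
    param([object[]]$Events, [int]$Threshold = 10)
    # NLA failures are logged as network logons (type 3); classic RDP failures as type 10.
    $Events |
        Where-Object { $_.LogonType -in '3', '10' -and $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object IpAddress |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                IpAddress = $_.Name
                Attempts  = $_.Count
                Users     = ($_.Group.User | Sort-Object -Unique) -join ','
                First     = ($_.Group.Time | Measure-Object -Minimum).Minimum
                Last      = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        }
}

# Constructed sample: one source cycling through many account names, one user with a typo.
$sample = @(
    1..12 | ForEach-Object {
        [pscustomobject]@{ Time = (Get-Date).AddMinutes(-$_); User = "user$_"; IpAddress = '203.0.113.5'; LogonType = '3' }
    }
    [pscustomobject]@{ Time = Get-Date; User = 'alice'; IpAddress = '192.0.2.10'; LogonType = '10' }
)

# Expected: only 203.0.113.5 is reported (12 attempts across user1..user12).
Find-BruteForceSources -Events $sample -Threshold 10 | Format-Table -AutoSize

# Live run against the last 24 hours of the Security log:
# Find-BruteForceSources -Events (Get-FailedLogons -Hours 24) -Threshold 10
```

Failed-logon auditing must be enabled for 4625 to be written at all. On some Windows versions NLA failures record the source address as "-", which this filter drops; in that case correlate with the RemoteDesktopServices-RdpCoreTS operational log, which records the connecting address. A source that trips the threshold with many distinct user names is the pattern the account lockout policy above is meant to blunt.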