Securing RDP Connections
By Dag, on December 22nd, 2016Mostly relevant from Windows 7/2008(R2) and up. Steps you can take to secure RDP traffic. Don't forget setting a good password as well if you open up your own server for Internet access (12+ characters long, and not just alphanumeric).
Don't Make It Obvious
Change your port to something else than 3389 (preferably something available between 1024 and 65535). You can then forward it to your server at 3389 in your firewall and/or router in your network. To connect to this new port in your client, just use IP:PORT (e.g. 127.0.0.1:1234).Group Policy Editor (gpedit.msc)
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security- Set client connection encryption level
- Enabled
- High - Require secure RPC communication
- Enabled - Require use of specific security layer for remote connections
- Enabled
- SSL (TLS 1.0) - Require user authentication for remote connections by using NLA (Network Layer Authentication)
- Enabled (You can check support for this by clicking on client mstsc upper left icon - "About". It will state support, and should be at least version 6 on clients.)
Local Security Policy (secpol.msc)
Account Policies > Account Lockout Policies- Set tries to 3-10
The other 2 options will (should) suggest a value of 30min waiting period, which is fine. Adapt as wanted.
Additional measures
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options- Accounts: Give a new name to the Administrator account.
- Try to make it non-intuitive, and match it with a good password.