Securing RDP Connections
Mostly relevant for Windows 7 / Server 2008 R2 and later. Steps you can take to secure RDP traffic. If you expose your own server to the Internet, a strong password is still the first line of defence (12+ characters, not just alphanumeric); none of the settings below compensate for a guessable one.
Don't Make It Obvious
Change the listening port to something other than 3389 (preferably a free port between 1024 and 65535). You can then forward that port to port 3389 on your server in the firewall and/or router on your network. To connect to the new port from the client, use IP:PORT (e.g. 127.0.0.1:1234). Keep in mind that this only takes the server out of the lazy scans for 3389; a full port scan still identifies RDP by its handshake, so treat the port change as a noise reducer, not as access control.
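The server-side variant of the port change described above (as opposed to leaving the server on 3389 and forwarding an external port to it on the router), as an added example that is not from the original page: it writes the listener's PortNumber value, opens the new port in Windows Firewall, retires the built-in 3389 rules, restarts the service and verifies the result. The port 3390 is a placeholder; the firewall display group name assumes an English Windows; run it from an elevated PowerShell 5.1+ session and expect active RDP sessions to drop at the service restart.

```powershell
# Added example, not from the original page: move the RDP listener off 3389.
# $NewPort is a placeholder; pick a free port in 1024-65535. Run elevated.
$NewPort = 3390
$RdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Refuse to collide with something that already listens on the chosen port.
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "TCP port $NewPort is already in use; choose another."
}

# The listener reads PortNumber from this key when the service starts; the UDP
# transport (Windows 8 / Server 2012 and later) uses the same number.
Set-ItemProperty -Path $RdpTcp -Name PortNumber -Value $NewPort -Type DWord

# Allow the new port (TCP and UDP) and disable the built-in rules that open 3389.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "RDP custom port $NewPort ($proto)" -Direction Inbound `
        -Protocol $proto -LocalPort $NewPort -Action Allow | Out-Null
}
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'   # English display group name assumed

# The change only takes effect when Remote Desktop Services restarts (drops sessions).
Restart-Service -Name TermService -Force

# Verify: listening on the new port, and no longer on 3389.
$new = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
$old = Get-NetTCPConnection -State Listen -LocalPort 3389     -ErrorAction SilentlyContinue
if ($new -and -not $old) {
    "RDP now listens on TCP $NewPort only"
} else {
    throw "Port change did not take effect: new=$([bool]$new) old=$([bool]$old)"
}
```

If you keep the router-forwarding approach instead, skip the registry and service steps and only make sure the forwarded port and 3389 are not both reachable from the outside.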
Group Policy Editor (gpedit.msc)
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
- Set client connection encryption level
  - High Level (the strongest choice short of FIPS Compliant; with the TLS security layer below, TLS does the actual encryption anyway)
- Require secure RPC communication
  - Enabled
- Require use of specific security layer for remote (RDP) connections
  - SSL (TLS 1.0) (the "1.0" in the label is historical; which TLS versions are actually offered is controlled by the Schannel settings of the server)
- Require user authentication for remote connections by using Network Level Authentication
  - Enabled (You can check client support by clicking the icon in the upper-left corner of mstsc and choosing "About": it states whether Network Level Authentication is supported, and the client should be Remote Desktop Connection 6.0 or later.)
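The four settings above, audited and applied from the command line, as an added example that is not from the original page. It uses the Win32_TSGeneralSetting WMI class, which exposes the same three listener settings the first, third and fourth policies control (a value set by Group Policy takes precedence over what this writes), and the policy registry value fEncryptRPCTraffic for "Require secure RPC communication". Function names are mine; run it from an elevated session.

```powershell
# Added example, not from the original page: check the RDP-Tcp listener against
# the hardened values from the policy list and apply whichever fall short.

# Target values, encoded the way the policy editor and WMI store them.
$Wanted = @{
    MinEncryptionLevel         = 3   # 1=Low, 2=Client Compatible, 3=High, 4=FIPS Compliant
    SecurityLayer              = 2   # 0=RDP Security Layer, 1=Negotiate, 2=SSL (TLS)
    UserAuthenticationRequired = 1   # 1 = Network Level Authentication required
}
# WMI setter method for each setting (the method parameter has the same name).
$Setter = @{
    MinEncryptionLevel         = 'SetEncryptionLevel'
    SecurityLayer              = 'SetSecurityLayer'
    UserAuthenticationRequired = 'SetUserAuthenticationRequired'
}

function Get-RdpListenerSetting {
    Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
}

function Test-RdpListenerHardening {
    # One row per setting: current value, wanted value, and whether it passes.
    $ts = Get-RdpListenerSetting
    foreach ($name in $Wanted.Keys) {
        [pscustomobject]@{
            Setting = $name
            Current = [int]$ts.$name
            Wanted  = $Wanted[$name]
            Ok      = ([int]$ts.$name -ge $Wanted[$name])
        }
    }
}

function Set-RdpListenerHardening {
    # Apply only the settings that are below the wanted value.
    $ts = Get-RdpListenerSetting
    foreach ($row in (Test-RdpListenerHardening | Where-Object { -not $_.Ok })) {
        $arguments = @{}
        $arguments[$row.Setting] = [uint32]$row.Wanted
        Invoke-CimMethod -InputObject $ts -MethodName $Setter[$row.Setting] `
            -Arguments $arguments | Out-Null
        Write-Host ('{0}: {1} -> {2}' -f $row.Setting, $row.Current, $row.Wanted)
    }
    # "Require secure RPC communication" has no WMI setter; it is the policy
    # value fEncryptRPCTraffic under the Terminal Services policy key.
    $Pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if (-not (Test-Path $Pol)) { New-Item -Path $Pol -Force | Out-Null }
    Set-ItemProperty -Path $Pol -Name fEncryptRPCTraffic -Value 1 -Type DWord
}

Test-RdpListenerHardening | Format-Table -AutoSize   # before
Set-RdpListenerHardening
Test-RdpListenerHardening | Format-Table -AutoSize   # every row should now show Ok=True
```

The listener settings take effect for new connections without a service restart; the RPC policy value is read the next time the service starts.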
Local Security Policy (secpol.msc)
Account Policies > Account Lockout Policy
- Account lockout threshold: 3-10 invalid logon attempts
When you set the threshold, Windows suggests 30 minutes for the other two settings (Account lockout duration, Reset account lockout counter after), which is fine. Adapt as wanted.
Additional measures
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
- Accounts: Rename administrator account
  - Pick a non-obvious name and pair it with a strong password. Renaming does not change the account's well-known RID (500), so it defeats password guessing against the name "Administrator" rather than enumeration.
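The lockout policy and the rename, applied and verified from the command line, as an added example that is not from the original page. "net accounts" writes the local Account Lockout Policy directly; Rename-LocalUser needs the LocalAccounts module (Windows 10 / Server 2016 and later with PowerShell 5.1). The numbers and the new account name are placeholders. One caveat the example reflects: on the Windows versions this page targets, the built-in Administrator account is exempt from lockout, which is exactly why renaming or disabling it matters.

```powershell
# Added example, not from the original page: lockout policy plus a safe rename
# of the built-in Administrator. Run elevated; values and the name are placeholders.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
net accounts   # prints the effective policy so you can confirm all three values

# Find the built-in Administrator by its well-known RID (500) rather than by name:
# if it was renamed earlier, a user currently called "Administrator" may be a decoy.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtin) { throw 'RID-500 account not found; refusing to guess by name.' }
Rename-LocalUser -SID $builtin.SID -NewName 'ops-console-42'   # placeholder name

# Caveat: the RID stays 500, so anyone who can enumerate accounts or translate
# SIDs still finds it. The rename only stops guessing against "Administrator".
# If another administrator exists, disabling the built-in one is stronger:
#   Disable-LocalUser -SID $builtin.SID

# Verify: the RID-500 account now carries the new name.
Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' } |
    Select-Object Name, Enabled, SID
```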
Regardless of all these precautions, RDP still exposes the server to password brute forcing over NTLM: NLA authenticates the user through CredSSP before a session is created, which is cheaper for the server but does not stop an attacker from trying passwords. If the machine is exposed to public networks it can even be worth blocking incoming NTLM altogether. An option that keeps RDP usable is a site-to-site VPN between the networks involved. If you are on a public network and want to block NTLM temporarily:
Local Security Policy (secpol.msc)
Local Policies > Security Options > Network security: Restrict NTLM: Incoming NTLM traffic
- Deny all accounts
This breaks CredSSP, and therefore NLA, for every client that cannot authenticate with Kerberos instead: all clients of a standalone (non-domain) host, and domain clients that connect by IP address rather than host name. Don't use it if you need RDP reachable that way.
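The NTLM restriction above done in two steps, audit first and deny second, as an added example that is not from the original page. The two registry values are what the "Network security: Restrict NTLM: Audit Incoming NTLM Traffic" and "... Incoming NTLM traffic" policies write; the domain-join check guards against the CredSSP failure mode described above. Function names are mine; run it from an elevated session.

```powershell
# Added example, not from the original page: restrict incoming NTLM with an
# audit phase before the deny. Run elevated.
$Msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Enable-IncomingNtlmAudit {
    # 2 = audit all accounts; nothing is blocked yet.
    Set-ItemProperty -Path $Msv -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
}

function Get-IncomingNtlmAuditEvent {
    # Audit entries land in this operational log; review it after a representative
    # period so you know which clients still rely on NTLM before you deny it.
    Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 100 `
        -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

function Block-IncomingNtlm {
    # 2 = Deny all accounts (1 denies only domain accounts, 0 allows all).
    # After this, CredSSP/NLA only works for clients that can obtain a Kerberos
    # ticket for TERMSRV/<hostname>: the host must be domain-joined and clients
    # must connect by name. A standalone host loses every RDP logon, so refuse.
    $joined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    if (-not $joined) {
        throw 'Standalone host: denying incoming NTLM breaks NLA for all RDP clients. Not applied.'
    }
    Set-ItemProperty -Path $Msv -Name RestrictReceivingNTLMTraffic -Value 2 -Type DWord
}

function Restore-IncomingNtlm {
    # Back to the default (allow all); the audit setting can stay on.
    Set-ItemProperty -Path $Msv -Name RestrictReceivingNTLMTraffic -Value 0 -Type DWord
}

Enable-IncomingNtlmAudit
Get-IncomingNtlmAuditEvent | Format-Table -AutoSize -Wrap
# Only after the audit log shows nothing you still need:
# Block-IncomingNtlm
```

Keep a second way in (console, out-of-band management, or a session that is already open) before calling Block-IncomingNtlm, so that a wrong assumption about Kerberos reachability does not lock you out; Restore-IncomingNtlm undoes the deny.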