How To Secure Windows Remote Desktop
In September 2018 the FBI issued a public service announcement regarding risks and hacking attempts against the RDP protocol. The announcement, which includes some suggestions (with additional considerations below), is at https://www.ic3.gov/media/2018/180927.aspx
Considerations For Securing your Windows Server / RDP Terminal Server
Here is a list of various actions to consider to help secure your remote server environment:
- Utilize strong, complex usernames/passwords for all accounts (very important)
- Keep your server firewall enabled and configured correctly
- Keep your server updated with the latest security patches for Windows Server OS and other programs
- Install Anti-virus (note: Windows 2016 comes with Defender built-in)
- Whitelist IPs within the Windows Firewall – Allow RDP connections from only specific IPs
- Change RDP listening port from default port 3389
- Disable the built-in Administrator account (or disable RDP access from Administrator account)
- Use Multi-factor / Two-factor Authentication (using software like Duo Software, www.duo.com)
- Use VPN – Allow RDP connections from VPN clients only
- Install RDP Intrusion Prevention Software to block IPs with repeated failed login attempts
- Limit users who can log in via RDP (by default, all members of the Administrators group have access)
- Enable Account Lockout policies to create a delay or lock out accounts with recurring failed logins
- Don’t give regular users local administrator rights
- Set up the Remote Desktop Gateway role to tunnel RDP traffic through HTTPS port 443 instead of port 3389
- Enable Network Level Authentication for RDP (so credentials are verified before a session is established)
- If using Dedicated Hardware server hosting, use a hardware VPN/firewall device such as a SonicWall
- Design and implement a backup plan
- Disable user accounts that are no longer being used
- Use software security products that combine some or all of the following: VPN, firewall, AV/anti-malware, Intrusion Prevention (IPS), Intrusion Detection (IDS), etc.
- Enable policies to automatically log off disconnected or idle sessions after a time period
- Adjust RD Session Host security settings to require SSL communication, High encryption, etc.
After applying any of the actions above, test that they work as intended. Opening multiple RDP sessions from one PC under different user names is a convenient way to test.
The information provided in this document/post is intended to provide general information only and is not a complete listing of available considerations. The content is provided AS IS without any express or implied warranties of any kind with respect to the accuracy, correctness, reliability, or fitness for a particular purpose. You should be discussing all security policies and related procedures, configurations, monitoring and other server management functions with your IT staff or consultants. Riptide Hosting does not provide managed services and is not a substitute for you maintaining your own IT staff/consultants.
RD Session Host Security settings in Windows Server 2016 (SSL, High encryption, etc.)
In gpedit.msc go to Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Security, and review the options there:
- “Require use of specific security layer for remote (RDP) connections” – set the security layer to SSL, which is the recommendation listed in Windows 2016
- “Set client connection encryption level” – enabled, level set to High
- “Require secure RPC communication” – enabled
- “Require user authentication for remote connections by using Network Level Authentication” – enabled
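The following is an added example, not part of the original post: it audits the RD Session Host settings just listed, plus a few items from the checklist above (RDP port, built-in Administrator, firewall scope, lockout threshold), by reading the policy values that gpedit.msc writes and the effective RDP-Tcp listener values. It assumes Windows Server 2016 with the RD Session Host role and an elevated PowerShell prompt; it changes nothing and only reports.

```powershell
# Added example (not from the original post): report the RD Session Host hardening state.
# Assumes Windows Server 2016 and an elevated PowerShell prompt; read-only.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null means the value (or key) is absent, i.e. the policy is "Not Configured"
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-RdpHardening {
    # Registry encodings: SecurityLayer 0=RDP 1=Negotiate 2=SSL; MinEncryptionLevel 1=Low,
    # 2=Client Compatible, 3=High, 4=FIPS; UserAuthentication 1=NLA required; fEncryptRPCTraffic 1=on
    $settings = @(
        @{ Check = 'Security layer is SSL';  Name = 'SecurityLayer';      Expect = 2 }
        @{ Check = 'Encryption level High';  Name = 'MinEncryptionLevel'; Expect = 3 }
        @{ Check = 'NLA required';           Name = 'UserAuthentication'; Expect = 1 }
        @{ Check = 'Secure RPC required';    Name = 'fEncryptRPCTraffic'; Expect = 1 }
    )
    foreach ($s in $settings) {
        # A configured policy overrides the listener value; fEncryptRPCTraffic exists only as policy
        $policy = Get-RegValue $PolicyKey $s.Name
        $actual = if ($null -ne $policy) { $policy } else { Get-RegValue $ListenerKey $s.Name }
        [pscustomobject]@{ Check = $s.Check; Actual = $actual; Expected = $s.Expect; Pass = ($actual -eq $s.Expect) }
    }

    $port = Get-RegValue $ListenerKey 'PortNumber'
    [pscustomobject]@{ Check = 'RDP port moved off 3389'; Actual = $port; Expected = 'not 3389'; Pass = ($port -ne 3389) }

    # The built-in Administrator is RID 500 whatever it has been renamed to
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    [pscustomobject]@{ Check = 'Built-in Administrator disabled'; Actual = $admin.Enabled; Expected = $false; Pass = (-not $admin.Enabled) }

    # Enabled Remote Desktop firewall rules whose remote address scope is still "Any"
    $openRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' })
    [pscustomobject]@{ Check = 'RDP firewall rules limited to specific IPs'; Actual = "$($openRules.Count) rule(s) open to Any"
                       Expected = '0 rule(s)'; Pass = ($openRules.Count -eq 0) }

    # "net accounts" prints "Lockout threshold: Never" when no lockout policy is set
    $lockout = (net accounts | Where-Object { $_ -like 'Lockout threshold*' }) -replace '^.*:\s*', ''
    [pscustomobject]@{ Check = 'Account lockout threshold set'; Actual = $lockout; Expected = 'a number'; Pass = ($lockout -ne 'Never') }
}

Test-RdpHardening | Format-Table -AutoSize
```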
RD Gateway Role in RDS
Using the Remote Desktop Gateway role (RDGW) adds security by forcing RDP traffic over HTTPS on port 443 (an SSL certificate is required) instead of port 3389.
General steps to install the RDGW role on Windows Server 2016: (we have a more detailed post on this too)
- Install RDGW role which will also install IIS
- In RD Gateway Manager, create CAP and RAP policies for who can login to the gateway and what resources they can access.
- For initial testing/deployment, you can create a self-signed certificate and put the server’s IP address in the certificate name field. Using a self-signed certificate requires installing the certificate on each client device. An SSL certificate issued by a certificate authority is preferred; such certificates can only be issued for a domain name, not an IP address.
- Confirm that all items in the RD Gateway Manager have green checkmarks.
- From the RD Connection Client on your local PC, go to more options, advanced tab, enter gateway settings before connecting.
- Turn off port 3389 to the outside on the Windows Firewall on the server to force traffic to use port 443.
Lockout Policies (based on username attempts, not IP addresses):
To lock out an account for a period of time after a number of incorrect login attempts (to create delay with recurring failed logins), you can set up Account Lockout Policies in Windows. It does NOT apply to the Administrator account (so you may want to disable the Administrator account and create a different account with administrator rights – see previous suggestion). Lockout policies can be useful to prevent brute-force password guessing attacks but can cause your accounts to be locked out without you being able to access the server (so plan accordingly).
Local Security Policy (secpol.msc) -> Security Policies -> Account Policies -> Account Lockout Policy, set values for the three options, OR
Gpedit.msc -> Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Policies -> Account Policies -> Account Lockout Policy, set values for the three options
To unlock an account (if a legitimate user is locked out), log in under an active account with administrator rights, go to the locked-out user’s properties, and uncheck the box by “Account is locked out”.
You can see detailed status of a user account by opening the command prompt and typing “net user [username]”
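The following is an added example, not part of the original post: it sets the three Account Lockout Policy values from the command line with the built-in `net accounts` command, reads them back, and inspects or unlocks a locked-out local account the same way the properties dialog does. It assumes a workgroup (non-domain) server and an elevated prompt; `user1` is a placeholder name.

```powershell
# Added example (not from the original post): lockout policy and unlock for a workgroup server.
# Run elevated. Lockout never applies to the built-in Administrator account, as noted above.

function Get-LocalLockoutPolicy {
    # Parse the "net accounts" report (labels as printed by Windows Server 2016) into an object
    $text = net accounts
    $get  = { param($label) ($text | Where-Object { $_ -like "$label*" }) -replace '^.*:\s*', '' }
    [pscustomobject]@{
        LockoutThreshold     = & $get 'Lockout threshold'                    # "Never" when disabled
        LockoutDurationMin   = & $get 'Lockout duration (minutes)'
        ObservationWindowMin = & $get 'Lockout observation window (minutes)'
    }
}

function Set-LocalLockoutPolicy {
    param([int]$Threshold = 5, [int]$DurationMinutes = 30, [int]$WindowMinutes = 30)
    # Same three values as Account Lockout Policy in secpol.msc; Windows requires duration >= window
    if ($DurationMinutes -lt $WindowMinutes) { throw 'Lockout duration must not be shorter than the observation window' }
    net accounts /lockoutthreshold:$Threshold /lockoutduration:$DurationMinutes /lockoutwindow:$WindowMinutes | Out-Null
    Get-LocalLockoutPolicy
}

function Get-LocalAccountLockState([string]$UserName) {
    # The WinNT provider exposes the same "Account is locked out" flag the properties dialog shows
    $u = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    [pscustomobject]@{
        UserName         = $UserName
        LockedOut        = [bool]$u.InvokeGet('IsAccountLocked')
        Disabled         = [bool]($u.UserFlags.Value -band 0x2)     # ADS_UF_ACCOUNTDISABLE
        BadPasswordCount = $u.BadPasswordAttempts.Value
    }
}

function Unlock-LocalAccount([string]$UserName) {
    $u = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    if ($u.InvokeGet('IsAccountLocked')) {
        $u.InvokeSet('IsAccountLocked', $false)    # equivalent to unchecking "Account is locked out"
        $u.SetInfo()
    }
    Get-LocalAccountLockState -UserName $UserName
}

# Usage (elevated):
#   Set-LocalLockoutPolicy -Threshold 5 -DurationMinutes 30 -WindowMinutes 30
#   Get-LocalAccountLockState -UserName 'user1'
#   Unlock-LocalAccount -UserName 'user1'
#   net user user1        # the detailed account status the post mentions
```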
Limit users who can login via RDP
By default, all members of the Administrators group have RDP access rights, and of course all members of the Remote Desktop Users group do too. If you want only some members of the Administrators group to have RDP access, remove the Administrators group from the right in Local Security Settings and make sure every required remote user is a member of the Remote Desktop Users group:
Local Security Policy (secpol.msc) -> Security Settings -> Local Policies -> User Rights Assignment -> Allow Logon Through Remote Desktop Services, change settings to remove “Administrators group” (but make sure any users you want to have RDP access are already part of the “Remote Desktop Users Group” especially the one you are currently logged in with).
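The following is an added example, not part of the original post: it makes the same “Allow log on through Remote Desktop Services” change with `secedit` instead of the secpol.msc dialog, and refuses to run unless the account you are logged on with is already a direct member of Remote Desktop Users, which is the lock-out risk the paragraph above warns about. It assumes a workgroup server and an elevated prompt; the SIDs are the well-known BUILTIN ones.

```powershell
# Added example (not from the original post): restrict the RDP logon right with secedit.
# Assumes a workgroup server and an elevated prompt.

$AdminsSid   = '*S-1-5-32-544'   # BUILTIN\Administrators
$RdpUsersSid = '*S-1-5-32-555'   # BUILTIN\Remote Desktop Users

function Get-RemoteLogonRight {
    # Export only the user-rights area and return who currently holds SeRemoteInteractiveLogonRight
    $cfg = Join-Path $env:TEMP 'rights-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if ($line) { ($line -split '=', 2)[1].Trim() -split ',' } else { @() }
}

function Set-RemoteLogonRight([string[]]$Holders) {
    # Apply a minimal security template; the USER_RIGHTS area replaces the whole assignment list
    $cfg = Join-Path $env:TEMP 'rights-apply.inf'
    $db  = Join-Path $env:TEMP 'rights-apply.sdb'
    @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
      '[Privilege Rights]', "SeRemoteInteractiveLogonRight = $($Holders -join ',')") |
        Set-Content -Path $cfg -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue
}

function Restrict-RdpLogonToRdpUsers {
    # Guard: the current account must already be in Remote Desktop Users, or this session is the last one
    $me      = "$env:USERDOMAIN\$env:USERNAME"
    $members = Get-LocalGroupMember -Group 'Remote Desktop Users' | ForEach-Object Name
    if ($members -notcontains $me) {
        throw "Add $me to Remote Desktop Users before removing Administrators, or you will lose RDP access"
    }
    $holders = @(Get-RemoteLogonRight | Where-Object { $_ -ne $AdminsSid })
    if ($holders -notcontains $RdpUsersSid) { $holders += $RdpUsersSid }
    Set-RemoteLogonRight -Holders $holders
    Get-RemoteLogonRight     # expect *S-1-5-32-555 (plus any explicit users) and no *S-1-5-32-544
}

# Usage (elevated): Get-RemoteLogonRight; Restrict-RdpLogonToRdpUsers
```

Verify with a second RDP session before closing the one you ran this from.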
RDP Intrusion Prevention Software (host-based intrusion detection/prevention) – RDP IP blockers: software that protects Windows RDP against brute-force attacks by blocking IP addresses with repeated failed attempts; some products also offer geolocation blocking of IPs assigned to certain countries.
There are several third-party software products available that will lock out IP addresses after X number of failed attempts, such as Syspeace, RdpGuard, TSPlus RDS-Knight, LF Intrusion Detection and more. Syspeace ($73/year or $0.20 per day with a minimum $15 purchase) has a global blacklist feature as well as a geolocation feature to block IP addresses by location/country. During a test with the Syspeace software, we noted a majority of failed login attempts were geocoded to Russia and Ukraine. Another observation was when we changed the RDP port to something other than 3389, the failed attempts dropped to zero, although automated bots may have eventually found the changed port (we didn’t try it that way for very long).
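The following is an added example, not part of the original post or of any of the products named above: it implements the core logic such an RDP IP blocker performs, reading failed-logon events (Event ID 4625) from the Security log, counting failures per source address inside a time window, and adding a Windows Firewall block rule for sources over a threshold. The sample events are constructed (TEST-NET addresses); it assumes logon failure auditing is on and an elevated prompt, and you should allow-list your own IPs.

```powershell
# Added example (not from the original post): failed-logon analysis and per-IP blocking.
# Assumes an elevated prompt on the RD Session Host and Security-log failure auditing.

function Get-RdpFailedLogon([int]$Hours = 1) {
    # Project 4625 events to the fields the blocker needs. With NLA enabled, failed RDP attempts
    # are logged as logon type 3 rather than 10 and IpAddress can be "-", so filter on the address.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; User = $data.TargetUserName
                           IpAddress = $data.IpAddress; LogonType = $data.LogonType }
    }
}

function Find-BruteForceSource {
    param([object[]]$Events, [int]$Threshold = 5, [string[]]$AllowList = @())
    $Events |
        Where-Object { $_.IpAddress -match '^\d{1,3}(\.\d{1,3}){3}$' -and $AllowList -notcontains $_.IpAddress } |
        Group-Object IpAddress | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
            $times = $_.Group.Time | Sort-Object
            [pscustomobject]@{
                IpAddress = $_.Name
                Failures  = $_.Count
                Users     = (($_.Group.User | Sort-Object -Unique) -join ',')   # many names = password spraying
                FirstSeen = $times[0]
                LastSeen  = $times[-1]
            }
        }
}

function Block-SourceAddress([string]$IpAddress) {
    # Idempotent: one block rule per address, named so it can be found and removed later
    $name = "RDP brute-force block $IpAddress"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -RemoteAddress $IpAddress -Profile Any | Out-Null
    }
    $name
}

# Constructed sample: six failures from one source, two from another, one from an allow-listed IP
$now = Get-Date
$sampleEvents = @(
    foreach ($i in 1..6) { [pscustomobject]@{ Time = $now.AddMinutes(-$i); User = @('administrator', 'admin', 'sql')[$i % 3]; IpAddress = '203.0.113.10'; LogonType = 3 } }
    foreach ($i in 1..2) { [pscustomobject]@{ Time = $now.AddMinutes(-$i); User = 'user1'; IpAddress = '198.51.100.7'; LogonType = 10 } }
    [pscustomobject]@{ Time = $now; User = 'user1'; IpAddress = '192.0.2.25'; LogonType = 10 }
)
$offenders = Find-BruteForceSource -Events $sampleEvents -Threshold 5 -AllowList @('192.0.2.25')
$offenders | Format-Table -AutoSize     # only 203.0.113.10 qualifies, with 6 failures and 3 user names

# On the real server (elevated), e.g. from a scheduled task every few minutes:
# Find-BruteForceSource -Events (Get-RdpFailedLogon -Hours 1) -AllowList @('<your office IP>') |
#     ForEach-Object { Block-SourceAddress $_.IpAddress }
```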
Using a VPN with RDP is more secure because it adds a second step to reach your network: clients must connect to the VPN before they can RDP to the server. Unless you are using our Dedicated Server Hosting offering, where you can have a hardware VPN device, you will need to install a software VPN on the server. One option is the free built-in Windows VPN role service. Other software VPN options include Hamachi (acquired by LogMeIn) and ZeroTier, which provides software-defined networking, among others.
WINDOWS SERVER BUILT-IN VPN ROLE:
If you are interested in setting up the built-in VPN role on Windows Server 2016 and then limiting RDP access to private IPs once the VPN is connected, contact Riptide Hosting for a post we wrote on how to set this up. PPTP VPN using Windows authentication is password based, so strong/complex passwords are still very important. Other VPN protocols or certificate-based authentication may provide stronger security depending on your needs and environment. You can also use the built-in Windows VPN to set up an L2TP VPN with pre-shared keys.
General steps to install the (free) built-in VPN role on Windows Server 2016:
- Add “Remote Access” server role with “DirectAccess and VPN (RAS)” role service.
- Open the Getting Started Wizard, select “Deploy VPN only”, “Configure and Enable Routing and Remote Access”, Select “Custom Configuration”, Select “VPN access” only. Start Service. Reboot
- Go into “Routing and Remote Access” properties, IPv4 tab to add static IP address pool with private IPs
- Change Network Adapter settings, IPv4, to add secondary IP from private IP range above
- Adjust User Properties for each user on the Dial-In tab to Allow “Network Access Permission”
- Setup VPN Connection on each user PC (may need to uncheck “use default gateway on remote network” if having internet issues on the PC)
- Adjust Server Firewall rules to disable RDP access on port 3389
- Test deployment (verify you can’t RDP without using VPN first, etc.)
- Our steps generally follow the steps in these links with a few additional items noted
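The following is an added example, not part of the original post: it scopes the built-in “Remote Desktop” firewall rules to the addresses that should reach RDP (the VPN address pool from the steps above, or the office IPs from the whitelist item in the checklist), adds a matching rule if you moved RDP off port 3389, and gives a client-side test for the “verify you can’t RDP without the VPN” step. The 10.10.10.0/24 pool and the host name are assumptions; run it elevated on the server.

```powershell
# Added example (not from the original post): limit the RDP firewall rules to allowed addresses.
# Assumes an elevated prompt on the server; 10.10.10.0/24 stands in for your VPN pool or office IPs.

function Get-RdpFirewallScope {
    # One row per rule in the group so you can confirm nothing is still open to "Any"
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; RemoteAddress = ($addr -join ', ') }
    }
}

function Restrict-RdpToAddresses {
    param([string[]]$RemoteAddress = @('10.10.10.0/24'))
    # Covers the TCP, UDP and Shadow rules in the group; RemoteAddress replaces the default "Any"
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -Enabled True -RemoteAddress $RemoteAddress
    Get-RdpFirewallScope
}

function Add-CustomRdpPortRule {
    # The built-in rules only cover 3389; if you changed the listening port, allow the new one
    # with the same address scope instead of opening it to everyone
    param([Parameter(Mandatory)][int]$Port, [string[]]$RemoteAddress = @('10.10.10.0/24'))
    $name = "Remote Desktop - custom port $Port (TCP-In)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort $Port `
            -RemoteAddress $RemoteAddress -Action Allow | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name
}

function Test-RdpExposure {
    # Run from a client PC: outside the VPN expect False; after connecting the VPN expect True
    param([Parameter(Mandatory)][string]$ServerHost, [int]$Port = 3389)
    (Test-NetConnection -ComputerName $ServerHost -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
}

# Usage on the server (elevated):   Restrict-RdpToAddresses -RemoteAddress @('10.10.10.0/24')
# Usage on a client, before and after connecting the VPN:   Test-RdpExposure -ServerHost 'server.example.com'
```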
Advantages to using Riptide Hosting SPLA Microsoft Licenses
Most customers use our Microsoft licensing (Windows Server, Office, SQL Server, Remote Desktop Services – RDS) provided under the SPLA program (Service Provider Licensing Agreement) on a monthly basis rather than purchasing their own MS Volume Licenses. (Windows Server CAL licenses are not required with our SPLA licensing which are required under regular MS Volume Licensing).
Using our Microsoft SPLA licensing eliminates upfront fees and makes it easy to increase and decrease licenses each month.
If you own Microsoft Volume Licenses, you can use our Dedicated Hardware Server offering and transfer your own licenses but depending on which licenses you own and how many users you have, it may still be cheaper to utilize our virtual servers/VMs with our SPLA licenses. Contact us to review options and pricing. We discuss the advantages to using SPLA licenses below.
SPLA LICENSES — Advantages to using our MS Licensing under SPLA:
- Pay monthly with no commitment (versus Volume Licenses which may be 1-3 year term)
- Pay for exactly the number of licenses you need today, not more (for user based licensing (i.e. RDS SALs/user licenses, Office SALs), we can increase the number of licenses easily so you can only license what is needed)
- For Windows Server under SPLA, no additional Windows Server CALs are needed (you still need RDS SALs if applicable).
- Upgrade rights (similar to Software Assurance) are included, so you can upgrade to the latest version.
- No large upfront payment like if you purchase perpetual MS Volume Licenses.
- No minimum purchase – Can increase user licenses in increments of one user. (Some volume licensing programs have a minimum purchase or minimum points)
- You cannot install or use your own licenses for SQL Server, RDS, Office or Office 365 on our Virtual Servers due to Microsoft licensing restrictions.
- Example Pricing:
- Windows Server licensing is included in our base server cost
- RDS user licenses are $8.99 per user per month
- SQL Server Standard is $316/mo per 4 cores versus retail pricing of approx. $7,500 per 4 cores plus add Software Assurance annually.
VOLUME LICENSES — Advantages to using/purchasing your own Volume Licensing
- If measuring over a long-term period, perpetual volume license may cost less than monthly SPLA license (but you have a long-term agreement with large upfront fee, plus you have to purchase Software Assurance separately, as well as Windows CALs on top of Windows Server).
**If you end up needing fewer licenses you will still pay for all the licenses you purchased.
- SQL Server Standard and Enterprise can be very expensive (often as much as the underlying server cost!) and if you have already purchased these licenses you may want to use them to save money, although you are required to use our Dedicated Hardware Server hosting to use your own licensing.
- If you have a large number of users and already have your own Office licensing (or Office 365 plan that will work on a server or terminal server), then you may want to use them to save money, although you are required to use our Dedicated Hardware Server hosting to use your own licensing.
VIRTUAL SERVER HOSTING — Virtual Server Environment at Riptide Hosting:
- SPLA licenses only. You must license SQL Server, RDS and Office through us (SPLA) in our VM environment. You cannot use your own licensing of SQL Server, RDS, Office, or Office 365 on our VMs.
- Lower entry costs, VMs start at $100/month
- Best for VMs with fewer resources (fewer than 25 users, less than 200 GB disk space, less than 8 GB RAM and 4 vCPU)
- Less expensive full image backup options with quick restores
- May be less expensive to use our SPLA licenses on a VM with full image backup, even in scenarios where you have your own licensing.
DEDICATED SERVER HOSTING — Dedicated Hardware Server Environment at Riptide Hosting:
- You can use our SPLA licenses or use your own Volume Licenses. Where the server hardware is fully dedicated to you, the outsourcing language within Microsoft Product Terms applies.
- Best when you need significant resources (more than 25 users, more than 200 GB disk space, more than 8 GB RAM and 4 vCPU).
- Our Dedicated Servers start around $300/month. Compare this to AWS Dedicated Instances or AWS Dedicated Hosts that start at over $1k per month and you have to bring all your own licensing.
- Requires more expensive full server image backup options due to much higher disk space provided.
- Only hosting offering we provide that allows you to use your own SQL Server, RDS, Office, or Office 365 licenses. Even if you have your own licensing, make sure it can be used on a remote hosted server. For example, Office 365 Business plans won’t work on a Windows Server with Remote Desktop Services because Office 365 Business doesn’t include Pro Plus.
RDS — Remote Desktop Services (RDS) Licensing Notes:
- We get asked a lot of questions about RDS licenses and here are some of our most common discussions.
- Many hosting providers don’t even offer the ability to license RDS SALs through them and require you to have your own licenses. If you are using Remote Desktop Services (RDS), make sure you understand whether your hosting provider can provide the required licenses or not. **If you can only login with two accounts then they did not provide you licensing for RDS access other than for maintenance.
- The RDS CALs/SALs are not part of the Windows Server OS licensing and are applied separately. Riptide Hosting provides RDS SALs on a monthly basis (with no long-term commitment) at $8.99 per user. For example, AWS doesn’t offer RDS user licensing. You have to buy them from MS and then bring them to AWS via License Mobility which requires that you maintain active Software Assurance on the RDS CALs and go through a MS license verification process.
- Microsoft only provides RDS user licenses on a per-unique-end-user basis. There is no concurrent licensing model available from Microsoft for RDS. All users, regardless of actual usage, require a license.
Windows Server and SQL Server Licensing Notes:
- SQL Server is licensed per core but with a minimum of 4 cores per VM or per processor.
- Windows Server is also now licensed per core (starting with Windows Server 2016)
- SQL Server comes in multiple editions: Express (free), Web (through SPLA only; for publicly accessible web pages, etc.), Standard, Enterprise. Contact us for differences and monthly SPLA pricing.
You may want to see which users are logged on to your Windows 2016 Server at any given time and log off a user. Users can be “active” on a server or in a “disconnected” session, meaning they disconnected from the server but didn’t log off. Since disconnected sessions continue to use server resources, we recommend enabling a group policy that logs off disconnected sessions automatically after a set period such as 5 minutes or X hours. The easiest method is a group policy that sets session time limits for all users, as follows:
- From a command prompt, run gpedit.msc
- Computer Configuration, Admin Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Session Time Limits
- Enable appropriate group policies and modify as needed
- We recommend setting “Set time limit for disconnected sessions” because it prevents disconnected sessions from consuming server resources
- After modifying group policies, you can force an update without rebooting by typing “gpupdate /force” at cmd prompt
By default, we now release Windows 2016 Servers with the disconnected session limit set at 5 minutes. We strongly recommend keeping this group policy at 5 minutes or changing it to another time period that you want. We don’t enable a default policy to log off “idle” sessions after X period of time, but it is recommended that you enable this at X hours or X days.
To see detail on each user’s session (how long it has been active, whether it is disconnected or idle, etc.), open a command prompt and type “quser”, which shows each user with session stats.
We haven’t seen this happen very frequently, but if a user logs on to the server and the screen remains black, it is likely because the user has an existing disconnected session that has not been fully logged off. To resolve this, log into the server as an Administrator and log off the user’s disconnected session. When the user logs in again, they should see their full desktop session without any issues.
Steps to view and log off users:
- Login as Administrator or account with administrator rights
- Open Task Manager by right clicking the bottom tool bar
- Click on “More” or “Detail” to view all tabs of Task Manager
- Go to the “Users” tab which will show the users that are logged on the server
- Right click on a username and select “Log Off”
We recommend that users be educated to log off from the server when their tasks are completed (start, click on username, select log-off or sign-off) instead of just disconnecting the session by clicking the X in the upper right corner which doesn’t log the user off and only disconnects the session.
This post is about how to shadow a user session if the Windows Remote Desktop Server is not connected to a domain. If the server is connected to a domain, you can go to server manager, RDS Manager, and right click on current sessions to shadow and connect. When the server is in Workgroup mode (not connected to domain) the Remote Desktop Services Manager page is not accessible in Server Manager. To shadow another user’s sessions in Windows Server 2016 in Workgroup mode, use the following steps:
1) Open command window by clicking start, CMD. You must be using an account with administrative privileges. If you are using an account with administrative privileges that isn’t the named Administrator account, you must run in administrator mode (right click on cmd and click run as administrator)
2) Type quser.exe to determine the session number of the user session you want to shadow.
C:\Users\administrator.computer>quser.exe   (note: typing qwinsta shows similar information)
 USERNAME              SESSIONNAME        ID  STATE
 administrator         rdp-tcp#0           1  Active
 user1                 rdp-tcp#1           3  Active
3) In this example, the Administrator is going to shadow the user1 session which is session 3. You need to know the session number (“3”) for the next step.
4) Start shadow session by typing “mstsc /shadow:# /control” where # is the session number to shadow and /control allows you to control the session.
C:\Users\administrator.computer>mstsc /shadow:3 /control
5) The other user (user1 in this example) will get a popup called “remote control request” and must press Yes before shadow session will open.
6) The shadow session will open and you’ll be able to view the user1 session desktop screen.
IF YOU WANT TO SHADOW A USER SESSION WITHOUT NEEDING THEIR CONSENT FOR THE SHADOW SESSION TO OPEN:
- Enable the following group policy by going to gpedit.msc and then Local Computer Policy, Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Connections.
- Enable the setting “set rules for remote control of Remote Desktop Services user sessions” and select the option for “Full Control without user’s permission” in the dropdown.
- Reboot the server to make the group policy take effect (or open elevated command prompt and type in gpupdate.exe /force)
- Then using the same command as in the section above add “/noconsentprompt” like this:
- mstsc /shadow:3 /control /noconsentprompt
- It will still prompt the user to authorize control but if they don’t within 5-10 seconds, the shadow session will open even without their authorization.
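The following is an added example, not part of the original post: it parses quser output into objects, logs off sessions that have sat disconnected longer than a threshold (the stale session behind the “black screen” symptom described earlier), and starts a shadow session by user name instead of reading the session ID off the screen. It runs elevated on the RD Session Host; the sample quser output is constructed.

```powershell
# Added example (not from the original post): quser parsing, stale-session logoff, shadow by name.
# Run elevated on the RD Session Host.

function ConvertFrom-Quser([string[]]$Lines) {
    # Disconnected sessions print an empty SESSIONNAME, so that group is optional and the numeric
    # ID anchors the rest of the row. A leading ">" marks the session the command ran in.
    $pattern = '^\s*>?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)\s+(?<idle>\S+)\s+(?<logon>.+?)\s*$'
    foreach ($line in $Lines | Select-Object -Skip 1) {
        if ($line -match $pattern) {
            [pscustomobject]@{ UserName = $Matches.user; SessionName = $Matches.session; Id = [int]$Matches.id
                               State = $Matches.state; IdleTime = $Matches.idle; LogonTime = $Matches.logon }
        }
    }
}

function Get-RdpSession { ConvertFrom-Quser -Lines (quser 2>$null) }

function ConvertTo-IdleMinutes([string]$Idle) {
    # quser idle formats: "." or "none" (not idle), "17" (minutes), "1:05" (h:mm), "2+03:15" (days+h:mm)
    if ($Idle -match '^(?:(\d+)\+)?(?:(\d+):)?(\d+)$') {
        return [int]$Matches[1] * 1440 + [int]$Matches[2] * 60 + [int]$Matches[3]
    }
    0
}

function Remove-StaleDisconnectedSession {
    param([int]$MinutesDisconnected = 60, [switch]$DryRun)
    # A disconnected session's idle time is at least as long as it has been disconnected
    foreach ($s in (Get-RdpSession | Where-Object { $_.State -eq 'Disc' })) {
        if ((ConvertTo-IdleMinutes $s.IdleTime) -ge $MinutesDisconnected) {
            if ($DryRun) { "Would log off $($s.UserName) (session $($s.Id), idle $($s.IdleTime))" }
            else { logoff $s.Id; "Logged off $($s.UserName) (session $($s.Id))" }
        }
    }
}

function Start-SessionShadow {
    param([Parameter(Mandatory)][string]$UserName, [switch]$Control)
    $s = Get-RdpSession | Where-Object { $_.UserName -eq $UserName -and $_.State -eq 'Active' }
    if (-not $s) { throw "No active session for $UserName" }
    $mstscArgs = @("/shadow:$($s.Id)") + $(if ($Control) { '/control' } else { @() })
    # The user sees the "remote control request" prompt unless the policy described above changes that
    Start-Process mstsc.exe -ArgumentList $mstscArgs
}

# Constructed quser output in the layout Windows Server 2016 prints
$sampleQuser = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>administrator         rdp-tcp#0           1  Active          .  5/1/2018 9:00 AM',
    ' user1                 rdp-tcp#1           3  Active          5  5/1/2018 9:30 AM',
    ' user2                                     4  Disc         1:05  5/1/2018 8:00 AM'
)
ConvertFrom-Quser -Lines $sampleQuser | Format-Table -AutoSize   # user2: Id 4, State Disc, idle 1:05 = 65 minutes

# Usage on the server (elevated):
#   Remove-StaleDisconnectedSession -MinutesDisconnected 60 -DryRun
#   Start-SessionShadow -UserName 'user1' -Control
```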
The quickest and easiest method to move your MS applications/databases online (to the cloud) is to deploy them on a hosted Windows Remote Desktop Server. We have been providing terminal server (remote desktop) hosting solutions for over 15 years. Most clients are able to deploy their Access application on a Windows Server with Remote Desktop Services within a few hours. Contact us to discuss your options, pricing, MS licensing, etc.
As previously announced by Microsoft, Access-based web apps (Access Web Apps) and Access web databases in Office 365 and Sharepoint Online were shut down last month (April 2018). See link here: https://support.office.com/en-us/article/Access-Services-in-SharePoint-Roadmap-497fd86b-e982-43c4-8318-81e6d3e711e8?ui=en-US&rs=en-US&ad=US
You can also review our pricing calculator here: http://www.riptidehosting.com/Remote-Desktop-Hosting-Pricing.aspx
When comparing options for hosting your Access application online, ask the hosting provider if it will be a Windows Server with Remote Desktop Services or if they are hosting the Access application on a Sharepoint server. We do not provide hosting services on Sharepoint. If your MS Access application has VBA coding, it may not work in a sharepoint environment. You should also ask if your application is hosted in a dedicated OS environment (dedicated VM for you) or if it is on a shared server environment.
Adjusting Server Manager settings so it doesn’t automatically start upon login (or turning it back on)
Update: the steps below for modifying auto-start for server manager within the server manager GUI will only affect the user account under which it is being set. To change the auto-start behavior for all users to not automatically start, you can enable a group policy by going to gpedit.msc, local computer policy, computer configuration, administrative templates, system, server manager, enable the policy for “do not display Server Manager automatically at logon”.
For Windows Server 2016: You may want to adjust the settings for Server Manager so that the Server Manager window opens automatically (or doesn’t open automatically) when logging into a Windows Server 2016 desktop session via RDP. You may want to turn it off so that it doesn’t consume resources during login or if it isn’t useful to users. You can follow the steps below to turn auto-start on or off.
Open Server Manager by clicking the Server Manager icon on the bottom taskbar right next to the start button or clicking start and type “server manager” or look at tiles under start button.
- Under the “Manage” drop-down in the upper right corner, select Server Properties, then check the box by “Do Not Start Server Manager Automatically…” (or uncheck it if you want it to start automatically upon login)
- You can always open Server Manager by clicking on the icon in the taskbar next to the start button that looks like a toolbox
Microsoft announced earlier this year that Access-based web apps and Access web databases in Office 365 and SharePoint Online will be shut down by April, 2018. See link here:
This does not affect Access Desktop databases (.accdb).
One alternative you should consider is use of a Windows Remote Desktop Server with Access or Access runtime installed. Riptide Hosting has been providing terminal server (remote desktop) hosting solutions for over 15 years. Contact us to discuss pricing and options.
You can follow the steps below to install .net 3.5 on a Windows Server running 2012R2:
- Insert Windows Server 2012R2 installation media into the DVD-ROM drive (Riptide will have to do this for your remote server)
- Follow instructions on this link and as described below https://technet.microsoft.com/en-us/library/dn482071.aspx?f=255&MSPPError=-2147217396
- Open Server Manager, add Roles and Features
- Select .NET Framework 3.5 Features
- On the “confirm installation selections” screen, click on the “specify alternative source path” link at bottom of screen
- Type in d:\sources\sxs
- Remember to remove the installation media DVD (Riptide will have to do this)
Azure RemoteApp discontinued – use Riptide Hosting as alternative to Azure RemoteApp and Citrix
Microsoft announced this month that it is discontinuing its Azure RemoteApp service and no new purchases will be available after October 1, 2016. Here is a link to their announcement
Azure RemoteApp shutting down
Riptide Hosting provides Remote Desktop (Terminal Server) Hosting using Windows Server 2012 R2 (soon Windows Server 2016) with Remote Desktop Services for publishing user-customizable desktop sessions or RemoteApps. We have several options for delivering cloud-hosted remote desktops and applications and can include monthly licensing for Windows Server, RDS user licenses, MS Office, SQL Server and more. You can start with as few as 2 users (not the 10 or 20 user minimum of other hosting providers). Give us a call or email and we will talk with you regarding your specific situation.