How To Secure Windows Remote Desktop
In September 2018 the FBI issued a public service announcement regarding risks and hacking attempts again the RDP protocol. See the announcement here which includes some suggestions (with additional considerations below) https://www.ic3.gov/media/2018/180927.aspx
Considerations For Securing your Windows Server / RDP Terminal Server
Here is a list of various actions to consider to help secure your remote server environment:
- Utilize strong, complex usernames/passwords for all accounts (very important)
- Keep your server firewall enabled and configured correctly
- Keep your server updated with the latest security patches for Windows Server OS and other programs
- Install Anti-virus (note: Windows 2016 comes with Defender built-in)
- Whitelist IPs within the Windows Firewall – Allow RDP connections from only specific IPs
- Change RDP listening port from default port 3389
- Disable the built-in Administrator account (or disable RDP access from Administrator account)
- Use Multi-factor / Two-factor Authentication (using software like Duo Software, www.duo.com)
- Use VPN – Allow RDP connections from VPN clients only
- Install RDP Intrusion Prevention Software to block IPs with repeated failed login attempts
- Limit users who can login via RDP (i.e. by default all Administrator group members have access)
- Enable Account Lockout policies to create delay or lock-out accounts with recurring failed logins
- Don’t provide local administration rights to regular users
- Setup Remote Desktop Gateway role to tunnel RDP traffic through https port 443 instead of port 3389
- Enable Network Level Authentication for RDP (so credentials are authorized before session established)
- If using Dedicated Hardware server hosting, utilize a hardware VPN/firewall device like a Sonicwall, etc.
- Design and Implement backup plan
- Disable user accounts no longer being used
- Use software security products that combine some or all of the following: VPN, Firewall, AV/anti-malware, Intrusion Protection (IPS), Intrusion Detection (IDS), etc.
- Enable policies to automatically logoff disconnected sessions or idle sessions after a time period
- Adjust RD Session Host Security settings to require SSL communication, High Encryption, etc.
- Disable redirection of clipboard and hard drives using group policies at Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource a Redirection: Do not allow Clipboard redirection – enabled, etc. (reboot)
After applying any of the actions above, make sure to test whether they are working properly. You can open multiple RDP sessions using different user names initiated from one PC which can be useful for testing.
The information provided in this document/post is intended to provide general information only and is not a complete listing of available considerations. The content is provided AS IS without any express or implied warranties of any kind with respect to the accuracy, correctness, reliability, or fitness for a particular purpose. You should be discussing all security policies and related procedures, configurations, monitoring and other server management functions with your IT staff or consultants. Riptide Hosting does not provide managed services and is not a substitute for you maintaining your own IT staff/consultants.