RD Session Host Security settings in Windows Server 2016 (SSL, High encryption, etc.)
Gpedit.msc, computer configuration, administrative templates, windows components, remote desktop services, remote desktop session host, security, see various options.
- “Require use of specific security layer for remote (RDP) connections” – Changing Security Layer to SSL is the recommendation listed in Windows 2016,
- “Client Connection Encryption Level to High” – enabled/Yes
- “Require Secure RPC communication” – enabled/Yes
- “Require user authentication for remote connections by using NLA” – enabled/Yes
Limit users who can login via RDP
By default, all users in the “Administrators group” have RDP access rights. And, of course, all users in the “Remote Desktop Users group” have RDP access rights too. If you only want some members of the Administrators group to have RDP access, you can adjust this in Local Security Settings as follows: by removing the “administrators group” and then making sure all required remote users are part of the “Remote Desktop Users group”.
Local Security Policy (secpol.msc) -> Security Settings -> Local Policies -> User Rights Assignment -> Allow Logon Through Remote Desktop Services, change settings to remove “Administrators group” (but make sure any users you want to have RDP access are already part of the “Remote Desktop Users Group” especially the one you are currently logged in with).