Tag Archives: RDP

Methods to Secure Windows Remote Desktop RDP

How To Secure Windows Remote Desktop

In September 2018 the FBI issued a public service announcement regarding risks and hacking attempts against the RDP protocol.  See the announcement here, which includes some suggestions (with additional considerations below): https://www.ic3.gov/media/2018/180927.aspx

Considerations For Securing your Windows Server / RDP Terminal Server

Here is a list of various actions to consider to help secure your remote server environment:

After applying any of these actions, make sure to test whether they are working properly.  You can open multiple RDP sessions using different user names from one PC, which is useful for testing.


The information provided in this document/post is intended to provide general information only and is not a complete listing of available considerations.  The content is provided AS IS without any express or implied warranties of any kind with respect to the accuracy, correctness, reliability, or fitness for a particular purpose.  You should be discussing all security policies and related procedures, configurations, monitoring and other server management functions with your IT staff or consultants.  Riptide Hosting does not provide managed services and is not a substitute for you maintaining your own IT staff/consultants. 

RD Session Host Security settings in Windows Server 2016

RD Session Host Security settings in Windows Server 2016 (SSL, High encryption, etc.)

Gpedit.msc -> Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security, see the various options:

  • “Require use of specific security layer for remote (RDP) connections” – enabled, with Security Layer set to SSL (the recommendation listed in Windows Server 2016)
  • “Client Connection Encryption Level to High” – enabled/Yes
  • “Require Secure RPC communication” – enabled/Yes
  • “Require user authentication for remote connections by using NLA” – enabled/Yes
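The four policy items above are stored in the registry, so you can check what is actually in effect on a server without opening gpedit. The script below is an added example, not part of the original post: it reads the policy key (where Group Policy writes) and the live RDP-Tcp listener key, and reports whether each setting meets the recommended value. It assumes Windows Server 2016 and an elevated PowerShell 5.1 session.

```powershell
# Added example: audit the effective RD Session Host security settings.
# Policy values land under HKLM:\SOFTWARE\Policies\...; the live listener
# settings are under the RDP-Tcp WinStation key. Group Policy wins when set.

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Registry value name, minimum acceptable value, and what the numbers mean
$checks = @(
    @{ Name = 'SecurityLayer';      Expected = 2; Meaning = 'Security layer: 2 = SSL (TLS), 1 = Negotiate, 0 = RDP' }
    @{ Name = 'MinEncryptionLevel'; Expected = 3; Meaning = 'Encryption: 3 = High, 4 = FIPS, 2 = Client Compatible, 1 = Low' }
    @{ Name = 'fEncryptRPCTraffic'; Expected = 1; Meaning = 'Require secure RPC communication' }
    @{ Name = 'UserAuthentication'; Expected = 1; Meaning = 'Require NLA for remote connections' }
)

function Get-RegValueOrNull([string]$Key, [string]$Name) {
    # Returns $null when the value (or key) does not exist instead of throwing.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$results = foreach ($c in $checks) {
    $policy   = Get-RegValueOrNull $policyKey   $c.Name
    $listener = Get-RegValueOrNull $listenerKey $c.Name
    # If Group Policy has written a value it overrides the listener setting.
    $effective = if ($null -ne $policy) { $policy } else { $listener }
    $status = if ($null -eq $effective)            { 'NOT SET' }
              elseif ($effective -ge $c.Expected)  { 'OK' }
              else                                  { 'WEAK' }
    [pscustomobject]@{
        Setting   = $c.Name
        Policy    = $policy
        Listener  = $listener
        Effective = $effective
        Minimum   = $c.Expected
        Status    = $status
        Note      = $c.Meaning
    }
}

$results | Format-Table -AutoSize
```

A setting that shows NOT SET in both columns is running on the Windows default, which for SecurityLayer is Negotiate rather than SSL. After changing a policy in gpedit, run gpupdate /force and re-run the script to confirm the Policy column now carries the value.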

RD Gateway Role in RDS


Using the Remote Desktop Gateway Role (RDGW) provides additional security by forcing RDP traffic over https/port 443 (requires SSL certificate) instead of port 3389.

General steps to install the RDGW role on Windows Server 2016: (we have a more detailed post on this too)

  • Install RDGW role which will also install IIS
  • In RD Gateway Manager, create CAP and RAP policies for who can login to the gateway and what resources they can access.
  • For initial testing/deployment, you can create a self-signed certificate and use the server’s IP address as the certificate name. Using a self-signed certificate will require you to install the certificate on each client device. An SSL certificate issued by a certificate authority is preferred (it can only be issued for a domain name, not an IP address).
  • Confirm that all items in the RD Gateway Manager have green checkmarks.
  • From the RD Connection Client on your local PC, go to more options, advanced tab, enter gateway settings before connecting.
  • Turn off port 3389 to the outside on the Windows Firewall on the server to force traffic to use port 443.
  • Test deployment

Windows Server Lockout Policies

Lockout Policies (based on username attempts, not IP addresses):

To lock out an account for a period of time after a number of incorrect login attempts (to create delay with recurring failed logins), you can set up Account Lockout Policies in Windows.  It does NOT apply to the Administrator account (so you may want to disable the Administrator account and create a different account with administrator rights – see previous suggestion).  Lockout policies can be useful to prevent brute-force password guessing attacks but can cause your accounts to be locked out without you being able to access the server (so plan accordingly).

Local Security Policy (secpol.msc) -> Security Policies -> Account Policies -> Account Lockout Policy, set values for the three options, OR

Gpedit.msc -> Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Policies -> Account Policies -> Account Lockout Policy, set values for the three options

To unlock an account (if a legitimate user is locked out), log in under an active account with administrator rights, open the locked-out user’s properties, and uncheck the “Account is locked out” box.

You can see detailed status of a user account by opening the command prompt and typing “net user [username]”
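Because lockouts are keyed on the username rather than the source IP, it helps to see which accounts are collecting failed RDP logons and which have actually been locked. The script below is an added example, not part of the original post: it reads the Security event log for failed logons (event 4625) of type 10 (RemoteInteractive, i.e. RDP) and type 3 (network, which is what NLA failures produce), groups them by target account, and lists lockout events (4740) in the same window. It assumes an elevated PowerShell 5.1 session on the server and the default logon auditing; the hour window and threshold are assumed defaults you can override.

```powershell
# Added example: summarise failed RDP logons and account lockouts from the
# Security log. Event IDs: 4625 = failed logon, 4740 = account locked out.
param([int]$Hours = 24, [int]$Threshold = 5)   # assumed defaults

$since = (Get-Date).AddHours(-$Hours)

function Get-EventField($Record, [string]$Name) {
    # Read a named EventData field from the event XML rather than relying on
    # positional Properties indexes, which differ between event IDs.
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $type = Get-EventField $_ 'LogonType'
        if ($type -in @('10', '3')) {           # 10 = RDP session, 3 = NLA/network auth
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = Get-EventField $_ 'TargetUserName'
                Source    = Get-EventField $_ 'IpAddress'
                LogonType = $type
            }
        }
    }

Write-Host "Accounts with $Threshold or more failed RDP logons in the last $Hours hours:"
$failed | Group-Object User | Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'User';    e = { $_.Name } },
                  Count,
                  @{ n = 'Sources'; e = { ($_.Group.Source | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# 4740 is written on the machine that holds the account (the server itself for
# local accounts); TargetDomainName carries the caller computer name.
Write-Host "Account lockouts in the last $Hours hours:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = Get-EventField $_ 'TargetUserName'
            Caller = Get-EventField $_ 'TargetDomainName'
        }
    } | Format-Table -AutoSize
```

Run it before enabling the lockout policy to pick a threshold that is above what your own users produce by mistake, and afterwards to confirm the policy is catching the guessing attempts. The current threshold, duration and observation window (the three options referred to above) can be displayed with net accounts.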

Limit users who can login via RDP


By default, all members of the “Administrators” group have RDP access rights, and of course all members of the “Remote Desktop Users” group have RDP access rights too.  If you only want some members of the Administrators group to have RDP access, you can adjust this in Local Security Settings by removing the “Administrators” group from the right and then making sure all required remote users are members of the “Remote Desktop Users” group.

Local Security Policy (secpol.msc) -> Security Settings -> Local Policies -> User Rights Assignment -> Allow Logon Through Remote Desktop Services, change settings to remove “Administrators group” (but make sure any users you want to have RDP access are already part of the “Remote Desktop Users Group” especially the one you are currently logged in with).
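The warning in the step above (make sure the account you are logged in with is already in Remote Desktop Users before removing Administrators) is easy to get wrong on a remote server. The script below is an added example, not part of the original post: it exports the local user-rights assignments with secedit, shows who currently holds “Allow log on through Remote Desktop Services”, lists the Remote Desktop Users members, and warns if the current account would lose access. It assumes an elevated PowerShell 5.1 session on the server and changes nothing.

```powershell
# Added example: audit who can log on through Remote Desktop Services before
# removing the Administrators group from that right.

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The privilege behind "Allow log on through Remote Desktop Services" is
# SeRemoteInteractiveLogonRight; secedit writes it as a comma-separated SID list.
$line = Get-Content $cfg | Where-Object { $_ -like 'SeRemoteInteractiveLogonRight*' } | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$grantees = if ($line) { (($line -split '=', 2)[1]).Trim() -split ',' | ForEach-Object { $_.Trim() } } else { @() }

Write-Host 'Allow log on through Remote Desktop Services is granted to:'
$grantees | ForEach-Object { Write-Host "  $_" }

# Well-known SIDs: *S-1-5-32-544 = Administrators, *S-1-5-32-555 = Remote Desktop Users
$adminsGranted = $grantees -contains '*S-1-5-32-544'
$rduGranted    = $grantees -contains '*S-1-5-32-555'

$members = Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name
Write-Host "`nMembers of Remote Desktop Users:"
$members | ForEach-Object { Write-Host "  $_" }

# USERDOMAIN is the computer name for local accounts and the domain otherwise,
# matching the Name format Get-LocalGroupMember returns.
$me = "$env:USERDOMAIN\$env:USERNAME"

if (-not $rduGranted) {
    Write-Warning 'Remote Desktop Users does not hold the right; do not remove Administrators until it does.'
}
if ($adminsGranted -and ($members -notcontains $me)) {
    Write-Warning "$me is not in Remote Desktop Users. Add it BEFORE removing Administrators from the right, or this session will be your last."
}
if (-not $adminsGranted) {
    Write-Host "`nAdministrators is already removed from the right; only the groups listed above can RDP in."
}
```

If both warnings are clear, you can proceed with the secpol.msc change described above. Re-run the script afterwards: the first list should no longer contain *S-1-5-32-544.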

Windows Server 2016 VPN

VPN

Using a VPN with RDP is more secure because it adds a second step before anyone can reach your network: you can require clients to connect to the VPN first before they are able to RDP to the server.  Unless you are using our Dedicated Server Hosting offering, where you can have a hardware VPN device, you will need to install a software VPN on the server.  One option is the free built-in Windows VPN role service. Other software VPN options include Hamachi (acquired by LogMeIn), ZeroTier (which provides software-defined networking capabilities), and others.


WINDOWS SERVER BUILT-IN VPN ROLE:

If you are interested in setting up the built-in VPN role on Windows Server 2016 and then limiting RDP access to private IPs once the VPN is connected, contact Riptide Hosting for a post we wrote on how to set this up.  A PPTP VPN using Windows Authentication is password based, so strong/complex passwords are still very important. Other VPN protocols and certificate-based authentication may provide stronger security depending on your needs and environment.  You can also use the built-in Windows VPN to set up an L2TP VPN with pre-shared keys.

General steps to install the (free) built-in VPN role on Windows Server 2016:

  • Add “Remote Access” server role with “DirectAccess and VPN (RAS)” role service.
  • Open the Getting Started Wizard, select “Deploy VPN only”, “Configure and Enable Routing and Remote Access”, Select “Custom Configuration”, Select “VPN access” only. Start Service.  Reboot
  • Go into “Routing and Remote Access” properties, IPv4 tab to add static IP address pool with private IPs
  • Change Network Adapter settings, IPv4, to add secondary IP from private IP range above
  • Adjust User Properties for each user on the Dial-In tab to Allow “Network Access Permission”
  • Setup VPN Connection on each user PC (may need to uncheck “use default gateway on remote network” if having internet issues on the PC)
  • Adjust Server Firewall rules to disable RDP access on port 3389
  • Test deployment (verify you can’t RDP without using VPN first, etc.)
  • Our steps generally follow the steps in these links, with a few additional items noted:
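Both the RD Gateway steps (turn off port 3389 to the outside so traffic uses 443) and the VPN steps (disable RDP access on port 3389 so only VPN clients reach it) come down to the same firewall change: the built-in Remote Desktop rules ship with a remote address of Any, and scoping them to a private range is what closes 3389 to the internet. The script below is an added example, not part of the original post or of either linked guide: it reports the current Remote Desktop rules, lists any other rule that opens 3389, and with -Apply scopes the built-in rules to the ranges you pass. The address range is an assumed placeholder; replace it with the static IP pool you configured in Routing and Remote Access (for a separate RD Gateway host, its address). It assumes an elevated PowerShell 5.1 session, run from a console or an already-connected VPN session rather than over a public 3389 connection.

```powershell
# Added example: limit the built-in Remote Desktop firewall rules to a private
# range and verify nothing else still opens 3389. Windows Firewall blocks
# inbound traffic by default, so once no allow rule matches a public source,
# 3389 is closed without needing an explicit block rule.
param(
    [string[]]$AllowedRanges = @('10.20.30.0/24'),   # ASSUMED placeholder: your VPN pool / gateway
    [switch]$Apply                                   # without -Apply the script only reports
)

# Windows Server ships its RDP allow rules in the "Remote Desktop" display group.
$rdRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound

$report = foreach ($r in $rdRules) {
    $addr = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    $port = $r | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule          = $r.DisplayName
        Enabled       = $r.Enabled
        Profile       = $r.Profile
        Protocol      = $port.Protocol
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($addr -join ',')          # "Any" means open to the internet
    }
}
Write-Host 'Inbound Remote Desktop rules:'
$report | Format-Table -AutoSize

# Any other enabled inbound allow rule on 3389 would reopen the port, so list them.
$others = Get-NetFirewallPortFilter -All |
    Where-Object { $_.LocalPort -eq '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                   $_.Enabled -eq 'True' -and $_.DisplayGroup -ne 'Remote Desktop' }
if ($others) {
    Write-Warning 'Other enabled rules also allow inbound 3389; review these before relying on the change:'
    $others | Select-Object DisplayName, Profile | Format-Table -AutoSize
}

if ($Apply) {
    # Scope every built-in Remote Desktop rule to the allowed ranges only.
    $rdRules | Set-NetFirewallRule -RemoteAddress $AllowedRanges
    Write-Host "Applied: Remote Desktop rules now accept only $($AllowedRanges -join ', ')"
}

# The listener itself stays up; only the firewall scope changed.
Get-NetTCPConnection -LocalPort 3389 -State Listen | Select-Object LocalAddress, LocalPort, State
```

To test the deployment as the last step above says, run Test-NetConnection <server> -Port 3389 from a PC on the internet (it should fail) and again after connecting the VPN (it should succeed); with an RD Gateway in place, port 443 should remain reachable from both.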

https://www.thomasmaurer.ch/2016/10/how-to-install-vpn-on-windows-server-2016/

https://www.starwindsoftware.com/blog/how-to-install-vpn-access-on-windows-server-2016