{"id":1482,"date":"2018-11-16T12:02:31","date_gmt":"2018-11-16T12:02:31","guid":{"rendered":"http:\/\/www.RiptideHosting.com\/blog\/?p=1482"},"modified":"2020-11-04T13:25:08","modified_gmt":"2020-11-04T20:25:08","slug":"methods-to-secure-windows-remote-desktop-rdp","status":"publish","type":"post","link":"https:\/\/www.RiptideHosting.com\/blog\/methods-to-secure-windows-remote-desktop-rdp\/","title":{"rendered":"Methods to Secure Windows Remote Desktop RDP"},"content":{"rendered":"<p><strong>How To Secure Windows Remote Desktop<\/strong><\/p>\n<p>In September 2018 the FBI issued a public service announcement regarding risks and hacking attempts against the RDP protocol.\u00a0 See the announcement here, which includes some suggestions (with additional considerations below):\u00a0<a href=\"https:\/\/www.ic3.gov\/media\/2018\/180927.aspx\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.ic3.gov\/media\/2018\/180927.aspx<\/a><\/p>\n<p><strong>Considerations For Securing your Windows Server \/ RDP Terminal Server<\/strong><\/p>\n<p>Here is a list of various actions to consider to help secure your remote server environment:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.RiptideHosting.com\/blog\/always-use-complex-usernames-and-passwords-for-user-accounts\/\" target=\"_blank\" rel=\"noopener noreferrer\" data-wplink-edit=\"true\">Utilize strong, complex usernames\/passwords for all accounts (very important)<\/a><\/li>\n<li>Keep your server firewall enabled and configured correctly<\/li>\n<li>Keep your server updated with the latest security patches for Windows Server OS and other programs<\/li>\n<li>Install Anti-virus (note: Windows 2016 comes with Defender built-in)<\/li>\n<li><a href=\"https:\/\/www.RiptideHosting.com\/blog\/whitelist-ips-use-windows-firewall-to-restrict-rdp-access-to-specific-ips-only\/\" target=\"_blank\" rel=\"noopener noreferrer\">Whitelist IPs within the Windows Firewall &#8211; Allow RDP connections from only specific IPs<\/a><\/li>\n<li><a 
href=\"https:\/\/www.RiptideHosting.com\/blog\/change-rdp-listening-port\/\" target=\"_blank\" rel=\"noopener noreferrer\">Change RDP listening port from default port 3389<\/a><\/li>\n<li><a href=\"https:\/\/www.RiptideHosting.com\/blog\/disable-built-in-administrator-account\/\" target=\"_blank\" rel=\"noopener noreferrer\">Disable the built-in Administrator account (or disable RDP access from Administrator account)<\/a><\/li>\n<li><a href=\"http:\/\/www.RiptideHosting.com\/blog\/two-factor-dual-factor-authentication\/\" target=\"_blank\" rel=\"noopener noreferrer\">Use Multi-factor \/ Two-factor Authentication<\/a> (using software like Duo Software, www.duo.com)<\/li>\n<li><a href=\"https:\/\/www.riptidehosting.com\/blog\/how-to-install-vpn-server-on-windows-server-2019\/\" target=\"_blank\" rel=\"noopener noreferrer\">Use VPN &#8211; Allow RDP connections from VPN clients only<\/a><\/li>\n<li><a href=\"https:\/\/www.RiptideHosting.com\/blog\/host-based-intrusion-detection-prevention-software-rdp\/\" target=\"_blank\" rel=\"noopener noreferrer\">Install RDP Intrusion Prevention Software to block IPs with repeated failed login attempts<\/a><\/li>\n<li><a href=\"https:\/\/www.RiptideHosting.com\/blog\/limit-users-who-can-login-via-rdp\/\" target=\"_blank\" rel=\"noopener noreferrer\">Limit users who can login via RDP<\/a> (i.e. 
by default all Administrator group members have access)<\/li>\n<li><a href=\"https:\/\/www.RiptideHosting.com\/blog\/windows-server-lockout-policies\/\" target=\"_blank\" rel=\"noopener noreferrer\">Enable Account Lockout policies to delay or lock out accounts<\/a> with recurring failed logins<\/li>\n<li>Don\u2019t provide local administration rights to regular users<\/li>\n<li><a href=\"https:\/\/www.riptidehosting.com\/blog\/installing-the-remote-desktop-gateway-role-rdgw-on-windows-server-2019\/\" target=\"_blank\" rel=\"noopener noreferrer\">Set up the Remote Desktop Gateway role to tunnel RDP traffic through HTTPS port 443 instead of port 3389<\/a><\/li>\n<li>Enable Network Level Authentication for RDP (so credentials are verified before a session is established)<\/li>\n<li>If using dedicated hardware server hosting, use a hardware VPN\/firewall device such as a SonicWall<\/li>\n<li>Design and implement a backup plan<\/li>\n<li>Disable user accounts no longer being used<\/li>\n<li>Use software security products that combine some or all of the following: VPN, Firewall, AV\/anti-malware, Intrusion Prevention (IPS), Intrusion Detection (IDS), etc.<\/li>\n<li><a href=\"https:\/\/www.RiptideHosting.com\/blog\/enable-group-policies-to-automatically-logoff-disconnected-sessions-or-idle-sessions-after-x-minutes-hours\/\" target=\"_blank\" rel=\"noopener noreferrer\">Enable policies to automatically log off disconnected sessions or idle sessions after a time period<\/a><\/li>\n<li><a href=\"https:\/\/www.RiptideHosting.com\/blog\/rd-session-host-security-settings-in-windows-server-2016\/\" target=\"_blank\" rel=\"noopener noreferrer\">Adjust RD Session Host Security settings to require SSL communication, High Encryption<\/a>, etc.<\/li>\n<li>Disable redirection of clipboard and hard drives using group policies at Computer Configuration &gt; Administrative Templates &gt; Windows Components &gt; Remote Desktop Services &gt; Remote Desktop Session Host &gt; Device and 
Resource Redirection: Do not allow Clipboard redirection \u2013 enabled, etc.\u00a0 (reboot)<\/li>\n<\/ul>\n<p>After applying any of the actions above, make sure to test whether they are working properly.\u00a0 You can open multiple RDP sessions from one PC using different user names, which can be useful for testing.<\/p>\n<p><strong><em>The information provided in this document\/post is intended to provide general information only and is not a complete listing of available considerations.\u00a0 The content is provided AS IS without any express or implied warranties of any kind with respect to the accuracy, correctness, reliability, or fitness for a particular purpose.\u00a0 You should discuss all security policies and related procedures, configurations, monitoring and other server management functions with your IT staff or consultants.\u00a0 Riptide Hosting does not provide managed services and is not a substitute for you maintaining your own IT staff\/consultants.\u00a0 <\/em><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>How To Secure Windows Remote Desktop In September 2018 the FBI issued a public service announcement regarding risks and hacking attempts against the RDP protocol.\u00a0 See the announcement here which includes some suggestions (with additional considerations below)\u00a0https:\/\/www.ic3.gov\/media\/2018\/180927.aspx Considerations For Securing your Windows Server \/ RDP Terminal Server Here is a list of various actions to 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,7,15],"tags":[46,48,83,84],"class_list":["post-1482","post","type-post","status-publish","format-standard","hentry","category-all-posts","category-remote-desktop-hosting","category-windows-server-2016","tag-rdp","tag-rdp-remote-desktop-hosting-backup","tag-windows-server-hosting","tag-windows-server-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts\/1482","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/comments?post=1482"}],"version-history":[{"count":7,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts\/1482\/revisions"}],"predecessor-version":[{"id":1794,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts\/1482\/revisions\/1794"}],"wp:attachment":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/media?parent=1482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/categories?post=1482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/tags?post=1482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}