Secure Windows Remote Desktop – Quick Guide

Remote Desktop sessions run over an encrypted channel, which prevents other users on the network from monitoring your sessions. However, you need to know that Remote Desktop sessions are susceptible to man-in-the-middle attacks when the client cannot verify the server's identity. You can fix this by configuring SSL/TLS with a certificate that the clients trust.

Remote Desktop is far more secure than VNC. Because VNC does not encrypt the whole session, desktops exposed over VNC are highly vulnerable. The following guidelines will help you secure Remote Desktop.

Always Use Strong Passwords

Do not forget to set a strong password for every account that you allow to access Remote Desktop. Use a combination of letters, digits and special characters when setting up a password; mixing character classes adds an extra layer of security to your passwords.

Update Your Remote Desktop Software

One benefit of using Remote Desktop instead of a third-party remote administration tool is that the Remote Desktop components are updated automatically through Windows Update. If you run Remote Desktop clients on any other platform, make sure you are running the latest version; older versions may be unsupported or may contain security flaws.


Use the Firewalls to Restrict Listening Port Access

Use both hardware and software firewalls to restrict access to the Remote Desktop listening ports. Also, use an RD Gateway to restrict RDP access to servers and desktops.

Alternatively, use the campus VPN software to obtain a campus IP address, and add the campus VPN network address pool to the RDP firewall exception rule.

Use the Network Level Authentication

All current Windows versions, both desktop and server, provide Network Level Authentication (NLA). NLA requires the user to authenticate before a full Remote Desktop session is set up, which adds an extra level of network protection. Always configure Remote Desktop servers to use NLA, and only run a Remote Desktop server without NLA where NLA is not supported.
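The two settings above (TLS to defeat man-in-the-middle, NLA to authenticate before a session is created) live on the RDP-Tcp listener. The following is an added example, not a script from this guide, that enforces both through the registry, binds a CA-issued certificate to the listener through the Terminal Services WMI class, and reads the result back as a check. The `$CertThumbprint` value is an assumption; replace it with the thumbprint of a certificate issued for the server's fully qualified name.

```powershell
# Added example (not from the original guide): enforce TLS and Network Level
# Authentication on the RDP-Tcp listener and bind a CA-issued certificate to it.
# Run in an elevated PowerShell session on the Remote Desktop server.
# $CertThumbprint is an assumption: replace it with the thumbprint of the
# certificate issued for this host's fully qualified name.

$Listener       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$CertThumbprint = 'REPLACE-WITH-YOUR-CERT-THUMBPRINT'

# SecurityLayer 2 = TLS only (1 = negotiate, 0 = legacy RDP security layer)
Set-ItemProperty -Path $Listener -Name SecurityLayer -Value 2 -Type DWord
# UserAuthentication 1 = require Network Level Authentication
Set-ItemProperty -Path $Listener -Name UserAuthentication -Value 1 -Type DWord
# MinEncryptionLevel 3 = High (128-bit); 4 = FIPS compliant
Set-ItemProperty -Path $Listener -Name MinEncryptionLevel -Value 3 -Type DWord

# Bind the certificate to the listener so clients can verify the server identity
# instead of being shown the auto-generated self-signed certificate.
$Cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $CertThumbprint
if (-not $Cert) { throw "Certificate $CertThumbprint not found in LocalMachine\My" }
$TsPath = (Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
           -Filter "TerminalName='RDP-Tcp'").__path
Set-WmiInstance -Path $TsPath -Argument @{ SSLCertificateSHA1Hash = $Cert.Thumbprint } | Out-Null

function Get-RdpHardeningState {
    # Read the effective settings back; usable as a compliance check on any server.
    $p = Get-ItemProperty -Path $Listener
    $t = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
         -Filter "TerminalName='RDP-Tcp'"
    [pscustomobject]@{
        TlsOnly        = ($p.SecurityLayer -eq 2)
        NlaRequired    = ($p.UserAuthentication -eq 1)
        HighEncryption = ($p.MinEncryptionLevel -ge 3)
        CertBound      = -not [string]::IsNullOrEmpty($t.SSLCertificateSHA1Hash)
        CertThumbprint = $t.SSLCertificateSHA1Hash
    }
}

Get-RdpHardeningState
```

New connections pick the settings up without a reboot. If the certificate's subject or subject alternative name does not match the name users type into the client, they will still see a warning, so issue the certificate for the name that appears in the connection.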

Limit the Users Who Can Log In Using Remote Desktop

By default, all administrators have the right to access the computer through Remote Desktop. If you have multiple administrator accounts on your computer, allow Remote Desktop access only for those you actually need. If you do not use Remote Desktop for system administration, remove Remote Desktop access from the accounts that do not need it.
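Knowing which accounts can currently reach the machine over RDP is the first step in trimming that list. The following added example (not from this guide) enumerates the two local groups that grant Remote Desktop access, flags members that are not on an explicit allow list, and shows how the unneeded members of the Remote Desktop Users group would be removed. The `$AllowedRdpUsers` entries are constructed sample values.

```powershell
# Added example (not from the original guide): list every local account that can
# log on through Remote Desktop and report the ones not on an explicit allow list.
# $AllowedRdpUsers is an assumption: fill it with the accounts you actually need.
$AllowedRdpUsers = @('CONTOSO\helpdesk-admin', 'LABPC\alice')   # constructed sample values

function Get-RdpCapableAccounts {
    # Administrators get RDP access by default; Remote Desktop Users is the explicit grant.
    foreach ($group in 'Administrators', 'Remote Desktop Users') {
        Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Account     = $_.Name
                    Source      = $group
                    ObjectClass = $_.ObjectClass
                    Allowed     = ($AllowedRdpUsers -contains $_.Name)
                }
            }
    }
}

$report = Get-RdpCapableAccounts
$report | Format-Table -AutoSize

# Remove unneeded accounts from the explicit RDP group. -WhatIf shows the action
# without performing it; drop it once the report looks right. Administrators are
# only reported, because removing an admin account is a separate decision.
$report |
    Where-Object { -not $_.Allowed -and $_.Source -eq 'Remote Desktop Users' } |
    ForEach-Object { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_.Account -WhatIf }
```

Run the report before and after the cleanup and keep the output; the "after" listing is the evidence that only the intended accounts can open a Remote Desktop session.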

Setting an Account Lockout Policy

  • First of all, go to Start.
  • Then go to Programs, then Administrative Tools, and open Local Security Policy.
  • Under Account Policies, select Account Lockout Policy.
  • Set values for all three options.
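The three options in that policy are the lockout threshold, the lockout duration and the observation window after which the failed-attempt counter resets. The following added example (not part of this guide) sets them from an elevated prompt with the built-in `net accounts` tool and parses the result back into an object, which is handier than the GUI when many machines must match. The numeric values are assumptions; pick ones that suit your site.

```powershell
# Added example (not from the original guide): set the three Account Lockout
# Policy values from the command line instead of the Local Security Policy GUI,
# then read them back. The numbers are assumptions; pick values that fit your site.
# net accounts is the built-in tool; it needs an elevated session.

$Threshold   = 5    # failed attempts before lockout (0 disables lockout)
$DurationMin = 30   # minutes an account stays locked
$WindowMin   = 30   # minutes after which the failed-attempt counter resets

net accounts /lockoutthreshold:$Threshold /lockoutduration:$DurationMin /lockoutwindow:$WindowMin | Out-Null

function Get-LockoutPolicy {
    # Parse the 'net accounts' report into an object so scripts can check it.
    $text = net accounts
    $get  = { param($label) ($text | Where-Object { $_ -like "$label*" }) -replace '^.*:\s*', '' }
    [pscustomobject]@{
        LockoutThreshold = (& $get 'Lockout threshold')
        LockoutDuration  = (& $get 'Lockout duration (minutes)')
        LockoutWindow    = (& $get 'Lockout observation window (minutes)')
    }
}

$policy = Get-LockoutPolicy
$policy

# Windows requires the lockout duration to be at least the observation window;
# the GUI enforces that, so check it here too before trusting the values.
if ([int]$policy.LockoutDuration -lt [int]$policy.LockoutWindow) {
    Write-Warning 'Lockout duration is shorter than the observation window'
}
```

Note that `net accounts` reports a threshold of `Never` when lockout is disabled, so treat that string as "not configured" if you script a fleet-wide check. On a domain-joined machine the domain policy wins over these local values.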

Changing Listening Port For Remote Desktop

  • Change the listening port. It helps hide Remote Desktop from attackers who scan for the default port.

The following action will help protect your system from RDP worms like Morto. First, edit the registry key by following these steps:

  • Browse to RDP-Tcp in Registry Editor
  • Change the port number from 3389 to any other number of your choice
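Moving the port only hides the listener; the firewall restriction described earlier under "Use the Firewalls to Restrict Listening Port Access" is what actually limits who can reach it, and both changes have to be made together or the new port is either unreachable or open to everyone. The following added example (not a script from this guide) does the two steps in one go: it changes the PortNumber value under RDP-Tcp, disables the built-in rules that open 3389, and allows the new port only from a VPN address pool. `$NewPort` and `$VpnPool` are constructed values; substitute your own port and your campus VPN pool.

```powershell
# Added example (not from the original guide): move the RDP listener off 3389 and
# replace the broad firewall exception with one scoped to a VPN address pool.
# $NewPort and $VpnPool are assumptions; use your own port and your VPN pool.
# Run elevated. Keep an out-of-band way in (console/KVM) in case the change locks you out.

$NewPort = 33890                  # constructed value; any free port above 1024
$VpnPool = @('10.20.0.0/16')      # constructed value; the VPN network address pool

$Listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Change the port the listener binds to.
Set-ItemProperty -Path $Listener -Name PortNumber -Value $NewPort -Type DWord

# 2. Disable the built-in rules that open 3389 to everyone.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule

# 3. Allow the new port only from the VPN pool (remove any earlier copy of this rule first).
$RuleName = 'RDP (custom port) from VPN pool only'
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $NewPort -RemoteAddress $VpnPool -Action Allow -Profile Domain,Private | Out-Null

# 4. Restart the service so the listener moves; existing sessions will drop.
Restart-Service -Name TermService -Force

function Test-RdpListener {
    # Confirm the listener is on the new port and nothing is left listening on 3389.
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NewPortListening = [bool]($listening | Where-Object LocalPort -eq $NewPort)
        DefaultPortOpen  = [bool]($listening | Where-Object LocalPort -eq 3389)
        ScopedRuleActive = ((Get-NetFirewallRule -DisplayName $RuleName).Enabled -eq 'True')
    }
}

Test-RdpListener
```

Clients must then connect to `host:port` rather than the bare host name. If firewall rules are delivered by Group Policy, make the same change in the GPO, because a local edit to a policy-managed rule is overwritten at the next refresh.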


Using RDP Gateways

It is recommended to use the CalNet-issued Comodo certificate. For testing purposes you can use a self-signed certificate. However, you need to know that you can use CalNet PKI only if all users have the trusted UCB root installed. Everybody should use a Comodo certificate; otherwise, end users will get a certificate warning.

Several campus units use an IST-managed VPS as their RD Gateway. On average, 30-100 users rely on an RD Gateway for their safety and security.

High availability (HA) at the virtual layer offers both fault-tolerant and reliable access. If you want a more sophisticated RD Gateway setup, you can achieve it with additional network load balancing.

Setting Up Tunnelled Remote Desktop Connections via SSH or IPSec

If you feel that an RD Gateway alone is not enough, you can add an extra layer of authentication by tunnelling your Remote Desktop traffic through SSH or IPSec. IPSec has shipped with Windows since Windows 2000; in Windows 7/8 it comes with more advanced usage and management options.

Usage of Tools for RDP Configuration

VNC and PCAnywhere are not recommended because they do not offer a secure logon. Group Policy Objects (GPOs), on the other hand, are a good tool for RDP configuration: their benefit is that you can ensure a consistent RDP configuration across all your machines.

An RD Gateway also gives you a third level of auditing, and its logs are quite easy to read.
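Even without a gateway, every Windows host records Remote Desktop logons in its own Security log, and reading those records is the cheapest form of RDP auditing. The following added example (not from this guide) summarises RemoteInteractive logon events (4625 failures and 4624 successes with LogonType 10) per source address over a look-back window, so repeated guessing, and a success that follows a run of failures, stand out. The `$Hours` and `$FailureAlertCount` defaults are assumptions; the function needs a session that can read the Security log and the Audit Logon subcategory enabled.

```powershell
# Added example (not from the original guide): summarise Remote Desktop logon
# activity from the Security log, grouped by source address.
# Event 4625 with LogonType 10 (RemoteInteractive) is an RDP logon failure;
# 4624 with the same type is a success. Requires the Audit Logon subcategory to be
# enabled and a session that can read the Security log.

function Get-RdpLogonSummary {
    param(
        [int]$Hours = 24,                 # look-back window (assumption: one day)
        [int]$FailureAlertCount = 10,     # failures from one address worth a look (assumption)
        [string[]]$LogonTypes = @('10')   # 10 = RemoteInteractive
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # The useful fields live in EventData; pull them out of the event XML by name.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($LogonTypes -notcontains $d['LogonType']) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Outcome = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
            User    = $d['TargetUserName']
            Source  = $d['IpAddress']
        }
    }

    $rows | Group-Object Source | ForEach-Object {
        $fail = @($_.Group | Where-Object Outcome -eq 'Failure')
        $ok   = @($_.Group | Where-Object Outcome -eq 'Success')
        [pscustomobject]@{
            Source           = $_.Name
            Failures         = $fail.Count
            Successes        = $ok.Count
            DistinctUsers    = @($fail | Select-Object -ExpandProperty User -Unique).Count
            Suspicious       = ($fail.Count -ge $FailureAlertCount)
            # many failures followed by a success from the same address is the pattern to chase
            SuccessAfterFail = ($fail.Count -gt 0 -and $ok.Count -gt 0)
        }
    } | Sort-Object Failures -Descending
}

Get-RdpLogonSummary -Hours 24 | Format-Table -AutoSize
```

With NLA enforced, a bad password is commonly rejected before a session exists and is then logged with LogonType 3 (network) rather than 10, so if the summary looks empty on an NLA-only server, rerun it with `-LogonTypes 3,10`. Pair the summary with the account lockout policy above: a source showing many distinct user names and few failures per name is spraying across accounts to stay under the lockout threshold.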

Two-factor Authentication for Sensitive Data

Two-factor authentication comes in handy when handling and managing sensitive data. RD Gateways offer an easy way to enforce two-factor authentication using certificate-based smart cards.

Network Access Protection with RD Gateway

Highly motivated administrators can test and use Network Access Protection (NAP) with RD Gateway. However, the technology does not seem to be reliable: you will find that most clients do not work. Follow the documentation, and audit the system to check whether the clients are security compliant.