Secure Remote Desktop configuration

Enabling Remote Desktop lets permitted users connect remotely to Windows servers and workstations. This guide walks through enabling it and then through the settings that make it more secure:

To enable:

  • Right click Start menu -> select System -> Go to Remote Settings.
  • Disable Remote Assistance & Enable Allow remote connections to this computer

To secure:

  • Change RDP port - The Remote Desktop feature on your computer “hears” the connection request through a defined listening port (3389 by default). To make RDP more secure change that listening port on Windows:
    • Start the registry editor. (Type regedit in the Search box.)
    • Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    • Find PortNumber
    • Click Edit -> Modify, and then click Decimal.
    • Type the new port number, and then click OK.
    • Close the registry editor, and restart your computer.
  • Disable Administrator account - Run C:\Windows\System32\lusrmgr.msc -> Users -> right click Administrator -> select Properties -> tick Account is disabled - alternatively you can run: net user administrator /active:no
  • Put a strong password on the permitted RDP users
  • Limit users who can log on to the host computer. Go to System -> Remote Settings -> click Select Users... -> Make sure that there are only permitted users in the list.
  • Configure Local Security Policy - Run %SystemRoot%\system32\secpol.msc /s, then:
    • Expand the Local Policies tree and select the folder titled User Rights Assignment. Go to the “Allow log on through Terminal Services” option and remove the administrators selection from the local security settings screen. If you want to allow a specific administrator or user to access the Remote Desktop Connection, you can always add them through the previous step. I always suggest removing all users and adding only the ones you want to allow manually.
    • Set the number of password attempts until the user is locked out. While still in the local security settings section, expand the Account Policies tree and choose the Account Lockout Policy folder. This folder has three settings that you can alter: Account Lockout Duration, Account Lockout Threshold, and Reset Account Locked After. The Account Lockout Threshold option is the number of times a person can enter the wrong password before being locked out. The Account Lockout Duration and the Reset Account options set how long a user stays locked out of the system after exceeding the number in the Account Lockout Threshold section. Change these to whatever is appropriate for your system. I always use a threshold of 3 attempts and a 30-minute lockout.
  • Configure Group Policy - Run gpedit.msc
    • Computer Policy -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> and then click on Security.
    • Double-click on any settings in this menu to change their values. The ones I recommend changing are:
      • Set client connection encryption level - Set this to High Level so your Remote Desktop sessions are secured with 128-bit encryption.
      • Require secure RPC communication - Set this to Enabled.
      • Require use of specific security layer for remote (RDP) connections - Set this to SSL (TLS 1.0).
      • Require user authentication for remote connections by using Network Level Authentication - Set this to Enabled.
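The port change described in the "Change RDP port" step, scripted instead of done by hand in regedit. This is an added example and not code from the original post; it assumes an elevated PowerShell session on the host and that 3390 (a constructed sample value) is a free port you will tell users to connect to. It also opens the new port in Windows Firewall, which the manual steps leave implicit and which otherwise locks you out after the restart. Note that moving the port only hides the listener from scans of 3389; NLA and strong passwords from the later steps remain the actual controls.

```powershell
# Added example, not from the original post. Run elevated.
# Moves the RDP listener from the default port to $NewPort and opens the
# firewall for it before restarting the Remote Desktop service.

$NewPort = 3390   # constructed sample value; pick any free port
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Record the current port so the change can be rolled back if needed
$oldPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP port: $oldPort"

# PortNumber is a REG_DWORD (the "Decimal" radio button in regedit)
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# Allow the new port inbound before the listener moves. The built-in
# "Remote Desktop" rules only cover 3389, so a new rule is required.
New-NetFirewallRule -DisplayName "RDP on TCP $NewPort" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow -Profile Domain,Private | Out-Null

# Verify the value was written, then restart the Remote Desktop service
# (a reboot, as in the manual steps, works as well)
$confirmed = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
if ($confirmed -ne $NewPort) { throw "PortNumber was not updated (still $confirmed)" }
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 3

# Confirm the listener moved: expect a row with LocalPort equal to $NewPort
Get-NetTCPConnection -State Listen -LocalPort $NewPort |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Clients then connect as `hostname:3390`. Keep the old port value handy; if the final query prints nothing, the service did not pick up the change and you can set PortNumber back to `$oldPort` over a local console before anyone is locked out.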
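A way to check the result of the "Limit users" and "Configure Local Security Policy" steps without clicking through secpol.msc, and to set the lockout values the text recommends (3 attempts, 30 minutes) from the command line. This is an added example, not part of the original post; it assumes an elevated PowerShell session on a host whose local policy is authoritative (on a domain member, domain Group Policy overrides these local values, so check the domain GPO instead).

```powershell
# Added example, not from the original post. Run elevated.
# 1. List who holds "Allow log on through Remote Desktop Services".
# 2. List the local Remote Desktop Users group (what "Select Users..." edits).
# 3. Apply and print the account lockout policy.

# --- 1. Holders of the remote interactive logon right ---
# secedit exports the effective local policy as a UTF-16 INI file; the
# SeRemoteInteractiveLogonRight line lists SIDs (prefixed with *) or names.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg "$cfg" /quiet | Out-Null
$line = Get-Content -Path $cfg -Encoding Unicode |
            Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' } |
            Select-Object -First 1
Remove-Item $cfg -Force

Write-Host 'Accounts allowed to log on through Remote Desktop:'
if (-not $line) {
    Write-Host '  (none - RDP logons will be refused for everyone)'
} else {
    # Line format: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $holders = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($h in $holders) {
        $entry = $h.Trim()
        if ($entry.StartsWith('*')) {
            # Translate the SID to a readable account name where possible
            $sid = $entry.Substring(1)
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch { $name = $sid }
        } else {
            $sid = $entry; $name = $entry
        }
        # S-1-5-32-544 is the built-in Administrators group the text says to remove
        $flag = if ($sid -eq 'S-1-5-32-544') { '   <-- Administrators: remove per the step above' } else { '' }
        Write-Host "  $name$flag"
    }
}

# --- 2. Members of the Remote Desktop Users group ---
Write-Host "`nMembers of 'Remote Desktop Users':"
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# --- 3. Account lockout policy: 3 attempts, 30-minute lockout ---
# /lockoutwindow is "Reset account lockout counter after" and may not exceed
# /lockoutduration; both are in minutes.
net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30 | Out-Null
Write-Host "`nEffective account policy:"
net accounts
```

Any account in the first list that is not also in your intended allow-list, and any group membership you did not add yourself, is worth investigating before the host is exposed; the lockout values are printed back by `net accounts` so the change can be confirmed in the same run.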
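An audit script for the four Group Policy settings listed under "Configure Group Policy". This is an added example and not code from the original post; it assumes an elevated PowerShell session and reads the policy branch that gpedit.msc writes to (HKLM\SOFTWARE\Policies\...\Terminal Services), falling back to the live RDP-Tcp key when no policy is set. The numeric encodings (MinEncryptionLevel 3 = High, fEncryptRPCTraffic 1 = Enabled, SecurityLayer 2 = SSL, UserAuthentication 1 = NLA required) are the documented ones for these policies; if a build disagrees, the policy's Explain tab in gpedit is authoritative. One caveat on the "SSL (TLS 1.0)" label: it is the legacy name of the option, and the TLS version actually negotiated is governed by the host's Schannel protocol settings, not by this value.

```powershell
# Added example, not from the original post. Run elevated.
# Reports whether the four RD Session Host security settings match the
# values recommended above, and where each effective value comes from.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$liveKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Registry value name -> expected value and the gpedit setting it backs
$checks = @(
    @{ Name = 'MinEncryptionLevel'; Expected = 3; Setting = 'Set client connection encryption level = High Level' }
    @{ Name = 'fEncryptRPCTraffic'; Expected = 1; Setting = 'Require secure RPC communication = Enabled' }
    @{ Name = 'SecurityLayer';      Expected = 2; Setting = 'Require use of specific security layer = SSL (TLS 1.0)' }
    @{ Name = 'UserAuthentication'; Expected = 1; Setting = 'Require NLA for remote connections = Enabled' }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$report = foreach ($c in $checks) {
    $fromPolicy = Get-RegValue $policyKey $c.Name
    $fromLive   = Get-RegValue $liveKey   $c.Name

    # Group Policy, when present, overrides the per-listener value
    if ($null -ne $fromPolicy)  { $effective = $fromPolicy; $source = 'Group Policy' }
    elseif ($null -ne $fromLive) { $effective = $fromLive;   $source = 'Local RDP-Tcp key' }
    else                         { $effective = $null;       $source = 'Not set' }

    $status = if ($effective -eq $c.Expected) { 'OK' } else { 'FIX' }

    [pscustomobject]@{
        Setting  = $c.Setting
        Source   = $source
        Value    = $effective
        Expected = $c.Expected
        Status   = $status
    }
}

$report | Format-Table -AutoSize

# Non-zero exit so the script can feed a scheduled task or compliance check
if ($report.Status -contains 'FIX') { exit 1 }
```

Run it once before and once after the gpedit changes (after `gpupdate /force`, so the policy branch is populated); every row should then read `Group Policy` in the Source column and `OK` in Status.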

Thank you for reading! Be sure to share this post if you found it helpful and don’t hesitate to chat with me about it!

This post was first published on Stathis’ log book by Stathis Athanasiadis aka StatAth
