Securing Remote Desktop (RDP) for System Administrators | Information Security Office

1. Use strong passwords

Strong passwords on any accounts with access to Remote Desktop should be considered a required step before enabling Remote Desktop. Refer to the campus password complexity guidelines for tips.

2. Use two-factor authentication

Departments should consider using a two-factor authentication approach. This subject is beyond the scope of this article, but RD Gateways can be configured to integrate with the campus instance of DUO. Other options, not supported by campus, include a simple mechanism for controlling authentication via two-factor certificate-based smartcards. This approach uses the Remote Desktop host itself, in conjunction with YubiKey and RSA as examples.

3. Update your software

One advantage of using Remote Desktop rather than third-party remote admin tools is that components are updated automatically with the latest security fixes in the standard Microsoft patch cycle. Make sure you are running the latest versions of both the client and server software by enabling and auditing automatic Microsoft Updates. If you are using Remote Desktop clients on other platforms, make sure they are still supported and that you have the latest versions. Older versions may not support high encryption and may have other security flaws.

4. Restrict access using firewalls

Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (the default is TCP 3389). Using an RDP Gateway is highly recommended for restricting RDP access to desktops and servers (see discussion below). As an alternative to support off-campus connectivity, you can use the campus VPN software to get a campus IP address and add the campus VPN network address pool to your RDP firewall exception rule. Visit our page for more information on the campus VPN service.
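As an added example (not from the original article), this PowerShell applies the restriction above on the Windows host itself using the built-in NetSecurity cmdlets: the stock "Remote Desktop" rules that accept TCP 3389 from any address are disabled and replaced by one rule scoped to the VPN pool. The pool 10.20.0.0/16 is a placeholder; substitute the real campus VPN address pool.

```powershell
# Added example, not part of the original article. Run from an elevated prompt.
$VpnPool = '10.20.0.0/16'   # placeholder: replace with the campus VPN address pool

# The built-in "Remote Desktop" rule group allows TCP 3389 from any remote address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Replace it with a single inbound rule that only accepts the VPN pool.
$ruleName = 'RDP - allow from campus VPN pool only'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $VpnPool -Action Allow | Out-Null
}

# Verify: every enabled inbound rule that opens 3389, with its remote scope.
# Any rule whose RemoteAddress is "Any" still exposes RDP to the whole network.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = $addr }
    }
```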

5. Enable Network Level Authentication

Windows 10 and Windows Server 2012 R2/2016/2019 also provide Network Level Authentication (NLA) by default. It is best to leave this in place, as NLA provides an extra level of authentication before a connection is established. You should only configure Remote Desktop servers to allow connections without NLA if you use Remote Desktop clients on other platforms that don't support it.

  • NLA should be enabled by default on Windows 10 and Windows Server 2012 R2/2016/2019.
  • To check, look at the Group Policy setting Require user authentication for remote connections by using Network Level Authentication, found at Computer\Policies\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security. This Group Policy setting must be enabled on the server running the Remote Desktop Session Host role.
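As an added example (not from the original article), this PowerShell reads the effective NLA setting of the RDP-Tcp listener through the Win32_TSGeneralSetting WMI class, shows whether a GPO is enforcing the policy named above, and turns NLA back on if it has been disabled.

```powershell
# Added example, not part of the original article. Run from an elevated prompt.
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# UserAuthenticationRequired: 1 = NLA required, 0 = connections allowed before authentication.
# SecurityLayer: 0 = RDP security layer, 1 = negotiate, 2 = TLS only.
[pscustomobject]@{
    Listener      = $ts.TerminalName
    NlaRequired   = [bool]$ts.UserAuthenticationRequired
    SecurityLayer = $ts.SecurityLayer
}

# Registry location written by the Group Policy setting referenced in the article.
$gpo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
        -Name UserAuthentication -ErrorAction SilentlyContinue
if ($gpo) { "GPO enforces UserAuthentication = $($gpo.UserAuthentication)" }
else      { 'No GPO value present; the listener setting above is the effective one.' }

# Remediate: require NLA on the listener if it is currently off.
if ($ts.UserAuthenticationRequired -ne 1) {
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    'NLA has been enabled on the RDP-Tcp listener.'
}
```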

6. Limit users who can log in using Remote Desktop

By default, all Administrators can log in to Remote Desktop. If you have multiple Administrator accounts on your computer, you should limit remote access only to those accounts that need it. If Remote Desktop is not used for system administration, remove all administrative access via RDP, and only allow user accounts that require the RDP service. For departments that manage many machines remotely, remove the local Administrator account from RDP access and add a technical group instead.

  1. Click Start -> Programs -> Administrative Tools -> Local Security Policy
  2. Under Local Policies -> User Rights Assignment, go to "Allow logon through Terminal Services" or "Allow logon through Remote Desktop Services"
  3. Remove the Administrators group and leave the Remote Desktop Users group.
  4. Use the System control panel to add users to the Remote Desktop Users group.

A typical Microsoft operating system will have the following setting by default, as seen in the Local Security Policy:

The problem is that "Administrators" is here by default, and your "local Admin" account is in Administrators. Although a password convention to avoid identical local admin passwords on the local machine and tightly controlling access to these passwords or conventions is recommended, using a local admin account to work on a machine remotely does not properly log and identify the user using the system. It is best to override the local security policy with a Group Policy setting.

To control access to the systems even more, using "Restricted Groups" via Group Policy is also helpful.

If you use a "Restricted Group" setting to place your group, for example "CAMPUS\LAW-TECHIES", into "Administrators" and "Remote Desktop Users", your techies will still have administrative access remotely, but using the steps above, you have removed the problematic "local administrator account" having RDP access. Going forward, whenever new machines are added in the OU under the GPO, your settings will be correct.

7. Set an account lockout policy

By setting your computer to lock an account after a set number of incorrect guesses, you will help prevent attackers from using automated password guessing tools to gain access to your system (this is known as a "brute-force" attack). To set an account lockout policy:

  1. Go to Start -> Programs -> Administrative Tools -> Local Security Policy
  2. Under Account Policies -> Account Lockout Policy, set values for all three options. Three invalid attempts with a 3-minute lockout duration are reasonable choices.