Remote Desktop is a Windows service that lets a user connect to a host computer from anywhere, so the server and the data stored on it can be reached from any remote location. RDP is very useful, but it also brings several security risks.
In networking, security and accessibility have always pulled against each other: granting RDP access to authorized users also creates a risk of unauthorized users gaining access to your server.
To reduce this risk, an administrator should follow some basic practices to keep RDP sessions secure:
Some Useful Tips
- Always use strong passwords
- Enable Network Level Authentication
- Restrict access using firewalls
- Change the listening port for RDP
Use strong passwords
When choosing a password for your RDP account, make it as long as the allowed limit permits and use a mix of letters, numbers and at least two special characters. This makes the password much harder for a program or a person to guess and helps protect your RDP session from unauthorized access.
Enable Network Level Authentication
RDP supports a mechanism called Network Level Authentication (NLA). With NLA enabled, a connecting user must supply valid credentials before a session is established; only after successful verification does the login screen appear.
This is a more secure authentication method that helps protect the remote computer from malicious users and malicious software. Because no session is created for a client that has not yet authenticated, it also reduces exposure to denial-of-service (DoS) attacks.
To configure Network Level Authentication for a connection
1. Log in to the VPS, click Start -> Administrative Tools -> Remote Desktop Services -> Remote Desktop Session Host Configuration.
2. Under Connections, right-click the name of the connection and click Properties.
3. On the General tab, select the Allow connections only from computers running Remote Desktop with Network Level Authentication check box.
If the Allow connections only from computers running Remote Desktop with Network Level Authentication check box is selected but greyed out, the Require user authentication for remote connections by using Network Level Authentication Group Policy setting has been enabled in GPEdit (Group Policy Editor) and applied to the VPS, so the setting is controlled by policy rather than by this dialog.
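The same check and change can be scripted. The following PowerShell is an added example, not code from the original article: it reports whether NLA is required on the RDP-Tcp listener, whether the value is being enforced by Group Policy (the reason the GUI check box appears greyed out), and which security layer is in use, and it enables NLA through the supported Win32_TSGeneralSetting WMI class when it is not already enforced. The registry paths and the WMI class and method are standard Windows locations; the function names are this example's own. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original article): audit and enforce Network Level
# Authentication on the RDP-Tcp listener. Run in an elevated PowerShell session.
# The registry paths and the Win32_TSGeneralSetting class/method are standard Windows
# locations; the function names are this example's own.

function Get-RdpNlaState {
    $listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # UserAuthentication = 1 means NLA is required on this listener.
    $local = (Get-ItemProperty -Path $listener -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # The same value under the Policies hive means a GPO controls it (GUI check box greyed out).
    $gpo   = (Get-ItemProperty -Path $policy   -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # SecurityLayer: 0 = legacy RDP encryption, 1 = negotiate, 2 = TLS required.
    $layer = (Get-ItemProperty -Path $listener -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
    $layerName = switch ($layer) { 0 { 'RDP' } 1 { 'Negotiate' } 2 { 'TLS' } default { 'Unknown' } }

    [pscustomobject]@{
        NlaRequired      = ($local -eq 1)
        EnforcedByPolicy = ($null -ne $gpo)
        PolicyValue      = $gpo
        SecurityLayer    = $layerName
    }
}

function Enable-RdpNla {
    # Use the supported WMI/CIM method instead of writing the registry directly, so the
    # change takes effect on the running listener without restarting the service.
    $setting = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                               -ClassName Win32_TSGeneralSetting `
                               -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $setting -MethodName SetUserAuthenticationRequired `
                     -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
}

$state = Get-RdpNlaState
$state | Format-List

if (-not $state.NlaRequired) {
    if ($state.EnforcedByPolicy) {
        Write-Warning 'NLA is controlled by Group Policy on this host; change it in the GPO, not locally.'
    } else {
        Enable-RdpNla
        Get-RdpNlaState | Format-List
    }
}
```

The SecurityLayer value is reported alongside NLA because NLA only works when the listener negotiates TLS/CredSSP; a listener forced to the legacy RDP security layer will not require authentication before the session is created even if the check box is ticked.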
Restrict unauthorized access using Windows Firewall
A firewall is a hardware device or a software program that protects your machine from attacks coming from the internet. When a connection attempt reaches your machine, the firewall decides whether to allow or block it based on the rules set by your system administrator. When you enable the Remote Desktop feature on Windows, it automatically configures Windows Firewall with the appropriate inbound rule.
You can use the firewall to block or allow a single IP address or a range of IP addresses with the following steps:
Go to Control Panel -> Administrative Tools -> Windows Firewall with Advanced Security -> Inbound Rules -> Remote Desktop (TCP-In) -> Properties -> Scope.
The Scope tab lets you restrict or allow IP addresses. For example, if you want only a specific IP address to be able to reach the server, enter that address in the Remote IP address box.
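The Scope setting can also be applied and verified from PowerShell. The script below is an added example, not part of the original article: it lists the current remote-address scope of the built-in Remote Desktop inbound rules, narrows them to an explicit allow list, and then flags any rule that still accepts connections from Any address. The two addresses are constructed values from the RFC 5737 documentation ranges and must be replaced with your own management hosts or VPN subnet; the display group name "Remote Desktop" is the built-in rule group on Windows 8 / Server 2012 and later, while older systems have the single rule named "Remote Desktop (TCP-In)" as in the article, so the script falls back to that name. Run it in an elevated session, and run it from the console or from an address on the allow list, because a remote administrator connecting from any other address will be cut off as soon as the scope is applied.

```powershell
# Added example (not from the original article): restrict the built-in Remote Desktop
# inbound firewall rules to an explicit list of management addresses. Run elevated.
# The addresses below are constructed (RFC 5737 documentation ranges): replace them with
# your own management hosts or VPN subnet before use.
param(
    [string[]]$AllowedRemoteAddresses = @('203.0.113.10', '198.51.100.0/24')
)

# Windows 8 / Server 2012 and later group the RDP rules under 'Remote Desktop';
# older systems expose the single rule 'Remote Desktop (TCP-In)' described in the article.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue
if (-not $rules) {
    $rules = Get-NetFirewallRule -DisplayName 'Remote Desktop (TCP-In)' -ErrorAction Stop
}

# Show the scope before changing anything. 'Any' means the rule accepts connections
# from every source address, which is the exposure this script removes.
Write-Host 'Current scope:'
foreach ($rule in $rules) {
    $addr = $rule | Get-NetFirewallAddressFilter
    Write-Host ('  {0,-45} RemoteAddress={1}' -f $rule.DisplayName, ($addr.RemoteAddress -join ','))
}

# Apply the allow list and make sure the rules themselves are enabled.
$rules | Set-NetFirewallRule -RemoteAddress $AllowedRemoteAddresses -Enabled True

# Verify: any RDP rule still scoped to 'Any' is a finding worth reporting.
Write-Host 'Scope after change:'
foreach ($rule in $rules) {
    $addr = $rule | Get-NetFirewallAddressFilter
    if ($addr.RemoteAddress -contains 'Any') {
        Write-Warning "$($rule.DisplayName) still accepts connections from any address"
    } else {
        Write-Host ('  {0,-45} RemoteAddress={1}' -f $rule.DisplayName, ($addr.RemoteAddress -join ','))
    }
}
```

Because the scope is checked after the change, the same script doubles as an audit: scheduled to run read-only (skip the Set-NetFirewallRule line), it will warn whenever someone re-opens RDP to the whole internet.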
Change the listening port for Remote Desktop
Remote Desktop uses TCP and UDP port 3389 as its default listening port, but the listener can be moved to another port number. This is especially useful when the remote computer sits behind a firewall that only allows incoming and outgoing connections on standard or specifically assigned ports. To change the RDP listening port, follow these steps:
1. Open regedit (Registry Editor) from Run.
2. Navigate to the following key:
HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Control -> Terminal Server -> WinStations -> RDP-Tcp
3. In the right-hand pane you will see an entry called PortNumber.
4. Double-click this entry, choose Decimal as the Base, type in your desired port number, then click OK.
You can assign any integer port number between 1025 and 65535 in the PortNumber field. Make sure the port you choose is not already in use by another application, and after changing the RDP listening port make sure the new port is also allowed through the firewall.
Warning: Editing the Windows registry is risky, so this task should be carried out under the supervision of an experienced administrator, and you must take a backup before saving any changes to the registry.
When you then connect to the VPS with Remote Desktop Connection, you must type the address as IP:PortNumber.
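The whole procedure, including the checks the article asks for (port in range, port not in use, registry backed up, firewall opened for the new port), can be done in one script. The PowerShell below is an added example, not code from the original article: the registry path and the PortNumber value are the ones described above; the new port 3390 is a constructed sample value and the function name is this example's own. It opens the firewall before moving the listener so a remote administrator is not locked out, and it leaves the service restart to you, because restarting Remote Desktop Services drops every current session.

```powershell
# Added example (not from the original article): move the RDP listener to a new port with
# the safety checks the article calls for. Run in an elevated PowerShell session.
# $NewPort is a constructed sample value; the registry path and PortNumber value name are
# the ones the article describes. The function name is this example's own.
param([int]$NewPort = 3390)

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Test-PortAvailable([int]$Port) {
    # The article's allowed range: 1025-65535.
    if ($Port -lt 1025 -or $Port -gt 65535) {
        throw "Port $Port is outside the allowed range 1025-65535"
    }
    # RDP listens on both TCP and UDP, so both must be free on this host.
    $tcp = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    $udp = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    return (-not $tcp -and -not $udp)
}

$oldPort = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
Write-Host "Current RDP listening port: $oldPort"

if ($NewPort -eq $oldPort) { Write-Host 'Port already set; nothing to do.'; return }
if (-not (Test-PortAvailable $NewPort)) { throw "Port $NewPort is already in use on this host" }

# Back up the key before editing it, as the article's warning advises.
$backup = Join-Path $env:TEMP ('RDP-Tcp-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' $backup /y | Out-Null
Write-Host "Registry backup written to $backup"

# Open the firewall for the new port *before* moving the listener, so an administrator
# connected remotely is not locked out when the service comes back on the new port.
# Scope the new rules to the same profiles as the default Remote Desktop rules.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "Remote Desktop (custom port $NewPort, $proto-In)" `
        -Direction Inbound -Protocol $proto -LocalPort $NewPort -Action Allow `
        -Profile Domain, Private -ErrorAction Stop | Out-Null
}

# Equivalent of editing PortNumber in Registry Editor with Decimal as the base.
Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $NewPort -Type DWord

# The listener only reads PortNumber at service start. Restarting TermService disconnects
# every current session, so do it (or reboot) inside a maintenance window.
Write-Host "PortNumber set to $NewPort. Restart Remote Desktop Services or reboot, then connect with <IP>:$NewPort."
```

After the restart, the new firewall rules should be narrowed to your management addresses in the same way as the default rules, and the original Remote Desktop rules for port 3389 can be disabled, since nothing listens there any more.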