How to Secure Windows Remote Desktop Protocol (RDP) in 12 Steps

Securing Windows Remote Desktop Protocol (RDP)

As our working environments become increasingly orientated towards remote or hybrid paradigms, so does our reliance on remote technologies such as RDP. However, while this solution might be crucial to productivity in remote environments, it also comes with its associated risks. Knowing how to secure the Windows Remote Desktop Protocol is becoming increasingly important for general security, productivity, and compliance.

Microsoft's Windows RDP component is encrypted by default, leading many to believe it is inherently secure. While that's true to an extent, there are still vulnerabilities, particularly at the authentication level, and newly discovered exploits for new and old RDP versions are still a regular occurrence. That's why we'll look below at some measures you can implement to help secure remote desktop connections within your network.

 


Enforce Password Security Best Practices

Any user accounts with RDP access should be forced to use strong passwords as a matter of course. Reusing passwords for multiple accounts or services should also be discouraged. This will go a long way to prevent brute force and credential stuffing attacks perpetrated via RDP.

Set Account Lockout Policies

Brute force attacks are still a common attack vector aimed at RDP connections. Limiting the number of attempts a user has to successfully log in to a computer will hamper the use of automated password guessing tools or other brute force attempts by attackers.

Use Multi-Factor Authentication

Multi-factor authentication (MFA) or two-factor authentication (2FA) can provide a massively effective extra layer of security on top of secure login practices. MFA can be configured in various ways, such as configuring RDP gateways to integrate with MFA/2FA services or using MFA/2FA certificate-based smartcards.

Keep Your Software Updated

New and existing security flaws are continuously being uncovered in both old and new versions of RDP components and the systems they run on. Microsoft, for example, provides automated updates that apply security fixes for newly discovered exploits. You should ensure that all your clients and servers are running the latest software versions and monitor zero-day notices for vulnerabilities that may affect your network. The latest software versions are generally more secure and stable, and may support higher levels of encryption.

Use Firewalls to Restrict Access

Depending on the level of security you need, both hardware and software firewalls can be employed to restrict access to remote desktop listening ports. A firewall allows you to specify the only IPs that are allowed to connect via your RDP ports. Combining a firewall with an RDP Gateway can provide a powerful security chokepoint.

Enable Network Level Authentication

Network Level Authentication (NLA) provides a level of authentication before a remote desktop session is established. If used, users have to authenticate themselves to the network before successfully making the connection. Most Windows OS versions, such as Windows 10 and Windows Server 2012 R2/2016/2019, have NLA enabled by default.

Limit User and Administrative Access

You should review your local security policies on a regular basis to ensure that remote desktop access is limited only to the accounts that need it. In Windows, for example, all Administrators are given access to RDP by default. Just because an account should have local admin rights doesn’t mean it necessarily needs RDP access. It’s best to configure specific groups if you do want to give RDP access to multiple users or to just specify these rights individually.
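A read-only PowerShell check of the settings covered in the firewall, NLA and access sections above, added here as an illustration and not part of the original article. It assumes an elevated session on an English-language Windows host (firewall rule-group and local group names are localized) and it only reports; it changes nothing.

```powershell
# Added example: read-only audit of host RDP exposure. Run elevated.
# Assumes English display names for the firewall rule group and local groups.
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 -> Remote Desktop is enabled on this host.
# UserAuthentication = 1 -> Network Level Authentication is required.
$listener = Get-ItemProperty -Path $rdpTcp
[pscustomobject]@{
    RdpEnabled  = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
    NlaRequired = $listener.UserAuthentication -eq 1
    Port        = $listener.PortNumber
} | Format-List

# Enabled inbound rules in the built-in "Remote Desktop" group and the
# remote addresses each one accepts. 'Any' means no source restriction.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $rule   = $_
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            RemoteAddress = $remote -join ', '
            Unrestricted  = $remote -contains 'Any'
        }
    } | Format-Table -AutoSize

# Who can log on over RDP: members of 'Remote Desktop Users' plus, by
# default, every member of the local Administrators group.
foreach ($group in 'Remote Desktop Users', 'Administrators') {
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $group } }, Name, ObjectClass, PrincipalSource
}
```

Where Group Policy manages these settings, the effective NLA value may instead come from HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, so check that key as well on domain-joined hosts.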

Limit RDP Access to External Clients or Servers

Interfacing with parties outside your organization has become an unavoidable operational requirement today. However, with each external client or server to which you provide RDP access, your threat surface expands, as does the potential for compromise as a result of non-standard practices.

Set Up a Remote Desktop Gateway

An RD Gateway server helps to regulate RDP connections by removing all remote user access to your systems and replacing it with a point-to-point remote desktop connection. Remote users log in to a portal using their credentials to be granted access through the firewall. It provides secure, encrypted connections to the server from RDP clients. This is one way to allow remote users to connect to internal network resources from external sources securely.

Tunnel RDP Connections Through IPSec or SSH

IPSec and SSH can be alternatives to using an RDP server to add additional layers of authentication and encryption to remote connections. IPSec has been built into all Windows operating systems since Windows 2000.

Monitor Your RDP Logs and Security Configuration

Implementing RDP security measures does not ensure your systems will never be compromised. You should regularly audit your RDP logs and security configuration for signs of anomalous behavior, such as unexpected login volumes, or where there might be mismatches in security settings between clients and servers on your network.
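One way to look for the unexpected login volumes mentioned above, as an added PowerShell example that is not part of the original article. The 24-hour window and the threshold of 10 failures are assumptions to tune for your environment; run it elevated on the host whose Security log you want to review.

```powershell
# Added example: summarize failed RDP-style logons per source address.
# Run elevated; reading the Security log requires administrative rights.
$since     = (Get-Date).AddHours(-24)   # review window (assumption)
$threshold = 10                         # failures per source worth a look (assumption)

# 4625 = failed logon. LogonType 10 is RemoteInteractive (classic RDP);
# with NLA the failure is usually recorded as LogonType 3 (Network), which
# also covers other network logons such as file shares.
$failed = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        $d   = @{}
        foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $evt.TimeCreated
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']
            SourceIp  = $d['IpAddress']
        }
    } |
    Where-Object { $_.LogonType -in '3', '10' -and $_.SourceIp -and $_.SourceIp -ne '-' }

# One row per source address that reached the threshold, busiest first.
$failed | Group-Object SourceIp |
    Where-Object { $_.Count -ge $threshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        [pscustomobject]@{
            SourceIp = $_.Name
            Failures = $_.Count
            Accounts = ($_.Group.User | Sort-Object -Unique) -join ', '
            First    = $times | Select-Object -First 1
            Last     = $times | Select-Object -Last 1
        }
    } | Format-Table -AutoSize
```

A source that tries many different account names in a short span is a stronger brute-force signal than one user mistyping a password, so read the Accounts column alongside the count.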