Why use multifactor security to log on remotely?

Remote Desktop sessions run over an encrypted channel, so someone listening on the network cannot simply read your session. However, the legacy RDP security layer used by earlier versions of RDP has a weakness: the client does not verify the identity of the server it is talking to. An attacker positioned between the client and the server (a man-in-the-middle attack) can therefore intercept the session and the credentials sent over it.

Current versions of Windows and Windows Server secure Remote Desktop with SSL/TLS, which lets the client authenticate the server before sending anything. Note that a host still using its self-signed certificate will produce a certificate warning on every client; issue the host a certificate from a CA your clients trust so that a warning actually means something.

While Remote Desktop is more secure than remote administration tools such as VNC that do not encrypt the entire session, any time Administrator access to a system is granted remotely there are risks.

Our security procedures will help you secure Remote Desktop access to your desktops and servers by adding multi-factor authentication to the standard Windows Remote Desktop application.

(1) Strong, unique passwords on every account with access to Remote Desktop should be considered a required step before enabling Remote Desktop, because Remote Desktop exposes the Windows logon directly to anyone who can reach the port.

(2) Our service uses a two-factor authentication approach. The details are beyond the scope of this article; once you register as a user, you will be provided with instructions for integrating your RD Gateway with our server-based SecuRDT service. This approach uses the standard Windows Remote Desktop host in conjunction with our Mobile SecuRDT client.

(3) One advantage of the standard Windows Remote Desktop components over third-party remote administration tools is that they receive the latest security fixes in the normal Microsoft patch cycle. That only helps if you actually run the current client and server versions, so enable automatic Microsoft Updates and audit that they are being applied. If you use Remote Desktop clients on other platforms, such as Apple products, keep them just as current: older clients may not support the high encryption level or Network Level Authentication and may carry security flaws of their own.

(4) Use firewalls (the host firewall and, where available, a network firewall) to restrict access to the Remote Desktop listening port (TCP 3389 by default; we recommend moving it to a port range unique to your organisation, see 4a) so that only your management network or gateway can reach it. Using a dedicated RD Gateway is highly recommended: the desktops and servers then accept RDP only from the gateway, and the gateway exposes a single HTTPS (TCP 443) entry point that can be protected with its own authentication and connection policies.

(4a) Changing the listening port helps to “hide” Remote Desktop from attackers who are scanning the network for computers listening on the default Remote Desktop port (TCP 3389). It defeats worms that only probe that port, such as Morto, but not a scanner that sweeps all ports or an attacker who already holds valid credentials. To do this, edit the PortNumber value (REG_DWORD) under the following registry key (WARNING: do not try this unless you are familiar with the Windows Registry and TCP/IP): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. Change it from 3389 to the new port, update your firewall rules (the built-in Windows Firewall “Remote Desktop” rules are tied to 3389, so you need a rule for the new port), and restart Remote Desktop Services for the change to take effect; clients then connect to host:port. Although this approach is helpful, it is security by obscurity, which is not a reliable security control on its own. Make sure you are also using the other methods described in this article to tighten down access.

(5) Current versions of Windows and Windows Server enable Network Level Authentication (NLA) by default. Leave it in place: NLA authenticates the user (via CredSSP) before a session and logon screen are created, so an unauthenticated client never reaches the Windows logon screen and cannot consume session resources. Only configure a Remote Desktop server to allow connections without NLA if you must support clients on other platforms that do not implement it, and prefer upgrading those clients instead, since disabling NLA weakens the host for every client that connects to it.

(6) Set an account lockout policy so that an account is locked after a set number of incorrect guesses. This blunts automated password-guessing tools (a “brute-force” attack). Note the trade-off: an attacker who knows your account names can lock them out deliberately, so use a lockout duration rather than requiring a manual unlock, and combine lockout with the source restrictions in item 4 rather than relying on it alone.

(7) Other remote-control products such as VNC or PCAnywhere are not recommended, because they may not produce logs that are auditable or protected from tampering. RDP logons are written to the local Security log (event 4624 for success and 4625 for failure, with logon type 10, RemoteInteractive) and, for domain accounts, are also reflected in the domain controller's audit logs. When monitoring local Security logs, look for anomalies in RDP sessions such as logons by the local Administrator account, bursts of failures from one address, or sessions outside working hours. By choosing the standard Windows RD Gateway, you also get a third level of auditing, on the gateway itself, that is easier to read than combing through domain controller logons and is separate from the target machine, so an attacker who compromises the target cannot tamper with it. This type of log makes it much easier to monitor how and when RDP is being used across all the devices in your environment.

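As an added example (not code from the original article or from SecuRDT), the following script applies steps 4, 4a, 5 and 6 above to a single host. It assumes placeholder values that you must change: the new listener port 33890, the management network 10.0.10.0/24 from which RDP is allowed, and the firewall rule name. Run it in an elevated PowerShell session from the console or another out-of-band channel, because restarting the listener at the end drops existing RDP sessions.

```powershell
# Added example, not part of the original article. Run elevated on the RDP host itself.
# Placeholders (assumptions): the new port, the management network, the rule name.
$NewPort = 33890
$MgmtNet = '10.0.10.0/24'
$Rdp     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Record the current state first so the change can be reversed.
Get-ItemProperty -Path $Rdp | Select-Object PortNumber, UserAuthentication, SecurityLayer, MinEncryptionLevel

# (4a) Move the listener. PortNumber is the REG_DWORD under the key named in the article.
Set-ItemProperty -Path $Rdp -Name PortNumber -Value $NewPort -Type DWord

# (5) Require Network Level Authentication (UserAuthentication=1) and the TLS security
#     layer (SecurityLayer=2; 0 = legacy RDP security layer, 1 = negotiate).
#     MinEncryptionLevel=3 ("High") refuses the weak levels older clients would negotiate.
Set-ItemProperty -Path $Rdp -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $Rdp -Name SecurityLayer      -Value 2 -Type DWord
Set-ItemProperty -Path $Rdp -Name MinEncryptionLevel -Value 3 -Type DWord

# (4) The built-in "Remote Desktop" firewall rules are bound to 3389, so disable them
#     and allow the new port only from the management network (or the RD Gateway).
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
$ruleName = "Remote Desktop (TCP $NewPort, management network only)"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $NewPort -RemoteAddress $MgmtNet -Action Allow -Profile Domain, Private | Out-Null
}

# (6) Lockout for local accounts: 10 bad guesses lock the account for 30 minutes and the
#     bad-guess counter resets after 30 minutes. 'net accounts' only changes the local
#     SAM policy; set the same values in Group Policy for domain accounts.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# The port change takes effect only when the Remote Desktop Services listener restarts.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 3

# Verify: the listener should be on the new port and nothing should remain on 3389.
Get-NetTCPConnection -State Listen -LocalPort $NewPort, 3389 -ErrorAction SilentlyContinue |
    Select-Object LocalPort, OwningProcess
Get-ItemProperty -Path $Rdp | Select-Object PortNumber, UserAuthentication, SecurityLayer, MinEncryptionLevel
```

After the restart, clients connect with mstsc /v:hostname:33890 (substituting your port). If the host sits behind an RD Gateway, set $MgmtNet to the gateway's address so that the listener is reachable from nowhere else.
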
Security is a shared responsibility. We all have a part to play. Know what you are working with, and protect yourself by regularly reviewing your server and workstation Windows logs.
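
As an added example (not code from the original article or from SecuRDT) of the log review that item 7 and the closing paragraph call for, the following script pulls RDP logon events out of the local Security log and flags the anomalies a reviewer should look at first. It assumes a placeholder gateway address (10.0.10.5) for the check that every session came through the RD Gateway; the event IDs and logon types are the standard Windows ones.

```powershell
# Added example, not part of the original article. Run elevated on the RDP host;
# add -ComputerName to the Get-WinEvent calls to read another host, the domain
# controller or the RD Gateway instead.
param(
    [int]$Hours = 24,
    [string]$GatewayAddress = '10.0.10.5',   # placeholder: your RD Gateway's IP address
    [int]$FailureThreshold = 10
)

# Pull a named <Data> element out of the event XML. Safer than fixed property
# indexes, which differ between event 4624 and event 4625.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddHours(-$Hours)

# 4624 = successful logon, 4625 = failed logon. LogonType 10 (RemoteInteractive) is an
# RDP session. With NLA enabled a bad password is rejected during the CredSSP network
# logon, before a session exists, so guessing attempts show up as 4625 with LogonType 3
# (which also covers SMB and other network logons; check the source address).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue

$rdp = foreach ($e in $events) {
    $type = Get-EventField $e 'LogonType'
    if ($type -ne '10' -and -not ($e.Id -eq 4625 -and $type -eq '3')) { continue }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Result = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        User   = Get-EventField $e 'TargetUserName'
        Domain = Get-EventField $e 'TargetDomainName'
        Source = Get-EventField $e 'IpAddress'
        Type   = $type
    }
}

# Anomaly 1 (the article's example): the local built-in Administrator account used over
# RDP. For a local account the target domain is the computer name.
$localAdmin = $rdp | Where-Object { $_.User -eq 'Administrator' -and $_.Domain -eq $env:COMPUTERNAME }

# Anomaly 2: password guessing, i.e. many failures from one source address.
$bruteForce = $rdp | Where-Object { $_.Result -eq 'Failure' -and $_.Source } |
    Group-Object Source | Where-Object { $_.Count -ge $FailureThreshold }

# Anomaly 3: a successful session that did not come through the gateway. The target host
# sees the gateway, not the end user, as the TCP source, so any other address means
# someone reached the listener directly.
$bypass = $rdp | Where-Object { $_.Result -eq 'Success' -and $_.Source -ne $GatewayAddress }

# Anomaly 4: sessions outside business hours (08:00-18:00 local; adjust to your site).
$offHours = $rdp | Where-Object { $_.Result -eq 'Success' -and ($_.Time.Hour -lt 8 -or $_.Time.Hour -ge 18) }

"Local Administrator over RDP:";                                 $localAdmin | Format-Table -AutoSize
"Possible brute force ($FailureThreshold+ failures per source):"; $bruteForce | Select-Object Name, Count | Format-Table -AutoSize
"Sessions that bypassed the gateway:";                            $bypass     | Format-Table -AutoSize
"Sessions outside business hours:";                               $offHours   | Format-Table -AutoSize

# The third audit trail from item 7: on the RD Gateway itself, the gateway's operational
# log records who passed the connection policy (200) and resource policy (201), connected
# to a host (302) and disconnected (303), independently of the target machine.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-Gateway/Operational'; Id = 200, 201, 302, 303; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

On the domain controller, the same review should include event 4740 (account locked out), which is where the lockout policy from item 6 becomes visible; a run of 4740 events for accounts that nobody is using is the signature of an attacker guessing passwords against your listener.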
