Any kind of remote desktop solution opens a hole that can potentially be exploited. RDP is no different, and the RDP port (port 3389) is well known and regularly scanned for exploits. If you plan to use Windows Remote Desktop over the internet, you need a strategy in place to secure it.
Enterprise users can use Remote Desktop Gateways to help provide a secure way to connect to an RDP server, but standard Windows users don’t have this luxury. Instead, you’ll need to use some common-sense solutions to establish secure RDP connections. Some tips for establishing a secure RDP connection include:
1- Don’t allow open RDP connections over the internet. If you need to use Windows Remote Desktop over the internet, set up your own virtual private network (VPN) or use an RD Gateway to create a secure tunnel to your local network first. Allowing an open RDP connection over the internet is extremely risky, so don’t leave it to chance.
2- Enable Network Level Authentication (NLA). This should be enabled by default in Windows 10, Windows Server 2012, and newer, but if you’re using older versions of Windows, you should enable this—it ensures that a connection can only occur when it is properly authenticated and a right username and password is provided.
3- Restrict RDP connections to non-administrators. You should only allow non-administrator user accounts to remotely connect to Windows PCs. Standard user accounts can’t change settings, install software, and have limited access to files. This should limit the damage that any potential rogue connection could make.
4- Limit password attempts. You should limit the number of incorrect passwords on an account before it is locked out, which should limit any damage from a denial of service attack.
5- Use complex, secure passwords. Using secure passwords is good advice for any situation, but especially for Windows Remote Desktop connections. Don’t use the same password for multiple accounts, and use a combination of letters, numbers, and symbols.
6- Set RDP for maximum encryption. By default, RDP connections will always try to use the highest possible level of encryption. To ensure that the highest level of encryption is always used, however, you can set the default encryption level using the Group Policy Editor (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > Set client connection encryption level > Enabled > High Level).
