Securing Remote RDP

Remote Desktop sessions run over an encrypted channel, so someone passively listening on the network cannot simply read your session. However, the legacy "RDP Security Layer" encryption used by earlier versions of RDP does not authenticate the server, which leaves it open to man-in-the-middle attacks; newer versions can negotiate TLS instead. The following tips will help you secure Remote Desktop access to both the desktops and servers you support.


1. Use a Strong Password

Use a strong, unique password on every account that can log in through Remote Desktop. An RDP listener exposed to the internet will be brute-forced, so this should be considered a required step before enabling Remote Desktop at all.


2. Enable Network Level Authentication

Windows Vista, Windows 7, Windows Server 2008 and later support Network Level Authentication (NLA). It is best to leave this in place: with NLA the client must authenticate (over CredSSP) before the server creates a session, so an unauthenticated client never reaches the Windows logon screen.

Open System Properties (sysdm.cpl), go to the Remote tab, select "Allow remote connections to this computer" and the option below it, "Allow connections only from computers running Remote Desktop with Network Level Authentication."

Requiring NLA is not mandatory, but doing so makes your computer considerably harder to attack. The trade-off is that old clients that do not support NLA will be refused.

Next, click "Select Users."

Any account in the Administrators group already has access. If you need to grant Remote Desktop access to other users, click "Add" and type in the usernames; this adds them to the local Remote Desktop Users group.
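The same settings can be applied and verified from an elevated PowerShell prompt. The script below is an added example, not code from the original article; it assumes Windows 10 / Server 2016 or later (for the NetSecurity and LocalAccounts modules), and the principals CORP\alice and CORP\RDP-Users are placeholder names you would replace. Besides requiring NLA, it also sets the listener to TLS-only with high encryption, which addresses the weak legacy encryption mentioned at the top of the article.

```powershell
# Added example (not from the original article): enable Remote Desktop with
# Network Level Authentication required, prefer TLS over the legacy RDP
# security layer, and grant access to specific users. Run as Administrator.
# 'CORP\alice' and 'CORP\RDP-Users' are assumed names; substitute your own.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# 0 = allow remote connections ("Allow remote connections to this computer")
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord

# UserAuthentication 1 = require NLA ("Allow connections only from computers
# running Remote Desktop with Network Level Authentication")
Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1 -Type DWord

# SecurityLayer: 0 = legacy RDP Security Layer, 1 = Negotiate, 2 = TLS only.
# MinEncryptionLevel: 3 = High. Together these avoid the legacy encryption
# that does not authenticate the server.
Set-ItemProperty -Path $tcp -Name SecurityLayer -Value 2 -Type DWord
Set-ItemProperty -Path $tcp -Name MinEncryptionLevel -Value 3 -Type DWord

# Enable the built-in firewall rule group for Remote Desktop (port 3389 by default)
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Grant access the same way "Select Users" does: membership in the local
# Remote Desktop Users group. Prefer a group over individual accounts.
foreach ($principal in @('CORP\alice', 'CORP\RDP-Users')) {
    $already = Get-LocalGroupMember -Group 'Remote Desktop Users' -Member $principal -ErrorAction SilentlyContinue
    if (-not $already) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $principal
    }
}

# Verify: UserAuthentication=1, SecurityLayer=2, MinEncryptionLevel=3
Get-ItemProperty -Path $tcp -Name UserAuthentication, SecurityLayer, MinEncryptionLevel |
    Format-List UserAuthentication, SecurityLayer, MinEncryptionLevel
Get-LocalGroupMember -Group 'Remote Desktop Users'
```

Running the verification lines by themselves is a quick audit of an existing host: a machine with UserAuthentication set to 0 or SecurityLayer set to 0 is still accepting connections the way older RDP versions did.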


3. Limit Who Can Log In Using Remote Desktop

Open Local Security Policy (secpol.msc), go to Local Policies > User Rights Assignment, and double-click the "Allow log on through Remote Desktop Services" policy listed on the right.

Remove both of the groups already listed in this window, Administrators and Remote Desktop Users. After that, click "Add User or Group" and manually add only the users or groups you want to grant Remote Desktop access to. Make sure the account you administer the machine from is on the list (directly or through a group), or you will lock yourself out of remote access. Note that once Remote Desktop Users is removed here, adding someone through "Select Users" in step 2 is no longer enough on its own; and on a domain-joined machine, a Group Policy that sets the same right overrides this local setting.
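There is no built-in cmdlet for user rights, but the same change can be scripted with secedit, which is useful when you have to apply it to many machines. The script below is an added example, not code from the original article; it assumes the groups CORP\RDP-Admins and CORP\RDP-Users exist (placeholder names) and that you run it elevated. It refuses to apply a list that would remove the current user's own remote logon right, which is the lockout the step above warns about.

```powershell
# Added example (not from the original article): set the "Allow log on through
# Remote Desktop Services" user right (SeRemoteInteractiveLogonRight) to an
# explicit list of principals using secedit. Run as Administrator.
# 'CORP\RDP-Admins' and 'CORP\RDP-Users' are assumed names; replace them.

$allowed = @('CORP\RDP-Admins', 'CORP\RDP-Users')

# Resolve names to SIDs up front; an unknown name throws here, before anything changes.
$allowedSids = foreach ($p in $allowed) {
    (New-Object System.Security.Principal.NTAccount($p)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# Lockout guard: the current user (or one of its groups) must remain in the list.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$memberOf = @($me.User) + @($me.Groups)
if (-not ($memberOf | Where-Object { $allowedSids -contains $_.Value })) {
    throw "Current user $($me.Name) would lose the Remote Desktop logon right; aborting."
}

# Export the current policy, rewrite the one privilege, then re-import it.
# (The defaults look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
#  i.e. Administrators and Remote Desktop Users.)
$cfg = Join-Path $env:TEMP 'rdp-rights.inf'
$db  = Join-Path $env:TEMP 'rdp-rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$line    = 'SeRemoteInteractiveLogonRight = ' + (($allowedSids | ForEach-Object { "*$_" }) -join ',')
$content = Get-Content -Path $cfg
if ($content -match '^SeRemoteInteractiveLogonRight') {
    $content = $content -replace '^SeRemoteInteractiveLogonRight\s*=.*$', $line
} else {
    # Privilege not listed yet: add it under the [Privilege Rights] section header.
    $content = $content -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`n$line"
}
# secedit expects a UTF-16 file, which is what it exported.
Set-Content -Path $cfg -Value $content -Encoding Unicode

secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item -Path $cfg, $db -ErrorAction SilentlyContinue

# Verify by exporting again and printing the effective line.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight'
Remove-Item -Path $cfg
```

The verification export is also a cheap audit check on its own: if the printed line still contains *S-1-5-32-555 (Remote Desktop Users) or *S-1-5-32-544 (Administrators), the restriction has not taken effect, most likely because a domain Group Policy is setting the same right.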


4. Change the Default Port

By default, Remote Desktop listens on TCP port 3389. Changing the listening port hides it only from attackers scanning the network for hosts on the default port; a full port scan with service detection (nmap -sV, for example) will still identify an RDP listener on any port. Treat this as a way to cut the noise from automated brute-force tools, not as a substitute for the steps above.

Open the Registry Editor (regedit), expand HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp, then double-click "PortNumber" in the window on the right.

With the PortNumber value open, select "Decimal" on the right side of the window and type the new port number (any unused TCP port between 1024 and 65535) under "Value data" on the left. The listener only picks up the new port after the Remote Desktop Services service is restarted or the machine is rebooted. Before that, add an inbound Windows Firewall rule for the new port, because the built-in "Remote Desktop" rule only allows 3389; otherwise you will lock yourself out. Clients then connect as hostname:port (for example in the mstsc "Computer" field).
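The whole port change, including the firewall rule and the service restart the registry edit alone does not do, as an added example that is not part of the original article. It assumes Windows 8 / Server 2012 or later for the NetTCPIP and NetSecurity cmdlets, uses 33890 as a placeholder port, and should be run from a console session or another management channel rather than over the RDP session it is about to restart.

```powershell
# Added example (not from the original article): move the RDP listener to a
# new port, open the firewall for it, restart the service and verify.
# 33890 is an assumed port; pick any unused TCP port between 1024 and 65535.
# Run as Administrator, and not over the RDP session you are about to cut.

$newPort = 33890
$tcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Refuse a port that something else is already listening on.
if (Get-NetTCPConnection -LocalPort $newPort -State Listen -ErrorAction SilentlyContinue) {
    throw "TCP port $newPort is already in use on this host."
}

$oldPort = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber

# 1. Firewall first, so the new port is reachable the moment the listener moves.
#    The built-in "Remote Desktop" rule group only covers 3389.
New-NetFirewallRule -DisplayName "Remote Desktop (TCP $newPort)" -Direction Inbound `
    -Protocol TCP -LocalPort $newPort -Action Allow -Profile Domain,Private | Out-Null

# 2. Same REG_DWORD value the article edits in regedit (decimal).
Set-ItemProperty -Path $tcp -Name PortNumber -Value $newPort -Type DWord

# 3. The listener only re-reads PortNumber when the service starts.
#    -Force also restarts dependent services such as UmRdpService.
Restart-Service -Name TermService -Force

# 4. Verify: expect a listener on $newPort and none on $oldPort.
Start-Sleep -Seconds 3
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in @($newPort, $oldPort) } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 5. After confirming a client can connect (mstsc /v:hostname:33890), close the
#    old port by disabling the built-in rule group. Left commented out on purpose.
# Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
```

Step 5 is deliberately left for after a successful test connection: disabling the built-in rule before the new port is confirmed working is the most common way this change turns into a trip to the console.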