How to lock down a Remote Desktop Protocol server
It is becoming increasingly common for employees to access the company network remotely while working from home. The connection may work well, but that alone does not protect the network from attackers. Many companies have turned to Remote Desktop Protocol (RDP) for remote access, and RDP is also one of the most heavily used attack vectors. Here is how to lock down RDP connections more effectively.
How do I lock down a remote desktop session?
Basics: Patches, VPN and strong passwords
Verify that every remote system connecting to the network has been patched against the latest RDP vulnerabilities. Windows 7 workstations count too: Windows 7 Extended Security Updates (ESUs) can be purchased in any quantity. If you redeploy a Windows 7 workstation to support telecommuting, it must be patched.
Next, allow RDP only in combination with a VPN. Port 3389 should never be exposed directly to the internet. Ransomware attackers scan for exposed RDP listeners and then run a credential brute-forcing tool such as TSgrinder against them. Do not allow inbound connections to port 3389 unless your firewall rules restrict them to specific static IP addresses under your control.
Implement a strong password policy. Do not allow employees to reuse passwords, and remind them of the breaches that have exposed reused passwords; attackers feed leaked credentials straight into RDP login attempts. Do not allow saved passwords on RDP-connected computers.
Add two-factor authentication (2FA) to the remote desktop. Many vendors offer robust 2FA options for RDP, some of which are currently available on extended free trials.
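As an added example (not part of the original article), the following PowerShell enforces the firewall part of the advice above on a Windows host: it makes inbound traffic default-deny on every profile, scopes the built-in 'Remote Desktop' rule group to a VPN client subnet on the Domain and Private profiles only, and then lists every enabled inbound allow rule that still opens port 3389 together with the remote addresses it accepts. The VPN subnet 10.99.0.0/24 is a placeholder; replace it with your own address pool.

```powershell
# Added example, not code from the original article. Run in an elevated
# PowerShell session on the RDP host. The VPN client subnet is hypothetical.
$VpnPool = '10.99.0.0/24'

# Inbound default-deny on every profile, so RDP is reachable only through
# an explicit allow rule.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Scope the built-in Remote Desktop rules (TCP 3389, UDP 3389, Shadow) to the
# VPN pool and to the Domain/Private profiles only. With no rule on Public, a
# laptop on hotel Wi-Fi does not expose 3389 at all.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True `
    -Profile Domain, Private -RemoteAddress $VpnPool

# Audit: every enabled inbound allow rule that still opens 3389, with the
# remote addresses it accepts. A RemoteAddress of 'Any' is a finding.
function Get-RdpExposure {
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -in 'TCP', 'UDP' -and $_.LocalPort -eq '3389' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = ($addr -join ', ')
            }
        }
}

Get-RdpExposure | Format-Table -AutoSize
```

Run the audit function again after any change to third-party rules (some remote-management agents add their own 3389 allow rule with RemoteAddress 'Any', which silently undoes the VPN restriction).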
How do I restrict remote access?
Use Network Level Authentication on the RDS server
RDP should never be publicly exposed; that is the core of the recent guidance for mitigating attacks on the BlueKeep vulnerability (CVE-2019-0708), and some companies are struggling to follow it right now. Because Network Level Authentication (NLA) requires the user to authenticate before a session is created on the remote system, it significantly reduces the chance that RDP-based malware, including unauthenticated exploits such as BlueKeep, reaches the vulnerable code.
Windows 10 enables NLA by default, but older platforms may not. Enable NLA on the host and on Remote Desktop Services (RDS) through Group Policy, at the following location:
1. Computer Configuration
2. Administrative Templates
3. Windows Components
4. Remote Desktop Services
5. Remote Desktop Session Host
6. Security
On the server acting as the Remote Desktop Session Host, set 'Require user authentication for remote connections by using Network Level Authentication' to Enabled. Note that clients without CredSSP support (pre-Vista clients, or third-party clients without NLA) will be rejected once this is on, so check the client estate before enforcing it.
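As an added example (not code from the original article), the PowerShell below does the same thing without the Group Policy console: it reads whether the RDP-Tcp listener currently requires NLA, enables it immediately through the Terminal Services WMI provider, pins it with the policy registry value that the Group Policy setting above writes, and reads the state back. It assumes it is run elevated on the session host.

```powershell
# Added example, not code from the original article. Run elevated on the
# session host. Checks whether NLA is required on the RDP-Tcp listener,
# enforces it both immediately (WMI) and persistently (policy registry value,
# which is what the Group Policy setting above writes), and reads it back.

function Get-NlaState {
    $l = Get-CimInstance -Namespace root/CIMV2/TerminalServices `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    [pscustomobject]@{
        TerminalName = $l.TerminalName
        NlaRequired  = [bool]$l.UserAuthenticationRequired   # 1 = CredSSP before any session
    }
}

'Before:'; Get-NlaState

# 1. Apply to the running listener right away. Only new connections are
#    affected; existing sessions are untouched.
$listener = Get-CimInstance -Namespace root/CIMV2/TerminalServices `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Invoke-CimMethod -InputObject $listener -MethodName SetUserAuthenticationRequired `
    -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null

# 2. Pin it with the policy value so a local administrator cannot switch it
#    off again in the System Properties dialog. This is the value the GPO
#    "Require user authentication for remote connections by using Network
#    Level Authentication" writes.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name UserAuthentication -Type DWord -Value 1

'After:'; Get-NlaState
```

Run the first function alone across your hosts first: any host that reports NlaRequired = False is accepting unauthenticated RDP connection attempts and is the priority for the fix.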
Disable the shutdown command for users
Users logging in to the RDP server often do not realise that what they do on the remote computer affects every other user in that environment. Shutting it down interrupts everyone's session, so remove the option from ordinary users by following these steps.
1. On the RDP server host, click 'Start'.
2. Click 'Run'.
3. Enter gpedit.msc.
4. Go to 'User Configuration > Administrative Templates'.
5. Go to 'Start Menu and Taskbar'.
6. Open 'Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands'.
7. Set it to Enabled.
To allow only administrators to reboot, restrict the user right as follows.
1. Log in with administrative privileges.
2. Click 'Start'.
3. Click 'Run'.
4. Type secpol.msc to start the Local Security Policy editor.
5. Go to 'Local Policies'.
6. Go to 'User Rights Assignment'.
7. Go to 'Shut down the system'.
8. Right-click it and choose 'Properties'.
9. Remove the Users group, leaving (or adding) Administrators or a dedicated group of administrators who may reboot the system.
The Start-menu policy only hides the commands; the user right is what actually stops shutdown.exe or the Shutdown API from succeeding, so do not skip the second half. In a domain, deploy both as a GPO targeted at the session hosts (with loopback processing for the User Configuration part) rather than editing each host locally.
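As an added example (not code from the original article), the PowerShell below scripts both controls so they can be pushed to every session host: it writes the NoClose value behind the Start Menu policy and uses a security template with secedit to restrict the "Shut down the system" and "Force shutdown from a remote system" rights to the built-in Administrators group, then exports the effective rights to verify. The template file names under $env:TEMP are arbitrary; the SID S-1-5-32-544 is the well-known Administrators group.

```powershell
# Added example, not code from the original article. Run elevated.
# NoClose under HKCU is the per-user value the Start Menu policy writes, so that
# part covers the current user only (deploy it as a user GPO with loopback
# processing for everyone else). The user right is machine-wide and is the part
# that actually stops shutdown.exe and the Shutdown API, not just the menu.

# 1. Hide Shut Down / Restart / Sleep / Hibernate in the Start menu.
$explorerPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPol -Force | Out-Null
Set-ItemProperty -Path $explorerPol -Name NoClose -Type DWord -Value 1

# 2. Restrict "Shut down the system" and "Force shutdown from a remote system"
#    to the built-in Administrators group (SID S-1-5-32-544). User rights are
#    not exposed in the registry, so apply them with a security template.
$template = Join-Path $env:TEMP 'shutdown-rights.inf'   # arbitrary file names
$db       = Join-Path $env:TEMP 'shutdown-rights.sdb'
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544
'@ | Set-Content -Path $template -Encoding Unicode

secedit /configure /db $db /cfg $template /areas USER_RIGHTS | Out-Null

# 3. Verify by exporting the effective user rights and showing the two lines.
#    Anything other than *S-1-5-32-544 on these lines means the change did not take.
$export = Join-Path $env:TEMP 'rights-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
Select-String -Path $export -Pattern '^Se(Remote)?ShutdownPrivilege' |
    ForEach-Object { $_.Line }

Remove-Item $template, $db, $export -ErrorAction SilentlyContinue
```

Test it as a non-administrator afterwards: `shutdown /r /t 0` in that user's session should fail with "A required privilege is not held by the client", which confirms the user right rather than the menu is doing the work.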
If the user experience is poor when RDP is deployed, users will find ways around the bottleneck, including risky ones such as emailing files to their personal accounts. Tune performance in Group Policy at the following location.
1. Go to ‘Computer Configuration’.
2. Go to ‘Administrative Templates’.
3. Go to ‘Windows Components’.
4. Go to ‘Remote Desktop Services’.
5. Go to ‘Remote Desktop Session Host’.
6. Go to ‘Remote Session Environment’.
Then adjust the following settings:
- Limit maximum color depth = 15 bits
- Enforce removal of Remote Desktop wallpaper = Enabled
- Optimize visual experience when using RemoteFX = screen capture rate: lowest, image quality: lowest
- Set compression algorithm for RDP data = Optimized to use less network bandwidth
- Optimize visual experience for Remote Desktop Services sessions = visual experience: Text
- Configure image quality for RemoteFX Adaptive Graphics = Medium
- Configure RemoteFX Adaptive Graphics = Optimize for minimum bandwidth usage
Under 'Device and Resource Redirection', restrict clipboard redirection, drive redirection, LPT port redirection and whatever else is appropriate for your company; each of these is a path for data to leave the session or for malware to enter it. Under 'Printer Redirection' you can still allow users to redirect printing to their local computer. Printers attached to the client over USB generally cause no major problems with remote printing.
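As an added example (not code from the original article), the PowerShell below sets the machine-wide policy values behind 'Device and Resource Redirection' and 'Printer Redirection' in the way the paragraph above recommends: clipboard, drive, COM, LPT and Plug and Play redirection are blocked while printer redirection stays enabled, and the result is read back. It assumes it is run elevated on the session host; confirm the effective policy afterwards with gpresult /h or gpedit.msc.

```powershell
# Added example, not code from the original article. Run elevated on the
# session host. These are the registry values the Group Policy settings
# write; new sessions pick them up at logon.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $pol -Force | Out-Null

# 1 = the "Do not allow ... redirection" policy is Enabled, 0 = Disabled.
$redirection = [ordered]@{
    fDisableClip     = 1   # clipboard: stops copy/paste exfiltration and pasting in payloads
    fDisableCdm      = 1   # client drives: no \\tsclient\C mapped into the session
    fDisableCcm      = 1   # COM ports
    fDisableLPT      = 1   # LPT ports
    fDisablePNPRedir = 1   # supported Plug and Play devices (USB storage and similar)
    fDisableCpm      = 0   # printers: keep local printing working
}
foreach ($entry in $redirection.GetEnumerator()) {
    Set-ItemProperty -Path $pol -Name $entry.Key -Type DWord -Value $entry.Value
}

# Read back exactly what the listener will enforce.
function Get-RedirectionPolicy {
    $p = Get-ItemProperty -Path $pol
    foreach ($name in $redirection.Keys) {
        [pscustomobject]@{
            Policy  = $name
            Blocked = ($p.$name -eq 1)
        }
    }
}
Get-RedirectionPolicy | Format-Table -AutoSize
```

Drive and clipboard redirection are the two most often abused for data theft from a session host, so if you relax anything for usability, relax COM/LPT first and leave those two blocked.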
SSL/TLS settings
When configuring SSL and TLS on the server, pay attention to the RDP server's own settings: incorrect TLS settings can lock users out. In particular, if TLS 1.0 is disabled on a Windows 7 or Server 2008 system, the RDP client must be updated to RDP 8.1.
For Server 2008 R2, a patch is required before RDP can use TLS 1.1 or 1.2: install KB3080079 first. Then set a Group Policy object that, through the SCHANNEL registry keys, disables SSL 2.0, SSL 3.0 and TLS 1.0 and explicitly enables TLS 1.1 and 1.2 for both the Server and Client settings.
You can use IIS Crypto to set and review the TLS settings. If an RD Gateway is used, review its TLS configuration with an external TLS scanning service, since that is the surface an attacker sees. Review KB245030 for how to restrict the protocols and cipher suites in use in your organisation.
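As an added example (not code from the original article), the PowerShell below writes the SCHANNEL registry values a GPO for the settings above would set, disabling SSL 2.0, SSL 3.0 and TLS 1.0 and enabling TLS 1.1 and 1.2 for both the Server and Client side, forces the RDP listener to the TLS security layer with High encryption, and then reads everything back in one table. It assumes KB3080079 is already installed on any Server 2008 R2 or Windows 7 host and that it is run elevated; SCHANNEL changes take effect after a reboot.

```powershell
# Added example, not code from the original article. Writes the SCHANNEL
# values (disable SSL 2.0/3.0 and TLS 1.0, enable TLS 1.1/1.2, Server and
# Client side), forces the RDP listener to TLS with High encryption, and
# reads everything back. Assumes KB3080079 is already installed on Server
# 2008 R2 / Windows 7: without it the RDP service has no TLS 1.1/1.2 and
# disabling TLS 1.0 locks every client out. Reboot afterwards. Run elevated.

$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "$Name\$side"
        New-Item -Path $key -Force | Out-Null
        # Enabled=0 turns the protocol off outright; DisabledByDefault=1 keeps it
        # out of negotiation even for callers that do not ask for it explicitly.
        Set-ItemProperty -Path $key -Name Enabled           -Type DWord -Value ([int]$Enabled)
        Set-ItemProperty -Path $key -Name DisabledByDefault -Type DWord -Value ([int](-not $Enabled))
    }
}

foreach ($entry in $protocols.GetEnumerator()) {
    Set-SchannelProtocol -Name $entry.Key -Enabled $entry.Value
}

# RDP listener: SecurityLayer 2 = TLS (0 = legacy RDP encryption, 1 = negotiate);
# MinEncryptionLevel 3 = High (1 = Low, 2 = Client Compatible, 4 = FIPS).
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdp -Name SecurityLayer      -Type DWord -Value 2
Set-ItemProperty -Path $rdp -Name MinEncryptionLevel -Type DWord -Value 3

# Review: one row per protocol and side, then the listener settings.
function Get-SchannelState {
    foreach ($name in $protocols.Keys) {
        foreach ($side in 'Server', 'Client') {
            $p = Get-ItemProperty -Path (Join-Path $schannel "$name\$side")
            [pscustomobject]@{
                Protocol          = $name
                Side              = $side
                Enabled           = $p.Enabled
                DisabledByDefault = $p.DisabledByDefault
            }
        }
    }
}
Get-SchannelState | Format-Table -AutoSize
Get-ItemProperty -Path $rdp | Select-Object SecurityLayer, MinEncryptionLevel
```

Apply this to one host and test an RDP connection from each client type you support before rolling it out: a client that cannot do TLS 1.1 or better will be refused at the security-layer handshake, which is exactly the lockout the text warns about.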