June 14, 2013

RDP security on WIN7 and WIN8 (memo)

The other day I bought a new notebook and a desktop in Hong Kong.

The notebook came with WIN8; the desktop came without an OS, so I installed a WIN8 image I found somewhere online that could be restored with GHOST and used right away.

Anyway, it feels like I was suddenly dragged into a WIN8 environment. lol

Since the desktop will mainly be used over RDP, I tried fiddling with the RDP settings, but somehow it just wouldn't work. I found a well-written explanatory site online, so I'm posting it on my blog as a memo. Incidentally, according to that site, changing the RDP port requires not only the registry change but also adding the port to the firewall. Come to think of it, it was the same back in the XP days, but the WIN7/WIN8 settings differ quite a bit from XP, so it took me a lot of effort to find this.

Securing remote desktop on Windows 8 and Windows 7 – JKB: Tech & Security


This tutorial will outline a few simple steps to secure the Windows Remote Desktop Protocol on Windows 7 and Windows 8. The tutorial is divided up into 5 parts which are independent, so if you only require help with one of these parts you may freely skip to that part that takes your interest.

Part 1

Enable remote desktop and give remote access to specific user(s).

1. Open advanced system properties

Windows 8

  • Windows button + X
  • Choose “System”
  • Then choose “Advanced system properties”

Windows 7

  • Click start
  • Right click “Computer”
  • Choose “Advanced System Properties”

2. Choose the “Remote” tab

3. Under “Remote Assistance” deselect “Allow Remote Assistance connections to this computer” unless you would like to have the option to invite other people to access your PC.

4. Under “Remote Desktop” select:

  • Windows 8: “Allow remote connections to this computer” and also tick the box “Allow connections only from computers running Remote Desktop with Network Level Authentication”
  • Windows 7: “Allow connections only from computers running Remote Desktop with Network Level Authentication”. Notice: the above settings may prevent older Windows systems from connecting (Windows 2000, Windows XP and Windows Server 2003).

5. Under “Remote Desktop” click “Select Users…” and click on the “Add” button. Type in your username and click “Check”. Then confirm with Ok. This will give your user the right to connect using remote desktop.

6. Close System properties and return to the desktop.

Part 2

Configuring the local security policy for remote desktop

1. Press Windows button + R to bring up the run command window
2. Type in secpol.msc and press enter
3. Under Security settings expand “Local Policies”
4. Click on “User Rights Assignment”
5. Double click “Allow log on through Remote Desktop Services”
6. Remove “Administrators” from this window and click ok. This way only users added to the Remote Desktop Users group will be able to access this PC remotely. We added our user to this group in Part 1, step 5.

7. Under Local Policies (in the folder tree to the left) click on “Audit Policy”, then open “Audit logon events”. Check both Success and Failure and click ok. Our machine will now log every logon attempt, whether via a terminal, remote desktop or the actual machine itself. The logs can be checked in the Windows Event Viewer (right-click Computer and click Manage, expand “Event Viewer”, “Windows Logs” and choose “Security”).

8. You can now close the Local Security Policy window.
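Step 7 turns on the auditing but leaves reading the Security log to you. The script below is an added example, not part of the JKB tutorial: it summarises the failed logons that auditing records (event 4625), grouped by source address, so a string of attempts against the RDP listener stands out. The `-Hours` and `-Threshold` values are assumptions; it runs from an elevated PowerShell prompt on both Windows 7 (PowerShell 2.0) and Windows 8.

```powershell
# Added example (not from the JKB tutorial): summarise the failed logons that
# the "Audit logon events" setting from Part 2, step 7 writes to the Security
# log, grouped by source address. Run from an elevated PowerShell prompt;
# written for the Windows 7 default PowerShell 2.0 as well as Windows 8.
#   Event ID 4625 = "An account failed to log on"
#   LogonType 10  = RemoteInteractive (classic RDP logon)
#   LogonType 3   = Network; with NLA enabled a wrong RDP password is usually
#                   rejected at the CredSSP stage and logged this way instead.
param(
    [int]$Hours     = 24,  # assumed value: how far back to look
    [int]$Threshold = 5    # assumed value: failures per source before warning
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The interesting fields live in EventData; pull them out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    if ((3, 10) -contains [int]$data['LogonType']) {
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            User      = $data['TargetUserName']
            LogonType = [int]$data['LogonType']
            SourceIp  = $data['IpAddress']
            Status    = $data['Status']      # 0xC000006D = unknown user name or bad password
        }
    }
}

# One line per source address: how many failures and which account names were tried.
$summary = $rows | Group-Object SourceIp | Sort-Object Count -Descending | ForEach-Object {
    New-Object PSObject -Property @{
        SourceIp = $_.Name
        Failures = $_.Count
        Users    = ($_.Group | Select-Object -ExpandProperty User -Unique) -join ','
    }
}

$summary | Format-Table SourceIp, Failures, Users -AutoSize

foreach ($s in $summary) {
    if ($s.Failures -ge $Threshold) {
        Write-Warning ("{0} failed RDP logons from {1} in the last {2} hours (accounts tried: {3})" `
                       -f $s.Failures, $s.SourceIp, $Hours, $s.Users)
    }
}
```

Many failures from one address against several account names is the pattern to look for; a handful from your own LAN address is usually a mistyped password. Both logon types are included because once Network Level Authentication is on (Part 3, step 9) the failure is recorded before a desktop session exists and therefore shows up as LogonType 3 rather than 10.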

Part 3

Configuring advanced remote desktop settings

1. Open the run command dialog (Windows button + R)
2. Type gpedit.msc and press Enter
3. Go down the following path in the tree hierarchy: Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host
4. Choose “Security”
5. Open “Set client connection encryption level” and choose “High Level”, click ok
6. Open “Always prompt for password upon connection”, set to enabled and click ok
7. Open “Require secure RPC communication”, set to enabled and click ok
8. Open “Require use of specific security layer for remote (RDP) connections”, set to enabled and select “SSL (TLS 1.0)” in the drop down menu. Click ok
9. Open “Require User Authentication for remote connections by using Network Level Authentication”, set to enabled, and click ok.
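Parts 1 to 3 are all set through dialogs, so there is no single place to see whether everything took effect. The script below is an added example, not part of the JKB tutorial: it reads the effective settings of the RDP-Tcp listener through WMI, the policy values that gpedit.msc writes under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services`, and the exported user-rights assignment, and prints a PASS/FAIL line per setting. The check names and the temporary file name are my own; run it from an elevated prompt.

```powershell
# Added example, not part of the JKB tutorial: read back what Parts 1 to 3
# configured so the result can be verified (or audited on several machines)
# without clicking through secpol.msc and gpedit.msc. Run elevated; works on
# Windows 7 and Windows 8.

# Effective settings of the RDP-Tcp listener, whichever source (GUI or policy) set them.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                    -Filter "TerminalName='RDP-Tcp'"

# Values the Group Policy editor writes for the Part 3 settings. A missing value
# means "Not configured", i.e. the listener default applies.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
function Get-PolicyValue([string]$Name) {
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { $item.$Name } else { $null }
}

# User right "Allow log on through Remote Desktop Services" (Part 2, step 6):
# export the local policy and look for the built-in Administrators SID
# (S-1-5-32-544), which that step removed. The file name is an assumption.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$right = Select-String -Path $inf -Pattern '^SeRemoteInteractiveLogonRight' | Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue
$adminsRemoved = ($right -ne $null) -and ($right.Line -notmatch 'S-1-5-32-544')

# Part 1: fDenyTSConnections = 0 means "Allow remote connections" is ticked.
$fDeny = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections

$checks = @(
    @{ Name = 'Part 1: Remote Desktop enabled (fDenyTSConnections = 0)';         Ok = ($fDeny -eq 0) },
    @{ Name = 'Part 1/3: NLA required (UserAuthenticationRequired = 1)';          Ok = ($ts.UserAuthenticationRequired -eq 1) },
    @{ Name = 'Part 2: Administrators removed from the RDP logon right';          Ok = $adminsRemoved },
    @{ Name = 'Part 3: security layer SSL/TLS (SecurityLayer = 2)';               Ok = ($ts.SecurityLayer -eq 2) },
    @{ Name = 'Part 3: encryption level High or FIPS (MinEncryptionLevel >= 3)';  Ok = ($ts.MinEncryptionLevel -ge 3) },
    @{ Name = 'Part 3: always prompt for password (fPromptForPassword = 1)';      Ok = ((Get-PolicyValue 'fPromptForPassword') -eq 1) },
    @{ Name = 'Part 3: require secure RPC (fEncryptRPCTraffic = 1)';             Ok = ((Get-PolicyValue 'fEncryptRPCTraffic') -eq 1) }
)

foreach ($c in $checks) {
    $state = if ($c.Ok) { 'PASS' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $state, $c.Name)
}
```

The listener values come from WMI rather than the registry because they reflect whatever actually won between the System Properties dialog and local policy; the two password/RPC settings have no WMI counterpart, so those are read from the policy key directly.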

Part 4

How to change the remote desktop port number.

The reason for this change is that most would-be attackers port scan a range of IP addresses looking for port 3389. For a normal consumer our threat model is kids who are just having a play, or perhaps someone who will do damage if they gain access. A targeted attack on our home is unlikely for most normal citizens.

To change the standard port number of 3389 to one of our choosing we need to open the registry editor.

Choosing a port number: any number from 8000 to 65535 would be optimal, although you can choose almost any number up to 65535 if you wish.

1. Windows + R

2. Type regedit and press Enter

3. Drill down the registry to the following key, RDP-Tcp:

  • HKEY_LOCAL_MACHINE>
  • SYSTEM>
  • CurrentControlSet>
  • Control>
  • Terminal Server>
  • WinStations>
  • RDP-Tcp

4. In the window on the right-hand side you will see an entry called “PortNumber”

Tip: Click in the right-hand window and type “PO” on the keyboard to jump to the entry.

5. Double click this entry, choose “Decimal” as the Base, type in your desired port number and click ok


Part 5

Allowing the new port number through the Windows Firewall.

Open up the Windows firewall either from the control panel or via a search command box

Windows 8: Windows button + W and search for “Settings”

Windows 7: Press start and type in the search box

1. Click “Advanced settings” in the Windows Firewall dialog window
2. Select “Inbound rules” in the pane to the left
3. Select “New rule” in the pane to the right
4. Select “Port”
5. Select “TCP” and “Specific local ports” and type in the port number you chose in Part 4
6. Click Next
7. Make sure “Allow this connection” is selected, click next
8. In “When does this rule apply”, tick all the boxes if you are unsure and click next.
9. Give the rule a name. I chose “RDP Custom port number”. I also gave it a short description so I know what I have done.
10. Click finish
11. Restart your computer to complete the port change

IMPORTANT: You must forward your chosen port number through your router to your desired PC. It would therefore be useful to give your desktop a static internal IP address.
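Parts 4 and 5 are the two halves that have to go together (the registry change alone is what left the author's RDP unreachable). The script below is an added example, not the JKB tutorial's own: it writes the `PortNumber` value, adds the inbound firewall rule under the same name the tutorial uses, and then reads both back to confirm they agree. The port 33890 is an assumed default; pass your own with `-NewPort`. It runs from an elevated PowerShell prompt on Windows 7 and 8.

```powershell
# Added example, not the JKB tutorial's own: Parts 4 and 5 as one script, with a
# check at the end. 33890 is an assumed port; pass your own with -NewPort.
# Run from an elevated PowerShell prompt. The listener only moves to the new
# port after a reboot (step 11), so until then RDP still answers on the old one.
param(
    [ValidateRange(1024, 65535)]
    [int]$NewPort = 33890
)

$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$ruleName    = 'RDP Custom port number'   # the name the tutorial uses in Part 5, step 9

# Part 4: the PortNumber value, stored as a DWORD (what the GUI's "Decimal" base writes).
$oldPort = (Get-ItemProperty -Path $listenerKey -Name PortNumber).PortNumber
Set-ItemProperty -Path $listenerKey -Name PortNumber -Value $NewPort -Type DWord

# Part 5: inbound allow rule for the new port. netsh is used because it exists
# on Windows 7 as well; New-NetFirewallRule only arrived with Windows 8.
# profile=any matches "tick all the boxes"; profile=private,domain is tighter
# if the PC never needs to be reached from a network marked Public.
netsh advfirewall firewall delete rule name="$ruleName" | Out-Null   # makes re-runs idempotent
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow `
      protocol=TCP localport=$NewPort profile=any `
      description="Remote Desktop on custom port $NewPort (added by script)" | Out-Null

# Verify both halves: the registry value is in place and a rule allows TCP/$NewPort.
$nowPort  = (Get-ItemProperty -Path $listenerKey -Name PortNumber).PortNumber
$ruleText = netsh advfirewall firewall show rule name="$ruleName"
$ruleOk   = ($ruleText -match "LocalPort:\s+$NewPort\s*$") -and ($ruleText -match 'Action:\s+Allow')

if ($nowPort -eq $NewPort -and $ruleOk) {
    Write-Output "PortNumber changed $oldPort -> $NewPort; firewall rule '$ruleName' allows TCP $NewPort."
    Write-Output "Reboot to apply, then confirm the listener with: netstat -ano | findstr :$NewPort"
} else {
    Write-Warning "Verification failed (registry = $nowPort, rule present = $ruleOk); check the steps above."
}
```

The built-in “Remote Desktop (TCP-In)” rule for 3389 is left alone here, as the tutorial does; after the reboot nothing listens on 3389 any more, so that rule allows traffic to a closed port. The router forwarding in the IMPORTANT note above still has to point at the new port.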

Part 6

Connecting to your PC via remote desktop

1. Open the Remote Desktop Connection utility. In the “Computer” field type in your IP and your port number, like this:

  • IP:PORT – 192.168.1.2:1111
  • If you are outside your internal LAN you will need to use your external IP address instead of your internal IP address

That’s it. I hope you feel more secure now when connecting using the Microsoft Remote Desktop Protocol.

Jack.



Written by カガヤキ in: Windows 7, Windows 8, PC, Miscellaneous