This tutorial will outline a few simple steps to secure the Windows Remote Desktop Protocol on Windows 7 and Windows 8. The tutorial is divided up into 5 parts which are independent, so if you only require help with one of these parts you may freely skip to the part that interests you.
Part 1
Enable remote desktop and give remote access to specific user(s).
1. Open advanced system properties
Windows 8
- Windows button + X
- Choose “System”
- Then choose “Advanced system properties”
Windows 7
- Click start
- Right click “Computer”
- Choose “Advanced System Properties”
2. Choose the “Remote” tab
3. Under “Remote Assistance” deselect “Allow Remote Assistance connections to this computer” unless you would like to have the option to invite other people to access your PC.
4. Under “Remote Desktop” select:
- Windows 8: “Allow remote connections to this computer” and also tick the box “Allow connections only from computers running Remote Desktop with Network Level Authentication”
- Windows 7: “Allow connections only from computers running Remote Desktop with Network Level Authentication”
Notice: The above settings may prevent older Windows systems from connecting (Windows 2000, Windows XP and Windows Server 2003).
5. Under “Remote Desktop” click “Select Users…” and click on the “Add” button. Type in your username and click “Check Names”. Then confirm with OK. This will give your user the right to connect using Remote Desktop.
6. Close System properties and return to the desktop.
Part 2
Configuring the local security policy for remote desktop
1. Press Windows button + R to bring up the run command window
2. Type in secpol.msc and press enter
3. Under Security settings expand “Local Policies”
4. Click on “User Rights Assignment”
5. Double click “Allow log on through Remote Desktop Services”
6. Remove “Administrators” from this window and click OK. This way only users added to the Remote Desktop Users group will be able to access this PC remotely. We added our user to this group in Part 1, step 5.
7. Under Local Policies (in the folder tree to the left) click on “Audit Policy”, then open “Audit logon events”. Check both Success and Failure and click OK. Our machine will now log every attempt to log in, whether via a terminal, Remote Desktop or the actual machine itself. The logs can be checked in the Windows Event Viewer (right click Computer and click Manage, expand “Event Viewer”, “Windows Logs” and choose “Security”).
8. You can now close the Local Security Policy window.
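The audit setting from step 7 and the Security log review it enables can also be done from an elevated PowerShell prompt. This is an added example, not code from the original tutorial; it enables logon auditing, then reports RDP logon attempts from the Security log (event 4624 = success, 4625 = failure) grouped by source address so that a run of failures from one address stands out.

```powershell
# Added example (not from the original tutorial). Run as Administrator.

# Step 7 equivalent: audit both successful and failed logon events.
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable

function Get-RdpLogonEvents {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields (LogonType, TargetUserName, IpAddress, ...).
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        # LogonType 10 = RemoteInteractive (an RDP session). With NLA enabled a bad
        # password is rejected before a session exists, so the 4625 is logged as a
        # network logon (type 3); such failures may also include non-RDP sources.
        $isRdp = ($d.LogonType -eq '10') -or ($e.Id -eq 4625 -and $d.LogonType -eq '3')
        if (-not $isRdp) { continue }
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Result    = $(if ($e.Id -eq 4624) { 'success' } else { 'failure' })
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            SourceIp  = $d.IpAddress
            LogonType = $d.LogonType
        }
    }
}

# Failures per source address over the last day: many from one address is password guessing.
Get-RdpLogonEvents -Hours 24 |
    Where-Object { $_.Result -eq 'failure' } |
    Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name
```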
Part 3
Configuring advanced remote desktop settings
1. Open the run command dialog (Windows button + R)
2. Type gpedit.msc and press Enter
3. Go down the following path in the tree hierarchy: Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host
4. Choose “Security”
5. Open “Set client connection encryption level” and choose “High Level”, click ok
6. Open “Always prompt for password upon connection”, set to enabled and click ok
7. Open “Require secure RPC communication”, set to enabled and click ok
8. Open “Require use of specific security layer for remote (RDP) connections”, set to enabled and select “SSL (TLS 1.0)” in the drop down menu. Click ok
9. Open “Require User Authentication for remote connections by using Network Level Authentication”, set to enabled, and click ok.
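The same settings from Part 1 (steps 3 to 5) and Part 3 (steps 5 to 9) can be applied and then verified from an elevated PowerShell prompt, which is useful when you have more than one machine to harden. This is an added example, not code from the original tutorial; the registry values are the ones the listed Group Policy items write, and the account name alice is a placeholder.

```powershell
# Added example (not from the original tutorial). Run as Administrator on Windows 7/8.
$tsBase   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp   = "$tsBase\WinStations\RDP-Tcp"
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$raKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

# Part 1 steps 3-4: disable Remote Assistance, enable Remote Desktop, require NLA.
Set-ItemProperty -Path $raKey  -Name fAllowToGetHelp    -Value 0 -Type DWord
Set-ItemProperty -Path $tsBase -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord

# Part 1 step 5: RDP rights come from membership of the Remote Desktop Users group.
net localgroup "Remote Desktop Users" alice /add

# Part 3 steps 5-9: the values the Group Policy items write under the policy key.
$policy = @{
    MinEncryptionLevel = 3   # "High Level" client connection encryption
    fPromptForPassword = 1   # always prompt for password upon connection
    fEncryptRPCTraffic = 1   # require secure RPC communication
    SecurityLayer      = 2   # "SSL (TLS 1.0)" security layer; the TLS version actually
                             # negotiated is governed by Schannel, not by this value
    UserAuthentication = 1   # require NLA for remote connections
}
if (-not (Test-Path $tsPolicy)) { New-Item -Path $tsPolicy -Force | Out-Null }
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $tsPolicy -Name $name -Value $policy[$name] -Type DWord
}

# Verification: prints one line per value that does not match the intended state and
# nothing when all is well. The listener picks the values up for new sessions after a reboot.
function Test-RdpHardening {
    $checks = @(
        @{ Path = $raKey;  Name = 'fAllowToGetHelp';    Want = 0 },
        @{ Path = $tsBase; Name = 'fDenyTSConnections'; Want = 0 },
        @{ Path = $rdpTcp; Name = 'UserAuthentication'; Want = 1 }
    )
    foreach ($n in $policy.Keys) { $checks += @{ Path = $tsPolicy; Name = $n; Want = $policy[$n] } }
    foreach ($c in $checks) {
        $have = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($have -ne $c.Want) { "MISMATCH $($c.Name): have '$have', want $($c.Want)" }
    }
}
Test-RdpHardening
```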
Part 4
How to change the remote desktop port number.
The reason for this change is that most would-be attackers port scan a range of IP addresses looking for port 3389. For a normal consumer we would evaluate our threat base as kids who are just having a play, or maybe someone who will do damage if they gain access. A targeted attack on our home is unlikely for most normal citizens.
To change the standard port number of 3389 to one of our choosing we need to open the registry editor.
Choosing a port number: any number from 8000 to 65535 would be optimal; however, you can choose almost any number up to 65535 if you wish.
1. Windows + R
2. Type regedit and press Enter
3. Drill down the registry tree to RDP-Tcp:
- HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp
4. In the pane on the right hand side you will see an entry called “PortNumber”
Tip: Click in the right hand pane and type “PO” on the keyboard to jump to the entry.
5. Double click this entry, choose “Decimal” as the Base, type in your desired port number and click OK
Part 5
Allowing the new port number through the Windows Firewall.
Open up the Windows Firewall either from the Control Panel or via the search box:
Windows 8: Windows button + W and search for “Settings”
Windows 7: Press Start and type in the search box
1. Click “Advanced settings” in the Windows Firewall dialog window
2. Select “Inbound rules” in the pane to the left
3. Select “New rule” in the pane to the right
4. Select “Port”
5. Select “TCP” and “Specific local ports” and type in the port number you chose in Part 4
6. Click Next
7. Make sure “Allow this connection” is selected, click next
8. In “When does this rule apply”, tick all the boxes if you are unsure and click next.
9. Give the rule a name. I chose “RDP Custom port number”. I also gave it a short description so I know what I have done.
10. Click finish
11. Restart your computer to complete the port change
IMPORTANT: You must forward your chosen port number through your router to your desired PC. It would therefore be useful to give your desktop a static internal IP address.
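Parts 4 and 5 together, as an added example that is not code from the original tutorial: it first checks that the chosen port is not already in use (a listener on the same port would break remote access after the reboot), sets the RDP listener port, adds the inbound firewall rule, and provides a check to run after the reboot to confirm that the listener moved and port 3389 is closed. The port 1111 is a placeholder; netsh is used because New-NetFirewallRule does not exist on Windows 7.

```powershell
# Added example (not from the original tutorial). Run as Administrator.
$NewPort = 1111   # placeholder: use the port you chose in Part 4
$rdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Refuse to proceed if anything already has this TCP port open.
$inUse = netstat -ano -p TCP | Select-String ":$NewPort\s"
if ($inUse) { throw "TCP port $NewPort is already in use:`n$($inUse -join "`n")" }

# Part 4 step 5: point the RDP listener at the new port.
Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $NewPort -Type DWord

# Part 5 steps 1-10: inbound allow rule for the new port on all profiles.
netsh advfirewall firewall add rule 'name=RDP Custom port number' dir=in action=allow `
    protocol=TCP "localport=$NewPort" profile=any `
    'description=Inbound RDP on the non-default port chosen in Part 4'

# Part 5 step 11: reboot, then run Test-RdpPort -Port 1111 to confirm the change.
function Test-RdpPort {
    param([int]$Port)
    $listening = netstat -ano -p TCP | Select-String 'LISTENING'
    New-Object PSObject -Property @{
        NewPortListening     = [bool]($listening | Select-String ":$Port\s")
        DefaultPortListening = [bool]($listening | Select-String ':3389\s')  # should be False
    }
}
```

If DefaultPortListening is still True after the reboot, the PortNumber value was not applied to the RDP-Tcp listener and the registry path should be rechecked.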
Part 6
Connecting to your PC via remote desktop
1. Open the Remote Desktop Connection utility. In the “Computer” field type in your IP and your port number, like this:
- IP:PORT – 192.168.1.2:1111
- If you are outside your internal LAN you will need to use your external IP address instead of your internal IP address
That’s it. I hope you feel more secure now when connecting using the Microsoft Remote Desktop Protocol.
Jack.