Windows Remote Desktop Protocol (RDP)

Use of strong passwords is HIGHLY suggested on any user accounts with access to RDP. This is a required consideration before enabling RDP on any system. We also suggest using a sentence or phrase familiar to the user that incorporates minimum complexity standards. At a minimum, following Microsoft’s complexity guidelines should be required. The guidelines require a password over 7 characters containing three of the four character types: 

• Uppercase
• Lowercase
• Numbers
• Special Characters

Click here for our Password Policy & Best Practices.

One small advantage of using Windows RDP, rather than 3^rd party remote tools, is that components are automatically updated to the latest security fixes in the standard Microsoft patch cycle. Care will need to be made to ensure that both clients and servers are running the latest versions of the software by enabling and auditing Microsoft Updates. Desktop clients on other platforms (non-Windows) should only be allowed if they are still supported and the client has the latest version of that software, as older and unsupported versions may not support higher encryption methods, or may have other security flaws. Ensure updates are run at least monthly on all servers in the farm.

Currently supported version of the Windows Operating System provide Network Level Authentication (NLA) by default. It is highly recommended to leave this configured, as NLA provides an extra level of authentication before a connection is established. RDP should only be configured to allow connections without NLA if using client software on other platforms that don’t support it.

By default, all Administrators can log in through RDP. If there are multiple administrator accounts on the computer, care should be taken to limit access only to those accounts that need it. It is recommended that the local administrator account be removed from RDP access and a technical group be added instead. Although both a password convention to avoid identical local admin passwords on the local machine and tightly controlling access to these passwords or conventions is recommended, using a local admin account to work on a machine remotely does not properly log and identify the user using the system.

By setting your computer to lock an account for a period of time after a number of incorrect guesses, you will help prevent hackers from using automated password guessing tools from gaining access to your system (this is known as a "brute-force" attack). 3 – 5 invalid attempts with a 15-minute lockout duration is a reasonable option.

Restricting access using RDP Gateways or firewalls and tunneling RDP connections through IPSec or SSH are a few ways to provide additional security for RDP connections. Changing the default listening port is often suggested as an additional security measure that can be taken. While this measure can slow down a small number of people that are attempting to thwart server security, it is largely ineffective in today’s world. Malicious users generally do port scans on targeted networks to identify open ports and what programs are listening on those ports.

One of the more effective methods to better secure RDP is to establish some form of two-factor authentication, particularly on mission critical systems, or those with highly sensitive information. This method of securing connections does have a much higher cost for implementation and continued maintenance.

Here some additional security options:

• Rename administrator account in both local and domain environments.
• Limit access to only those requiring access. Do not allow administrator access.
• Lockout policy should be a minimum of 3 invalid with 15 minute duration.
• Restrict access to the farm through an RDP gateway residing in a DMZ and utilizing SSL. VPN access is another suggested method of access. Never expose the farm directly to the Internet.
• If possible, limit access to the farm based on IP ACL.
• If possible create deny ACL’s based on country.
  • If you don’t have foreign workers, why allow access from foreign countries?
• Utilize token or certificate based authentication in addition to username/password.
• Security layer should be SSL (TLS 1.2) and required encryption.
• Install and configure Intrusion Detection/Prevention Systems (IDS/IPS) that are RDP-aware.
• Have alerting in place for locked-out accounts and invalid login attempts.