With remote working becoming increasingly popular and cybercrime at its highest level, IT professionals and software companies need to ensure that Remote Desktop Servers are set up securely, ensuring clients are given the best available protection.
Change default ports
Some hackers scan the internet looking for common ports that can be accessed. They use specialist software or scripts to generate lists of servers to attack, then run login scripts to try combinations of the most common usernames and passwords.
Changing the port makes it harder for basic scanning tools to realise the port open is Remote Desktop.
There are a couple of ways to do this. Firstly, if you are not using a VPN and have open ports on your router firewall, do not use port 3389 as your external port. Instead, change it to a random number to hide the connection. If you are using a VPN or looking to protect an internal network you should look to change the port being used directly on the server.
How to change your RDS port
- Start Registry Editor.
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber.
- On the Edit menu, click Modify, and then click Decimal.
- Type the new port number, and then click OK.
- Quit Registry Editor.
- Restart the computer.
VPN access is secure by design – you can use a username and password, secret keys and client certificates to protect access to your network and servers. This ensures that your remote desktop servers won’t need to have open RDS ports accessible on the internet.
Keep servers updated
It’s best practice to regularly patch your servers and desktops. This prevents hackers using exploits to gain access to your system and ensures you are using the most secure version of the software.
Using strong passwords
Enforcing strong passwords is paramount for security before any user is enabled for remote access this should be checked as a requirement.
A strong password consists of at least eight characters that are a combination of letters (both upper and lowercase), numbers and symbols.
Installing an SSL certificate on your server will mean that there is an additional check to verify the identity of the server that is being connected to. This prevents MITM (Man in the Middle) attempts to steal information.
Specialist software to protect terminal servers exists. RDP Guard works on the basis of Fail2Ban. The software checks the event log for failed attempts and then blocks the network IP on the local firewall. This is a must-have if for some reason a VPN is not in use or you want to protect your server from a local network brute force attack.
Enable network level authentication
NLA gives another level of authentication and is turned on by default in Windows Server 2008 and above. Another benefit of this is that it doesn’t allow sessions to be created until a successful login has occurred, saving server resources.
Two-Factor Authentication (2FA)
Two-Factor Authentication software such as Duo can further enhance your security. With 2FA enabled you have another layer of authentication added to your Remote Desktop Server. The great thing about 2FA is that the passwords will be constantly changing making it almost impossible to access via a brute force attempt.
Securing terminal servers is extremely important as they are big targets for cybercriminals and have even been used to spread ransomware.
Using the methods provided will help you achieve a more secure RDS meaning better performance and lowering the risk of an attacker gaining access to your network.