How to make our internal network secure for remote access. We are enabling RDP for remote access, by the way. There are numerous security risks while using RDP. So how can RDP be made secure? How can I configure RDP to use a different port than 3389?

Asked by shkv, 2023-01-27 (9 upvotes, 6 answers)

What do you mean by "for remote access"?
Do you mean from the internet generally? From company-managed devices on the internet? From known specific third parties?

External communications should be secured using VPN. For remote users, a remote access VPN; for third parties, a site-to-site VPN.
RDP should not be exposed directly (do not port forward on a firewall to the internet). You could use RD Web gateway but I would still provide via VPN.
If you really must provide it over web to remote users then use HTTPS and use 2-factor login to the web RD gateway.

No need to change the RDP port as it is only available internally. Host firewalls should have an appropriate rule, e.g. only allow RDP from the LAN subnet (if actually required) and from the VPN subnets.

RDP should require NLA (valid certificates from an internal CA) and all the other usual hardening.

Answer by matt7863, 2023-01-27 (3 upvotes)

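The host-side controls described in the answer above (RDP allowed only from the LAN and VPN subnets, NLA required), as an added example that is not part of the original thread. The two subnets are constructed placeholders, and the 'Remote Desktop' rule group name assumes an English-language Windows install.

```powershell
# Added example: audit RDP exposure on one Windows host, then optionally restrict it.
# Run elevated. Without -Apply the script only reports and changes nothing.
param([switch]$Apply)

# Constructed placeholder ranges (assumptions): replace with your own subnets.
$AllowedSubnets = @('10.0.0.0/24',   # LAN subnet
                    '10.8.0.0/24')   # VPN client subnet
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Audit NLA: UserAuthentication = 1 means NLA is required before a session starts.
$nla = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication).UserAuthentication
'NLA required: {0}' -f ($nla -eq 1)

# 2. Audit the firewall: every enabled inbound allow rule that names TCP 3389,
#    with the remote addresses it accepts. 'Any' here means the rule is unscoped.
#    (Rules that cover 3389 through a port range or 'Any' are not matched.)
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    } | Format-Table -AutoSize

if ($Apply) {
    # 3. Require NLA.
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1

    # 4. Scope the built-in Remote Desktop rules to the LAN and VPN subnets only.
    #    Other rules listed in step 2 are left alone and need their own review.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -RemoteAddress $AllowedSubnets
}
```

In a domain, the same two settings are normally pushed through Group Policy rather than set host by host, and a policy value takes precedence over the local one.
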
As previously posted, you can use VPN or RD Gateway. Note that RD Web does something different.

If you use VPN, that might be a little harder for your users to use, and then you should take proper care to only let RDP traffic through the VPN. Keep up with the VPN patches.

RD Gateway works very well, but requires a Windows server. It also needs to be patched monthly.

Whichever route you take, you should enable MFA and account lockout policies.

Answer by kevinhsieh, 2023-01-27 (3 upvotes)

Appreciate your response. We require certificate-based RDP. As I don’t have much knowledge about this, kindly help me with the following concerns.

1. How do I configure RDP with a certificate base?
2. Where can we purchase a certificate from?
3. Can we create an RDP certificate from our Windows 2016 server without purchasing from a third party?
4. How do we centrally distribute these certificates to all computers once we receive them?

Reply by shkv, 2023-01-29 (0 upvotes)

Sounds like a homework question.

I suggest you don’t do this without a remote access VPN. You *might* be able to set it up securely without VPN. But then again you might not.

Answer by Ethan6123, 2023-01-30 (0 upvotes)

Certificates don’t help you secure the servers. Certificates in RDP only help to try to prevent you from connecting to a different server than the one you think you’re connecting to.

Answer by kevinhsieh, 2023-01-30 (0 upvotes)