The data sent during a Remote Desktop connection is sent through an encrypted channel. This makes it impossible for anybody to spy on your session by listening in on the network. However, in older versions of RDP, the mechanism that was used to encrypt sessions has a security hole that might allow for unauthorized access. Because of this security flaw, an unauthorized user may be able to access your session by performing a man-in-the-middle attack (link is external).
For Windows Vista, Windows 7, Windows 8, Windows 10, and Windows Server 2003/2008/2012/2016, the Remote Desktop protocol may be encrypted using SSL/TLS for added security. * Some of the systems on this list are no longer maintained by Microsoft, and as a result, they do not satisfy the requirements for campus security. If people are still using systems that aren’t supported, the security policy must be changed.
Even though Remote Desktop is more secure than other remote administration solutions like VNC, which do not encrypt the whole session, there are still potential dangers involved whenever an administrator account is allowed remote access to a computer system. The Remote Desktop connection to computers and servers that you provide may be made more secure with the aid of the following suggestions:
Basic Security Tips for Remote Desktop
1. Use strong passwords
Before activating Remote Desktop, it is strongly recommended that robust passwords be set on any accounts that will need access to the feature. Tips may be found in the password complexity recommendations posted throughout campus.
2. Make use of two separate authentication methods
The use of a system known as two-factor authentication is an option that departments need to give some thought to. This is a topic that will not be discussed in this article; however, RD Gateways may be configured to work in conjunction with the instance of DUO that is utilized on campus if the user so chooses. One of the other possible possibilities, which involves managing authentication in a clear manner via the use of smartcards that are based on two different certificates, is one that is not approved by the school. In addition to YubiKey and RSA as exemplary examples, this technique also makes use of the Remote Desktop host computer itself.
3. Make sure your software is up to date
If you use Microsoft’s Remote Desktop instead of other third-party remote administration solutions, one of the benefits you’ll enjoy is that elements will be automatically updated with the latest security patches as part of the typical patch cycle that Microsoft uses. This is in addition to the other benefits you’ll enjoy from using Microsoft’s Remote Desktop. You may verify that you are running the most current versions of the server and client software by turning on automatic Microsoft Updates and monitoring their status. This will allow you to enable the updates and turn them on. If you use clients for Remote Desktop on operating systems other than Windows, you should double verify that those clients are still maintained and that you have the most current version of each of those clients. There is a possibility that previous versions may not support robust encryption and may also have additional security flaws.
4. Implement access controls such as firewalls
Restricting access to remote desktop listening ports may be accomplished via the use of firewalls, either software or hardware depending on the circumstances (default is TCP 3389). When limiting RDP access to desktops and servers, it is strongly advised to make use of a Remote Desktop Protocol (RDP) Gateway (see discussion below). You may utilize the university VPN software to get a campus IP address and then create an exception rule to your RDP firewall that allows connections from off-campus by including the campus VPN network address pool in that rule. This is an alternate way to facilitate off-campus connectivity. Please see our website for details on the VPN service available on campus.
5. Activate authentication at the network level
Network Level Authentication (NLA) is also included by default in Windows 10, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. Because NLA adds an additional layer of verification before a connection is made, it is in your best interest to let this setting remain unchanged. If you use Remote Desktop clients on platforms other than those that support NLA, the only time you should set up your Remote Desktop servers to enable connections without NLA is if you utilize such clients.
- NLA ought to be activated automatically on Windows 10 and Windows Server 2012 R2/2016/2019 by default.
- You may verify this by looking at the settings under Group Policy. Use the Network Level Authentication that can be found under Computer > Policies > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security to mandate user authentication for remote connections. This can be done by navigating to Computer > Policies > Security is the third option under Remote Desktop Services, which comes after Remote Desktop Session Host. This Group Policy setting has to have its toggle button activated on the server that is functioning as a Remote Desktop Session Host in order for it to be effective.
Place restrictions on the people who may sign in using Remote Desktop.
Any and all Administrators have the capacity to log in to the Remote Access since the default setting makes it open to them. If your computer contains several Administrative access, you should restrict remote access to just the accounts that are being used at this time. This is of utmost significance if your personal computer has more than one account set to the Administrator role. If the use of Remote Desktop Protocol is not necessary for the administering of the system, then only those users that are needed to utilize the procedure should be permitted, and all other management RDP connectivity should be banned. This is because only those user accounts are required to use the protocol. If your department manages a considerable number of remote workstations, you may want to consider removing the local Administrator account from RDP access and replacing it with a technical group. This is something to think about if you maintain a big number of remote workstations. If you have a large number of workstations that need to be managed remotely, this is something you should think about implementing.
- Navigate to Local Security Policy by selecting Start > Programs > Administrative Tools > Local Security Policy.
- Navigate to the “Allow login using Terminal Services” option found in the “Local Policies -> User Rights Assignment” menu. Alternately, “Enable logging in through Remote Desktop Services.”
- Leave the Remote Desktop Users group alone and delete the Administrators group.
- To add users to the Remote Desktop Users group, go to the System control panel and utilise the Add User button.
The following configuration, which can be found in the Local Security Policy, will be present by default in a normal Microsoft operating system:
The issue is that the “Administrators” option is selected here by default, and your “Local Admin” account may be discovered inside the administrators subdirectory. This is the source of the problem. The problem may be traced back to this. When working on the computer remotely from another location while signed in as an admin privileges, activity on the machine is not appropriately recorded, nor is the user who is using the system properly identifiable. This is the case even if the user is logged in as the local administrator. This is the case even though it is recommended to make use of a login convention in order to prevent having identical administrator – level passcodes on the local computer and to manage access to these passcodes or conventions as stringent as is humanly practicable. It is important to implement the most stringent access control measures feasible for these passwords and conventions. Utilizing a Workgroup Setting in such a way that it takes precedence over the security policy that is in place locally is something that is strongly advised.
Utilizing “Restricted Groups” via the use of Group Policy is also beneficial in order to get a higher level of access control over the systems.
If you utilize the “Restricted Group” option to assign your group, such as “CAMPUSLAW-TECHIES,” into “Administrators” and “Remote Desktop Users,” then the techies in your organization will still have access to administrative functions remotely. You will, however, have eliminated the possibly problematic “local admin account” that had RDP access if you complete the actions that are mentioned above. Your settings will continue to work properly even if new machines are added to the organizational unit (OU) in the future if they are governed by the GPO.
Establish guidelines for the locking of accounts
By setting your computer to lock an account after a preset number of unsuccessful password guesses, you may help stop hackers from utilizing automated password guessing programmes to get access to your system. These programmes are used by hackers to gain access. This feature is available in the vast majority of today’s operating systems (this is known as a “brute-force” attack). To set a lockout policy for an account, the following steps must be taken:1. Select “Programs” from the Start menu, then “Administrative Tools,” and finally “Local Security Policy.”
Navigate to the Account Policies menu, choose Account Lockout Policies, and provide values to all three of the available choices. Reasonable options include three failed login attempts with lockout lengths of three minutes each.
Best Practices for Additional Security
- Do not permit direct remote desktop protocol (RDP) access from outside campus to any clients or servers.
- It is strongly advised to leave RDP (port 3389) available to off-campus networks since it is a recognised vector for many different types of assaults. The following are some measures that may improve system security while still enabling remote desktop protocol (RDP) access.
- Once an RDP gateway has been established, hosts should be configured to only accept RDP connections from the Gateway host or campus subnets if necessary. This should be done as soon as possible after an RDP gateway has been established.
Employ the use of RDP Gateways (Best Option)
It is strongly recommended that you make use of an RDP Gateway. It provides a means for limiting access to Remote Desktop ports in a severe manner while still allowing for remote connections to be established through a single “Gateway” server. This may be accomplished by using the approach offered by this technology. When you are using an RD Gateway server, you need to ensure that all of the Remote Desktop services on your desktop and workstations are configured to only permit access from the RD Gateway. This is a prerequisite for using an RD Gateway server. It is the responsibility of the RD Gateway server to establish a connection between the client and the Remote Desktop service that is active on the target machine. It achieves this by keeping an ear out for queries sent to the Remote Desktop via HTTPS (port 443).
-
Use the Campus RDP Gateway Service as your first step.
This is the best approach to provide remote desktop protocol (RDP) access to systems with a UC P2 classification or below. Including connection with the DUO. The RDP Gateway Service is something that the Windows team takes care of. The documentation may be found at the following location: https://berkeley.sharepoint.com/sites/calnetad/gateway (link is external).
The RDP Passporting also fulfills the new need of the latest MSSND upgrade, which is to provide support for Remote Access Services (requirement 8). Because of this, gaining access to the UC Berkeley system from the public Internet requires the use of a sanctioned service, such as a remote desktop protocol (RDP) gateway, a specialized entry point, or a bSecure virtual private network (VPN) connection. The RDP Gateway Service also fulfills the new need of the latest MSSND upgrade, which is to provide support for Remote Access Services. This precondition can only be satisfied by creating a relationship to the UC Berkeley system through remote management services. There is no other way for it to be satisfied.
-
A Service That Is Dedicated
To The Gateway (Managed). Required for RDP access to computers running UC P4 or higher operating systems. Additionally, it is required to be set up for DUO.
Some departments on campus make use of an IST-managed virtual private server (VPS) as their RD Gateway. A reasonable estimate would suggest that one RD Gateway can support anywhere between 30 and 100 users at the same time. Access that is sufficiently fault-tolerant and dependable is provided by the HA at the virtual layer. However, an RD gateway implementation that is somewhat more complex may be accomplished using network load balancing.
-
A Service That Is Dedicated
To The Gateway (Unmanaged). RD Gateway installation and configuration on hardware that is operated by the department.
There is a large number of documentation available online that may be used to configure this integrated Windows 2016/2019 component. The official documentation may be found at the following location: https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-s… (this is an external link)
Installing and installing the role service is largely the same as mentioned; however, it is strongly suggested that you use a Calnet-issued trustworthy Comodo certificate. When testing, it is OK to use a certificate that has been self-signed, and utilising a CalnetPKI certificate may be successful provided all clients have already trusted the UCB root. Your end users will not be presented with certificate warnings if you use the Comodo certificate since it is generally more widely recognised.
It is not difficult to configure your client such that it uses your RD Gateway. Here is where you can get the official documentation for the MS Client: http://technet.microsoft.com/en-us/library/cc770601.aspx (this is an external link)
All that is required, in essence, is a simple adjustment to be made on the advanced tab of your RDP client:
-
Change the listening port for Remote Desktop
If you change the listening port, you may “hide” Remote Desktop from hackers that search the network for PCs that are waiting on the port number for Remote Desktop. These hackers look for PCs that have Remote Desktop installed and are listening on port 3389. (TCP 3389). This provides a strong barrier of defense against even the most cutting-edge RDP worms, such as Morto. To do this, make the necessary changes to the registry key as indicated below: (WARNING: you should not attempt this unless you have prior experience working with the Windows Registry and TCP/IP.) HKEY LOCAL, HKEY LOCAL.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp. Change the listening port number from 3389 to a different number, and make sure the firewall rules are updated to reflect the new port number. This tactic is effective, but it depends on security via obscurity, which is not the most reliable security option. Nevertheless, it is worth pursuing. You have an obligation to ensure that, in addition to the methods described in this article, you are making use of any and all additional possibilities that are at your disposal to limit access. I Tunnel Remote Desktop connections through IPSec or SSH
You may add an additional layer of authentication and encryption to your Remote Desktop connections by tunneling them over IPSec or SSH in the event that utilizing an RD Gateway is not a viable option for you. Since Windows 2000, IPSec has been an integral part of every Windows operating system; however, its usage and control have been much enhanced in Windows 10 (for more information, see: http://technet.microsoft.com/en-us/network/bb531150; link opens in a new tab). The SSH tunneling protocol may be used for Remote Desktop sessions if an SSH server is readily accessible.
-
Use existing management tools for RDP logging and configuration
It is not suggested to utilize other components such as VNC or PCAnywhere since it is possible that they do not log in a manner that is auditable or secured. When using RDP, logins are audited not just to the local security log but also, in many cases, to the auditing system of the domain controller. When monitoring the local security logs, you should be on the lookout for any RDP session irregularities, such as attempts to log in using the local Administrator account. As was mentioned before, another advantage offered by RDP is centralized administration via the use of GPO. Utilize Group Policy Objects (GPOs) and any other Windows configuration management tools whenever you can. This will guarantee that all of your servers and workstations have an RDP setup that is both consistent and safe.
You are provided with a third level of auditing that is not only simpler to understand than sifting through the logins for the domain controllers, but it is also physically separated from the system that it is auditing, which means that it cannot be altered in any way. This is due to the fact that the RDP gateway does not have a connection with the computer that it is auditing. Utilizing this form of log may make monitoring how and when RDP is used across all of the devices in your environment much easier, which may result in a significant reduction in the amount of time spent on this task.
For Discount and Offers, Visit our Official Twitter Page