
IT Tips: How To Secure Remote Desktop Connection


Remote Desktop is the client application that uses the Remote Desktop Protocol (RDP) to log in to remote computers. RDP, developed by Microsoft, gives users a graphical interface for connecting to another computer over a network connection.

In Windows, Remote Desktop Connection (RDC) works only on the local network by default. To use RDC over the internet we need to forward a port on the router; the default RDC port is 3389.

When you set up a Remote Desktop connection over the internet, there are many vulnerabilities that affect the security of your connection.

For example, suppose we set up a database server (Windows Server 2012 R2) at our office and want to connect to this server from a laptop at home over the internet. If we use Remote Desktop Connection with its default parameters, our connection is exposed to many risks, such as:

  • Denial of Service attack (which prevents authorized users from making normal use of the network or device)
  • Man in the Middle attack (in which a deceptive party alters the communication between two trusted endpoints)
  • Brute Force attack (attackers try to find the correct username and password by submitting guessed usernames and dictionary passwords)
  • Data theft in transit if the connection is not encrypted.

So, to keep using Remote Desktop Connection for easy access to remote servers and computers, we also need to make sure our data is secured. Below are some options we can use to secure our RDC connection:

  • The first choice for securing a Remote Desktop connection is to set up a VPN (Virtual Private Network). It is the most secure and recommended option for a Remote Desktop connection.

 VPN – It acts as a protected tunnel between our laptop and the database server when we connect them through RDC over the public network (the internet). This connection gives us a layer of authentication as well as encryption.

  1. Connect to the network.
  2. Establish the VPN connection.
  3. Once the VPN connection is up, open RDC.
  4. Enter the IP address or full name of your server in the Computer text box.
  5. Type the username and password you use to connect to the server.
  6. Click Connect.
  • The second choice, after a VPN, is to use TLS/SSL certificates to secure the RDC connection. We need to install a TLS/SSL certificate on the server and import the issuing certificate only on trusted clients. Only authorized clients should trust the root certification authority (CA) that issued the computer certificate residing on the terminal server. This ensures that a TLS/SSL connection can be established only from a trusted client.
  • The third choice is not as secure as a VPN or TLS/SSL certificates, but since it is easy to set up we elaborate it here:

   Change the default RDC listening port 3389 to something else on the server (or any computer you want to access remotely) and update the firewall rules with the new port. To do this, we need to edit the following registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber.

1. To open the Registry Editor, go to the Start button and type regedit.

2. Navigate to the RDP-Tcp key above and locate the PortNumber value. Right-click PortNumber and click Modify.

3. The default value (in decimal) is 3389.

4. Change the value data to the port you want to use for Remote Desktop Connection. For example, 3361 is the new port number; click OK. Quit the Registry Editor and restart your computer.

5. When using a computer outside the office, go to Start and type remote desktop connection.

6. You will see the connection prompt. In the Computer box, enter the public IP address or FQDN (fully qualified domain name) of the computer, followed by a colon and the port number. Examples:

          12.23.34.45:3361 or

          database.company1.com:3361

After that, you are prompted for the credentials used to log in to that device.
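The same hardening can be scripted instead of clicked through. The following PowerShell script is an added example, not code from the original article: it applies the article's port change (3361 is the article's example value) together with the TLS security layer and Network Level Authentication, optionally binds a CA-issued certificate as described in the second option, opens the new port in Windows Firewall and verifies that the listener is up. The parameter names, the firewall rule name and the certificate thumbprint placeholder are assumptions of this example; the registry values under the RDP-Tcp key, the Win32_TSGeneralSetting WMI class and the cmdlets used are standard Windows.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not code from the original article. Hardens the RDP-Tcp listener:
  TLS security layer, Network Level Authentication, an optional server certificate,
  and the custom listening port the article describes (3361 is the article's example).
  Assumed: run elevated on the server itself; $CertThumbprint is a placeholder.
#>
param(
    [ValidateRange(1025, 65535)]
    [int]$NewPort = 3361,
    # SHA-1 thumbprint of a certificate already in Cert:\LocalMachine\My that the
    # clients trust (placeholder); empty keeps the self-signed RDP certificate.
    [string]$CertThumbprint = '',
    # Narrow this to the VPN address pool when RDP is reached through a VPN.
    [string[]]$AllowedRemoteAddress = @('Any')
)

$ErrorActionPreference = 'Stop'
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# --- 1. Refuse a port that something else already listens on ---------------
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "TCP port $NewPort is already in use on this host; choose another port."
}

# --- 2. Listener security ---------------------------------------------------
# SecurityLayer 2 = TLS only (no legacy RDP security), MinEncryptionLevel 3 = High,
# UserAuthentication 1 = NLA: the client authenticates before a session is created,
# which blunts the brute-force and pre-authentication DoS risks the article lists.
Set-ItemProperty -Path $rdpKey -Name SecurityLayer      -Value 2 -Type DWord
Set-ItemProperty -Path $rdpKey -Name MinEncryptionLevel -Value 3 -Type DWord
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord

# --- 3. Optional: bind a CA-issued certificate instead of the self-signed one
if ($CertThumbprint) {
    $cert = Get-ChildItem "Cert:\LocalMachine\My\$CertThumbprint"   # throws if absent
    $listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Set-CimInstance -InputObject $listener -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }
}

# --- 4. Custom port: the registry value the article edits with regedit -------
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# --- 5. Firewall: allow the new port, then retire the built-in 3389 rules -----
$ruleName = "Remote Desktop (custom TCP $NewPort)"   # assumed rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $NewPort -RemoteAddress $AllowedRemoteAddress -Action Allow | Out-Null
}
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# --- 6. Restart the listener (this drops any active RDP session) and verify ---
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 5

$cfg = Get-ItemProperty -Path $rdpKey
[pscustomobject]@{
    PortNumber    = $cfg.PortNumber
    SecurityLayer = $cfg.SecurityLayer
    NLA           = [bool]$cfg.UserAuthentication
    Listening     = [bool](Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue)
}
```

Run it from a console session or a management channel other than RDP, because restarting TermService disconnects current Remote Desktop sessions. The final object should report the new PortNumber, SecurityLayer 2, NLA True and Listening True; clients then connect with host:port exactly as in step 6 above. Moving the port reduces scanner noise but does not replace NLA and a strong password policy, which is why the script sets those as well.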
