Skip to Content

RDP Security and Best Practices

RDP Security and Best Practices

RDP Security and Best Practices

Photo by Skylar Kang on Pexels

Remote Desktop Protocol (RDP) is one of the most useful tools for remote work — and one of the most dangerous if misconfigured. RDP is the #1 target for ransomware attacks worldwide. This lesson covers what RDP is, why it's risky, and how to use it safely.

What Is RDP?

RDP (Remote Desktop Protocol) is Microsoft's technology for remotely controlling a Windows computer. When connected, you see the remote computer's screen on your local device and can use it as if you were sitting in front of it. The mouse, keyboard, and display are all transmitted over the network.

RDP is built into every version of Windows Professional and above. The client (Remote Desktop Connection) is available on Windows, Mac, iOS, Android, and Linux. It's free, widely available, and easy to use — which is exactly why attackers love targeting it.

Why RDP Is Dangerous

When you expose RDP directly to the internet (port 3389), you're putting a "come on in" sign on your network. Attackers scan the entire internet for open RDP ports. When they find one, they attack it with automated tools that try thousands of passwords per second. Once they break in, they have full control of that computer — and from there, your entire network.

Ransomware groups specifically target RDP as their primary entry method. In many documented cases, attackers compromised an RDP connection within 30 minutes of it being exposed to the internet. The cost: ransomware encrypting all company data, with ransom demands from $10,000 to over $1 million.

The Golden Rule: Never Expose RDP to the Internet

Port 3389 should NEVER be accessible from the internet. If your router has port forwarding set up for RDP, remove it immediately. There is no safe way to expose RDP directly. Instead, use one of these methods:

Safe RDP Access Methods

  1. RDP over VPN: Workers connect to VPN first, then use RDP to reach the office computer over the encrypted VPN tunnel. The RDP port is never exposed to the internet.
  2. RDP over Tailscale: Workers connect to Tailscale, then RDP to the office computer's Tailscale IP. Simplest and most secure approach.
  3. RD Gateway: Microsoft's Remote Desktop Gateway server acts as a proxy, adding TLS encryption and authentication before forwarding RDP traffic. More complex but integrates with Active Directory.
  4. Apache Guacamole: Open-source web-based RDP gateway. Workers access a web portal that proxies RDP connections. No RDP client needed on worker devices.

Step-by-Step: Securing RDP on a Windows Computer

  1. Disable direct RDP exposure: Check your router — if port 3389 is forwarded, remove that rule immediately
  2. Enable RDP only where needed: On the target Windows machine, go to Settings > System > Remote Desktop. Enable it only on computers that genuinely need remote access.
  3. Require Network Level Authentication (NLA): Under Remote Desktop settings, ensure "Require computers to use NLA" is checked. This prevents attackers from seeing the login screen before authentication.
  4. Set strong account passwords: Every account with RDP access needs a password of at least 16 characters. Use a password manager to generate and store them.
  5. Disable the Administrator account: Create a separate admin account with a different name. Attackers always try "Administrator" first.
  6. Set account lockout policy: Use Group Policy or Local Security Policy to lock accounts after 5 failed attempts for 30 minutes.
  7. Enable RDP logging: In Event Viewer, enable logging for Terminal Services connections. Review these logs weekly.
  8. Use VPN in front of RDP: Install Tailscale on the target machine. Workers connect via Tailscale, then RDP to the Tailscale IP address (100.x.x.x). The RDP port is never exposed to the internet.

Free RDP Alternatives

  • Chrome Remote Desktop: Free, works through Google's relay servers. No port forwarding needed. Good for basic remote support. Less control than RDP but very easy to set up.
  • Apache Guacamole: Open-source web-based remote desktop gateway. Supports RDP, VNC, and SSH through a browser. No client software needed on worker devices.
  • RustDesk: Open-source alternative to TeamViewer. Self-hosted option available. No account required.
  • VNC over SSH: For non-Windows systems, VNC provides remote desktop access. Tunnel it through SSH for security. TightVNC and TigerVNC are free.

Step-by-Step: Setting Up Chrome Remote Desktop

  1. Install Chrome: Ensure Google Chrome is installed on both the office computer and the worker's device
  2. Install the extension: Go to remotedesktop.google.com and add the Chrome Remote Desktop extension
  3. Set up remote access: On the office computer, click "Set up remote access" and name the computer
  4. Generate PIN: Create a 6+ digit PIN — workers will use this to connect
  5. Worker connects: Workers go to remotedesktop.google.com, select the computer, enter the PIN, and they're connected

Key Takeaways

  • RDP is the #1 ransomware entry point — treat it with maximum caution
  • Never, ever expose port 3389 to the internet — always use VPN or a gateway in front
  • Enable Network Level Authentication (NLA) on all RDP connections
  • Use strong passwords and account lockout policies on all RDP-enabled accounts
  • Chrome Remote Desktop and Apache Guacamole are free, secure alternatives

RDP Security and Best Practices

RDP Security and Best Practices

Photo by Skylar Kang on Pexels

Remote Desktop Protocol (RDP) is one of the most useful tools for remote work — and one of the most dangerous if misconfigured. RDP is the #1 target for ransomware attacks worldwide. This lesson covers what RDP is, why it's risky, and how to use it safely.

What Is RDP?

RDP (Remote Desktop Protocol) is Microsoft's technology for remotely controlling a Windows computer. When connected, you see the remote computer's screen on your local device and can use it as if you were sitting in front of it. The mouse, keyboard, and display are all transmitted over the network.

RDP is built into every version of Windows Professional and above. The client (Remote Desktop Connection) is available on Windows, Mac, iOS, Android, and Linux. It's free, widely available, and easy to use — which is exactly why attackers love targeting it.

Why RDP Is Dangerous

When you expose RDP directly to the internet (port 3389), you're putting a "come on in" sign on your network. Attackers scan the entire internet for open RDP ports. When they find one, they attack it with automated tools that try thousands of passwords per second. Once they break in, they have full control of that computer — and from there, your entire network.

Ransomware groups specifically target RDP as their primary entry method. In many documented cases, attackers compromised an RDP connection within 30 minutes of it being exposed to the internet. The cost: ransomware encrypting all company data, with ransom demands from $10,000 to over $1 million.

The Golden Rule: Never Expose RDP to the Internet

Port 3389 should NEVER be accessible from the internet. If your router has port forwarding set up for RDP, remove it immediately. There is no safe way to expose RDP directly. Instead, use one of these methods:

Safe RDP Access Methods

  1. RDP over VPN: Workers connect to VPN first, then use RDP to reach the office computer over the encrypted VPN tunnel. The RDP port is never exposed to the internet.
  2. RDP over Tailscale: Workers connect to Tailscale, then RDP to the office computer's Tailscale IP. Simplest and most secure approach.
  3. RD Gateway: Microsoft's Remote Desktop Gateway server acts as a proxy, adding TLS encryption and authentication before forwarding RDP traffic. More complex but integrates with Active Directory.
  4. Apache Guacamole: Open-source web-based RDP gateway. Workers access a web portal that proxies RDP connections. No RDP client needed on worker devices.

Step-by-Step: Securing RDP on a Windows Computer

  1. Disable direct RDP exposure: Check your router — if port 3389 is forwarded, remove that rule immediately
  2. Enable RDP only where needed: On the target Windows machine, go to Settings > System > Remote Desktop. Enable it only on computers that genuinely need remote access.
  3. Require Network Level Authentication (NLA): Under Remote Desktop settings, ensure "Require computers to use NLA" is checked. This prevents attackers from seeing the login screen before authentication.
  4. Set strong account passwords: Every account with RDP access needs a password of at least 16 characters. Use a password manager to generate and store them.
  5. Disable the Administrator account: Create a separate admin account with a different name. Attackers always try "Administrator" first.
  6. Set account lockout policy: Use Group Policy or Local Security Policy to lock accounts after 5 failed attempts for 30 minutes.
  7. Enable RDP logging: In Event Viewer, enable logging for Terminal Services connections. Review these logs weekly.
  8. Use VPN in front of RDP: Install Tailscale on the target machine. Workers connect via Tailscale, then RDP to the Tailscale IP address (100.x.x.x). The RDP port is never exposed to the internet.

Free RDP Alternatives

  • Chrome Remote Desktop: Free, works through Google's relay servers. No port forwarding needed. Good for basic remote support. Less control than RDP but very easy to set up.
  • Apache Guacamole: Open-source web-based remote desktop gateway. Supports RDP, VNC, and SSH through a browser. No client software needed on worker devices.
  • RustDesk: Open-source alternative to TeamViewer. Self-hosted option available. No account required.
  • VNC over SSH: For non-Windows systems, VNC provides remote desktop access. Tunnel it through SSH for security. TightVNC and TigerVNC are free.

Step-by-Step: Setting Up Chrome Remote Desktop

  1. Install Chrome: Ensure Google Chrome is installed on both the office computer and the worker's device
  2. Install the extension: Go to remotedesktop.google.com and add the Chrome Remote Desktop extension
  3. Set up remote access: On the office computer, click "Set up remote access" and name the computer
  4. Generate PIN: Create a 6+ digit PIN — workers will use this to connect
  5. Worker connects: Workers go to remotedesktop.google.com, select the computer, enter the PIN, and they're connected

Key Takeaways

  • RDP is the #1 ransomware entry point — treat it with maximum caution
  • Never, ever expose port 3389 to the internet — always use VPN or a gateway in front
  • Enable Network Level Authentication (NLA) on all RDP connections
  • Use strong passwords and account lockout policies on all RDP-enabled accounts
  • Chrome Remote Desktop and Apache Guacamole are free, secure alternatives
Rating
0 0

There are no comments for now.

to be the first to leave a comment.