Skip to Content

Securing Remote Desktop Access

Securing Remote Desktop Access

Securing Remote Desktop Access

Photo by Dan Nelson on Pexels

Building on the fundamentals of RDP security, this lesson dives into advanced configuration, monitoring, and hardening techniques that small businesses can implement for free. We'll cover real-world scenarios and provide step-by-step instructions for locking down remote desktop access.

Advanced RDP Hardening Checklist

1. Configure Firewall Rules

Even with VPN protection, configure the Windows Firewall to only accept RDP connections from specific IP ranges. This adds a second layer of defense.

  1. Open Windows Firewall with Advanced Security
  2. Navigate to Inbound Rules > find "Remote Desktop - User Mode (TCP-In)"
  3. Right-click > Properties > Scope tab
  4. Under "Remote IP address," select "These IP addresses" and add only your VPN subnet (e.g., 100.64.0.0/10 for Tailscale)
  5. Repeat for the UDP rule

2. Change the Default RDP Port

While not a substitute for proper security, changing the default port from 3389 to a non-standard port reduces automated scanning attacks. Combined with VPN, this makes your RDP service essentially invisible.

  1. Open Registry Editor (regedit)
  2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  3. Find "PortNumber" and change from 3389 to your chosen port (e.g., 13389)
  4. Update firewall rules to allow the new port
  5. Update your RDP client to connect with server-ip:13389

Warning: This alone does NOT make RDP safe. You still need VPN or a gateway in front.

3. Implement Session Timeouts

Idle RDP sessions are a security risk — if a worker steps away, anyone who accesses their device can use the open RDP session. Configure automatic disconnection for idle sessions.

  1. Open Group Policy Editor (gpedit.msc)
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Session Time Limits
  3. Enable "Set time limit for active but idle Remote Desktop Services sessions" — set to 30 minutes
  4. Enable "Set time limit for disconnected sessions" — set to 1 minute
  5. Apply the policy

Monitoring RDP Access

You need to know who's connecting, when, and from where. Windows logs all RDP events, but you need to know where to look.

Key Event IDs to Monitor

Event ID Meaning Action
4624Successful loginVerify it's expected
4625Failed loginInvestigate if repeated
4778Session reconnectionVerify source IP
4779Session disconnectNormal event

Setting Up RDP Alerting

  1. Enable Windows Event Forwarding (WEF): Centralize logs from all RDP-enabled machines to a single collector. Free with Windows Server.
  2. Use Wazuh (free SIEM): Install the free Wazuh agent on RDP machines. It can alert on failed login bursts, unusual connection times, and known attack patterns.
  3. Set up email alerts: Create a scheduled task triggered by Event ID 4625 that sends an email when more than 5 failures occur in 10 minutes.

Real-World Scenario: Securing a 5-Person Accounting Firm

A small accounting firm needed remote access to their tax preparation software, which only runs on office computers. Here's what they implemented:

  • VPN: Tailscale on all office computers and worker devices — free, set up in 15 minutes
  • RDP: Each worker RDPs to their dedicated office computer via Tailscale IP — no RDP exposed to internet
  • Firewall: RDP rules scoped to Tailscale subnet only (100.x.x.x) — even on the office LAN, only Tailscale connections work
  • Authentication: MFA on all Windows accounts using Windows Hello or Microsoft Authenticator
  • Monitoring: Wazuh agent on each office computer — alerts on failed logins and off-hours access
  • Session limits: 30-minute idle timeout, 1-minute disconnect timeout
  • Backup: Daily automated backups of all office computers to an external drive and cloud storage

Result: Secure remote access with zero monthly cost beyond internet. Workers connect in under 30 seconds and have full access to their tax software.

Securing Non-Windows Remote Desktop

For Linux systems, VNC is the standard remote desktop protocol. Apply the same principles:

  • Never expose VNC to the internet (port 5900) — always use SSH tunneling or VPN
  • Use encrypted VNC: Configure VNC to use TLS encryption, or tunnel through SSH
  • Set VNC passwords: Use strong passwords — VNC's 8-character limit is a known weakness, so use SSH tunneling instead
  • Free option: TightVNC or TigerVNC with SSH tunneling provides secure remote desktop for Linux

Free Tools for RDP Security

  • Wazuh (wazuh.com): Free SIEM and intrusion detection — monitors RDP logs and alerts on suspicious activity
  • Sysinternals Sysmon (free from Microsoft): Enhanced system monitoring, logs process creation and network connections
  • BlueKeep scanner (Nessus Essentials): Scan for known RDP vulnerabilities like BlueKeep (CVE-2019-0708)
  • Apache Guacamole: Free web-based RDP gateway — eliminates need for RDP client software

Key Takeaways

  • Scope RDP firewall rules to your VPN subnet only — double layer of protection
  • Configure session timeouts to prevent idle session hijacking
  • Monitor Event IDs 4624 and 4625 — set up alerts for failed login bursts
  • Wazuh provides free enterprise-grade monitoring for RDP and other services
  • The accounting firm scenario shows that complete RDP security is achievable for free

Securing Remote Desktop Access

Securing Remote Desktop Access

Photo by Dan Nelson on Pexels

Building on the fundamentals of RDP security, this lesson dives into advanced configuration, monitoring, and hardening techniques that small businesses can implement for free. We'll cover real-world scenarios and provide step-by-step instructions for locking down remote desktop access.

Advanced RDP Hardening Checklist

1. Configure Firewall Rules

Even with VPN protection, configure the Windows Firewall to only accept RDP connections from specific IP ranges. This adds a second layer of defense.

  1. Open Windows Firewall with Advanced Security
  2. Navigate to Inbound Rules > find "Remote Desktop - User Mode (TCP-In)"
  3. Right-click > Properties > Scope tab
  4. Under "Remote IP address," select "These IP addresses" and add only your VPN subnet (e.g., 100.64.0.0/10 for Tailscale)
  5. Repeat for the UDP rule

2. Change the Default RDP Port

While not a substitute for proper security, changing the default port from 3389 to a non-standard port reduces automated scanning attacks. Combined with VPN, this makes your RDP service essentially invisible.

  1. Open Registry Editor (regedit)
  2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  3. Find "PortNumber" and change from 3389 to your chosen port (e.g., 13389)
  4. Update firewall rules to allow the new port
  5. Update your RDP client to connect with server-ip:13389

Warning: This alone does NOT make RDP safe. You still need VPN or a gateway in front.

3. Implement Session Timeouts

Idle RDP sessions are a security risk — if a worker steps away, anyone who accesses their device can use the open RDP session. Configure automatic disconnection for idle sessions.

  1. Open Group Policy Editor (gpedit.msc)
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Session Time Limits
  3. Enable "Set time limit for active but idle Remote Desktop Services sessions" — set to 30 minutes
  4. Enable "Set time limit for disconnected sessions" — set to 1 minute
  5. Apply the policy

Monitoring RDP Access

You need to know who's connecting, when, and from where. Windows logs all RDP events, but you need to know where to look.

Key Event IDs to Monitor

Event ID Meaning Action
4624Successful loginVerify it's expected
4625Failed loginInvestigate if repeated
4778Session reconnectionVerify source IP
4779Session disconnectNormal event

Setting Up RDP Alerting

  1. Enable Windows Event Forwarding (WEF): Centralize logs from all RDP-enabled machines to a single collector. Free with Windows Server.
  2. Use Wazuh (free SIEM): Install the free Wazuh agent on RDP machines. It can alert on failed login bursts, unusual connection times, and known attack patterns.
  3. Set up email alerts: Create a scheduled task triggered by Event ID 4625 that sends an email when more than 5 failures occur in 10 minutes.

Real-World Scenario: Securing a 5-Person Accounting Firm

A small accounting firm needed remote access to their tax preparation software, which only runs on office computers. Here's what they implemented:

  • VPN: Tailscale on all office computers and worker devices — free, set up in 15 minutes
  • RDP: Each worker RDPs to their dedicated office computer via Tailscale IP — no RDP exposed to internet
  • Firewall: RDP rules scoped to Tailscale subnet only (100.x.x.x) — even on the office LAN, only Tailscale connections work
  • Authentication: MFA on all Windows accounts using Windows Hello or Microsoft Authenticator
  • Monitoring: Wazuh agent on each office computer — alerts on failed logins and off-hours access
  • Session limits: 30-minute idle timeout, 1-minute disconnect timeout
  • Backup: Daily automated backups of all office computers to an external drive and cloud storage

Result: Secure remote access with zero monthly cost beyond internet. Workers connect in under 30 seconds and have full access to their tax software.

Securing Non-Windows Remote Desktop

For Linux systems, VNC is the standard remote desktop protocol. Apply the same principles:

  • Never expose VNC to the internet (port 5900) — always use SSH tunneling or VPN
  • Use encrypted VNC: Configure VNC to use TLS encryption, or tunnel through SSH
  • Set VNC passwords: Use strong passwords — VNC's 8-character limit is a known weakness, so use SSH tunneling instead
  • Free option: TightVNC or TigerVNC with SSH tunneling provides secure remote desktop for Linux

Free Tools for RDP Security

  • Wazuh (wazuh.com): Free SIEM and intrusion detection — monitors RDP logs and alerts on suspicious activity
  • Sysinternals Sysmon (free from Microsoft): Enhanced system monitoring, logs process creation and network connections
  • BlueKeep scanner (Nessus Essentials): Scan for known RDP vulnerabilities like BlueKeep (CVE-2019-0708)
  • Apache Guacamole: Free web-based RDP gateway — eliminates need for RDP client software

Key Takeaways

  • Scope RDP firewall rules to your VPN subnet only — double layer of protection
  • Configure session timeouts to prevent idle session hijacking
  • Monitor Event IDs 4624 and 4625 — set up alerts for failed login bursts
  • Wazuh provides free enterprise-grade monitoring for RDP and other services
  • The accounting firm scenario shows that complete RDP security is achievable for free
Rating
0 0

There are no comments for now.

to be the first to leave a comment.