Securing Remote Desktop Connection
Recently I’ve gotten tired of using logmein. Their servers are getting slow and finishing my daily tasks is getting difficult. So what am I gonna do? Remote Desktop. Well of course, I will have to do this in three steps:
- Use Dyndns to connect remotely to my home router (DDWRT).
- Open and forward NAT ports to my computer.
- Secure my computer’s Remote Desktop Services.
Use Dyndns to connect remotely to my home router:
Go ahead and create a free account at dyndns.org and pick the hostname you want. Enter your Dyndns credentials in your router's DDNS settings and let it connect. You can confirm connectivity by pinging your Dyndns hostname from outside your network. For more details, click here.
Open and Forward NAT Ports to my computer:
Opening and forwarding NAT ports to your computer is a crucial part of this. You should read this document and follow their instructions.
Secure my computer’s Remote Desktop Services:
Let me say it out loud, if you do not secure your computer’s remote desktop services, you are going to get hacked. Here is what you need to do:
- Change the default Remote Desktop listening port. Either use the Microsoft Fix It tool or follow the steps below:
  - Start Registry Editor.
  - Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
  - On the Edit menu, click Modify, and then click Decimal.
  - Type the new port number, and then click OK.
  - Quit Registry Editor.
  - Restart the computer.
Because we changed the default RDP port, we need to allow the new port through Windows Firewall. Here are the steps:
  - Click Start and type firewall. Click “Windows Firewall with Advanced Security”.
  - Click on “Inbound Rules” towards the left of the screen, and then click “New Rule…” towards the right.
  - Select Port > Next > Click “Specific local ports” and type the port you chose earlier > Next > Next > Next > Type a name such as “RDP custom port” and click Finish.
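The same port change and firewall rule, done from an elevated PowerShell prompt instead of the Registry Editor and firewall wizard. This is an added example and not code from the original post; it assumes Windows 8 / Server 2012 or later (for the NetSecurity cmdlets), and 7098 is simply the port number the post uses.

```powershell
# Added example, not code from the original post: change the RDP listening port
# and open the matching inbound firewall rule. Assumes an elevated session on
# Windows 8 / Server 2012 or later. Substitute your own port for 7098.
$NewPort = 7098

$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$OldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Write-Host "RDP currently listens on port $OldPort"

# PortNumber is a REG_DWORD; this is the value the Registry Editor steps modify.
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

# Inbound allow rule for the new port, equivalent to the "New Rule..." wizard.
# Guarded so that re-running the script does not create duplicate rules.
if (-not (Get-NetFirewallRule -DisplayName 'RDP custom port' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'RDP custom port' -Direction Inbound `
        -Protocol TCP -LocalPort $NewPort -Action Allow | Out-Null
}

# The listener only picks up the new port when the service starts, so restart it
# (or reboot, as the post says). If you are doing this over RDP, this drops your session.
Restart-Service -Name TermService -Force

# Verify that the new port is listening and the old default (3389) no longer is.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $NewPort, 3389 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The final listing should show only the new port; if 3389 is still present, the service has not picked up the registry change yet. Keep in mind that moving the port hides RDP from casual scans but is not a substitute for the authentication and lockout settings that follow.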
- Tighten local security settings.
Look for Local Security Policy using Start Menu search:
Find User Rights Assignment in Local Policies:
Open up the “Allow log on through Remote Desktop Services” policy. Add and remove desired groups. Please remember, only allow those groups/users access through Remote Desktop that definitely need it.
When you are done with User Rights Assignment, stay in the Local Policies window and enable auditing of Logon Events and Account Logon Events. This is done under Audit Policy.
Once done with this, navigate to Account Policies and then Account Lockout Policy. These policies help you stop attackers by locking out an account after a certain number of invalid logon attempts.
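The auditing and lockout settings above can also be applied from the command line, and the audit log is only useful if you actually look at it. This is an added example, not code from the original post: it turns on logon auditing with auditpol, sets a lockout policy with net accounts (the threshold and durations are my own choices), and then summarises recent failed logons from the Security log so you can see the policy doing its job. It assumes an elevated PowerShell session.

```powershell
# Added example, not code from the original post. Assumes an elevated session.

# Audit logon success and failure: the "Logon" subcategory corresponds to
# "Audit logon events", "Credential Validation" to "Audit account logon events".
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /get /category:"Logon/Logoff"

# Account lockout: 5 bad attempts lock the account for 30 minutes, and the
# bad-attempt counter resets after 30 minutes (window must not exceed duration).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
net accounts

# Detection: failed logons (event 4625) from the last 24 hours, grouped by
# source address. LogonType 10 (RemoteInteractive) is an RDP attempt.
$Since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named fields out of the event's XML payload.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']
            Source    = $d['IpAddress']
        }
    } |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run the last part on its own every now and then: a single source address with dozens of 4625 events against your account name is exactly the password guessing the lockout policy is meant to stop. One caveat on lockout: anyone who can reach the port can lock out the account by guessing wrong on purpose, so keep a second local administrator account that you do not use for RDP, and set the lockout duration to a finite value rather than "until an administrator unlocks it".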
Now close this window. Go back to Start Menu and in search bar type gpedit.msc. Here you can configure encryption settings for your Remote Desktop Session:
I personally enabled every policy in here, but you can pick which ones you’d like to use depending on your preference. I highly recommend enabling the following:
- Set client connection encryption level – enable and select High Level – This forces the connection to use 128-bit encryption.
- Always prompt for password upon connection – This way there is no “remember my password” on computers connecting to yours (for example, in case the connecting laptop was ever stolen and then used to connect to your computer).
- Require secure RPC communication – Encrypts RPC communication.
- Require use of specific security layer for remote (RDP) communications – enable and set Security Layer to SSL (TLS 1.0) – This provides authentication and encryption.
- Require user authentication for remote connections by using Network Level Authentication – Better authentication process, harder to hack.
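After the reboot it is worth checking that the settings are really in effect, rather than trusting that the policy editor applied them. This is an added example, not code from the original post: it reads the live RDP listener configuration through the Win32_TSGeneralSetting WMI class, reads the two policy values that have no WMI equivalent from the Terminal Services policy registry key (those two value names are my understanding of where gpedit stores them; check against your own result), prints OK/WEAK for each recommendation above, and fixes the WMI-backed ones if needed. It assumes an elevated session on Windows 7 or later.

```powershell
# Added example, not code from the original post: audit and remediate the RDP
# security settings recommended above. Assumes an elevated session.
# Value meanings follow the Win32_TSGeneralSetting documentation:
#   SecurityLayer              0 = RDP security layer, 1 = Negotiate, 2 = SSL/TLS
#   MinEncryptionLevel         1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
#   UserAuthenticationRequired 1 = Network Level Authentication required
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"

# "Always prompt for password" and "Require secure RPC" are policy-only settings;
# value names here are an assumption about where gpedit writes them.
$PolKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$pol = Get-ItemProperty -Path $PolKey -ErrorAction SilentlyContinue

$checks = @(
    @{ Name = 'Security layer is SSL/TLS';             Ok = ($ts.SecurityLayer -eq 2) },
    @{ Name = 'Encryption level is High or FIPS';      Ok = ($ts.MinEncryptionLevel -ge 3) },
    @{ Name = 'Network Level Authentication required'; Ok = ($ts.UserAuthenticationRequired -eq 1) },
    @{ Name = 'Always prompt for password';            Ok = ($pol.fPromptForPassword -eq 1) },
    @{ Name = 'Secure RPC communication required';     Ok = ($pol.fEncryptRPCTraffic -eq 1) }
)
foreach ($c in $checks) {
    '{0,-5} {1}' -f $(if ($c.Ok) { 'OK' } else { 'WEAK' }), $c.Name
}

# Remediation for the three WMI-backed settings. If the corresponding Group
# Policy values are set they take precedence, so either route ends up the same.
if ($ts.SecurityLayer -ne 2)              { $ts.SetSecurityLayer(2) | Out-Null }
if ($ts.MinEncryptionLevel -lt 3)         { $ts.SetEncryptionLevel(3) | Out-Null }
if ($ts.UserAuthenticationRequired -ne 1) { $ts.SetUserAuthenticationRequired(1) | Out-Null }
```

A line reading WEAK for the security layer or NLA is the one to fix first: with the security layer on SSL/TLS and NLA required, a client has to authenticate before it ever gets a logon screen, which is what takes most unauthenticated probing off the table.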
You will need to restart your computer for these changes to take effect. Once rebooted, try logging on to your computer from an external network by typing [Dyndns host name]:[port number], e.g. I used hakamonline.com:7098. There you go, your remote desktop is secure and private.