Best Remote Desktop Access Security Configuration
Many users continue to leave remote control software wide open, where it can be easily exploited by an attacker. It is highly recommended to use secure methods, such as a VPN connection, for remote access to and control of stations. Below are some guidelines to help secure your remote access stations. Not every policy listed below may be necessary; it is recommended that you understand all of your network's vulnerabilities and implement a set of policies based on the potential exposure.
- Configure the account lockout settings to lock a user account after a specified number of failed login attempts within a given period of time. This prevents unlimited unauthorized login attempts, whether from an unauthorized user or from automated attacks such as brute force.
- Limit the number of users and workstations who can log in using Remote Desktop.
- Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).
- Change the default Remote Desktop listening port.
- Define complex password parameters. Configuring an expiration time, a minimum password length, and complexity requirements decreases the amount of time in which a successful attack can occur.
- Require two-factor authentication (2FA) for remote desktop access.
- Install a Remote Desktop Gateway to restrict access.
- Add an extra layer of authentication and encryption by tunneling your Remote Desktop through IPSec, SSH, or SSL.
- Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks.
- Limit administrative privileges for users and applications.
- Periodically review systems (local and domain controllers) for unknown and dormant users.
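The following PowerShell script is an added example, not part of the original guidance, showing how several of the items above (lockout and password parameters, the listening port, firewall scoping of the RDP port, membership of the groups allowed to log in, and a review for dormant accounts) can be audited and optionally applied on a single Windows host. The management subnet 10.0.50.0/24, the alternative port 3390 and the 90-day dormancy threshold are constructed values for illustration; 2FA and the Remote Desktop Gateway are configured elsewhere and are not covered here.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original page): audit, and with -Apply enforce,
  several of the Remote Desktop controls listed above. Without -Apply it only reports.
  Assumptions (constructed, adjust for your environment):
    - management subnet 10.0.50.0/24 is the only network allowed to reach RDP
    - 3390 is the new non-default listening port
    - accounts with no logon in 90 days are treated as dormant
#>
param(
    [string]$AllowedSubnet = '10.0.50.0/24',
    [int]$RdpPort = 3390,
    [int]$DormantDays = 90,
    [switch]$Apply
)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# --- 1. Account lockout and password parameters (local security policy) ---
if ($Apply) {
    # 5 failed attempts lock the account for 15 minutes; the counter resets after 15 minutes
    net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 | Out-Null
    # minimum length 14, expire after 90 days, remember the last 24 passwords
    net accounts /minpwlen:14 /maxpwage:90 /uniquepw:24 | Out-Null
}
Write-Host '== Lockout and password policy =='
net accounts | Select-String -Pattern 'Lockout|password'

# --- 2. Listening port and Network Level Authentication ---
$port = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
$nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
Write-Host "`n== RDP listener ==`nport=$port  NLA required=$($nla -eq 1)"
if ($Apply) {
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $RdpPort -Type DWord
    # The new port takes effect only after TermService restarts (or a reboot).
    # Do that from the console, not over the RDP session you are hardening.
}

# --- 3. Firewall: replace the unscoped built-in rule with one limited to the subnet ---
if ($Apply) {
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName "RDP from $AllowedSubnet" -Direction Inbound `
        -Protocol TCP -LocalPort $RdpPort -RemoteAddress $AllowedSubnet `
        -Action Allow -Profile Domain,Private | Out-Null
}
Write-Host "`n== Enabled inbound rules on RDP ports (RemoteAddress 'Any' means unscoped) =="
Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    if ($pf.Protocol -eq 'TCP' -and ($pf.LocalPort -eq 3389 -or $pf.LocalPort -eq $RdpPort)) {
        $af = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Port = $pf.LocalPort
                           RemoteAddress = ($af.RemoteAddress -join ',') }
    }
} | Format-Table -AutoSize

# --- 4. Who may log in over RDP (keep these groups short) ---
Write-Host '== Group membership =='
foreach ($g in 'Remote Desktop Users', 'Administrators') {
    $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty Name
    Write-Host "${g}: $($members -join ', ')"
}

# --- 5. Dormant accounts: enabled users with no logon inside the threshold ---
Write-Host "`n== Enabled local accounts with no logon in $DormantDays days =="
$cutoff = (Get-Date).AddDays(-$DormantDays)
Get-LocalUser |
    Where-Object { $_.Enabled -and (-not $_.LastLogon -or $_.LastLogon -lt $cutoff) } |
    Select-Object Name, LastLogon | Format-Table -AutoSize
# On a domain controller with the Active Directory module, the equivalent query is:
if (Get-Command Search-ADAccount -ErrorAction SilentlyContinue) {
    Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($DormantDays)) -UsersOnly |
        Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize
}
```

Run it first without -Apply to see the current state; the firewall table flags any enabled rule on 3389 or the chosen port whose remote address is still Any. When applying, keep a console session open, restart TermService, and confirm a connection from the allowed subnet on the new port before closing it, since the port change and the narrower firewall rule take effect together.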
Resources: US-CERT – Department of Homeland Security