Setting up Remote Desktop Securely

I don’t have an ideal home office setup yet. I jacked up my shoulder pretty badly for a few weeks by working too long at my very un-ergonomic desk. To avoid any more of that, I wanted to work on my beefy desktop from the comfort of my living room. It runs Windows 10, so I set up Remote Desktop so I could connect to it from my laptop. I was concerned about security because my whole life is on that thing, so I also looked up some hardening suggestions.

To enable Remote Desktop on the host machine:

  • Settings > System > Remote Desktop
    • Enable Remote Desktop
    • Advanced Settings > Require computers to use Network Level Authentication to connect (recommended)
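The same change made from an elevated PowerShell prompt, as an added example that is not part of the original post. It writes the two registry values the Settings page toggles (fDenyTSConnections and UserAuthentication), enables the predefined Remote Desktop firewall rule group, and reads everything back so you can confirm the host is actually in the state you expect. The rule group's display name assumes an English-language Windows install.

```powershell
# Added example: enable Remote Desktop with Network Level Authentication.
# Run from an elevated (Administrator) PowerShell prompt on the host.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 allows incoming Remote Desktop connections
Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 0 -Type DWord

# UserAuthentication = 1 requires NLA: the client must authenticate before
# a session (and its login screen) is ever created for it
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

# Enable the predefined inbound firewall rules for Remote Desktop
# (display group name assumes an English-language Windows install)
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Read the values back so the change can be verified; every field should be True
[pscustomobject]@{
    RemoteDesktopEnabled = (Get-ItemProperty -Path $tsKey  -Name 'fDenyTSConnections').fDenyTSConnections -eq 0
    NlaRequired          = (Get-ItemProperty -Path $rdpTcp -Name 'UserAuthentication').UserAuthentication -eq 1
    FirewallRulesEnabled = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                             Where-Object Enabled -eq 'True').Count -gt 0
}
```

NLA is the setting that matters most here: with it on, an unauthenticated client never gets a session or a Windows login screen, which removes a whole class of pre-authentication exposure from the listener.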

By default every member of the Administrators group is allowed to connect, including the built-in local Administrator account, whose logons will not be properly logged or identified. Override this default with a security policy setting:

  • Local Security Policy > Local Policies > User Rights Assignment > Allow log on through Remote Desktop Services
  • Remove defaults (Administrators, Remote Desktop Users) and whitelist specific users instead
    • Add User or Group > Advanced > Find Now to list Users
    • Double click desired User
    • OK
    • Repeat if needed for additional Users
    • OK
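The same allow-list applied and then verified from PowerShell, as an added example that is not part of the original post. The "Allow log on through Remote Desktop Services" right has no cmdlet of its own, so this uses a minimal secedit security template (the standard way to script user rights assignment). The account name is a placeholder; make sure the account you actually connect with is on the list before running it, otherwise your next RDP attempt is refused (console logon is unaffected). A domain Group Policy that sets the same right would override this local setting.

```powershell
# Added example: replace the default 'Allow log on through Remote Desktop
# Services' holders (Administrators, Remote Desktop Users) with an explicit
# allow-list of accounts. Run from an elevated PowerShell prompt.
$allowed = @("$env:COMPUTERNAME\alice")   # placeholder account(s); use your own

# secedit templates reference accounts by SID, each prefixed with '*'
$sids = foreach ($name in $allowed) {
    $sid = (New-Object System.Security.Principal.NTAccount($name)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    "*$sid"
}

# Minimal security template: only the user-rights area is touched
$inf = Join-Path $env:TEMP 'rdp-logon-right.inf'
$db  = Join-Path $env:TEMP 'rdp-logon-right.sdb'
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = $($sids -join ',')
"@ | Set-Content -Path $inf -Encoding Unicode

secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null

# Verify: export the effective right and resolve each SID back to a name.
# Expect only the accounts in $allowed; Administrators (S-1-5-32-544) and
# Remote Desktop Users (S-1-5-32-555) should be gone.
$export = Join-Path $env:TEMP 'rights-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$line = Get-Content $export | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' }
($line -split '=')[1].Trim() -split ',' | ForEach-Object {
    $sid = $_.TrimStart('*')
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $sid }   # an unresolvable SID is shown as-is
}
Remove-Item $inf, $export -ErrorAction SilentlyContinue
```

Listing individual accounts rather than groups is the point of the exercise: group membership can change without anyone looking at this policy again, whereas an explicit list only grows when someone deliberately edits it.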

Set an account lockout policy:

  • Local Security Policy > Account Policies > Account Lockout Policies
    • Set Account lockout threshold to 3
    • The other two values (lockout duration and reset window) default to 30 minutes once a threshold is set. Adjust as desired.

Enable RDP security settings:

  • Local Group Policy Editor > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
    • Set client connection encryption level: High Level
    • Require secure RPC communication: Enabled
    • Require use of specific security layer for remote (RDP) connections: SSL (TLS 1.0)
    • Require user authentication for remote connections by using Network Level Authentication: Enabled
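The account lockout policy and the four Session Host security settings above, applied and verified from an elevated PowerShell prompt, as an added example that is not part of the original post. The lockout values go through `net accounts`; the RDP settings are written as the registry values that those Group Policy entries set under the Policies hive. Two caveats: because this writes the registry directly rather than registry.pol, gpedit.msc may still display the entries as Not Configured even though they are in force; and the option label "SSL (TLS 1.0)" is historical, as the TLS version actually negotiated is governed by the host's Schannel configuration (TLS 1.2 on a current Windows 10 install).

```powershell
# Added example: apply the account lockout policy and the Remote Desktop
# Session Host security settings, then read them back. Run elevated.

# --- Account lockout (Local Security Policy > Account Policies) ---
# threshold 3 failed attempts; lockout duration and reset window 30 minutes
net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# --- Remote Desktop Session Host > Security ---
# These are the registry values the corresponding Group Policy settings write.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }

$settings = @{
    MinEncryptionLevel = 3   # Set client connection encryption level: 3 = High Level
    fEncryptRPCTraffic = 1   # Require secure RPC communication: Enabled
    SecurityLayer      = 2   # Require use of specific security layer: 2 = SSL (TLS)
    UserAuthentication = 1   # Require NLA for remote connections: Enabled
}
foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $policy -Name $name -Value $settings[$name] -Type DWord
}

# Verify: read every value back and flag anything that does not match
$actual = Get-ItemProperty -Path $policy
foreach ($name in $settings.Keys) {
    $state = if ($actual.$name -eq $settings[$name]) { 'OK' } else { 'MISMATCH' }
    '{0,-20} expected {1}  actual {2}  {3}' -f $name, $settings[$name], $actual.$name, $state
}

# Prints the effective lockout threshold, duration and window for the host
net accounts
```

The verification loop is worth keeping around as a standalone audit: run it after a Windows feature update or any Group Policy change to confirm the listener is still configured the way you left it.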

You can also change the Remote Desktop listening port (default 3389) to dodge any default scans, but remember: security by obscurity is not security.

  • Registry Editor > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp
  • Change PortNumber (select Decimal)
  • Remember to update any firewall rules.
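The port change with its matching firewall update, as an added example that is not part of the original post. Beyond moving the port, it restricts the new inbound rule to the Private profile and the local subnet, which is the property that actually buys security: the listener is then unreachable from a public network regardless of which port it sits on. The port value 53389 is a constructed example, and the rule group name again assumes an English-language install. Restarting the service drops any active Remote Desktop session, so do this from the console or plan on a reboot.

```powershell
# Added example: move the Remote Desktop listener to a non-default port and
# open that port in the firewall for the local network only. Run elevated.
$newPort = 53389   # constructed example value; pick an unused port
$rdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

Set-ItemProperty -Path $rdpTcp -Name 'PortNumber' -Value $newPort -Type DWord

# Allow the new port inbound, but only from the local subnet and only while
# the adapter is on a Private-profile network. TCP only: without a matching
# UDP rule the client simply falls back to the TCP transport.
New-NetFirewallRule -DisplayName "Remote Desktop (TCP $newPort)" `
    -Direction Inbound -Protocol TCP -LocalPort $newPort `
    -RemoteAddress LocalSubnet -Profile Private -Action Allow | Out-Null

# The built-in rule group still opens 3389; disable it so only the new port is open
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# The listener only picks up the new port after the service restarts
# (this ends active sessions) or after a reboot
Restart-Service -Name TermService -Force

# Verify the listener moved: expect a Listen entry on $newPort and none on 3389
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 3389, $newPort } |
    Select-Object LocalAddress, LocalPort, State
```

Clients then connect with the port appended to the host name (for example `desktop:53389`). The non-default port keeps casual scanners out of your logs; the subnet and profile restrictions on the rule are what keep the listener off the internet.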

You can now use a Remote Desktop client (official version available free in Windows Store, Google Play, and iOS App Store) to connect securely, but only from the local network.

Some oft-recommended open source Linux RDP clients include Remmina, KRDC from KDE, TigerVNC, and Vinagre from GNOME, but there are many others.

To connect over the internet from anywhere, set up a Remote Desktop Gateway or an IPsec or SSH tunnel. I had an SSH tunnel set up on my router at my old place, but not here yet. However, I don’t anticipate being able to leave the house anytime soon (thanks, coronavirus), so that project will have to wait for another day.