Windows Remote Desktop connection (MS RDP protocol)

5 replies

ivan

3 years ago #267944

Although this subject would be included in the dedicated thread of PC setups and recommendations, I think it's important enough to have its own thread so it is easier to find for beginners in SQ, especially after I saw there is a growing interest here on this forum in using a PC remotely.

To be very short and to the point, to quote from a very good article:

What can you do if you need to put RDP on the Internet? First off, don’t. Seriously, don’t.

To protect RDP connections, the recommendations are the following:

- change the default port 3389 in the Windows registry and the router settings menu
- enable Network Level Authentication (NLA)
- install antivirus/internet security software
- use complex passwords (a long passphrase containing 15+ characters with no phrases related to the business, product names, or users is mandatory)

The above are easy and free of charge; the following are more complex and some require a paid subscription:

- Install two-factor authentication (2FA), a type of Multi-Factor Authentication (MFA), password + SMS
- Install a virtual private network (VPN) gateway to broker all RDP connections from outside your local network.
- A Remote Desktop Gateway server

Some very good and useful articles:

Secure Your Computer by Modifying the Default RDP Port Number | Alexander’s Blog (zubairalexander.com)

https://www.zubairalexander.com/blog/secure-your-computer-by-modifying-the-default-rdp-port-number/

Adventures of an RDP Honeypot – Part One: RDP Security | TrustedSec

https://www.trustedsec.com/blog/adventures-of-an-rdp-honeypot-part-one-rdp-security/

Adventures of an RDP Honeypot – Part Two: Know Your Enemy | TrustedSec

https://www.trustedsec.com/blog/adventures-of-an-rdp-honeypot-part-two-know-you-enemy/

So leaving RDP on a simple default configuration is plain suicide.

Timisoara, Romania
3900X 3.8 Ghz 12 cores, 64GB RAM DDR4 3000Mhz, Samsung 970 EVO Plus M.2 NVMe

ivan

3 years ago #267965

I would like to add some additional information.

I didn't specify it, but all these measures for RDP are for the situation when the user needs to connect from outside the local network, from another location.

Besides the measures above, a few more can be implemented:

https://tweaks.com/windows/39140/create-an-account-lockout-policy/

– Create an Account Lockout Policy: Creating an Account Lockout Policy will protect your account by limiting the number of times a remote application or attacker can try to guess your password. This works by automatically locking out your account after a designated number of incorrect passwords were entered. Your account will remain locked out for a designated period of time before it is automatically unlocked and it can be logged into again. This provides a valuable addition to your account security because it can render brute force password attacks useless.

– Under no circumstances grant RDP access to the account with the username “Administrator”, and if possible, never use or create any user with the username Administrator.

Given the old age of RDP in Windows and the many steps necessary to secure it, it's understandable that the alternatives are much more reliable and secure, and in the near future I will write here and present the best alternatives.

I will also write here about another very useful feature, Wake On LAN.

Timisoara, Romania
3900X 3.8 Ghz 12 cores, 64GB RAM DDR4 3000Mhz, Samsung 970 EVO Plus M.2 NVMe
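
The checks from the two posts above (non-default port, NLA, account lockout, no RDP access for Administrator), as an added read-only audit script that is not part of the original posts. It assumes Windows PowerShell 5.1 or later in an elevated session; the function names `New-Finding` and `Get-RdpAudit` and the temporary file name are hypothetical.

```powershell
# Added example: read-only audit of the RDP settings discussed in this thread.
# Run in an elevated PowerShell session on the PC that accepts RDP connections.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

function New-Finding($Check, $Value, $Ok) {
    [pscustomobject]@{ Check = $Check; Value = $Value; OK = $Ok }
}

function Get-RdpAudit {
    # fDenyTSConnections = 0 means the machine accepts RDP connections.
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
    New-Finding 'RDP listener enabled' ($deny -eq 0) $true   # informational only

    # Listening port; 3389 is the default.
    $port = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber
    New-Finding 'RDP port' $port ($port -ne 3389)

    # UserAuthentication = 1 means Network Level Authentication is required.
    $nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication
    New-Finding 'NLA required' ($nla -eq 1) ($nla -eq 1)

    # Account lockout threshold from the local security policy.
    # LockoutBadCount = 0 (or absent) means accounts are never locked out.
    $cfg = Join-Path $env:TEMP 'rdp-audit-secpol.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    $m = Select-String -Path $cfg -Pattern '^LockoutBadCount\s*=\s*(\d+)'
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $threshold = if ($m) { [int]$m.Matches[0].Groups[1].Value } else { 0 }
    New-Finding 'Lockout threshold (bad logons)' $threshold ($threshold -gt 0)

    # Enabled accounts named Administrator, or the built-in one (RID 500) even if renamed.
    $admins = Get-LocalUser | Where-Object {
        $_.Enabled -and ($_.Name -eq 'Administrator' -or $_.SID.Value -like 'S-1-5-21-*-500')
    }
    New-Finding 'Enabled Administrator accounts' (@($admins.Name) -join ', ') (-not $admins)

    # Accounts explicitly granted RDP: members of Remote Desktop Users (well-known SID).
    $rdu = Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction SilentlyContinue
    New-Finding 'Remote Desktop Users members' (@($rdu.Name) -join ', ') $true   # review manually
}

Get-RdpAudit | Format-Table -AutoSize
```

Rows with `OK = False` are the settings the posts above recommend changing; members of the local Administrators group can also log on over RDP by default, so an enabled Administrator account counts even if it is not in Remote Desktop Users.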

hankeys

3 years ago #267978

On my VPS servers I am doing only 2 things – changing the port and using a strong password.

4 years of trading – not a single problem.

You want to be a profitable algotrader? We started using StrateQuant software in early 2014. For now we have a very big know-how for building EAs for every possible type of market. We share this know-how, apps, tools and also all final strategies with real traders. If you want to join us, fill in the FORM.

ivan

3 years ago #267985

Yes, more advanced/experienced users can use it, but especially beginners should understand very well the difference between something opened to the internet and not opened. Because no matter how secure RDP is, it's open by its very design. Once you forward the port, it's open. It's a very important distinction.

By contrast, any third party remote software, free or paid, doesn’t require the computer to be opened on the internet, no port forwarding.

So for beginners, it's either a VPN service or a reliable third party remote software.

Timisoara, Romania
3900X 3.8 Ghz 12 cores, 64GB RAM DDR4 3000Mhz, Samsung 970 EVO Plus M.2 NVMe

ivan

3 years ago #267986

I also use it at present, for the moment, but I am in the process of switching permanently in the near future to something more secure, because after reading many reliable articles, it's too insecure and constantly in danger of being hacked, and many modern viruses can spread inside the local network once inside.

A VPN subscription is also an attractive alternative.

Timisoara, Romania
3900X 3.8 Ghz 12 cores, 64GB RAM DDR4 3000Mhz, Samsung 970 EVO Plus M.2 NVMe

Massimo Scapini

1 year ago #279516

Try TeamViewer!

https://www.teamviewer.com/

It is a free and much easier solution to remotely access your PC in a home network from everywhere!