
How To Secure Remote Desktop Connections

Thursday, June 5th, 2014


Remote Desktop is a Windows utility that provides an easy way to access other computers. However, the feature can also create security problems, because it can allow hackers to gain access to other computers without the system owner’s knowledge. This article discusses several ways to secure a remote desktop connection so that you can use the feature without running into security problems.

1. Use Strong Passwords

All user accounts with access to Remote Desktop should use strong passwords so that the accounts cannot be used to hack into other computers. Weak passwords are easy to crack through dictionary and brute-force attacks, so a user account with a weak password and access to Remote Desktop can compromise not only its own security but also the security of other systems, without the system owner’s knowledge. This is why a company’s IT department should enforce a strong password policy.

2. Use Network Level Authentication

Even when you allow access to a system through Remote Desktop, you need to ensure that only users with genuine credentials are able to use the feature. This can be done by allowing remote connections only from user accounts that have passed Network Level Authentication. Most organizations permit user accounts with administrator privileges to access the Remote Desktop feature, but you can also add a user account (or IP address) manually if you wish to grant another user permission to connect to your system.

3. Encrypt the Connection

To protect remote desktop connections, it is advisable to encrypt them. This can be done through the Local Group Policy Editor, which network administrators use to grant permissions to other user accounts. Specifically, you need to set a High (128-bit) level of encryption, enable secure RPC communications, and use the SSL (TLS 1.0) security layer for your remote connections.

4. Change the Default Port

Many hackers are able to gain access to networks because network administrators rely on default ports for remote connections. To enhance the security of your network, you should change the default port (3389) used by remote desktop connections. This can be done by changing the port number for remote connections in the Registry. After changing the default port, you also need to configure your system firewall to allow inbound connections through the new port.

5. Lockout Policy

To prevent hackers from wreaking havoc through remote connections, you should lock a user account for some time after an incorrect password is entered several times in a row. Since you can never be sure whether the user has genuinely forgotten the password or a hacker is using an automated script to look for security vulnerabilities, it is a good idea to play it safe and have an account lockout policy in place.

6. Enable Logging

As a final measure, you should also enable session logging on machines that allow remote connections. This lets you trace a system breach back to its source and take corrective action. Session-level logging can be activated through the Event Viewer application, which is available under the Administrative Tools section of the Control Panel.
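
The settings from sections 2 to 4 can be verified after the change with a read-only audit. The script below is an added example, not part of the original article. It assumes the standard Windows registry locations for the RDP listener and its Group Policy overrides (the article names neither), a helper called Get-RdpValue introduced here, and the firewall cmdlets that ship with Windows 8 / Server 2012 and later.

```powershell
# Added example: read-only audit of the RDP settings from sections 2-4.
# Run from an elevated PowerShell prompt on the machine being checked.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpValue {   # hypothetical helper name, introduced for this example
    param([string]$Name)
    # A value delivered by Group Policy takes precedence over the listener's own.
    foreach ($path in $policy, $listener) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null   # not configured in either location
}

# Name = registry value, Min = lowest value that matches the article's advice.
$checks = @(
    @{ Label = 'Network Level Authentication required'; Name = 'UserAuthentication'; Min = 1 },
    @{ Label = 'Security layer is SSL (TLS 1.0)';       Name = 'SecurityLayer';      Min = 2 },
    @{ Label = 'Encryption level High or stronger';     Name = 'MinEncryptionLevel'; Min = 3 },
    @{ Label = 'Secure RPC communication required';     Name = 'fEncryptRPCTraffic'; Min = 1 }
)

$report = foreach ($c in $checks) {
    $value = Get-RdpValue -Name $c.Name
    [pscustomobject]@{
        Check  = $c.Label
        Value  = if ($null -eq $value) { 'not set' } else { $value }
        Passed = ($null -ne $value) -and ($value -ge $c.Min)
    }
}

# Section 4: the listener should no longer sit on the default port 3389.
$port = Get-RdpValue -Name 'PortNumber'
$report += [pscustomobject]@{
    Check = 'Listening port changed from 3389'; Value = $port
    Passed = ($null -ne $port) -and ($port -ne 3389)
}

# The new port also needs an enabled inbound allow rule that names it.
# Rules whose LocalPort is "Any" are not counted here.
$rules = @(Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$port" } | Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })
$report += [pscustomobject]@{
    Check = "Inbound firewall rule for TCP $port"; Value = $rules.Count; Passed = ($rules.Count -gt 0)
}

$report | Format-Table -AutoSize
```

A row showing `not set` means the value is configured in neither the policy key nor the listener key, so the machine is running on its built-in default for that setting.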

