How to Secure an Internet-Exposed Windows Remote Desktop Server: Best Practices for Developers


Opening RDP (TCP 3389) to the internet is like leaving your front door unlocked in a bad neighborhood. Automated scanners constantly probe for exposed RDP services - Shodan.io shows over 4 million publicly accessible RDP endpoints at any given time. Brute force attacks against these services increased by 768% in 2022 according to Microsoft's Digital Defense Report.

Here's my multi-layered approach developed through securing enterprise environments:

# Basic NLA enforcement via GPO (or import this .reg fragment directly)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
; 1 = require Network Level Authentication (CredSSP) before a session is created
"UserAuthentication"=dword:00000001
; 0 = legacy RDP security layer, 1 = Negotiate, 2 = TLS only (2 prevents a client from negotiating down)
"SecurityLayer"=dword:00000001

Before traffic even reaches your server:

  • Implement geo-IP blocking for countries you don't operate in
  • Set up port knocking (sequence of connection attempts to open RDP)
  • Use Azure AD Application Proxy for cloud-based pre-authentication

On the host itself:

# Rename Administrator account via PowerShell (the built-in account keeps its well-known RID 500; this only removes the predictable name)
Rename-LocalUser -Name "Administrator" -NewName "BreakfastTacos"
Set-LocalUser -Name "BreakfastTacos" -Description "Not the admin account"

# Enable Windows Defender Application Control
# New-CIPolicy only writes the policy XML (audit mode by default); it must be converted to binary and deployed to take effect
$PolicyPath = "C:\WDAC\ExamplePolicy.xml"
New-CIPolicy -FilePath $PolicyPath -Level FilePublisher -Fallback Hash -ScanPath "C:\Windows\System32\" -UserPEs
ConvertFrom-CIPolicy -XmlFilePath $PolicyPath -BinaryFilePath "C:\WDAC\ExamplePolicy.bin"
# Deploy the .bin as C:\Windows\System32\CodeIntegrity\SIPolicy.p7b (single-policy format) or via GPO, then reboot

Regarding the mentioned product - while it adds MAC/computer name filtering, it's not a silver bullet. The security depends on:

  • How credential validation is implemented (could be bypassed if not properly signed)
  • Whether the filtering occurs before authentication (ideal) or after
  • Logging capabilities for forensic analysis

Consider these more secure patterns:

# Sample WireGuard config for VPN access (client side: RDP is reached over the tunnel, so TCP 3389 never faces the internet)
[Interface]
# This peer's private key (wg genkey) and tunnel address
PrivateKey = base64_private_key
Address = 10.8.0.2/24
DNS = 1.1.1.1

[Peer]
# Server's public key (wg pubkey) and public endpoint
PublicKey = base64_server_key
# Only the server's tunnel address is routed through the VPN; widen this to the LAN range if the RDP hosts sit behind the server
AllowedIPs = 10.8.0.1/32
Endpoint = yourdomain.com:51820
# Keeps NAT state alive for clients behind NAT
PersistentKeepalive = 25

For web-based access, Guacamole with Duo 2FA provides excellent security while maintaining usability.

Essential logging to implement:

# PowerShell to enable detailed RDP logging
# (LogEachSession / LogonTimeout are not logging settings Windows reads; RDP logon activity is recorded by the Security audit policy)
auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable                     # 4624/4625, logon type 10 (type 3 with NLA)
auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable   # 4740 account lockout
auditpol.exe /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable # 4778/4779 session reconnect/disconnect
wevtutil.exe sl Security /ms:1073741824                                                    # 1 GB Security log so events survive a password spray

Combine with SIEM rules to detect brute force attempts and lockout events.
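
The answer above sets registry values but gives no way to verify that a host actually ended up hardened. As an added example that is not code from the answer, this PowerShell check reads the RDP listener values and compares them with a small baseline (MinEncryptionLevel is added to the two values the answer sets). Get-RdpListenerSettings and Test-RdpListenerSettings are helper functions defined here, not Windows cmdlets, and the $weakHost sample is constructed:

```powershell
# Added example: audit the RDP-Tcp listener against a baseline.
# Helper functions below are defined here; they are not built-in cmdlets.
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Baseline: each value must be at least Min for the check to pass
$Baseline = @(
    @{ Path = $RdpTcp; Name = 'UserAuthentication'; Min = 1; Why = 'NLA (CredSSP) before a session is created' }
    @{ Path = $RdpTcp; Name = 'SecurityLayer';      Min = 2; Why = 'TLS listener (0 = RDP security layer, 1 = Negotiate)' }
    @{ Path = $RdpTcp; Name = 'MinEncryptionLevel'; Min = 3; Why = 'High (128-bit) encryption; 4 = FIPS' }
)

function Get-RdpListenerSettings {
    # Reads the live registry values; a missing value comes back as $null and fails the check
    $live = @{}
    foreach ($item in $Baseline) {
        $v = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
        $live[$item.Name] = if ($v) { $v.($item.Name) } else { $null }
    }
    return $live
}

function Test-RdpListenerSettings {
    param([Parameter(Mandatory)][hashtable]$Settings)
    foreach ($item in $Baseline) {
        $actual = $Settings[$item.Name]
        [pscustomobject]@{
            Setting  = $item.Name
            Actual   = $actual
            Required = ">= $($item.Min)"
            Pass     = ($null -ne $actual -and $actual -ge $item.Min)
            Why      = $item.Why
        }
    }
}

# Constructed sample: a listener with NLA off, the legacy security layer and Client Compatible encryption
$weakHost = @{ UserAuthentication = 0; SecurityLayer = 0; MinEncryptionLevel = 2 }
Test-RdpListenerSettings -Settings $weakHost | Format-Table -AutoSize

# The same check against this machine (run on the Windows host being hardened)
Test-RdpListenerSettings -Settings (Get-RdpListenerSettings) | Format-Table -AutoSize
```

Run it after applying the GPO or .reg fragment and again after a reboot; a value that reverts indicates a competing policy or a product rewriting the listener key.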


Opening RDP (Remote Desktop Protocol) to the internet is like painting a target on your server. According to Microsoft's telemetry, internet-facing RDP servers receive approximately 800,000 brute force attempts per month. The standard port 3389 is constantly scanned by automated bots.

1. Network Layer Protection:

# Example PowerShell to configure Windows Firewall
# A new allow rule restricts nothing while the built-in "Remote Desktop" group still admits any address, so disable (or re-scope) that group first
Set-NetFirewallRule -DisplayGroup "Remote Desktop" -Enabled False
New-NetFirewallRule -DisplayName "Restricted RDP" -Direction Inbound -LocalPort 3389 -Protocol TCP -Action Allow -RemoteAddress 192.0.2.100,203.0.113.50

2. Authentication Enhancements:

  • Enforce Network Level Authentication (NLA)
  • Implement account lockout policies (example below)

# Account lockout GPO settings (net accounts sets the local policy; on a domain use Account Policies > Account Lockout Policy)
# threshold = failed attempts before lockout; duration and window are in minutes
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

RDP Gateway Solution:

# Sample RD Gateway configuration in PowerShell (RemoteDesktop module, run against the connection broker)
Add-RDServer -Server "rdgw01.domain.com" -Role "RDS-GATEWAY" -ConnectionBroker "rdcb.domain.com" -GatewayExternalFqdn "rdgw01.domain.com"
# -BypassLocal takes a Boolean, and Custom mode requires -GatewayExternalFqdn; -LogonMethod accepts Password, Smartcard or AllowUserToSelectDuringConnection
Set-RDDeploymentGatewayConfiguration -GatewayMode "Custom" -GatewayExternalFqdn "rdgw01.domain.com" -BypassLocal $true -LogonMethod "Password" -UseCachedCredentials $true -ConnectionBroker "rdcb.domain.com"

2X SecureRDP Alternative:
The product mentioned in your edit provides additional filtering capabilities. While it adds MAC address and computer name filtering (unavailable in native RDP), consider these technical limitations:

  1. MAC addresses aren't routable beyond local subnet
  2. Computer names can be spoofed
  3. Adds another component to maintain/update

For maximum security, implement these additional controls:

# Conditional Access policy example (Azure AD / Entra ID, Microsoft Graph PowerShell)
# New-AzureADPolicy cannot create CA policies; run Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" and use New-MgIdentityConditionalAccessPolicy
# <remote-desktop-app-id> = app ID of Microsoft Remote Desktop in your tenant; the named location is the trusted location to exempt (exclude wins over include)
$policy = @{ DisplayName = "RDP CA Policy"; State = "enabledForReportingButNotEnforced"   # report-only first, switch to "enabled" once sign-in logs look right
  Conditions = @{ Applications = @{ IncludeApplications = @("<remote-desktop-app-id>") }; Users = @{ IncludeUsers = @("All") }
                  ClientAppTypes = @("browser", "mobileAppsAndDesktopClients")
                  Locations = @{ IncludeLocations = @("All"); ExcludeLocations = @("12345678-ABCD-...") } }
  GrantControls = @{ Operator = "OR"; BuiltInControls = @("block") } }   # block outside the trusted location ("mfa" to require MFA instead)
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

Essential logging configuration for security auditing:

# Enable enhanced RDP logging
# (LogEachSession / LogonTimeout are not logging settings Windows reads; the Security audit policy is what records RDP logons)
auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable                     # 4624/4625, logon type 10 (type 3 with NLA)
auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable   # 4740 lockouts
auditpol.exe /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable # 4778/4779 reconnect/disconnect
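
Both answers end at "essential logging" and leave the detection to SIEM rules. As an added example that is not code from either answer, this PowerShell implements that rule logic: a sliding-window count of failed RDP logons per source IP plus an alert on every lockout, fed either by constructed sample events or by the live Security log. Get-RdpAuthEvents and Find-RdpBruteForce are helper functions defined here, not Windows cmdlets; $sampleEvents is constructed to mirror the fields the helpers use.

```powershell
# Added example: detect RDP brute force and lockouts from Security log events.
# Helper functions are defined here; they are not built-in cmdlets.

function Get-RdpAuthEvents {
    # Live collection: failed logons (4625) and lockouts (4740) from the last 24 hours.
    # RDP failures are logon type 10, or type 3 when NLA authenticates via CredSSP first.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4740; StartTime = (Get-Date).AddDays(-1) } |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
            [pscustomobject]@{
                Time = $_.TimeCreated; Id = $_.Id
                User = $data['TargetUserName']; Ip = $data['IpAddress']; LogonType = $data['LogonType']
            }
        }
}

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold     = 5,    # failures from one source IP ...
        [int]$WindowMinutes = 10    # ... within this many minutes
    )
    $alerts = @()

    # Every lockout is an alert on its own (it also confirms the lockout policy fired)
    foreach ($e in $Events | Where-Object Id -eq 4740) {
        $alerts += [pscustomobject]@{ Type = 'Lockout'; Key = $e.User; Count = 1; First = $e.Time; Last = $e.Time }
    }

    # Sliding window over failures per source IP; '-' is what 4625 carries when no address is known
    $failures = $Events | Where-Object { $_.Id -eq 4625 -and $_.Ip -and $_.Ip -ne '-' -and $_.LogonType -in '3','10' }
    foreach ($group in $failures | Group-Object Ip) {
        $times = @($group.Group | Sort-Object Time | ForEach-Object Time)
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            $j = $i + $Threshold - 1
            if (($times[$j] - $times[$i]).TotalMinutes -le $WindowMinutes) {
                $alerts += [pscustomobject]@{ Type = 'BruteForce'; Key = $group.Name; Count = $group.Count; First = $times[$i]; Last = $times[$j] }
                break
            }
        }
    }
    return $alerts
}

# Constructed sample events (not real log data)
$t0 = Get-Date '2024-05-01T02:00:00'
$sampleEvents = @(
    # 203.0.113.7 sprays the Administrator account: six failures within three minutes, NLA path (type 3)
    0..5 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds(30 * $_); Id = 4625; User = 'Administrator'; Ip = '203.0.113.7'; LogonType = '3' } }
    # 198.51.100.20: two typos hours apart, below threshold
    [pscustomobject]@{ Time = $t0.AddHours(1); Id = 4625; User = 'jdoe'; Ip = '198.51.100.20'; LogonType = '10' }
    [pscustomobject]@{ Time = $t0.AddHours(3); Id = 4625; User = 'jdoe'; Ip = '198.51.100.20'; LogonType = '10' }
    # Lockout produced by a 5-attempt lockout policy
    [pscustomobject]@{ Time = $t0.AddMinutes(3); Id = 4740; User = 'Administrator'; Ip = $null; LogonType = $null }
)

Find-RdpBruteForce -Events $sampleEvents | Format-Table -AutoSize

# On the host itself: Find-RdpBruteForce -Events (Get-RdpAuthEvents)
```

The threshold and window should match the lockout policy in use (five attempts in 30 minutes above), so that a source which trips the rule but never produces a 4740 stands out as one that is rotating usernames rather than passwords.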