As with most cybersecurity topics, there is no way to stop remote desktop hacking 100%, but we can make it very difficult.
I have heard from other techs that you should never have RDP open to the outside world, and that if you do you have to have a RADIUS server or VPN, but I don’t agree.
It’s like saying you shouldn’t have a login page on a website, or an FTP server, or any login fields that are open to the whole of the internet.
We have hundreds of computers opened up to the outside world (including 100 user terminal servers) and we don’t have any problems.
Don’t get me wrong, a RADIUS server or a VPN and then RDP are nice layers of security, but my goal is always simplicity without sacrificing security, and I think we’ve accomplished that with our 3-step procedure.
Only allow specific users RDP access
Keep in mind that RDS access only works on Windows Pro machines.
Go into Computer Management and make sure that only the users who are supposed to be accessing the computer are added to the Remote Desktop Users group.
It’s a numbers game, and these bots will eventually get the password of someone in your organization, either through brute force or phishing emails.
So, make sure that only the users who will be remoting in are in the remote access group.
Install a 2 Factor Security Tool
After making sure that only the users who will be remoting in are in the remote access group, we need to install a 2 Factor Authentication tool so that if a password does get exposed, we are still protected.
We prefer DUO.
Create a company account, then install the desktop app on each user’s computer and the mobile app on their phone.
Set it to Fail Open, AutoPush and Only Prompt for RDP.
With 2FA enabled, your RDP security is now tight.
Purchase and Install RDP Guard
Last but not least, let’s go ahead and make this SUPER TIGHT.
Let’s make it so that these bots can’t simply bombard your computers.
RDP Guard is a simple tool that adds a Windows Firewall block rule for IPs that fail a password attempt 3 straight times.
The tool is cheap and easy to use and will block hundreds, if not thousands, of bot IPs in minutes.
From time to time a real IP from someone who doesn’t remember their password will get blocked, but it’s easy to go in and remove them.
RDP Guard is simple and easy to use and is the cherry on top for your RDP security sundae.
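The block-after-3-straight-failures behaviour described above, as an added example (not RDP Guard's own code and not part of the original article): it scans a constructed, simplified logon log and produces the matching Windows Firewall commands. The log line format, the rule names and the default RDP port 3389 are assumptions.

```python
import ipaddress
from collections import defaultdict

THRESHOLD = 3                      # straight failures before an IP is blocked
FAILED, SUCCESS = "4625", "4624"   # Windows Security log event IDs

# Constructed sample, one event per line: "timestamp event_id source_ip account"
SAMPLE_LOG = """\
2024-05-01T10:00:01 4625 203.0.113.7 administrator
2024-05-01T10:00:02 4625 203.0.113.7 admin
2024-05-01T10:00:03 4625 198.51.100.20 jsmith
2024-05-01T10:00:04 4625 203.0.113.7 test
2024-05-01T10:00:09 4625 198.51.100.20 jsmith
2024-05-01T10:00:15 4624 198.51.100.20 jsmith
2024-05-01T10:05:00 4625 198.51.100.20 jsmith
2024-05-01T10:06:00 4625 192.0.2.44 mlopez
2024-05-01T10:06:10 4625 192.0.2.44 mlopez
2024-05-01T10:06:20 4625 192.0.2.44 mlopez
"""

def ips_to_block(log_text, threshold=THRESHOLD):
    """Return source IPs, in order, that reach `threshold` straight failures."""
    streak, blocked = defaultdict(int), []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                       # skip malformed lines
        _, event_id, ip, _ = parts
        try:
            ip = str(ipaddress.ip_address(ip))   # never pass raw log text to a command
        except ValueError:
            continue
        if event_id == SUCCESS:
            streak[ip] = 0                 # a good logon breaks the streak
        elif event_id == FAILED and ip not in blocked:
            streak[ip] += 1
            if streak[ip] >= threshold:
                blocked.append(ip)
    return blocked

def block_command(ip):
    return (f'netsh advfirewall firewall add rule name="RDP-block-{ip}" '
            f"dir=in action=block protocol=TCP localport=3389 remoteip={ip}")

def unblock_command(ip):   # for a real user who mistyped their password
    return f'netsh advfirewall firewall delete rule name="RDP-block-{ip}"'

if __name__ == "__main__":
    for addr in ips_to_block(SAMPLE_LOG):
        print(block_command(addr))
```

In the sample, 198.51.100.20 is not blocked because a successful logon resets its streak, while 192.0.2.44 stands in for the forgetful real user whose rule `unblock_command` removes.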
RDP has its holes, but a simple 3-step process of locking down remote access to limited users, incorporating 2FA and installing RDP Guard will let you rest assured that your Windows remote desktop is properly secured.