How to protect RDP connection?


This guide lists the recommended steps for protecting RDP access to your server.

Rename the built-in Administrator account

Press Win + X and select "Computer Management":
RDP-protection-- computer management.png
Then open "Local Users and Groups" --> "Users", right-click the user "Administrator" and select "Rename":
RDP-protection-- rename administrator_0.png
Rename the user and use the new name for subsequent Remote Desktop connections.

Block RDP connections for accounts with an empty password

Security is improved by prohibiting remote logon to accounts with an empty password. To do this, enable the security policy "Accounts: Limit local account use of blank passwords to console logon only":
Open the Local Security Policy console (press Win + R and run secpol.msc).
Browse to "Local Policies" --> "Security Options".
RDP-protection-- security param.png
Double-click the policy "Accounts: Limit local account use of blank passwords to console logon only" and make sure it is enabled:
RDP-protection-- limit of blank password.png
This option matters, so check this setting.


Change the default Remote Desktop Protocol port

It is good practice to change the default port on which RDP listens. How to do this is described in our instruction: Windows Server 2012.
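The three settings above can be checked from an elevated PowerShell prompt instead of clicking through the consoles. The script below is an added example, not part of the original guide: it reports whether the built-in Administrator account (the one whose SID ends in -500, whatever it is called) has been renamed, whether blank-password use is limited to console logon (the LimitBlankPasswordUse value under the Lsa key, 1 = enabled), and which port the RDP-Tcp listener uses (3389 is the default). The function name Get-RdpHardeningReport is chosen here; the registry paths and value names are the standard Windows locations for these settings.

```powershell
# Added example (not from the original guide). Run in an elevated PowerShell
# prompt on the server being hardened. Read-only: it changes nothing.

function Get-RdpHardeningReport {
    $report = [ordered]@{}

    # 1. Built-in Administrator: the local account whose SID ends in -500,
    #    regardless of the name it currently has.
    $admin = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
             Where-Object { $_.SID -like '*-500' }
    $report['AdministratorName']    = $admin.Name
    $report['AdministratorRenamed'] = ($admin.Name -ne 'Administrator')

    # 2. "Accounts: Limit local account use of blank passwords to console logon only"
    #    is stored as LimitBlankPasswordUse under the Lsa key; 1 means enabled.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $report['BlankPasswordsConsoleOnly'] = ($lsa.LimitBlankPasswordUse -eq 1)

    # 3. Listening port of the RDP-Tcp listener; 3389 is the default.
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $report['RdpPort']        = $rdp.PortNumber
    $report['RdpPortChanged'] = ($rdp.PortNumber -ne 3389)

    [pscustomobject]$report
}

Get-RdpHardeningReport | Format-List
```

Any line that reports False (or RdpPort 3389) points at a step of this guide that has not been applied yet.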


Protection against brute force

To stop repeated connection attempts with wrong credentials, you can watch the event log and block the attacking IP addresses manually in Windows Firewall, or use a ready-made application. Let's look at the second option in detail.
We will use the free IPBan software to block attacking IP addresses. This application is proven and works on Windows Server 2008 and all later versions; Windows XP and Server 2003 are not supported. Its algorithm is simple: the program monitors the Windows event log, records failed logon attempts and blocks the source IP address for 24 hours after 5 failed attempts.
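The manual variant mentioned above, as an added example that is not part of the original guide and is not IPBan's code: it reads failed-logon events (Event ID 4625) from the Security log, counts failures per source address over a time window, and adds every address over the threshold to one inbound block rule in Windows Firewall. It assumes that failure auditing for logon events is enabled (step 4 below), otherwise no 4625 events with a source address are written. The threshold (5), window (24 hours) and rule name Block-RDP-BruteForce are chosen here to mirror the IPBan defaults described above; the NetSecurity cmdlets used exist on Windows Server 2012 and later.

```powershell
# Added example (not from the original guide, not IPBan's code).
# Detects brute-force sources from Security log event 4625 and blocks them
# with a single inbound Windows Firewall rule. Run elevated.

$Threshold = 5                          # failures per address (mirrors IPBan's default)
$Window    = [TimeSpan]::FromHours(24)  # look-back period (mirrors IPBan's 24 h)
$RuleName  = 'Block-RDP-BruteForce'     # constructed rule name

function Get-FailedLogonSources {
    param([TimeSpan]$Since = $Window)

    # Event 4625 carries the client address in the IpAddress field of EventData.
    # Console or local failures show '-' or the loopback address and are skipped.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date) - $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        ($x.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
    } |
    Where-Object { $_ -and $_ -ne '-' -and $_ -ne '127.0.0.1' -and $_ -ne '::1' } |
    Group-Object |
    Where-Object Count -ge $Threshold |
    Select-Object @{ n = 'IpAddress'; e = { $_.Name } }, Count
}

function Block-FailedLogonSources {
    param([string[]]$Addresses)
    if (-not $Addresses) { return }

    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        # First run: create one inbound block rule scoped to the offending addresses.
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
            -Action Block -Enabled True -RemoteAddress $Addresses | Out-Null
        return
    }
    # Later runs: extend the rule's remote-address scope instead of adding rules.
    $current = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $merged  = @($current | Where-Object { $_ -ne 'Any' }) + $Addresses | Sort-Object -Unique
    $rule | Set-NetFirewallRule -RemoteAddress $merged
}

$sources = Get-FailedLogonSources
$sources | Format-Table -AutoSize
Block-FailedLogonSources -Addresses ($sources.IpAddress)
```

Unlike IPBan, this script has no expiry: addresses stay in the rule until you remove them from its Scope tab, exactly as described for the IPBan rule at the end of this guide. Schedule it (for example with a scheduled task every few minutes) if you want it to act without supervision.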
So:
1. Download the archive with the program here;

2. It contains two archives, IPBan-Linux-x64.zip and IPBan-Windows-x86.zip; we need the latter. Unpack the IPBan-Windows-x86.zip archive to any convenient location (for example, the root of drive C:);
3. Files downloaded from the Internet are automatically blocked by the system for security, and all extracted files must be unblocked for the application to work. Right-click each extracted file, select Properties and click "Unblock" if that option is shown. Alternatively, open a PowerShell window (Win + R, enter powershell and click "OK") and run the following command:

Get-ChildItem "folder location" | Unblock-File -Confirm

For example:
RDP-protection-- powershell - unblock_0.png
4. Make the following change in the local security policy so that IP addresses are written to the system log. Open "Local Security Policy" (Win + R, enter secpol.msc and press "OK"). Browse to "Local Policies" --> "Audit Policy" and enable auditing of failures for "Audit account logon events" and "Audit logon events":
RDP-protection-- audit-on.png
RDP-protection-- audit-chekbox.png

5. On Windows Server 2008 or equivalent, you should disable NTLM logins and permit only NTLM2 logins; there is no other way to obtain the IP address of NTLM logins on Windows Server 2008. Open "Local Security Policy" (Win + R, enter secpol.msc and press "OK"). Browse to "Local Policies" --> "Security Options" --> "Network security: Restrict NTLM: Incoming NTLM traffic" and set the value "Deny all accounts":
RDP-protection-- local security-NTLM.png
6. Now create the IPBan service so that the application starts with the system and runs in the background. Launch PowerShell (Win + R, enter powershell and press "OK") and run the following command (the space after each "=" is required by sc.exe):

sc.exe create IPBAN type= own start= auto binPath= "C:\<Directory with program>\IPBan.exe" DisplayName= IPBAN

For example:
RDP-protection-- create service IPBan.png
Open Services (Win + R, enter services.msc and press "OK") and start the IPBAN service. From now on it will start automatically:
RDP-protection-- start ipban.png
In Task Manager you can check that the service is running:
RDP-protection-- task manager.png
From now on the program monitors failed logon attempts and adds the offending IP addresses to the inbound Windows Firewall rule it creates:
RDP-protection-- firewall rules.png
Blocked IP addresses can be unblocked manually. Open the "Scope" tab in the properties of the "IPBan_0" rule and remove the required IP address from the list:
RDP-protection-- remove IPs.png