Remote Desktop: Lockdown Windows RDP Port - TCP/3389 (MS-RDP)

*****NOTE This KB article is no long considered a security best practice as there are RDP exploits. Machines are considered "clients" and by using RDP the machine becomes a server. After the Corona virus passes, this KB article will be retired.*****

There are a few things which can be done to secure RDP from remote exploit when it is exposed to the Internet at large. You can be exposed to the internet if:

• Your Server has a Public (129.123.0.0/16 or 144.39.0.0/16) IP.
• You have a firewall exception that exposes your computer. This can happen when a USU admin configures a computer in OpenIPAM to have a global Nac-profile.

Limit the types of authentication

• When you set up the RDP service on a machine, make sure to leave the checkbox checked for Network Level Authentication, if possible. If all of your hosts are recent Windows versions, then use Network Level Authentication.

• If you are providing RDP to a varied mix of OS's and Windows versions, you may not be able to use Network Level Authentication.

• You should also be sure to limit the users allowed to connect.

Limit access using the Windows Firewall

Whether you move the RDP port or not, you should restrict the scope of what network addresses can access it using the Windows Firewall

In windows 7+, server 2008+, open Windows Firewall with Advanced Security as an administrator. To get there you can:

• Search for it

• Find it in the Control Panel under Administrative Tools

• Bring up the Control panel then System and Security then Windows Firewall then Advanced settings

In the Inbound Rules list, sort by group and scroll down to the Remote Desktop group.

For any rule that is enabled (or any in the group if desired), double-click to open the Properties and select the Scope tab.

In the Remote IP address section, select the radio button next to These IP addresses, then click the Add button to put in addresses that you wish to allow to have access.

Please set your scope as 129.123.119.0/24 (Staff VPN).

With this scope in place, you can then leverage the USU Staff VPN to encrypt your traffic from your off-campus device to campus and then establish a remote desktop session.

Change the RDP port

One of the most effective ways to avoid break-ins, is to change the RDP port. To do this, you must make a registry change, and then add a new firewall rule to allow the new RDP port. This takes a little work, but, in many situations, it gives you very real protection.

Remember:

• You are unlikely to know if your RDP server is exploitable until it is too late. Most of the time when Microsoft pushes out an RDP update, attackers have already been using the exploit (Sometimes for years!).
• Even the best managed box sometimes gets exploitable credentials. The use of keys helps, but does not eliminate this possibility. Windows Pass The Hash attacks provide opportunity to utilize the most protected credentials.

USU IT Security monitors attacks against USU RDP servers. We observe hourly attacks against USU RDP servers that are configured to run on TCP/3389. We have checked FOR YEARS and we have not yet seen a single instance of an attack against an RDP server that used a properly obscured TCP port.

If you wish to use a non-standard port number as a shared secret, you need to think about a few things:

1. Can I share this secret? If you have a very large community of people using the service, then you might not be able to share the secret with everybody who needs to know it.
2. Can I keep this secret? If you have a large number of people using the service, somebody is going to write it down on a web page somewhere. Once it gets indexed by Google, you don't have a secret any more.
3. Both 1 and 2 imply that changing the RDP port number works best when the system's RDP is used by a small number of people for system administration. If you are providing RDP, Citrix or Terminal Services to a community, you should probably keep the default port.
4. The Windows Domain management tool called Config Manager may have issues with a changed RDP port.
5. Can I pick a non-obvious port? You need to pick a port that is higher than 1025. You need to pick a port that is not included in the 1700 ports that NMap/Nessus scans by default.
6. Can I detect when it is time to change again? You need to check to see if anybody's found your secret port. Check your logs from time to time. If an attacker ever finds your port, you need to change.
7. Lest We Forget..

To change the default port of your RDP service:

• Change the RDP port settings in the Registry. Microsoft provides guidance for this process at: http://support.microsoft.com/kb/306759
• Add a incoming hole in your firewall for expected hosts to the new RDP port. (See below.)
• When you connect from an untrusted network, you may wish to first connect to USU's VPN server to obscure the final RDP port.

Once you change the RDP port in the Registry, you need to add a new firewall rule for it: 

• Follow the above instructions to open Windows Firewall with Advanced Security as an administrator.
• Click New Rule.

There are a few different ways to define a new rule for a custom port. For RDP, I usually do the following:

Type "system" in the program path. You could also put "%SystemRoot%\system32\svchost.exe” there as well:

Select TCP and put the new specific port you’ve defined for RDP:

Set the Scope:

In the Remote IP address section, select the radio button next to These IP addresses, then click the Add button to put in addresses that you wish to allow to have access.

Once again, we are asking that users set their scope to 129.123.119.0/24, doing so will encrypt your data to the USU Staff VPN. 

Allow the connection:

Select the networks you wish the rule to apply to. Depending on how you classified the USU network when you connected to it for the first time on this computer, you may want to select all three.

Give the new rule a name:

In order to access your remote desktop, you must be connected to the USU Staff VPN.

Guidance regarding connecting to the USU VPN can be found here.

Follow Best Practices

• Keep up to date with your patches.
• Carefully monitor and control access to Administrative accounts.

Related Links

• Security Best Practice

For further assistance, please contact your Department IT Support or the IT Service Desk