IV. Hardening steps to secure Remote Desktop access. (Basic Security Recommendations)

by JUCC ISTF

/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */

The following security recommendations help secure a server that exposes Remote Desktop:

1. Rename the Administrator Account - Renaming the built-in Administrator account helps defeat brute force attacks against it: most such attacks guess passwords for the default account name "Administrator", and this account is not subject to account lockout. The change is made by editing the Local Security Policy.

2. Change the default RDP port - To reduce the exposure of the well-known RDP port (TCP 3389), the RDP listener can be configured to use a different port. The change must be made both on the terminal server itself and on every TS client: a registry edit changes the port the terminal server listens on, and the Client Connection Manager is used to set the port on the client side. Please refer to http://support.microsoft.com/kb/187623 for configuration details.

3. Use the highest level of encryption - Use the High encryption option, which encrypts data transmission in both directions with a 128-bit key. Use this level when the Terminal Server runs in an environment where the clients support 128-bit encryption. RDP traffic is encrypted with 128-bit encryption when a Windows XP client connects to Windows Server 2003. By default, both the Web-based and the standalone Remote Desktop clients send the encrypted RDP traffic over TCP port 3389.

4. Set Group Policy settings for the remote desktops - Making end users members of the Remote Desktop Users group grants them the privileges needed to connect to the Terminal Server.

The Remote Desktop Users group grants the same access as the Users group, plus the ability to connect remotely. Using this group saves administrative effort because the rights do not have to be set up for each user individually. By default, the permissions in a Terminal Server environment are set to provide maximum security while still allowing users to run applications: users can save files within their profile directory but cannot delete or modify certain files.

5. Restrict users to specific programs - Software restriction policies give administrators a policy-driven mechanism to identify the software programs running on computers in a domain and to control whether those programs may execute. Policies can be used to block malicious scripts, to lock down a computer, or to prevent unwanted applications from running.
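As a defender-side check on the five recommendations above, the following PowerShell script (added here as an example; it is not from the newsletter or from Microsoft) audits a terminal server against them and prints a PASS/FAIL table. It reads the documented Terminal Services values under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp (PortNumber, the registry value the KB article above edits, and MinEncryptionLevel), the Software Restriction Policies key, the RID-500 built-in Administrator account and the Remote Desktop Users group. The expected port 3390 and the check names are placeholders of my own, not values from the article.

```powershell
# Added audit script (not part of the newsletter): reports how a Windows host
# measures up against recommendations 1-5 above. It only reads settings.
# Run from an elevated PowerShell 5.1+ session on the terminal server itself;
# Get-LocalUser/Get-LocalGroupMember are not available on domain controllers.
# Registry locations are the documented Terminal Services settings; the
# expected port below is a placeholder, not a value from the article.

$RdpTcpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$SaferKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$ExpectedPort = 3390   # placeholder: the non-default port your site standardised on

$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $status = if ($Pass) { 'PASS' } else { 'FAIL' }
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $status; Detail = $Detail })
}

# 1. Locate the built-in Administrator by its well-known RID (-500) rather than
#    by name, so the check still finds the account after it has been renamed.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($null -eq $builtinAdmin) {
    Add-Finding 'Administrator account renamed' $false 'RID-500 account not found (domain controller?)'
} else {
    Add-Finding 'Administrator account renamed' ($builtinAdmin.Name -ne 'Administrator') "RID-500 account is named '$($builtinAdmin.Name)'"
}

# 2. Listener port. Changing PortNumber alone is not enough: the new port must
#    also be allowed through Windows Firewall and configured on every client.
$port = (Get-ItemProperty -Path $RdpTcpKey -Name PortNumber).PortNumber
Add-Finding 'Non-default RDP port' ($port -eq $ExpectedPort) "PortNumber = $port (expected $ExpectedPort)"

# 3. MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS.
#    Anything below 3 lets a client negotiate weaker than 128-bit encryption.
$enc = (Get-ItemProperty -Path $RdpTcpKey -Name MinEncryptionLevel -ErrorAction SilentlyContinue).MinEncryptionLevel
Add-Finding 'High (128-bit) encryption enforced' ($enc -ge 3) "MinEncryptionLevel = $enc"

# 4. Remote Desktop Users should hold named users or purpose-built groups, not
#    broad principals that silently grant every account remote logon rights.
$members    = @(Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name)
$broad      = $members | Where-Object { $_ -match '(^|\\)(Domain Users|Authenticated Users|Everyone)$' }
$memberList = if ($members.Count -gt 0) { $members -join ', ' } else { '(none)' }
Add-Finding 'Remote Desktop Users scoped to named principals' (-not $broad) "Members: $memberList"

# 5. A software restriction policy exists when the Safer key is present.
#    DefaultLevel: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted.
$srp = Get-ItemProperty -Path $SaferKey -Name DefaultLevel -ErrorAction SilentlyContinue
if ($null -eq $srp) {
    Add-Finding 'Software restriction policy configured' $false 'No SRP policy found'
} else {
    Add-Finding 'Software restriction policy configured' $true ('DefaultLevel = 0x{0:X}' -f $srp.DefaultLevel)
}

$findings | Format-Table -AutoSize
```

Run it once before and once after applying the five steps; each FAIL row names the recommendation that is not yet in place. The account check deliberately keys on the RID rather than the name, which is also the right way to build a detection rule for logon attempts against the built-in account after it has been renamed. For step 2, a registry change that is not matched by a firewall rule and updated clients locks administrators out rather than attackers.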
