Improving Security for your Remote Desktop Connection
Remote Desktop Protocol (RDP) is the easiest and most common method for managing a Windows server. It is included in all versions of Windows Server and has a built-in client on all Windows desktops. There are also free clients available for Mac and Linux-based desktops. Unfortunately, because it is so widely used, RDP is also the target of a large number of brute force attacks on the server. Malicious users will use compromised computers to attempt to connect to your server using RDP; even if the attack is unsuccessful in guessing your administrator password, the flood of attempted connections alone can cause instability and other performance problems on your server. Fortunately, there are some approaches you can use to minimize your exposure to these types of attacks.
Virtual Private Network:
Using a Virtual Private Network (or VPN) is one of the best ways to protect your server from malicious attacks over RDP. Using a VPN connection means that before attempting to reach your server, a connection must first be made to the secure private network. This private network is encrypted and hosted outside of your server, so the secure connection itself does not require any of your server's resources. Once connected to the private network, your workstation is assigned a private IP address that is then used to open the RDP connection to the server.
When using a VPN, the server is configured to allow connections only from the VPN address, rejecting any attempts from outside IP addresses (see Scoping Ports in Windows Firewall). The VPN not only protects the server from malicious connections, but it also protects the data transmitted between your local workstation and the server over the VPN connection.
All Liquid Web accounts come with one free Cloud VPN user. For a small monthly fee, you can add additional users. See our Hosting Advisors if you have any questions about our Cloud VPN service.
Using a Hardware Firewall:
Like using a VPN, adding a hardware firewall to your server infrastructure further protects your server from malicious attacks. You can add a Liquid Web firewall to your account to allow only RDP connections from a trusted location. Our firewalls operate in much the same way that the software Windows firewall operates, but the functions are handled on the hardware itself, keeping your server resources free to handle legitimate requests.
Scoping the RDP Firewall Rule:
Similar to using a VPN, you can use your Windows firewall to limit access to your RDP port (by default, port 3389). The process of limiting access to a port to a single IP address or group of IP addresses is known as "scoping" the port. Once you scope the RDP port, your server will not accept connection attempts from any IP address not included in the scope. Scoping frees up server resources because the server does not have to process malicious connection attempts; the rejected unauthorized user is denied at the firewall before ever reaching the RDP system. Here are the steps necessary to scope your RDP port:
Step 1: Log in to the server, click on the Windows icon, and type Windows Firewall into the search bar.
Step 2: Click on Windows Firewall with Advanced Security.
Step 3: Click on Inbound Rules.
Step 4: Scroll down to find a rule labeled RDP (or using port 3389).
Step 5: Double-click on the rule, then click the Scope tab.
- Make sure to include your current IP address in the list of allowed Remote IPs (you can find your current public IP address by going to http://ip.liquidweb.com).
- Click on the radio button for These IP Addresses: under Remote IP addresses.
- Click OK to save the changes.
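The same scoping can be applied from an elevated PowerShell prompt instead of the Firewall GUI. This is an added example, not part of the original article; it assumes the built-in "Remote Desktop" rule group is in use and that the trusted addresses shown (TEST-NET ranges) are placeholders you replace with your own.

```powershell
# Trusted remote addresses allowed to reach RDP. Constructed placeholders
# (RFC 5737 TEST-NET ranges); replace with your office, home or VPN addresses.
$TrustedRemotes = @('203.0.113.10', '198.51.100.0/24')

# Lock-out guard: the address of the session you are connected from right now
# must be in the allowed list, otherwise applying the scope drops your session.
$mySession = Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue |
    Select-Object -First 1 -ExpandProperty RemoteAddress
if ($mySession -and ($TrustedRemotes -notcontains $mySession)) {
    Write-Warning "Current RDP session comes from $mySession, which is not in the allowed list (exact match check only; add it or a covering CIDR before continuing)."
    return
}

# The built-in inbound rules for Remote Desktop (TCP and UDP user-mode rules).
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction Stop

foreach ($rule in $rdpRules) {
    # Equivalent of the Scope tab: "These IP addresses" under Remote IP addresses.
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $TrustedRemotes
}

# Verify the scope actually took effect on every rule.
foreach ($rule in $rdpRules) {
    $filter = Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule
    "{0,-45} Enabled={1,-5} RemoteAddress={2}" -f $rule.DisplayName, $rule.Enabled, ($filter.RemoteAddress -join ',')
}
```

A rule whose RemoteAddress still reads "Any" has not been scoped and will keep accepting connection attempts from the whole internet.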
Changing the RDP Port
While scoping the RDP port is a great way to protect your server from malicious attempts using the Remote Desktop Protocol, sometimes it is not possible to scope the port. For instance, if you or your developer must use a dynamic IP address connection, it may not be practical to limit access based on IP address. However, there are still steps you can take to improve performance and security for RDP connections.
Most brute force attacks on RDP use the default port of 3389. If there are numerous failed attempts to log in via RDP, you can change the port that RDP uses for connections.
- Before changing the RDP port, make sure the new port you want to use is open in the firewall to prevent being locked out of your server. The best way to do this is to duplicate the current firewall rule for RDP, then update the new rule with the new port number you want to use.
- Log in to your server and open the Registry Editor by entering regedit.exe in the search bar.
- Once in the registry, navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
- Once there, scroll down the list until you find "PortNumber".
- Double-clicking on it will bring up the editor box.
- Change the base from HEX to DEC so the value is shown in decimal.
- Set the port number here and click OK (you can use whatever port number you wish, but you should pick a port that isn't already in use by another service. A list of commonly used port numbers can be found on MIT's website.)
- Close the registry editor and reboot the server.
- Be sure to reconnect to the server with the new RDP port number.
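The port change can be done in the same order (firewall first, registry second, then reboot) from an elevated PowerShell prompt. This is an added example, not from the original article; it assumes the built-in rule is named RemoteDesktop-UserMode-In-TCP and uses 3390 as a placeholder for the new port.

```powershell
# New listening port for RDP. Placeholder value; choose one not used by another service.
$NewPort = 3390
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Refuse to continue if something already listens on the chosen port.
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "Port $NewPort is already in use by another service; pick a different port."
}

# Step 1: open the new port in the firewall BEFORE touching the registry, so you
# cannot lock yourself out. Copy the scope (allowed remote addresses) from the
# existing built-in RDP rule rather than opening the new port to everyone.
$existing = Get-NetFirewallRule -Name 'RemoteDesktop-UserMode-In-TCP' -ErrorAction Stop
$scope    = Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $existing

New-NetFirewallRule -DisplayName "Remote Desktop (custom port $NewPort)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort -Action Allow `
    -RemoteAddress $scope.RemoteAddress -Profile Any | Out-Null

# Step 2: set PortNumber (stored as a DWORD; Set-ItemProperty takes the decimal value,
# which is the same thing the GUI shows once you switch the base from HEX to DEC).
$oldPort = (Get-ItemProperty -Path $RegPath -Name PortNumber).PortNumber
Set-ItemProperty -Path $RegPath -Name PortNumber -Value $NewPort -Type DWord
"RDP PortNumber changed from $oldPort to $((Get-ItemProperty -Path $RegPath -Name PortNumber).PortNumber)"

# Step 3: the new port takes effect only after a reboot. Reconnect afterwards
# as <server-address>:$NewPort, then disable or remove the old 3389 rule.
Restart-Computer -Confirm
```

Leave the original 3389 rule in place until you have confirmed a successful login on the new port; only then disable it with Disable-NetFirewallRule so that the old port no longer attracts brute force traffic.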