Securing Remote Desktop Services (RDS) on Windows Server

How secure is Windows Remote Desktop?

Remote Desktop sessions run over an encrypted channel, so a passive listener on the network cannot read the session. However, the legacy RDP Security Layer used by earlier versions of RDP authenticates the server with a key that is publicly known, so an attacker positioned on the network path can impersonate the server and gain access to the session through a man-in-the-middle attack. Requiring the SSL/TLS security layer and Network Level Authentication, as described below, removes that weakness.

Remote Desktop can be secured with TLS on Windows 7, Windows 8, Windows 10, Windows 11 and Windows Server 2012/2016/2019 and later. Note that some of the systems listed (Windows 7, Windows 8 and Windows Server 2012) are no longer supported by Microsoft and therefore do not meet Campus security standards; if unsupported systems are still in use, a security exception is required.

While Remote Desktop is more secure than remote administration tools such as VNC that do not encrypt the entire session, granting administrative access to a system remotely always carries risk. The following tips help secure Remote Desktop access to both the desktops and the servers that you support.

Enable Network Level Authentication (NLA)
Network Level Authentication (NLA) requires the user to authenticate (through CredSSP, inside the TLS channel) before the host creates a session and shows the Windows logon screen. Unauthenticated clients therefore never reach the logon screen or consume session resources, which protects against denial-of-service and reduces the surface exposed to credential harvesting and pre-authentication attacks.

Best Practices:
– Enable NLA on all RDS hosts.
– Ensure client devices support NLA.
– Use with account lockout policies.

How to Apply:
– System Properties → Remote → tick “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)”.
– Or via GPO:
Computer Configuration → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Security → Require user authentication for remote connections by using Network Level Authentication (Enabled)
[Screenshot: Network Level Authentication setting]
Use Strong User Authentication
Enforcing strong passwords is critical for securing RDS access.

Best Practices:
– Use long, complex passwords (or passphrases) and require a change whenever compromise is suspected.
– Add multi-factor authentication for RDP access where possible, for example at the RD Gateway, whose NPS policies can be extended with MFA.
– Audit authentication logs.

How to Apply:
– Use GPO to enforce password complexity and length.
Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy (and Account Lockout Policy, so that repeated guessing locks the account)
– Verify with test logons and by reviewing the audit logs.
[Screenshot: MFA prompt for an RDP logon]
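The following PowerShell is an added example, not part of the original page: it reads the domain's effective password and lockout policy (the default domain policy plus any fine-grained policies) and reports where it falls below a baseline. It needs the ActiveDirectory RSAT module; the baseline values are assumptions to be aligned with your own standard.

```powershell
# Added example (not from the original page): verify the domain's effective
# password and lockout policy against a baseline. Requires the ActiveDirectory
# RSAT module. The baseline values are assumptions; align them with your standard.
Import-Module ActiveDirectory

$Baseline = @{ MinPasswordLength = 14; PasswordHistoryCount = 24; LockoutThreshold = 10 }

function Test-PasswordPolicy {
    param($Policy, [string]$Name)
    $findings = New-Object System.Collections.Generic.List[string]
    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings.Add("minimum length $($Policy.MinPasswordLength) < $($Baseline.MinPasswordLength)")
    }
    if (-not $Policy.ComplexityEnabled) { $findings.Add('complexity not enforced') }
    if ($Policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings.Add("history $($Policy.PasswordHistoryCount) < $($Baseline.PasswordHistoryCount)")
    }
    # LockoutThreshold 0 means accounts never lock, which leaves RDP open to online guessing.
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings.Add("lockout threshold $($Policy.LockoutThreshold) (0 = never locks)")
    }
    if ($Policy.ReversibleEncryptionEnabled) { $findings.Add('reversible encryption enabled') }
    [pscustomobject]@{
        Policy    = $Name
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

# The default domain policy covers everyone not matched by a fine-grained policy (PSO);
# a PSO with a lower precedence number wins, so each one must meet the baseline too.
$results = @(Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Name 'Default Domain Policy')
$results += Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    Test-PasswordPolicy -Policy $_ -Name "PSO: $($_.Name) (precedence $($_.Precedence))"
}
$results | Format-Table -AutoSize
```

Run it from a domain-joined management host; any row with Compliant = False names the setting to fix in the Password Policy or Account Lockout Policy GPO above.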
Limit User Access
Limiting Remote Desktop Services (RDS) access to only necessary users reduces the attack surface and enforces least privilege. Unrestricted access can lead to unauthorized login attempts or privilege abuse.

Best Practices:
– Grant access only to users or groups that require it.
– Use Active Directory Security Groups for RDS access.
– Periodically review and clean up group memberships.

How to Apply:
1. Create an AD security group (e.g., RDS_Users).
2. Add only authorized users to that group.
3. On the RDS Host, open System Properties > Remote and click “Select Users…”.
4. Add the RDS_Users group.
5. Optionally enforce with GPO:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Remote Desktop Services.
net localgroup "Remote Desktop Users" "DOMAIN\RDS_Users" /add
[Screenshot: Remote Desktop Users selection dialog]
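The following PowerShell is an added example, not from the original page: it carries out steps 1 to 4 above with one AD group, and then reviews each host to show who actually holds the "Allow log on through Remote Desktop Services" right, who is denied it, and which individual users bypassed the group model by being added to Remote Desktop Users directly. The group name, OU path, member names and server names are assumptions.

```powershell
# Added example (not from the original page): grant RDS access through one AD
# security group and review who can actually log on over RDP on each host.
# Group name, OU path, member names and server names are assumptions.
Import-Module ActiveDirectory

$GroupName = 'RDS_Users'
$OUPath    = 'OU=Groups,DC=example,DC=com'
$Servers   = @('RDSH01', 'RDSH02')

# Steps 1-2: create the group once and add only approved accounts.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OUPath
}
Add-ADGroupMember -Identity $GroupName -Members 'alice', 'bob'

# Steps 3-4: on each host, put the group (never individual users) into Remote Desktop Users.
$qualified = "$env:USERDOMAIN\$GroupName"
Invoke-Command -ComputerName $Servers -ArgumentList $qualified -ScriptBlock {
    param($member)
    $current = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
    if (-not ($current | Where-Object Name -eq $member)) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $member
    }
}

# Review: who holds "Allow log on through Remote Desktop Services" (SeRemoteInteractiveLogonRight),
# who is explicitly denied, and which individual users were added directly to the local group.
function Get-RdpLogonReview {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $inf = Join-Path $env:TEMP 'user_rights.inf'
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $lines = Get-Content $inf
        Remove-Item $inf -ErrorAction SilentlyContinue

        function Resolve-RightHolders([string]$Right) {
            $line = $lines | Where-Object { $_ -like "$Right = *" }
            if (-not $line) { return @() }
            (($line -split '=', 2)[1].Trim() -split ',') | ForEach-Object {
                $id = $_.Trim().TrimStart('*')      # secedit prefixes SIDs with '*'
                try { (New-Object System.Security.Principal.SecurityIdentifier($id)).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $id }                        # already a name, or an orphaned SID worth cleaning up
            }
        }

        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            AllowRdp    = Resolve-RightHolders 'SeRemoteInteractiveLogonRight'
            DenyRdp     = Resolve-RightHolders 'SeDenyRemoteInteractiveLogonRight'
            DirectUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                            Where-Object ObjectClass -eq 'User' | ForEach-Object Name)
        }
    }
}

Get-RdpLogonReview -ComputerName $Servers | Format-List
```

Anything listed under DirectUsers, and any entry in AllowRdp other than Administrators and Remote Desktop Users (or your RDS group), is a candidate for the periodic clean-up the best practices call for.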
Change the Default RDP Port
Changing the default Remote Desktop Protocol (RDP) port (3389) helps reduce exposure to automated scanning and brute-force attacks. This is a basic obfuscation technique—not a security mechanism.

Best Practices:
– Use a non-standard port above 1024 that does not collide with another service, but expect internet-wide scanners to fingerprint RDP on any port; the change only cuts noise from the most basic scripts.
– Document the port change and inform stakeholders.
– Configure firewall rules to match the new port.

How to Apply:
1. Open Registry Editor on the RDS server.
2. Navigate to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
3. Modify the PortNumber DWORD to your desired port (e.g., 45219).
4. Update your firewall to allow the new port.
5. Restart the Remote Desktop Services service (TermService) or reboot the server; existing sessions are dropped. Clients must then connect as host:port (for example mstsc /v:server:45219).
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "PortNumber" -Value 45219 -Type DWord
[Screenshot: PortNumber value in the RDP-Tcp registry key]
Use Firewalls and Network Segmentation
Proper firewall rules and network segmentation reduce risk by limiting RDS exposure to the internet or internal threats. Segmenting your network ensures only specific zones can access RDS services.

Best Practices:
– Only allow access from trusted IP ranges or VPN networks.
– Isolate RDS servers in a DMZ or secure VLAN.
– Use internal firewalls (Windows Firewall, Network ACLs).

How to Apply:
1. On RDS server, open Windows Defender Firewall.
2. Create a new inbound rule for TCP using your RDP port.
3. On the rule's Scope tab, restrict remote addresses to the VPN or management IP range, and disable the built-in “Remote Desktop” rules that allow any address.
4. Apply segmentation at the switch/router or NSG level if in Azure/AWS.
5. Test from authorized endpoints and monitor traffic.
New-NetFirewallRule -DisplayName "Allow RDP from VPN" -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress 10.0.0.0/24 -Action Allow
[Diagram: firewall and network zones around the RDS hosts]
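The following PowerShell is an added example, not from the original page, covering the port-change and firewall procedures together: it moves the listener to a new port, replaces the broad built-in "Remote Desktop" rule group with TCP and UDP rules scoped to the VPN range, restarts the service and verifies the listener. The port and VPN range are assumptions.

```powershell
# Added example (not from the original page): move RDP to a non-standard port,
# replace the broad built-in firewall rules with ones scoped to the VPN range,
# restart the service and verify the listener. Port and range are assumptions.
$NewPort   = 45219
$VpnRange  = '10.0.0.0/24'
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$OldPort = (Get-ItemProperty -Path $RdpTcpKey -Name PortNumber).PortNumber
Set-ItemProperty -Path $RdpTcpKey -Name PortNumber -Value $NewPort -Type DWord

# The built-in "Remote Desktop" rule group allows 3389 from any address. Disable it so
# only the scoped rules below grant access (the default inbound action is Block).
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
Get-NetFirewallRule -DisplayName 'Allow RDP*from VPN' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

New-NetFirewallRule -DisplayName 'Allow RDP from VPN' -Direction Inbound -Protocol TCP `
    -LocalPort $NewPort -RemoteAddress $VpnRange -Action Allow | Out-Null
# RDP also uses UDP on the same port for its UDP transport; scope it identically.
New-NetFirewallRule -DisplayName 'Allow RDP (UDP) from VPN' -Direction Inbound -Protocol UDP `
    -LocalPort $NewPort -RemoteAddress $VpnRange -Action Allow | Out-Null

# Apply: restarting TermService drops existing sessions, so run this from a console
# session or a remoting channel (WinRM) that does not depend on RDP.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 3

# Verify: the new port is listening and the old one is not.
$listeners = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort
if ($listeners -contains $NewPort -and $listeners -notcontains $OldPort) {
    "RDP now listening on $NewPort (was $OldPort). Clients connect with: mstsc /v:$($env:COMPUTERNAME):$NewPort"
} else {
    Write-Warning "Unexpected listener state; listening ports: $($listeners -join ', ')"
}
```

Confirm from an authorized VPN client with Test-NetConnection -ComputerName <host> -Port 45219, and from a non-VPN address that the same test fails, before documenting the change for stakeholders.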
Keep Systems Updated
Keeping your RDS servers and underlying OS up to date is vital for preventing exploits and ensuring performance and security. Attackers often target known vulnerabilities that remain unpatched.

Best Practices:
– Use centralized patch management (WSUS, SCCM, Intune).
– Subscribe to Microsoft’s Security Update Guide for alerts.
– Test patches in staging before production.

How to Apply:
1. Set up Windows Server Update Services (WSUS) or configure Windows Update GPOs.
2. Run patch testing in a lab or staging environment.
3. Regularly apply patches during defined maintenance windows.
4. Validate patch installation via PowerShell or security tools.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
[Screenshot: Get-HotFix output on an RDS server]
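The following PowerShell is an added example, not from the original page: it turns step 4 into a report of how stale a host's patching is and which applicable updates are still missing, using Get-HotFix and the Windows Update Agent COM API. The WUA API refuses calls made through a remote WinRM session, so the script is meant to run locally on each host (via a scheduled task or your management tool). The 30-day threshold is an assumption.

```powershell
# Added example (not from the original page): report how stale an RDS host's
# patching is and which applicable updates are still missing. Runs locally on the
# host, because the Windows Update Agent COM API refuses calls made through a
# remote (WinRM) session. The 30-day threshold is an assumption.
$MaxAgeDays = 30

function Get-PatchStatus {
    param([int]$MaxAge = 30)
    $lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
               Sort-Object InstalledOn -Descending | Select-Object -First 1

    # Ask the Windows Update Agent for applicable, not-yet-installed software updates.
    # It searches whatever source the host is configured for (WSUS or Microsoft Update).
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    $missing  = @(foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity      # Critical / Important / Moderate / Low / empty
            Reboot   = $u.RebootRequired
        }
    })

    $days = if ($lastFix) { ((Get-Date) - $lastFix.InstalledOn).Days } else { $null }
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        LastPatch       = if ($lastFix) { "$($lastFix.HotFixID) on $($lastFix.InstalledOn.ToShortDateString())" } else { 'none recorded' }
        DaysSincePatch  = $days
        Stale           = ($null -eq $days) -or ($days -gt $MaxAge)
        MissingTotal    = $missing.Count
        MissingCritical = @($missing | Where-Object Severity -eq 'Critical').Count
        Missing         = $missing
    }
}

$status = Get-PatchStatus -MaxAge $MaxAgeDays
$status | Format-List Computer, LastPatch, DaysSincePatch, Stale, MissingTotal, MissingCritical
$status.Missing | Sort-Object Severity | Format-Table KB, Severity, Reboot, Title -AutoSize
if ($status.Stale -or $status.MissingCritical -gt 0) {
    Write-Warning "$($status.Computer): stale=$($status.Stale); critical updates missing=$($status.MissingCritical)"
}
```

Get-HotFix only lists updates recorded as hotfixes, so a host can show a recent LastPatch and still be missing critical updates; the WUA search is the authoritative half of the check.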
Configure RDP Encryption Settings
Remote Desktop Protocol (RDP) has two related server-side settings: the security layer (legacy RDP encryption, Negotiate, or SSL/TLS), which determines how the server is authenticated and how the channel is protected, and the encryption level, which sets the minimum key strength required when the legacy RDP security layer is used. Configuring both correctly helps prevent eavesdropping, man-in-the-middle attacks (the legacy RDP layer does not authenticate the server with a trusted certificate) and credential theft.

Best Practices:
– Require the SSL (TLS) security layer, together with Network Level Authentication; do not rely on Negotiate, which falls back to the legacy RDP layer for clients that claim not to support TLS.
– Set the encryption level to High (or FIPS Compliant where mandated); avoid the “Low” and “Client Compatible” levels.
– Use Group Policy to enforce the settings across all managed systems.
– Disable TLS 1.0 and 1.1 in Schannel on the host. The policy label “SSL (TLS 1.0)” is historical; the TLS version actually negotiated is the highest one enabled on both sides.

How to Apply:
1. Open the Group Policy Management Console (GPMC).
2. Navigate to: Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
3. Enable: Require use of specific security layer for remote (RDP) connections, and set it to SSL.
4. Enable: Set client connection encryption level, and set it to High Level (or FIPS Compliant).
5. Enable: Require user authentication for remote connections by using Network Level Authentication.
6. Run gpupdate /force or reboot the system to apply the settings.
gpupdate /force
[Screenshot: RDP security layer and encryption level policies]
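The following PowerShell is an added example, not from the original page, and serves both the NLA section and this one: it reads the effective value of the three RDP transport settings (the GPO policy key overrides the local RDP-Tcp key), optionally enforces the desired state through the Win32_TSGeneralSetting CIM class that the System Properties dialog also uses, and checks whether TLS 1.0/1.1 are disabled server-side in Schannel. The desired values and the $Enforce switch are assumptions.

```powershell
# Added example (not from the original page): audit, and optionally enforce, the
# RDP transport settings from the NLA and encryption sections, then check Schannel.
# $Enforce and the desired values are assumptions.
$Enforce   = $false
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Desired state and what the numeric registry values mean.
$Desired = [ordered]@{ UserAuthentication = 1; SecurityLayer = 2; MinEncryptionLevel = 3 }
$Labels  = @{
    UserAuthentication = @{ 0 = 'NLA not required'; 1 = 'NLA required' }
    SecurityLayer      = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }
    MinEncryptionLevel = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
}

function Get-RdpSecuritySetting {
    # A value written by Group Policy overrides the local (System Properties) setting.
    param([string]$Name)
    $p = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { return [pscustomobject]@{ Name = $Name; Value = [int]$p.$Name; Source = 'GPO' } }
    $l = Get-ItemProperty -Path $LocalKey -Name $Name -ErrorAction SilentlyContinue
    [pscustomobject]@{ Name = $Name; Value = [int]$l.$Name; Source = 'Local' }
}

function Test-RdpSecurity {
    foreach ($name in $Desired.Keys) {
        $s = Get-RdpSecuritySetting -Name $name
        [pscustomobject]@{
            Setting   = $name
            Current   = "$($s.Value) ($($Labels[$name][$s.Value]))"
            Source    = $s.Source
            Desired   = "$($Desired[$name]) ($($Labels[$name][$Desired[$name]]))"
            Compliant = ($s.Value -eq $Desired[$name])
        }
    }
}

function Set-RdpSecurity {
    # Same effect as the System Properties dialog; a GPO value still overrides it.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $ts -MethodName SetSecurityLayer -Arguments @{ SecurityLayer = [uint32]$Desired.SecurityLayer } | Out-Null
    Invoke-CimMethod -InputObject $ts -MethodName SetEncryptionLevel -Arguments @{ MinEncryptionLevel = [uint32]$Desired.MinEncryptionLevel } | Out-Null
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired -Arguments @{ UserAuthenticationRequired = [uint32]$Desired.UserAuthentication } | Out-Null
}

function Test-SchannelLegacyTls {
    # Server-side TLS 1.0/1.1 are explicitly disabled when Enabled=0 and DisabledByDefault=1.
    # Absent values mean the OS default, which on older releases is "enabled".
    foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
        $k = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
        $v = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        [pscustomobject]@{ Protocol = $proto; ServerDisabled = ($v.Enabled -eq 0 -and $v.DisabledByDefault -eq 1) }
    }
}

$before = Test-RdpSecurity
$before | Format-Table -AutoSize
if ($Enforce -and ($before | Where-Object { -not $_.Compliant })) {
    Set-RdpSecurity
    Test-RdpSecurity | Format-Table -AutoSize
}
Test-SchannelLegacyTls | Format-Table -AutoSize
```

A host showing SecurityLayer 0 or 1 from source GPO must be fixed in the policy, not locally; SetSecurityLayer will appear to succeed but the policy value keeps winning.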
Monitor and Audit RDS Access
Monitoring Remote Desktop Services (RDS) access is crucial for detecting unauthorized login attempts, user activity, and overall system usage. Auditing helps identify potential threats, failed logins, and unusual behavior patterns.

Best Practices:
– Enable auditing for both successful and failed logon events.
– Store logs in a centralized logging solution (e.g., SIEM).
– Set up alerts for multiple failed login attempts or logons outside business hours.

How to Apply:
1. Open Group Policy Management Console (GPMC).
2. Go to: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff
3. Enable: Audit Logon and Audit Logoff for both success and failure.
4. Apply the GPO to the RDS server OU.
5. Use Event Viewer on the RDS servers to review the logs. In the Security log, 4624 is a successful logon (Logon Type 10 = RemoteInteractive, i.e. RDP), 4625 a failed logon, and 4778/4779 a session reconnect/disconnect; the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log records every accepted connection as event 1149 together with the source address.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } | Format-Table TimeCreated, Message -AutoSize
[Screenshot: RDS access audit logs in Event Viewer (TerminalServices-RemoteConnectionManager)]
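The following PowerShell is an added example, not from the original page: it implements the two alerts the best practices ask for (many failed logons from one source, and RDP logons outside business hours or from untrusted addresses) over the last 24 hours of the local Security log, and summarises accepted connections per source from event 1149. The thresholds, business hours and trusted source prefix are assumptions.

```powershell
# Added example (not from the original page): detection logic over the events the
# section above lists, for the last 24 hours on the local host. Thresholds, business
# hours and the trusted (VPN) source prefix are assumptions.
$Since         = (Get-Date).AddHours(-24)
$Threshold     = 10                 # failed logons from one source before alerting
$BusinessHours = 7..18              # 07:00-18:59 local time
$TrustedPrefix = '10.0.0.'          # assumed VPN range; use proper CIDR matching in production

function ConvertFrom-EventData {
    # Flatten a Security event's EventData <Data Name=...> fields into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

function Get-RdpAlerts {
    $alerts = New-Object System.Collections.Generic.List[string]

    # 1. Brute force: failed logons (4625) grouped by source address.
    $failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName; Source = $d.IpAddress; Status = $d.Status }
        }
    foreach ($g in ($failed | Group-Object Source | Where-Object Count -ge $Threshold)) {
        $users = ($g.Group.User | Sort-Object -Unique) -join ','
        $alerts.Add("brute force: $($g.Count) failed logons from $($g.Name) against $users")
    }

    # 2. Successful RDP logons (4624, Logon Type 10) outside business hours or from untrusted sources.
    $weekend = @([DayOfWeek]::Saturday, [DayOfWeek]::Sunday)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d.LogonType -ne '10') { return }
            $t = $_.TimeCreated
            $offHours  = ($t.Hour -notin $BusinessHours) -or ($t.DayOfWeek -in $weekend)
            $untrusted = "$($d.IpAddress)" -notlike "$TrustedPrefix*"
            if ($offHours -or $untrusted) {
                $alerts.Add("RDP logon $($d.TargetDomainName)\$($d.TargetUserName) from $($d.IpAddress) at $t (off-hours=$offHours untrusted=$untrusted)")
            }
        }

    # 3. Connections per source from event 1149, logged for every accepted NLA connection
    #    before the session logon; this catches sources that never produce a 4624.
    $rcm = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    $bySource = Get-WinEvent -FilterHashtable @{ LogName = $rcm; Id = 1149; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ([xml]$_.ToXml()).Event.UserData.EventXML.Param3 } |
        Group-Object | Sort-Object Count -Descending | Select-Object Name, Count

    [pscustomobject]@{ Alerts = $alerts; ConnectionsBySource = $bySource }
}

$r = Get-RdpAlerts
$r.Alerts | ForEach-Object { Write-Warning $_ }
$r.ConnectionsBySource | Format-Table -AutoSize
```

With NLA enabled, failed RDP attempts are usually recorded as 4625 with Logon Type 3 rather than 10, which is why the brute-force check groups on source address without filtering by logon type. In a SIEM the same logic becomes a count-by-source over a sliding window and a schedule-aware rule on 4624/LogonType 10.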
Disable Clipboard and Drive Redirection
Clipboard, printer, and drive redirection allow users to transfer data between their local and remote sessions. While useful, these features can create a vector for data leakage or malware infiltration in high-security environments.

Best Practices:
– Disable unnecessary redirection (especially drives and clipboard) for sensitive environments.
– Apply restrictions using Group Policy or per Session Collection (Client Settings).
– Limit features to only users or systems that require them.

How to Apply:
1. Open GPMC.
2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
3. Enable and set policies like:
Do not allow clipboard redirection
Do not allow drive redirection
4. Apply the policy to your RDS servers.
5. Run gpupdate /force or reboot.
gpupdate /force
[Screenshot: Device and Resource Redirection policies]
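The following PowerShell is an added example, not from the original page: it sets and verifies the policy registry values that the redirection GPOs above write, which is useful for confirming that a GPO actually applied or for hosts outside GPO scope. Which redirections to disable is an assumption for a sensitive host.

```powershell
# Added example (not from the original page): enforce and verify redirection
# restrictions through the policy registry values behind the GPOs listed above.
# Which redirections to disable is an assumption for a sensitive host.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Registry value -> policy setting it implements. A value of 1 disables that redirection.
$RedirectionPolicies = [ordered]@{
    fDisableClip     = 'Do not allow clipboard redirection'
    fDisableCdm      = 'Do not allow drive redirection'
    fDisableCpm      = 'Do not allow client printer redirection'
    fDisableLPT      = 'Do not allow LPT port redirection'
    fDisableCcm      = 'Do not allow COM port redirection'
    fDisablePNPRedir = 'Do not allow supported Plug and Play device redirection'
}
$ToDisable = @('fDisableClip', 'fDisableCdm', 'fDisablePNPRedir')   # assumed selection

function Set-RdpRedirectionPolicy {
    param([string[]]$Values)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($v in $Values) { Set-ItemProperty -Path $PolicyKey -Name $v -Value 1 -Type DWord }
}

function Test-RdpRedirectionPolicy {
    # Reports every redirection policy; Disabled = False means the feature is still available.
    $cur = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($v in $RedirectionPolicies.Keys) {
        [pscustomobject]@{
            Value    = $v
            Policy   = $RedirectionPolicies[$v]
            Disabled = ([int]$cur.$v -eq 1)
            Expected = ($v -in $ToDisable)
        }
    }
}

Set-RdpRedirectionPolicy -Values $ToDisable
Test-RdpRedirectionPolicy | Format-Table -AutoSize
```

The values take effect for new sessions; users already connected keep the redirections negotiated at connect time until they reconnect. For a full RDS deployment the same restrictions can be set per collection with Set-RDSessionCollectionConfiguration (-ClientDeviceRedirectionOptions and -ClientPrinterRedirected), which is what the Client Settings tab writes.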
Use Remote Desktop Gateway and Web Access
Remote Desktop Gateway (RD Gateway) tunnels RDP inside HTTPS (TCP 443, with an optional UDP 3391 transport), so users authenticate to the gateway and only the gateway needs to be reachable from outside. This avoids exposing RD Session Hosts, or port 3389, directly to the internet, which is a major security risk.

Best Practices:
– Always deploy RD Gateway with a TLS certificate issued by a trusted CA whose subject or SAN matches the gateway's public name.
– Use Network Policy Server (NPS) to enforce authentication and authorization.
– Avoid exposing RDP ports (e.g., 3389) directly to the internet.

How to Apply:
1. Install RD Gateway role via Server Manager.
2. Bind that TLS certificate to the RD Gateway (RD Gateway Manager > Properties > SSL Certificate).
3. Configure an RD CAP (Connection Authorization Policy) and RD RAP (Resource Authorization Policy) in the RD Gateway Manager.
4. Deploy Remote Desktop Web Access for browser-based access at https://yourdomain/RDWeb
5. Instruct users to connect using Remote Desktop Connection → Advanced → Settings → Use these RD Gateway server settings, or distribute the gateway in the .rdp files published by RD Web Access. To review the deployment's gateway settings from PowerShell (RemoteDesktop module, run on a server in the deployment):
Get-RDDeploymentGatewayConfiguration
[Diagram: RD Gateway and RD Web Access in front of the RDS hosts]
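The following PowerShell is an added example, not from the original page: it checks that an RD Gateway answers on 443 with a certificate that chains to a trusted CA on the checking machine, matches the gateway name and is not close to expiry, which is the condition behind the "valid certificate" best practice. The gateway name and the 30-day threshold are assumptions.

```powershell
# Added example (not from the original page): verify an RD Gateway's HTTPS endpoint
# and certificate. Gateway name and the 30-day threshold are assumptions.
$Gateway     = 'rdgw.example.com'
$MinDaysLeft = 30

function Test-RdGatewayCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any certificate at the TLS layer so it can be inspected; it is validated below.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
           [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        [pscustomobject]@{
            Gateway     = $HostName
            TlsVersion  = $ssl.SslProtocol
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            DaysLeft    = ($cert.NotAfter - (Get-Date)).Days
            ChainValid  = $chainOk
            ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            # -like treats the '*' of a wildcard SAN as a wildcard; it is slightly looser than RFC 6125 matching.
            NameMatches = [bool]($names | Where-Object { $HostName -like $_ })
            SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        }
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

$r = Test-RdGatewayCertificate -HostName $Gateway
$r | Format-List
if (-not $r.ChainValid -or -not $r.NameMatches -or $r.SelfSigned -or $r.DaysLeft -lt $MinDaysLeft) {
    Write-Warning "RD Gateway $Gateway certificate needs attention: chain=$($r.ChainValid) name=$($r.NameMatches) selfSigned=$($r.SelfSigned) daysLeft=$($r.DaysLeft)"
}
```

Run it from a machine outside the gateway's own trust store (a client on the internet side) so that an internal-only CA, which the default self-signed RD Gateway certificate also fails, is caught rather than silently trusted.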

In Microsoft Remote Desktop Services (RDS), security is implemented through various layers and encryption levels to ensure the protection of data and secure remote connections.

  1. Security Layer

This setting determines the security method used when clients connect to an RD Session Host server.

The three available security layers are:

  • SSL (TLS 1.0): TLS will be used for server authentication (the server presents a certificate) and for encrypting all data transferred between the server and the client. The policy label is historical; the TLS version negotiated is the highest one enabled in Schannel on both sides.
  • Negotiate: The most secure layer that is supported by the client will be used. If supported, SSL (TLS 1.0) will be used. If the client does not support it, the RDP Security Layer will be used. This is the default setting, and it allows a client, or an attacker in the path, that claims not to support TLS to downgrade the connection to the RDP Security Layer.
  • RDP Security Layer: Communication between the server and the client will use native RDP encryption, which does not authenticate the server with a trusted certificate. If you select RDP Security Layer, you cannot use Network Level Authentication.

For more information, refer to: Secure RDS (Remote Desktop Services) Connections with SSL | Microsoft Learn

  2. Encryption Level

This setting determines the extent to which data sent between the client and server is encrypted. 

Standard RDP Security supports four levels of encryption: Low, Client Compatible, High, and FIPS Compliant. The required Encryption Level is configured on the server.

  • Low: All data sent from the client to the server is protected by encryption based on the maximum key strength supported by the client.
  • Client Compatible: All data sent between the client and the server is protected by encryption based on the maximum key strength supported by the client.
  • High: All data sent between the client and server is protected by encryption based on the server’s maximum key strength.
  • FIPS Compliant: All data sent between the client and server is protected using Federal Information Processing Standard 140-1 validated encryption methods.

Enhanced RDP Security supports a subset of the encryption levels used by Standard RDP Security. When a client connects to a server configured for Enhanced RDP Security, the selected encryption level returned to the client is ENCRYPTION_LEVEL_NONE (0). This is due to the fact that the encryption for the session is provided by an External Security Protocol and double-encryption of the RDP traffic (although possible) is not desirable from a performance standpoint.

Conclusion
Securing RDS requires a layered approach, combining authentication, network controls, system hardening, and continuous monitoring. Regularly review your RDS deployment to ensure compliance with security best practices.