Author Topic: Securing Remote Desktop connections in Windows  (Read 4972 times)

rohitj

  • Guest
Securing Remote Desktop connections in Windows
« on: October 26, 2013, 06:03:21 pm »
Securing Remote Desktop connections


Changing default port of RDP


The reason for this change is that most would-be attackers port scan a range of IP addresses looking for port 3389. For a normal consumer, we would evaluate our threat base as kids who are just having a play, or maybe someone who will do damage if they gain access. A pinpointed attack on our home is unlikely for most normal citizens.

To change the standard port number of 3389 to one of our choosing we need to open the registry editor.

Choosing a port number: Any number from 8000 to 65535 would be optimal; however, you can choose almost any number up to 65535 if you wish.

1. Windows + R

2. Type regedit

3. Drill down the registry to the RDP-Tcp key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

4. In the window on the right-hand side you will see an entry called “PortNumber”

Tip: Click in the window on the right and press “PO” on the keyboard.

5. Double-click this entry, choose “Decimal” as the Base, type in your desired port number, and click OK

Don't forget to open the new port in the firewall.

Advanced Remote desktop settings


1. Open the run command dialog (Windows button + R)
2. Type gpedit.msc and press Enter
3. Go down the following path in the tree hierarchy: Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host
4. Choose “Security”
5. Open “Set client connection encryption level” and choose “High Level”, click ok
6. Open “Always prompt for password upon connection”, set to enabled and click ok
7. Open “Require secure RPC communication”, set to enabled and click ok
8. Open “Require use of specific security layer for remote (RDP) connections”, set to enabled and select “SSL (TLS 1.0)” in the drop down menu. Click ok
9. Open “Require User Authentication for remote connections by using Network Level Authentication”, set to enabled, and click ok.
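
To confirm that the port change and the five Group Policy settings above actually took effect, the following read-only PowerShell audit can be run on the host. It is an added example, not part of the original post. It assumes the policies are stored under the standard Terminal Services policy key with the value names shown, and that the NetSecurity cmdlets (Windows 8 / Server 2012 or later) are available for the firewall check.

```powershell
# Added example: read-only audit of the RDP hardening steps above. Changes nothing.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy left "Not Configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Policy value name -> data written when the setting is configured as in steps 5-9.
$expected = [ordered]@{
    MinEncryptionLevel = 3   # Set client connection encryption level = High Level
    fPromptForPassword = 1   # Always prompt for password upon connection
    fEncryptRPCTraffic = 1   # Require secure RPC communication
    SecurityLayer      = 2   # Security layer = SSL (TLS 1.0)
    UserAuthentication = 1   # Require Network Level Authentication
}

$port = Get-RegValue -Path $rdpTcp -Name 'PortNumber'
$results = @([pscustomobject]@{
    Setting = 'PortNumber'; Expected = 'not 3389'; Actual = $port
    Ok = ($null -ne $port -and $port -ne 3389)
})

foreach ($name in $expected.Keys) {
    $actual = Get-RegValue -Path $policy -Name $name
    $results += [pscustomobject]@{
        Setting = $name; Expected = $expected[$name]; Actual = $actual
        Ok = ($actual -eq $expected[$name])
    }
}

# Firewall: look for an enabled inbound allow rule that names the RDP port.
# Rules written as port ranges or "Any" are not matched by this exact comparison.
$fwRule = $null
if ($null -ne $port) {
    $fwRule = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$port" }
}
$results += [pscustomobject]@{
    Setting = 'Firewall rule for RDP port'; Expected = 'present'
    Actual = [bool]$fwRule; Ok = [bool]$fwRule
}

$results | Format-Table -AutoSize
```

Any row with `Ok` set to `False` points to a step that was skipped or has not yet been applied; an empty `Actual` column means the policy is still "Not Configured".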