Best Practices for Improving the Security of Remote Desktop Services (Port 3389)

Total 2659 characters, estimated reading time: 7 minutes.

Best Practices for Improving the Security of Remote Desktop Services (port 3389)

Remote Desktop Protocol (RDP) is a common method of managing servers with a default port of 3389. While this provides convenience for users, it is also an easy target for attackers. In order to effectively protect servers from brute-force and other cyberattacks, it is crucial to adopt a series of security measures. This article will detail how to enhance the security of remote desktop services and provide specific steps to optimize security settings.

Why you need to change the default port 3389

Many hackers or malware find vulnerable targets by scanning default ports such as 3389. If the default port continues to be used, it not only increases the likelihood that the server will be scanned and attacked, but it may also make threats such as brute-force cracking easier to accomplish. By changing the default port, you can effectively reduce the chances of your server being attacked by automated tools.

Steps to modify the default port:

1. Open the Registry Editor::
   • In the Run dialog box, type regedit and press enter.
2. Navigate to the following path::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
3. Modify the port number::
   • locate PortNumber key, changing its value from the default 3389 Modify to another unoccupied port number (for example:45678).
4. Update firewall rules::
   • Make sure the firewall has allowed access to the new port number.
5. restart sth.::
   • Restart the Remote Desktop Service or the entire server to apply the changes.

Strong passwords and account management

1. Use of strong passwords

Strong passwords are the first line of defense in securing servers. Weak passwords are easily breached by brute force tools, which can lead to server intrusion.

Strong password requirements:

• Not less than 12 characters in length.
• Contains upper and lower case letters, numbers and special characters.
• Avoid using dictionary words or content related to personal information (e.g., birthdays, names, etc.).

2. Disabling default accounts

• Disable the system default Administrator account from becoming a preferred target for attackers.
• Create a new account with equivalent permissions but a unique name.

3. Limiting the number of login attempts

• Configure a limit on the number of failed login attempts in Group Policy to lock the account or delay login attempts after the set number is exceeded.
• Prevents attackers from brute-force breaking passwords through numerous attempts.

network layer protection

1. Configure firewall rules

• Limit the range of IP addresses allowed to access the Remote Desktop service through a security group rule provided by Windows Firewall or the cloud service.
• For example, only fixed IP access from the office network is allowed.

2. Use of port mapping

• If you are using RDP in a local environment, you can set up port forwarding through your router to direct external access to a non-default internal port.
• This not only improves security, but also optimizes the network structure.

3. Enabling network-level authentication (NLA)

• Enable network-level authentication in the RDP settings to ensure that only authenticated users can initiate remote sessions.

Addition of Multi-Factor Accreditation (MFA)

Enabling double authentication (2FA) for remote logins is one of the most effective security measures available today. Even if an attacker obtains a username and password, he or she will still be unable to log in without a second authentication factor, such as a dynamic CAPTCHA.

Configuration Steps:

1. Add MFA using a third-party tool such as Duo Security or the authentication features built into Windows.
2. Install and configure the appropriate client application (such as Google Authenticator or Microsoft Authenticator).

Enhancing Security with VPNs

Bind the RDP service to an intranet IP to access the remote desktop via a VPN connection. the encrypted tunnel of the VPN greatly enhances the security of transmitted data.

Configuration Recommendations:

1. Install and configure a VPN server (e.g., OpenVPN, WireGuard).
2. Ensure that users connect to the VPN before accessing RDP services on the internal network.
3. Regularly update and maintain the VPN service.

Log Monitoring and Protection Tools

1. Regularly check the log-in log

• Monitor suspicious login attempts by periodically checking the login logs using Event Viewer.
• Immediate action should be taken for frequent failed attempts.

2. Installation of intrusion prevention tools

• Deploy Fail2Ban or a similar tool to automatically block malicious IPs by analyzing logs.
• Work with firewalls to dynamically block suspicious sources.

Summarize and sequence the implementation of the security policy

In order to fully enhance remote desktop security, it is recommended to follow the following step-by-step implementation:

1. Modify the default port to reduce the likelihood of being scanned.
2. Enhance account security by setting strong passwords and disabling default accounts.
3. Configure firewall rules or enable VPNs to allow only trusted network access.
4. Add multi-factor authentication to add an extra layer of protection for logins.
5. Regularly monitor logs and use protection tools to block malicious behavior.

With the above measures, your server will have a high level of security and will be able to effectively defend against most common network attacks.

First, enter the registry regedit

And if you are using a remote connection from your own computer it is equally important to pay attention to the security of the remote connection, and then find the

(HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Control \ Terminal Server \ WinStations \ RDP-Tcp)

Or directly in the Edit - Find, PortNumber character, and then find to adjust to the decimal modify their own needs of the port can be.

Of course the last to restart the server is ok. Default 3389 do not need to add the port can be, change the other ports remember to add a colon port number in order to log in smoothly!

Say goodbye to complex port numbers: Cloudflare DDNS + TLS certificates + rule-based policies, realizing secure remote access for FlyingNiu's NAS.

Youtube Video Tutorial Click to Enter In the previous article, we successfully utilized Cloudflare DDNS to achieve efficient dynamic domain name access to Flying Niu NAS, completely saying goodbye to the speed limitations of the free version of FN Connect. The speed bottleneck is solved [...]

NAS server setup SMB/NFS share mount Windows/UNRAID-NAS usage

With the increasing demand for data storage, more and more people and businesses are choosing NAS (Network Attached Storage) servers to store and share files.NAS servers can provide a home, office, or small business with the ability to set [...]

One UPS, Multiple NAS Sharing: Unraid + Santak TG-BOX 850 UPS Practical Sharing

In the previous post, we talked about the importance of UPS for NAS and how to do basic UPS setup in Unraid. In fact, Unraid has an even more powerful feature -- netserver mode, which means letting Un [...]

Immersive Translation: Bilingual webpage translator for all platforms to learn and use at the same time.

In our daily use of computers or cell phones, we often need to access various web pages or management platforms, such as PVE, Unraid, QunHui NAS, routing backend, etc. Although most of these systems already support Chinese interface, sometimes the English original is more accurate, especially for learning, tuning, and so on. Although most of these systems already support Chinese interface, sometimes the original English expression is more accurate, especially in learning, tuning [...].