How to Enable and Secure Remote Desktop on Windows

         

While there are many alternatives, Microsoft’s Remote Desktop is a perfectly viable option for accessing other computers, but it has to be properly secured.  After recommended security measures are in place, Remote Desktop is a powerful tool for geeks to use and lets you avoid installing third party apps for this type of functionality.

This guide and the screenshots that accompany it are made for Windows 8.1.  However, you should be able to follow this guide as long as you’re using one of these editions of Windows:

  • Windows 8.1 Pro
  • Windows 8.1 Enterprise
  • Windows 8 Enterprise
  • Windows 8 Pro
  • Windows 7 Professional
  • Windows 7 Enterprise
  • Windows 7 Ultimate
  • Windows Vista Business
  • Windows Vista Ultimate
  • Windows Vista Enterprise
  • Windows XP Professional

Enabling Remote Desktop

First, we need to enable Remote Desktop and select which users have remote access to the computer.  Hit Windows key + R to bring up a Run prompt, and type “sysdm.cpl.”

Another way to get to the same menu is to type “This PC” in your Start menu, right-click “This PC” and go to Properties:

Either way will bring up this menu, where you need to click on the Remote tab:

Select “Allow remote connections to this computer” and the option below it, “Allow connections only from computers running Remote Desktop with Network Level Authentication.”

It’s not a necessity to require Network Level Authentication, but doing so makes your computer more secure by protecting you from Man in the Middle attacks.  Systems even as old as Windows XP can connect to hosts with Network Level Authentication, so there’s no reason not to use it.

You may get a warning about your power options when you enable Remote Desktop:

If so, make sure you click the link to Power Options and configure your computer so it doesn’t fall asleep or hibernate.  See our article on managing power settings if you need help.

Next, click “Select Users.”

Any accounts in the Administrators group will already have access.  If you need to grant Remote Desktop access to any other users, just click “Add” and type in the usernames.

Click “Check Names” to verify the username is typed correctly and then click OK.  Click OK on the System Properties window as well.

Securing Remote Desktop

Your computer is currently connectable via Remote Desktop (only on your local network if you’re behind a router), but there are some more settings we need to configure in order to achieve maximum security.

First, let’s address the obvious one.  All of the users that you gave Remote Desktop access need to have strong passwords.  There are a lot of bots constantly scanning the internet for vulnerable PCs running Remote Desktop, so don’t underestimate the importance of a strong password.  Use more than eight characters (12+ is recommended) with numbers, lowercase and uppercase letters, and special characters.

Go to the Start menu or open a Run prompt (Windows Key + R) and type “secpol.msc” to open the Local Security Policy menu.

Once there, expand “Local Policies” and click on “User Rights Assignment.”

Double-click on the “Allow log on through Remote Desktop Services” policy listed on the right.

It’s our recommendation to remove both of the groups already listed in this window, Administrators and Remote Desktop Users.  After that, click “Add User or Group” and manually add the users you’d like to grant Remote Desktop access to.  This isn’t an essential step, but it gives you more power over which accounts get to use Remote Desktop.  If, in the future, you make a new Administrator account for some reason and forget to put a strong password on it, you’re opening your computer up to hackers around the world if you never bothered removing the “Administrators” group from this screen.

Close the Local Security Policy window and open the Local Group Policy Editor by typing “gpedit.msc” into either a Run prompt or the Start menu.

When the Local Group Policy Editor opens, expand Computer Policy > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host, and then click on Security.

Double-click on any settings in this menu to change their values.  The ones we recommend changing are:

Set client connection encryption level – Set this to High Level so your Remote Desktop sessions are secured with 128-bit encryption.

Require secure RPC communication – Set this to Enabled.

Require use of specific security layer for remote (RDP) connections – Set this to SSL (TLS 1.0).

Require user authentication for remote connections by using Network Level Authentication – Set this to Enabled.
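To confirm that the settings from this section actually took effect, the registry values behind them can be read back. The script below is an added example, not part of the original article; it only reads values, and it assumes the standard registry locations for the Remote Desktop listener and for Group Policy.

```powershell
# Added example: read-only audit of the RDP settings recommended in this guide.
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-EffectiveValue {
    param([string]$Name)
    # A value written by Group Policy overrides the listener's local value.
    $fromPolicy = Get-RegValue -Path $policy -Name $Name
    if ($null -ne $fromPolicy) { $fromPolicy } else { Get-RegValue -Path $rdpTcp -Name $Name }
}

$checks = @(
    # fDenyTSConnections = 0 means remote connections are allowed.
    @{ Setting = 'Remote Desktop enabled';       Actual = Get-RegValue $ts 'fDenyTSConnections';      Expected = 0 }
    # UserAuthentication = 1 means Network Level Authentication is required.
    @{ Setting = 'Require NLA';                  Actual = Get-EffectiveValue 'UserAuthentication';    Expected = 1 }
    # SecurityLayer: 0 = RDP, 1 = Negotiate, 2 = SSL (TLS).
    @{ Setting = 'Security layer SSL (TLS)';     Actual = Get-EffectiveValue 'SecurityLayer';         Expected = 2 }
    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High.
    @{ Setting = 'Encryption level High';        Actual = Get-EffectiveValue 'MinEncryptionLevel';    Expected = 3 }
    # fEncryptRPCTraffic is only written by the Group Policy setting.
    @{ Setting = 'Secure RPC communication';     Actual = Get-RegValue $policy 'fEncryptRPCTraffic';  Expected = 1 }
)

$checks | ForEach-Object {
    [pscustomobject]@{
        Setting  = $_.Setting
        Actual   = if ($null -eq $_.Actual) { 'not set' } else { $_.Actual }
        Expected = $_.Expected
        OK       = ($_.Actual -eq $_.Expected)
    }
} | Format-Table -AutoSize

# Current listening port, for reference (3389 unless it has been changed).
"RDP port: $(Get-RegValue $rdpTcp 'PortNumber')"
```

Any row showing “not set” or OK = False points to a policy that was not applied; run `gpupdate /force` and check again.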

Once those changes have been made, you can close the Local Group Policy Editor.  The last security recommendation we have is to change the default port that Remote Desktop listens on.  This is an optional step and is considered a security through obscurity practice, but the fact is that changing the default port number greatly decreases the amount of malicious connection attempts that your computer will receive.  Your password and security settings need to make Remote Desktop invulnerable no matter what port it is listening on, but we might as well decrease the amount of connection attempts if we can.

Security through Obscurity: Changing the Default RDP Port

By default, Remote Desktop listens on port 3389.  Pick a five digit number less than 65535 that you’d like to use for your custom Remote Desktop port number.  With that number in mind, open up the Registry Editor by typing “regedit” into a Run prompt or the Start menu.

When the Registry Editor opens up, expand HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp > then double-click on “PortNumber” in the window on the right.

With the PortNumber registry value open, select “Decimal” on the right side of the window and then type your five digit number under “Value data” on the left.

Click OK and then close the Registry Editor.

Since we’ve changed the default port that Remote Desktop uses, we’ll need to configure Windows Firewall to accept incoming connections on that port.  Go to the Start screen, search for “Windows Firewall” and click on it.

When Windows Firewall opens, click “Advanced Settings” on the left side of the window.  Then right-click on “Inbound Rules” and choose “New Rule.”

The “New Inbound Rule Wizard” will pop up.  Select Port and click next.  On the next screen, make sure TCP is selected, enter the port number you chose earlier, and then click next.  Click next two more times because the default values on the next couple of pages will be fine.  On the last page, enter a name for this new rule, such as “Custom RDP port,” and then click finish.
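The registry and firewall steps above can also be done in one pass from an elevated PowerShell prompt. This is an added example, not part of the original article; the port 50123 is a constructed sample value, and the cmdlets used require Windows 8 or later. The service restart at the end is an addition the article does not mention: the listener reads PortNumber when Remote Desktop Services starts.

```powershell
# Added example: change the RDP port and open it in Windows Firewall.
# Run elevated. 50123 is a constructed sample value; choose your own.
$newPort = 50123
$rdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# The guide asks for a five digit number less than 65535.
if ($newPort -lt 10000 -or $newPort -ge 65535) {
    throw "Port $newPort is not a five digit number below 65535."
}

# Refuse to continue if something else is already listening on that port.
$inUse = Get-NetTCPConnection -LocalPort $newPort -State Listen -ErrorAction SilentlyContinue
if ($inUse) {
    throw "Port $newPort is already in use by process ID $($inUse[0].OwningProcess)."
}

# Record the current value so the change can be reverted.
$oldPort = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
Write-Host "Changing RDP port from $oldPort to $newPort"

# Same edit as the regedit step: PortNumber is a DWORD under RDP-Tcp.
Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $newPort -Type DWord

# Same rule the New Inbound Rule Wizard creates with its default choices.
New-NetFirewallRule -DisplayName 'Custom RDP port' `
                    -Direction Inbound `
                    -Protocol TCP `
                    -LocalPort $newPort `
                    -Action Allow | Out-Null

# Restarting the service applies the new port. This disconnects any
# active Remote Desktop sessions, so run it from the console.
Restart-Service -Name TermService -Force

# Verify that the listener is now bound to the new port.
Start-Sleep -Seconds 3
Get-NetTCPConnection -LocalPort $newPort -State Listen |
    Select-Object LocalAddress, LocalPort, State
```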

Last Steps

Your computer should now be accessible on your local network.  Just specify either the IP address of the machine or its name, followed by a colon and the port number in both cases, like so:

To access your computer from outside your network, you’ll more than likely need to forward the port on your router.  After that, your PC should be remotely accessible from any device that has a Remote Desktop client.

In case you’re wondering how you can keep track of who’s logging into your PC (and from where), you can open up Event Viewer to see.

Once you have Event Viewer opened, expand Applications and Services Logs > Microsoft > Windows > TerminalServices-LocalSessionManager and then click Operational.

Click on any of the events in the right pane to see login information.
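The same log can be summarized from PowerShell instead of clicking through events one at a time. This is an added example, not part of the original article; it assumes event IDs 21 (session logon succeeded) and 25 (session reconnection succeeded) in that log, and it must be run from an elevated prompt.

```powershell
# Added example: summarize who logged in over Remote Desktop, and from where.
$logName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'

# 21 = session logon succeeded, 25 = session reconnection succeeded.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 21, 25 } `
                       -MaxEvents 1000 -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    # User and source address are stored in the event's UserData XML.
    $data = ([xml]$e.ToXml()).Event.UserData.EventXML
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        User    = $data.User
        Source  = $data.Address
    }
}

# Logons at the physical console are recorded with the address "LOCAL";
# drop them so only remote sessions remain.
$remote = $logons | Where-Object { $_.Source -and $_.Source -ne 'LOCAL' }

# One row per user and source address, most recent first.
$remote |
    Group-Object -Property User, Source |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.Group[0].User
            Source   = $_.Group[0].Source
            Sessions = $_.Count
            LastSeen = ($_.Group | Sort-Object Time -Descending)[0].Time
        }
    } |
    Sort-Object LastSeen -Descending |
    Format-Table -AutoSize
```

An account or source address you do not recognize in this output is a reason to review the user list granted Remote Desktop access earlier in this guide.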