Microsoft Azure helps system administrators to securely access systems using Network Security Groups and Azure Policies. The selection and implementation of a remote access solution should always take into account the security posture and risk appetite of your organization.
Leveraging remote desktop services offers great flexibility by enabling remote workers to have an experience like that of working in the office, while offering some separation from threats on the endpoints. At the same time, those benefits should be weighed against the potential threats to the corporate infrastructure network, systems, and thereby data. Regardless of the remote access implementation your organization uses, it is imperative that you implement best practices around protecting identities and minimizing attack surface to ensure new risks are not introduced.
Security considerations for remote desktop include:

- Direct accessibility of systems on the public internet.
- Vulnerability and patch management of exposed systems.
- Internal lateral movement after initial compromise.
- Multi-factor authentication (MFA).
- Session security.
- Controlling, auditing, and logging remote access.

Identify RDP use

To identify whether your company is using the Remote Desktop Protocol, you may perform an audit and review of firewall policies and scan internet-exposed address ranges and cloud services you use, to uncover any exposed systems.

Use this guidance to help secure Remote Desktop Services

Remote Desktop Services can be used for session-based virtualization, virtual desktop infrastructure (VDI), or a combination of these two services.
When using an RD Gateway server, all Remote Desktop services on your desktops and workstations should be restricted to allow access only from the RD Gateway.
Includes DUO integration. Dedicated Gateway Service Managed. Needed for RDP access to systems that are UC P4 or higher. A rough estimate might be that concurrent users can use one RD Gateway. The HA at the virtual layer provides enough fault-tolerant and reliable access; however, a slightly more sophisticated RD Gateway implementation can be done with network load balancing.

Changing the listening port will help to "hide" Remote Desktop from hackers who are scanning the network for computers listening on the default Remote Desktop port TCP. This offers effective protection against the latest RDP worms, such as Morto.
Change the listening port from to something else and remember to update any firewall rules with the new port. Although this approach is helpful, it is security by obscurity, which is not the most reliable security approach.
You should ensure that you are also using other methods to tighten down access as described in this article. Using other components like VNC or PCAnywhere is not recommended because they may not log in a fashion that is auditable or protected. With RDP, logins are audited to the local security log, and often to the domain controller auditing system.
When monitoring local security logs, look for anomalies in RDP sessions such as login attempts from the local Administrator account. Whenever possible, use GPOs or other Windows configuration management tools to ensure a consistent and secure RDP configuration across all your servers and desktops.
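One way to run the local Administrator check described above over exported Security log records, as an added example that is not part of the original guidance. It assumes logon events 4624 (success) and 4625 (failure) with LogonType 10 for RDP sessions; the sample records, host names and addresses are constructed.

```python
import re
from collections import Counter

# Security log event IDs: 4624 = successful logon, 4625 = failed logon.
LOGON_EVENTS = {4624: "success", 4625: "failure"}
# LogonType 10 = RemoteInteractive (RDP). Assumption: failures are logged as
# type 10 here; hosts using NLA may record failed attempts as type 3 instead.
RDP_LOGON_TYPE = 10
# Built-in Administrator always has RID 500, even if the account is renamed.
ADMIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-500$")

def is_local_admin(ev):
    """True when the logon targets the machine's own built-in Administrator."""
    host = ev["Computer"].split(".")[0].lower()
    local = ev.get("TargetDomainName", "").lower() == host
    by_sid = bool(ADMIN_SID.match(ev.get("TargetUserSid", "")))
    # Failed logons usually carry a null SID, so fall back to the account name.
    by_name = ev.get("TargetUserName", "").lower() == "administrator"
    return local and (by_sid or by_name)

def rdp_admin_attempts(events):
    """Count RDP logons as local Administrator per (source IP, outcome)."""
    hits = Counter()
    for ev in events:
        outcome = LOGON_EVENTS.get(ev["EventID"])
        if outcome and ev.get("LogonType") == RDP_LOGON_TYPE and is_local_admin(ev):
            hits[(ev.get("IpAddress", "-"), outcome)] += 1
    return hits

def rec(eid, ltype, user, domain, sid, ip):
    """Build one constructed record using Security event field names."""
    return {"EventID": eid, "LogonType": ltype, "TargetUserName": user,
            "TargetDomainName": domain, "TargetUserSid": sid,
            "IpAddress": ip, "Computer": "SRV01.example.org"}

DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed SID prefix
SAMPLE = [
    rec(4625, 10, "Administrator", "SRV01", "S-1-0-0", "203.0.113.7"),
    rec(4625, 10, "Administrator", "SRV01", "S-1-0-0", "203.0.113.7"),
    rec(4624, 10, "localadm", "SRV01", DOM + "-500", "203.0.113.7"),  # renamed
    rec(4624, 10, "alice", "EXAMPLE", DOM + "-1104", "198.51.100.20"),
    rec(4624, 2, "Administrator", "SRV01", DOM + "-500", "-"),  # console logon
    rec(4624, 10, "Administrator", "EXAMPLE", DOM + "-500", "198.51.100.9"),
]

if __name__ == "__main__":
    for (ip, outcome), n in sorted(rdp_admin_attempts(SAMPLE).items()):
        print(f"{ip}: {n} {outcome} RDP logon(s) as local Administrator")
```

The domain Administrator and the console logon are deliberately ignored, so only remote sessions against the machine's own built-in account are reported.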
By enforcing the use of an RDP gateway, you also get a third level of auditing that is easier to read than combing through the domain controller logins and is separate from the target machine so it is not subject to tampering.
This type of log can make it much easier to monitor how and when RDP is being used across all the devices in your environment.

You can authorize the RD Gateway by adding the following subnet to your firewall rule:

To access your system via RDP while on campus, add the appropriate campus wireless or wired networks to your firewall rule:

How secure is Windows Remote Desktop?

Basic Security Tips for Remote Desktop

1. Use strong passwords

Strong passwords on any accounts with access to Remote Desktop should be considered a required step before enabling Remote Desktop.

2. Use Two-factor authentication

Departments should consider using a two-factor authentication approach.