I don’t really trust the security of RDP, so therefore I’d like to take some extra security measures. I found this article explaining a lot.
First put users in the remote desktop group. You can do this by right clicking on my computer, or through the conventional manager.
Administrators are always allowed access and you may want to disable this. To do that, click Start – Programs – Administrative Tools (%SystemRoot%\system32\secpol.msc /s), then Local Security Policy. With “Allow logon through Terminal Services” you can define the groups that can logon with RDP. Remote Administrators if you want.
Now you want to have some kind of automatic block after a certain number of failed attempts. In the same policy editor, go to “Account Policies – Account Lockout Policy”. Set the threshold to something useful, with useful values. I prefer not to use indefinate timeouts, to avoid legitimate people from being blocked forever.
Next you want to change the encryption level. You can do this by running “%SystemRoot%\system32\gpedit.msc /s”, going to Administrative Templates – Windows Components – Terminal Services. From there it depends on the windows version, but look for security and change:
- Set client connection encryption level. Enabled, to high.
- Always prompt client for password upon connection. Enabled.
- Require Secure RPC Communication. Enabled.
Unfortunately, forcing SSL is incompatible with the linux rdesktop client.
You may need to run gpupdate (source).
This may also be of interest. It is much more elaborate.