This tutorial will teach you how to set up, and more importantly secure, Remote Desktop on Windows 7. Remote Desktop is extremely vulnerable without taking time to properly secure it. Please note that after going through this tutorial some older systems (XP, 2000, Server 2003) may not be able to access your Windows 7 system because of the newer security features that Windows 7 employs. You can simply skip the appropriate steps if you need to retain compatibility with the older Windows operating systems.
Before we begin, make sure that the user you plan on accessing your computer with has a complex password. When I say complex, I mean eight or more alphanumeric and special characters (I stick with 16 characters). Don’t use words found in the dictionary, either.
Once you have a complex password, we can move on to enabling Remote Desktop. Click Start, right click Computer, and go to Properties. Alternatively, you can open Control Panel > System and Security > System. On the left side of the menu, click on “Remote settings.”
This is what you should see:
Click “Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)” and then click “Select Users…” towards the bottom of the menu.
You should see that no users currently have access other than the one listed below the white box area. If you are going to be using an account to connect through Remote Desktop that doesn’t have Administrator privileges, then you will need to specify them with the “Add…” button. Otherwise, your Administrator account already has access and you can click Cancel.
You can hit OK on the System Properties window. Now, go to Start and type “Local Security Policy”
Click on Local Security Policy.
Expand “Local Policies” and then click “User Rights Assignment”:
Open up the “Allow log on through Remote Desktop Services” policy.
You’ll see that the “Administrators” and “Remote Desktop Users” groups are already listed. Remove them both, along with any thing else listed. Now, click “Add User or Group…” and type the name of your user, click “Check Names” and then click OK. By editing this policy, we can ensure that only one user has access to our Remote Desktop.
As you can see from the picture above, I only have one user, tr1x, being allowed to access my computer through Remote Desktop.
While still in the “Local Security Policy” screen, we can set up auditing of account logons, to track who is logging in (or attempting to) to our computer and where from. Highlight “Audit Policy” under “Local Policies”
Edit the “Audit account logon events” and “Audit logon events” policies to log on Success and Failure. Now, the logging of an account (or logon attempt) is recorded in Event Viewer. You can check these logs by typing “Event Viewer” into your Start search bar, opening Event Viewer, expanding Windows Logs, and clicking Security.
You can click on individual logs for more information about the specific event.
There is one more setting that I’d like to mention before we close the Local Security Policy window. Expand “Account Policies” and click on “Account Lockout Policy.”
You can edit the policies in here to lockout your account after so many login attempts. I would advise against this because it can lock you out of your own account if someone decides to guess a bunch of passwords in an attempt to hack your system. I would only recommend configuring these settings if you have ridiculously sensitive information on the computer or if there is someone available to logon as a local administrator to unlock your account any time there is a hack attempt.
Next, we’ll edit some Group Policy settings. Go to Start and open a Run prompt (type run into the search bar). Type gpedit.msc into the box and click OK:
Once in the Group Policy Editor, expand Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host, and then click on Security.
I personally enabled every policy in here, but you can pick which ones you’d like to use depending on your preference. I highly recommend enabling the following:
Set client connection encryption level – enable and select high level – This forces the connection to use 128-bit encryption
Always prompt for password upon connection – This way there is no “remember my password” on computers connecting to yours (for example, in case the connecting laptop was ever stolen and then used to connect to your computer)
Requre secure RPC communication – Encrypts RPC communication
Require use of specific security layer for remote (RDP) communications – enable and set Security Layer to SSL (TLS 1.0) – This provides authentication and encryption
Requre user authentication for remote connections by using Network Level Authentication – Better authentication process, harder to hack
At this point, our Remote Desktop is pretty secure. There’s one more setting that we can use to really decrease the chance of being hacked, and that is to change the port number that Remote Desktop is operating on. By default, Remote Desktop uses port 3389. When hackers look for Remote Desktop connections to break into, this is obviously the primary port that they scan for.
To change the port number, open a Run prompt and type “regedit”.
Expand the following:
HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Control
Terminal Server
WinStations
RDP-Tcp
And then look for the entry “PortNumber”
Open this registry key up, click “Decimal” and then enter a random number that you’d like to use for the port. It should be over 10000 and can’t be more than 65535. After you’ve entered the number, click OK and close the Registry Editor.
Since we changed the port number, we’ll need to manually add an exception in Windows firewall to allow the connection. Click Start and type firewall. Click “Windows Firewall with Advanced Security”.
Click on “Inbound Rules” towards the left of the screen, and then click “New Rule…” towards the right.
Select Port > Next > Click “Specific local ports” and type the port you chose earlier > Next > Next > Next > Type a name such as “RDP custom port” and click Finish.
You’ll need to restart your computer for all these changes to take effect, and then we’re completely finished. When connecting to your computer through Remote Desktop, you will have to specify the IP address of the computer (see IP Chicken to see what yours is) followed by colon and the port number you chose. For example: 10.150.11.21:1234
If your computer is behind a router, you will need to forward the port for Remote Desktop. See this tutorial for help doing that.
———–
If this guide helped you, give us a like on Facebook, or post a question if there’s something we can help you with.