Oct 10, 2017 With the built-in tools in Windows, you can access files and control another computer remotely. We explain what you need to know about Remote Desktop Connection in Windows 10.
Microsoft today took its Microsoft Remote Desktop client for Windows 10 out of preview. You can download the new Remote Desktop app now from the Store. Until now, Windows 10 users interested in Remote Desktop had to use the Windows 8.1 version, released in March 2015. The new Universal Windows Platform app has been available for the past few months, but only as a preview. Now, the Universal app will replace the 8.1 version for both Windows 10 and Windows 10 Mobile. If you're using an older version of Windows, you won't be able to use this latest Remote Desktop release, which works on Windows 10 desktops, tablets, phones, and even through Continuum for Windows 10 Mobile. This is a gradual rollout. The Windows 10 version will be made available "to an increasing number of users over the next couple of weeks." After upgrading, your desktop connections, usernames, gateways, and general settings will be preserved.
You'll have to re-enter your passwords, and while remote resources are preserved from Windows Phone 8.1, they won't be from Windows 8.1. Also keep in mind that not all features have been ported over. Here's a list of features that Microsoft still needs to add:
- Multiple simultaneous connections
- Dynamic resolution and rotation
- Printer redirection
- Smartcard redirection
- Microphone support
- Localized app (currently English only)
If you need any of these features, Microsoft recommends that you use the Remote Desktop Connection app that ships with Windows. The company promises that a new set of features is already in the works and that it will "continue monitoring the Store comments and our feature requests site" for the next set. Keep in mind that the preview version is still available in the Store. Unlike the stable app, which has a slower update cadence and minimized risks, the preview is for those who want to use pre-release software to try new features and provide feedback. Best of all, both the stable and preview apps can be installed side-by-side. And for those who don't have Windows 10 or Windows 10 Mobile, Remote Desktop is also available for other platforms.
How secure is Windows Remote Desktop?

Remote Desktop sessions operate over an encrypted channel, preventing anyone from viewing your session by listening on the network. However, there is a vulnerability in the method used to encrypt sessions in earlier versions of RDP. This vulnerability can allow unauthorized access to your session using a man-in-the-middle attack: the legacy RDP Security Layer encrypts the session but does not authenticate the server to the client, so an attacker on the path can impersonate the host. Remote Desktop can be secured using SSL/TLS in Windows Vista, Windows 7, and Windows Server 2003/2008, which closes that gap when the client validates the server's certificate. While Remote Desktop is more secure than remote administration tools such as VNC that do not encrypt the entire session, any time Administrator access to a system is granted remotely there are risks. The following tips will help to secure Remote Desktop access to both desktops and servers that you support.

Basic Security Tips for Remote Desktop

Use strong passwords

Strong passwords on any accounts with access to Remote Desktop should be considered a required step before enabling Remote Desktop.
Refer to your campus password guidelines for tips.

Update your software

One advantage of using Remote Desktop rather than third-party remote admin tools is that its components are updated automatically with the latest security fixes in the standard Microsoft patch cycle. Make sure you are running the latest versions of both the client and server software by enabling and auditing automatic Microsoft Updates. If you are using Remote Desktop clients on other platforms, make sure they are still supported and that you have the latest versions. Older versions may not support high encryption and may have other security flaws.

Restrict access using firewalls

Use firewalls (both software and hardware where available) to restrict access to the Remote Desktop listening port (default is TCP 3389).
Using an RDP Gateway is highly recommended for restricting RDP access to desktops and servers (see the discussion below). As an alternative to support off-campus connectivity, you can use the campus VPN software to get a campus IP address and add the campus VPN network address pool to your RDP firewall exception rule. See the campus VPN service documentation for more information.

Enable Network Level Authentication

Windows Vista, Windows 7, and Windows Server 2008 also provide Network Level Authentication (NLA) by default.
It is best to leave this in place, as NLA requires the client to authenticate (over CredSSP) before a session is created on the host, so an unauthenticated client never reaches the logon screen and never consumes a session. You should only configure Remote Desktop servers to allow connections without NLA if you use Remote Desktop clients on other platforms that don't support it. On Windows Server 2008, NLA is enabled from the Remote tab of System Properties by allowing connections only from computers running Remote Desktop with Network Level Authentication. NLA should be enabled by default on Windows Server 2012, Windows 8, and Windows 10. To check, look at the Group Policy setting "Require user authentication for remote connections by using Network Level Authentication" found under Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security. This Group Policy setting must be enabled on the server running the Remote Desktop Session Host role.

Limit users who can log in using Remote Desktop

By default, all Administrators can log in to Remote Desktop. If you have multiple Administrator accounts on your computer, you should limit remote access only to those accounts that need it. If Remote Desktop is not used for system administration, remove all administrative access via RDP, and only allow the user accounts that require the RDP service.
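The firewall-scoping and NLA tips above, applied and verified on one host from an elevated PowerShell prompt. This is an added example, not part of the original article; the VPN pool address 10.20.30.0/24 is a placeholder for the campus VPN client range.

```powershell
# Added example (not from the original article). Scope the built-in RDP firewall rules
# to the VPN pool, require NLA, force TLS, then verify through the Terminal Services
# WMI provider rather than trusting the registry write.
# Assumption: 10.20.30.0/24 stands in for the campus VPN address pool.
#Requires -RunAsAdministrator

$VpnPool = '10.20.30.0/24'   # assumption: campus VPN client pool
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Firewall: keep the stock "Remote Desktop" inbound rules, but change their remote
#    scope from "Any" to the VPN pool plus the local subnet.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
    Set-NetFirewallRule -RemoteAddress $VpnPool, 'LocalSubnet'

# 2. NLA and TLS. UserAuthentication=1 requires CredSSP before a session is created.
#    SecurityLayer: 0 = legacy RDP Security (no server authentication, MITM-able),
#    1 = negotiate, 2 = TLS only.
Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $RdpKey -Name SecurityLayer      -Value 2 -Type DWord

# 3. Verify the effective listener settings and the rule scopes.
$ts = Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
$scopes = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
          Get-NetFirewallAddressFilter | ForEach-Object { $_.RemoteAddress -join '/' }

[pscustomobject]@{
    NlaRequired   = [bool]$ts.UserAuthenticationRequired   # expect True
    SecurityLayer = $ts.SecurityLayer                       # expect 2 (TLS)
    RdpRuleScopes = ($scopes | Select-Object -Unique) -join '; '
}
```

If the host is domain-joined and the NLA or firewall Group Policy settings are defined, Group Policy rewrites these values on the next refresh; in that case make the change in the GPO and use the verification step only to confirm it applied.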
For departments that manage many machines remotely, remove the local Administrator account from RDP access and add a technical group instead:
1. Click Start > Programs > Administrative Tools > Local Security Policy.
2. Under Local Policies > User Rights Assignment, open "Allow logon through Terminal Services" (named "Allow logon through Remote Desktop Services" on newer versions).
3. Remove the Administrators group and leave the Remote Desktop Users group.
4. Use the System control panel to add users to the Remote Desktop Users group.
By default, the Local Security Policy grants this right to both Administrators and Remote Desktop Users. The problem is that "Administrators" is there by default, and your "Local Admin" account is a member of Administrators. Even with a password convention that avoids identical local admin passwords across machines and tight control over who knows those passwords, working on a machine remotely as a shared local admin account does not properly log and identify the person using the system. It is best to override the local security policy with a Group Policy setting. To control access to the systems even more, using "Restricted Groups" via Group Policy is also helpful. If you use a "Restricted Group" setting to place your group, e.g., "CAMPUSLAW-TECHIES", into "Administrators" and "Remote Desktop Users", your techies will still have administrative access remotely, but using the steps above you have removed the problematic local Administrator account's RDP access. Going forward, whenever new machines are added to the OU under the GPO, your settings will be correct.

Set an account lockout policy

By setting your computer to lock an account after a set number of incorrect guesses, you will help prevent attackers from using automated password-guessing tools to gain access to your system (this is known as a "brute-force" attack).
To set an account lockout policy:
1. Go to Start > Programs > Administrative Tools > Local Security Policy.
2. Under Account Policies > Account Lockout Policy, set values for all three options (lockout threshold, lockout duration, and the reset-counter window).
Three invalid attempts with 3-minute lockout durations are reasonable choices. Keep the duration short: an attacker who knows valid usernames can use a lockout policy to lock legitimate users out on purpose, and a short automatic unlock limits that damage.

Best Practices for Additional Security

Change the listening port for Remote Desktop

Changing the listening port will help to "hide" Remote Desktop from attackers who are scanning the network for computers listening on the default Remote Desktop port (TCP 3389). This offers some protection against RDP worms such as Morto, which only probe port 3389. To do this, edit the PortNumber value under the following registry key (WARNING: do not try this unless you are familiar with the Windows Registry and TCP/IP): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.
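The "limit users" and "account lockout" steps above, scripted for a single host so they can be repeated across many machines. This is an added example, not the article's own procedure; CAMPUS\CAMPUSLAW-TECHIES is a placeholder for the technical group, and the script must run elevated. The user right is edited through secedit because there is no built-in cmdlet for user rights assignment.

```powershell
# Added example (not from the original article): remove Administrators from the
# "Allow log on through Remote Desktop Services" right, keep Remote Desktop Users, add a
# technical group, then set the lockout policy. Assumption: CAMPUS\CAMPUSLAW-TECHIES is a
# placeholder domain group.
#Requires -RunAsAdministrator

$TechGroup   = 'CAMPUS\CAMPUSLAW-TECHIES'   # assumption
$AdminsSid   = 'S-1-5-32-544'               # well-known SID: Administrators
$RdpUsersSid = 'S-1-5-32-555'               # well-known SID: Remote Desktop Users
$cfg = Join-Path $env:TEMP 'secpol.inf'

# 1. Export the local policy and find who currently holds the RDP logon right.
#    The .inf line looks like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
secedit /export /cfg $cfg /quiet | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeRemoteInteractiveLogonRight*' } |
        Select-Object -First 1
"Before: $line"

$holders = @()
if ($line) { $holders = ($line -split '=', 2)[1].Trim() -split ',' }
# 2. Drop Administrators, make sure Remote Desktop Users stays, add the tech group.
#    secedit accepts account names as well as *SID entries in the .inf.
$holders = @($holders | Where-Object { $_ -and $_ -ne "*$AdminsSid" }) +
           "*$RdpUsersSid", $TechGroup | Select-Object -Unique
$newLine = 'SeRemoteInteractiveLogonRight = ' + ($holders -join ',')

# 3. Apply only the USER_RIGHTS area; the list in the .inf replaces the existing holders.
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$newLine
"@ | Set-Content -Path $cfg -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'secpol.sdb') /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
"After:  $newLine"

# 4. The right now points at Remote Desktop Users, so put the tech group in that group too.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $TechGroup -ErrorAction SilentlyContinue

# 5. Lockout policy: 3 bad guesses, 3-minute lockout, counter resets after 3 minutes.
net accounts /lockoutthreshold:3 /lockoutduration:3 /lockoutwindow:3 | Out-Null
net accounts | Select-String 'Lockout'

Remove-Item $cfg -ErrorAction SilentlyContinue
```

On domain-joined machines where a GPO defines this user right, the local change is overwritten at the next policy refresh; put the same holder list in the GPO (or use Restricted Groups as described above) instead of running this per host.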
Change the listening port from 3389 to something else and remember to update any firewall rules with the new port. Although this approach is helpful, it is security by obscurity: a scanner that fingerprints services will still find the listener on the new port, so it is not a reliable control on its own. You should ensure that you are also using other methods to tighten down access as described in this article.

Use RDP Gateways

Using an RDP Gateway is strongly recommended. It provides a way to tightly restrict access to Remote Desktop ports while supporting remote connections through a single "Gateway" server. When using an RD Gateway server, all Remote Desktop services on your desktops and workstations should be restricted to allow access only from the RD Gateway.
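The port change and the "allow only the RD Gateway" restriction, done together so the firewall rule and the listener never disagree. This is an added example, not from the original article; 33890 and 10.1.2.3 are placeholders for the new port and the gateway's internal address.

```powershell
# Added example (not from the original article): move the RDP listener off 3389 and
# allow inbound RDP only from the RD Gateway. Assumptions: 33890 is the new port and
# 10.1.2.3 is the RD Gateway's internal address (both placeholders).
#Requires -RunAsAdministrator

$NewPort   = 33890
$GatewayIp = '10.1.2.3'
$RdpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RuleName  = 'RDP (custom port, RD Gateway only)'

# 1. The listener port is the PortNumber DWORD in the RDP-Tcp WinStation key.
$oldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

# 2. The stock "Remote Desktop" rules are bound to 3389; disable them and add one rule
#    for the new port whose remote scope is the gateway alone.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($rule) {
    $rule | Set-NetFirewallRule -LocalPort $NewPort -RemoteAddress $GatewayIp
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $NewPort -RemoteAddress $GatewayIp -Action Allow -Profile Domain, Private | Out-Null
}

# 3. The new port is read when the Remote Desktop service starts. Restarting it drops the
#    current RDP session, so run this from a console session or accept the disconnect.
Restart-Service TermService -Force
Start-Sleep -Seconds 3

# 4. Confirm the listener is bound where the firewall rule expects it.
$listening = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($listening) {
    "Listener moved from $oldPort to $NewPort; inbound allowed only from $GatewayIp"
} else {
    Write-Warning "Nothing is listening on $NewPort; check the PortNumber value and the TermService state"
}
```

The RD Gateway must also know the new port: clients connect to `host:33890` through the gateway, and the gateway's resource authorization policy has to permit that port (by default it allows only 3389).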
The RD Gateway server listens for Remote Desktop requests over HTTPS (port 443) and connects the client to the Remote Desktop service on the target machine. There are many online documents for configuring this embedded Windows 2008 component; start with Microsoft's official documentation. Installing and configuring the role service is mostly as described there; however, using a CalNet-issued, trusted Comodo certificate is recommended. Using a self-signed cert is OK for testing, and using a CalNet PKI cert can work if all clients have trusted the UCB root. The Comodo cert is usually better accepted, so that your end users do not receive certificate warnings (and do not learn to click through them). Some campus units use an IST-managed VPS as an RD Gateway, and a VPS seems fine for this purpose. A rough estimate is that 30-100 concurrent users can use one RD Gateway. The HA at the virtual layer provides fault-tolerant and reliable access; however, a slightly more sophisticated RD Gateway implementation can be done with network load balancing. Configuring your client to use your RD Gateway is simple and is covered in Microsoft's client documentation. In essence, a simple change on the Advanced tab of your RDP client is all that is necessary.

Tunnel Remote Desktop connections through IPSec or SSH

If using an RD Gateway is not feasible, you can add an extra layer of authentication and encryption by tunneling your Remote Desktop sessions through IPSec or SSH.
IPSec is built in to all Windows operating systems since Windows 2000, but use and management are greatly improved in Windows Vista/7/2008. If an SSH server is available, you can use SSH tunneling for Remote Desktop connections.

Use existing management tools for RDP logging and configuration

Using other components like VNC or PCAnywhere is not recommended because they may not log in a fashion that is auditable or protected. With RDP, logins are audited to the local security log, and often to the domain controller auditing system. When monitoring local security logs, look for anomalies in RDP sessions such as login attempts from the local Administrator account.
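The client-side configuration for both options above: an .rdp file that forces the connection through an RD Gateway, and the SSH tunnel used when no gateway exists. This is an added example, not the article's own material; rdgw.example.edu, lab-pc.example.edu, bastion.example.edu and the user name are placeholders, and the SSH part assumes the Windows 10 OpenSSH client (ssh.exe) is installed.

```powershell
# Added example (not from the original article). Placeholders: rdgw.example.edu (gateway),
# lab-pc.example.edu (target), bastion.example.edu (SSH server), user@... (SSH login).

function New-GatewayRdpFile {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [string] $Gateway,
        [string] $Path = (Join-Path $env:USERPROFILE "$Target.rdp")
    )
    # Key settings (standard .rdp file keys read by mstsc):
    #  gatewayusagemethod 1 = always use the gateway (0 = never, 2 = bypass for local addresses)
    #  gatewaycredentialssource 0 = password/NTLM, 1 = smartcard
    #  authentication level 1 = refuse to connect if the server's certificate cannot be
    #    validated (2 would only warn, which trains users to click through)
    #  enablecredsspsupport 1 = required for NLA
    #  redirect* 0 = do not expose the client's drives/clipboard/printers to the remote host
    $settings = @(
        "full address:s:$Target"
        "gatewayhostname:s:$Gateway"
        "gatewayusagemethod:i:1"
        "gatewaycredentialssource:i:0"
        "gatewayprofileusagemethod:i:1"
        "promptcredentialonce:i:1"
        "authentication level:i:1"
        "enablecredsspsupport:i:1"
        "redirectclipboard:i:0"
        "redirectdrives:i:0"
        "redirectprinters:i:0"
        "redirectsmartcards:i:1"
    )
    $settings | Set-Content -Path $Path -Encoding Unicode
    return $Path
}

# Option 1: RD Gateway. Double-clicking the file or passing it to mstsc does the
# "change on the Advanced tab" from the text, and it cannot be forgotten per connection.
$rdp = New-GatewayRdpFile -Target 'lab-pc.example.edu' -Gateway 'rdgw.example.edu'
mstsc.exe $rdp

# Option 2: SSH tunnel. Bind local port 13389 to 3389 on the target, via the bastion;
# -N opens no remote shell, so the tunnel lives as long as the ssh process does.
# Only the bastion's SSH port needs to be reachable from the client; 3389 on the target
# stays closed to the Internet.
Start-Process ssh.exe -ArgumentList '-N', '-L', '13389:lab-pc.example.edu:3389', 'user@bastion.example.edu'
Start-Sleep -Seconds 3
mstsc.exe /v:localhost:13389
```

With the tunnel, the RDP client sees the server's certificate for lab-pc, not the bastion's, so certificate validation and NLA still apply inside the SSH channel; the SSH host key check protects the outer hop.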
RDP also has the benefit of a central management approach via GPO as described above. Whenever possible, use GPOs or other Windows configuration management tools to ensure a consistent and secure RDP configuration across all your servers and desktops. By enforcing the use of an RD Gateway, you also get a third level of auditing that is easier to read than combing through the domain controller logins and is separate from the target machine, so it is not subject to tampering by whoever compromised that machine. This type of log can make it much easier to monitor how and when RDP is being used across all the devices in your environment.

Use two-factor authentication on highly sensitive systems

Departments with sensitive data should also consider using a two-factor authentication approach. That is beyond the scope of this article, but RD Gateways do provide a simple mechanism for controlling authentication via two-factor, certificate-based smartcards.
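The local-log review described above (RDP sessions in the Security log, with the local Administrator account and password guessing as the anomalies to flag), as an added example that is not part of the original article. The sample events are constructed for offline testing; set $UseLiveLog to $true on a real host, where reading the Security log needs administrator rights and logon auditing enabled.

```powershell
# Added example (not from the original article): pull RDP logons out of the Security log
# and flag the anomalies the text warns about. Sample data below is constructed, not real.

$UseLiveLog = $false

function Get-RdpLogonEvents {
    param([int] $Hours = 24)
    # 4624 = successful logon, 4625 = failed logon. An RDP session is LogonType 10
    # (RemoteInteractive). With NLA, a bad password is rejected before a session exists and
    # shows up as a 4625 with LogonType 3 (Network) and LogonProcessName NtLmSsp.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Parse the XML rather than relying on positional Properties[] indexes.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = [int]$d.LogonType
            Source    = $d.IpAddress
            Process   = $d.LogonProcessName
        }
    }
}

function Find-RdpAnomalies {
    param([Parameter(Mandatory)] [object[]] $Events, [int] $FailThreshold = 3)
    $findings = New-Object System.Collections.Generic.List[string]
    # Type 10 = interactive RDP session; type 3 + NtLmSsp = NLA pre-session credential check.
    $rdp = $Events | Where-Object { $_.LogonType -eq 10 -or
                                    ($_.LogonType -eq 3 -and $_.Process -eq 'NtLmSsp') }
    # a) a successful RDP session as the local built-in Administrator
    foreach ($e in $rdp) {
        if ($e.Id -eq 4624 -and $e.LogonType -eq 10 -and
            $e.User -like "$env:COMPUTERNAME\Administrator") {
            $findings.Add("Local Administrator RDP logon from $($e.Source) at $($e.Time)")
        }
    }
    # b) password guessing: repeated failures from one source address
    foreach ($g in ($rdp | Where-Object { $_.Id -eq 4625 } | Group-Object Source)) {
        if ($g.Count -ge $FailThreshold) {
            $findings.Add("$($g.Count) failed RDP logons from $($g.Name)")
        }
    }
    return ,$findings.ToArray()
}

if ($UseLiveLog) {
    $events = Get-RdpLogonEvents
} else {
    # Constructed sample: one local-admin session, three guesses from one address, one normal logon.
    $now = Get-Date
    $events = @(
        [pscustomobject]@{ Time=$now; Id=4624; User="$env:COMPUTERNAME\Administrator"; LogonType=10; Source='203.0.113.7';  Process='User32' }
        [pscustomobject]@{ Time=$now; Id=4625; User="$env:COMPUTERNAME\bob";           LogonType=3;  Source='198.51.100.9'; Process='NtLmSsp' }
        [pscustomobject]@{ Time=$now; Id=4625; User="$env:COMPUTERNAME\alice";         LogonType=3;  Source='198.51.100.9'; Process='NtLmSsp' }
        [pscustomobject]@{ Time=$now; Id=4625; User="$env:COMPUTERNAME\root";          LogonType=3;  Source='198.51.100.9'; Process='NtLmSsp' }
        [pscustomobject]@{ Time=$now; Id=4624; User='CAMPUS\techie';                    LogonType=10; Source='10.1.2.3';     Process='User32' }
    )
}
Find-RdpAnomalies -Events $events
```

On the constructed sample this reports the Administrator session from 203.0.113.7 and the three failures from 198.51.100.9. When an RD Gateway is in front of the hosts, the Source field is the gateway's address for every session, which is why the gateway's own log (Microsoft-Windows-TerminalServices-Gateway) is the place to see the real client addresses.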
Other two-factor approaches need to be handled at the Remote Desktop host itself, e.g., YubiKey or RSA.

Additional security with Network Access Protection (NAP)

Highly motivated admins can also investigate the use of Network Access Protection (NAP) with an RD Gateway; however, that technology and standard are not well developed or reliable yet. Many clients will not work if you enforce it, although by following the documentation you can audit the system to see whether it "thinks" the clients are security compliant.

Special thanks to Forrest Smalley of IST for providing content and screenshots for this article.