Whether you use Windows Server 2012 for personal projects or for business, security should be a top priority when you set up the operating system. The two short procedures below harden every connection made to the server over the Remote Desktop Protocol (RDP).
Enhance security for remote sessions
The goal of the settings below is that every RDP session is encrypted with TLS and that nobody reaches the logon screen without authenticating first. Note that none of these settings turns logging on by itself. Whether Windows records the source address of a connection attempt depends on the audit policy: with Logon/Logoff > Audit Logon set to Success and Failure, each attempt is written to the Security log as event 4624 (success) or 4625 (failure), and the TerminalServices-RemoteConnectionManager operational log records event 1149 for each successful authentication. Enable that auditing alongside the settings below, so that a brute force attack or an already compromised account shows up in the logs instead of going unnoticed.
- In a command line window (or the Run dialog) run “gpedit.msc” to open the “Local Group Policy Editor”.
- Navigate to the following path:
Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security.
Modify the following settings accordingly:
- “Set client connection encryption level”: set to “High Level”
- “Require use of specific security layer for remote (RDP) connections”: set to “SSL (TLS 1.0)”. Despite the label, this selects the TLS security layer; with “Negotiate” or “RDP” the weaker legacy RDP security layer can still be chosen.
- “Require user authentication for remote connections by using Network Level Authentication”: set to “Enabled”
! Now every RDP connection to the server is encrypted at the High level, uses TLS as the security layer and must authenticate with Network Level Authentication before a session is created. During the TLS handshake the server presents its certificate; by default this is a self-signed certificate that clients cannot validate, so they will see a certificate warning and cannot detect a man-in-the-middle. On any server reachable from an untrusted network, install a certificate that the clients trust.
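The three settings above can be checked and enforced from PowerShell without the Group Policy Editor. The following script is an added example, not part of the original tutorial: it reads the effective settings of the RDP-Tcp listener through the Win32_TSGeneralSetting WMI class (which reflects local configuration and any overriding policy), applies the hardened values where they differ, checks whether the certificate used for TLS is the self-signed default, and finally enables logon auditing and summarises the last 24 hours of failed logons by source address. The baseline hashtable and the script layout are assumptions of this example; it must be run in an elevated session on the server itself.

```powershell
# Added example (not from the original tutorial). Run elevated on the server.

# Hardened baseline: values as exposed by Win32_TSGeneralSetting.
$baseline = @{
    SecurityLayer              = 2   # SSL (TLS)
    MinEncryptionLevel         = 3   # High (128-bit)
    UserAuthenticationRequired = 1   # Network Level Authentication
}

function Get-RdpTcpSetting {
    # Effective settings of the RDP-Tcp listener (local config plus any policy override).
    Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
}

$ts = Get-RdpTcpSetting
$drift = foreach ($name in $baseline.Keys) {
    if ([int]$ts.$name -ne $baseline[$name]) {
        '{0}: is {1}, expected {2}' -f $name, [int]$ts.$name, $baseline[$name]
    }
}

if (-not $drift) {
    Write-Host 'RDP-Tcp already matches the hardened baseline.'
} else {
    Write-Warning ("Drift detected:`n  " + ($drift -join "`n  "))
    # The Set* methods apply to new connections immediately; existing sessions stay up.
    # If Group Policy defines these settings, the policy value still wins on refresh.
    Invoke-CimMethod -InputObject $ts -MethodName SetSecurityLayer `
        -Arguments @{ SecurityLayer = $baseline.SecurityLayer } | Out-Null
    Invoke-CimMethod -InputObject $ts -MethodName SetEncryptionLevel `
        -Arguments @{ MinEncryptionLevel = $baseline.MinEncryptionLevel } | Out-Null
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = $baseline.UserAuthenticationRequired } | Out-Null
    Write-Host 'Baseline applied.'
}

# With the TLS security layer the server authenticates to clients with the certificate whose
# thumbprint is stored in SSLCertificateSHA1Hash. The default is a self-signed certificate in
# the "Remote Desktop" store: it still stops passive sniffing, but clients cannot validate it,
# so an active man-in-the-middle is not detected.
$thumb = (Get-RdpTcpSetting).SSLCertificateSHA1Hash
$cert = Get-ChildItem 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
if (-not $cert) {
    Write-Warning "Listener certificate $thumb not found in the machine stores."
} elseif ($cert.Subject -eq $cert.Issuer) {
    Write-Warning "RDP is using a self-signed certificate ($($cert.Subject)); install one the clients trust."
} else {
    Write-Host "RDP certificate: $($cert.Subject), issued by $($cert.Issuer), expires $($cert.NotAfter)"
}

# Make sure failed logons are actually audited, then summarise recent failures by source.
# Caveat: with NLA, a failed CredSSP authentication is logged as 4625 with logon type 3 and the
# source address is frequently empty ("-"); those are grouped under "unknown".
auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Source = ($d | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
            User   = ($d | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            Type   = ($d | Where-Object { $_.Name -eq 'LogonType' }).'#text'
        }
    } |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Source'; e = { if ($_.Name -in '-', '') { 'unknown' } else { $_.Name } } } |
    Format-Table -AutoSize
```

A source that shows up with dozens of failures in a day is the brute force signature the introduction describes; the 4625 caveat is the reason practitioners also watch the TerminalServices-RemoteConnectionManager log, which records the client address for successful authentications.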
Set security layer and encryption level using the registry
- Run “regedit” from a command prompt or the Run dialog to open the Registry Editor.
- Navigate to the RDP-Tcp listener key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, and open the DWORD value “SecurityLayer”. Its possible values are:
- SecurityLayer 0 (RDP Security Layer, low security): the legacy RDP encryption is used for authentication before the remote desktop connection is established. Use this setting only in an isolated environment.
- SecurityLayer 1 (Negotiate, medium security): server and client negotiate the method for authentication before the connection is established. TLS is chosen when the client supports it, otherwise the RDP Security Layer is used, so the weaker option can still be selected. This is the default value; keep it only if you must support clients that cannot do TLS.
- SecurityLayer 2 (SSL, high security): Transport Layer Security, better known as TLS, is used by server and client for authentication before the connection is established. We recommend this setting for maximum security.
To change the encryption level, open the DWORD value “MinEncryptionLevel” under the same key:
- MinEncryptionLevel 1 (Low): communications sent from the client to the server are encrypted using 56-bit encryption. Data sent from the server to the client is not encrypted. This setting is not recommended, as it exposes you to various attacks.
- MinEncryptionLevel 2 (Client Compatible): communications between the server and the client are encrypted at the maximum key strength supported by the client. This is the default setting; use it only when the server serves mixed or legacy clients.
- MinEncryptionLevel 3 (High): communications between server and client are encrypted using 128-bit encryption. Use this level when all clients that access the server support 128-bit encryption; clients that do not will not be able to connect.
- MinEncryptionLevel 4 (FIPS Compliant): all communication between server and client is encrypted and decrypted with Federal Information Processing Standard (FIPS) validated algorithms. Use this setting where FIPS compliance is required and both sides support it; it goes together with the system policy “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”, and clients that cannot meet it will not be able to connect.
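The registry values described above can be read and written from PowerShell, which also lets you decode the numeric codes and refuse the weak combinations. The script below is an added example, not part of the original tutorial. It reads both the RDP-Tcp listener key and the Group Policy key (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, where the policies from the first section store the same value names and take precedence), reports the effective values together with the system FIPS policy, and writes new values only after validating them. The function names Get-RdpListenerSecurity and Set-RdpListenerSecurity and the -AllowLegacy switch are inventions of this example; run it elevated on the server.

```powershell
# Added example (not from the original tutorial). Run elevated on the server.

$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
# Group Policy writes the same value names here; when present they override the listener key.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$fipsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

$securityLayers   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
$encryptionLevels = @{ 1 = 'Low (56-bit, client to server only)'; 2 = 'Client Compatible'
                       3 = 'High (128-bit)'; 4 = 'FIPS Compliant' }

function Get-RdpListenerSecurity {
    # Returns the values the listener will actually use, preferring policy over local config.
    $local  = Get-ItemProperty -Path $listenerKey -ErrorAction Stop
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    $slFromPolicy = $policy -and $policy.PSObject.Properties['SecurityLayer']
    $elFromPolicy = $policy -and $policy.PSObject.Properties['MinEncryptionLevel']
    $sl = if ($slFromPolicy) { $policy.SecurityLayer } else { $local.SecurityLayer }
    $el = if ($elFromPolicy) { $policy.MinEncryptionLevel } else { $local.MinEncryptionLevel }
    $fips = (Get-ItemProperty -Path $fipsKey -ErrorAction SilentlyContinue).Enabled

    [pscustomobject]@{
        SecurityLayer      = '{0} ({1})' -f $sl, $securityLayers[[int]$sl]
        MinEncryptionLevel = '{0} ({1})' -f $el, $encryptionLevels[[int]$el]
        SystemFipsPolicy   = [bool]$fips
        EnforcedByPolicy   = [bool]($slFromPolicy -or $elFromPolicy)
    }
}

function Set-RdpListenerSecurity {
    param(
        [ValidateSet(0, 1, 2)]    [int]$SecurityLayer      = 2,
        [ValidateSet(1, 2, 3, 4)] [int]$MinEncryptionLevel = 3,
        [switch]$AllowLegacy   # required to write the weak values 0/1 and 1/2
    )
    if (-not $AllowLegacy -and ($SecurityLayer -lt 2 -or $MinEncryptionLevel -lt 3)) {
        throw "Refusing SecurityLayer=$SecurityLayer / MinEncryptionLevel=$MinEncryptionLevel; pass -AllowLegacy if the weaker setting is really needed."
    }
    if ($MinEncryptionLevel -eq 4 -and -not (Get-ItemProperty -Path $fipsKey -ErrorAction SilentlyContinue).Enabled) {
        Write-Warning 'FIPS level requested but the system FIPS policy is not enabled; enable it as well or clients may fail to connect.'
    }
    Set-ItemProperty -Path $listenerKey -Name SecurityLayer      -Value $SecurityLayer      -Type DWord
    Set-ItemProperty -Path $listenerKey -Name MinEncryptionLevel -Value $MinEncryptionLevel -Type DWord
    # The listener picks the new values up when it restarts: reboot, or restart Remote Desktop
    # Services (which disconnects active sessions). If EnforcedByPolicy is true, change the
    # policy instead; the registry edit alone will not win.
    Get-RdpListenerSecurity
}

# Show the current state, then apply the recommended TLS / High combination.
Get-RdpListenerSecurity
Set-RdpListenerSecurity -SecurityLayer 2 -MinEncryptionLevel 3
```

The EnforcedByPolicy field is the check worth looking at first: if the Group Policy steps from the previous section were applied, editing the listener key has no effect, and the output of Get-RdpListenerSecurity will keep showing the policy values.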
Thank you for reading our tutorial and enjoy your secured Windows Server!