# How to resolve RDP service exposure from the internet?

{% hint style="info" %}
This page is a practical hardening guide.

Goal: remove direct Internet exposure of **TCP/3389**.
{% endhint %}

## Protection of the RDP Service

RDP (Remote Desktop Protocol) is a Microsoft protocol for remote access.

It typically uses **TCP port 3389**.

It is a **high-value entry point** for attackers.

{% hint style="info" %}
An exposed RDP service becomes exploitable if:

* it is affected by a public vulnerability (example: BlueKeep, CVE-2019-0708, a pre-authentication remote code execution flaw in the RDP service)
* credentials are weak, reused, or leaked (password spraying and brute force against Internet-facing RDP are routine)

Either condition is usually enough for initial access, and from there for lateral movement inside the network.
{% endhint %}

Expose RDP only on internal networks.

Do not expose it directly to the Internet.

## Solutions

Most observed RDP services are used for two reasons:

* Remote administration
* Access to documents

For remote administration, the following options can be considered (in descending order of preference):

* Deploy a Remote Desktop Gateway (RDG): RDP is tunnelled over HTTPS and only the gateway is reachable from outside
* Deploy a VPN (Virtual Private Network) and keep RDP reachable only from the VPN address range
* Harden the RDP service itself (a stop-gap only, see "RDP protocol hardening" below)

Minimum baseline:

* Block inbound **TCP/3389** on the perimeter firewall.
* Allow RDP only **from** your RD Gateway or VPN IP range.

If the second reason applies, namely access to internal documents, RDP is the wrong tool: prioritise Microsoft 365 and its SharePoint Online storage (or another managed file-sharing service) so that no desktop session has to be exposed to share files.

## Implementation of an RDP Gateway

### Description

Remote Desktop Gateway (RDG) provides a safer way to reach internal RDP servers.

It acts as an intermediary. Only the gateway is exposed to clients.

It tunnels RDP over **HTTPS (TLS)** and exposes only **TCP/443** to clients (plus **UDP/3391** if the optional UDP transport is enabled).

Place the gateway in an existing DMZ: allow only TCP/443 (and UDP/3391 if used) inbound from the Internet to the gateway, and only TCP/3389 from the gateway to the internal servers it is authorised to reach.

### Gateway installation

Connect to the Windows server that will host the gateway.

Open **Server Manager**.

#### Adding the gateway role

Once Server Manager is open, launch "Add Roles and Features" from its "Manage" menu:

<figure><img src="/files/00d6bff88e8c930496246ae242a8819c0d23b58d" alt=""><figcaption></figcaption></figure>

Then, you can proceed with the installation by clicking the "Next" button:

<figure><img src="/files/6ae3d1eeb8fce0c1d5ffecb6730fede1068d752a" alt=""><figcaption></figcaption></figure>

The installation type "Role-based or feature-based installation" must be selected before proceeding to the next section via the "Next" button:

<figure><img src="/files/217f6fb338d0b917aee801d64af194114cc474ec" alt=""><figcaption></figcaption></figure>

This step allows you to select the server on which the gateway will be installed. Once you have identified it, click on the "Next" button to continue:

<figure><img src="/files/1da33e670177d3dba39b17a22a31c1dba7d94d7e" alt=""><figcaption></figcaption></figure>

This tab allows you to select the roles to add to the server. You must select "Remote Desktop Services" before clicking "Next" to continue:

<figure><img src="/files/babf14870abb1a9af701fcc4a0a35f7979a1f5d0" alt=""><figcaption></figcaption></figure>

This tab lists optional features. Leave the default selection and continue:

<figure><img src="/files/04e76833ab81887adf5970b8f81654c8137e014f" alt=""><figcaption></figcaption></figure>

This is an informative tab about Remote Desktop Services; it can be skipped:

<figure><img src="/files/44e03621da1b19a650e8be0c44d54cf756f49916" alt=""><figcaption></figcaption></figure>

Select the **Remote Desktop Gateway** role service.

When prompted, accept the required features:

<figure><img src="/files/5af205f4609ed8dae34902a4ba790796f7c192aa" alt=""><figcaption></figcaption></figure>

Confirm the selection, then continue:

<figure><img src="/files/88988571732e0d5d83aee7168b04ae99d12d0609" alt=""><figcaption></figcaption></figure>

Certain tabs, related to the features selected previously, have been added automatically. Click "Next" to access them:

<figure><img src="/files/cc9663f559237fe5ca04fcb6f1cc90f240ffaafb" alt=""><figcaption></figcaption></figure>

This new tab describes the Network Policy and Access Services (NPS) role, which the gateway uses to evaluate its authorization policies. Click "Next" to proceed to the next section:

![](/files/bd876411e9bdccf6a748bae52c3b4304115b6dd5)

This new tab describes the Web Server (IIS) role, which hosts the gateway's HTTPS endpoint. Click "Next" to proceed to the next section:

<figure><img src="/files/0903779f11cba28b4ba0045f9c843fd0eafcb283" alt=""><figcaption></figcaption></figure>

A list of all Web Server (IIS) role services is displayed. Keep the default selection and proceed:

<figure><img src="/files/edabeb9f9308608282022ed46549a7c427e3b74f" alt=""><figcaption></figcaption></figure>

A window summarising all the services and tools that will be installed is displayed to the user. Click on the "Install" button to confirm the installation (you can authorize the server to restart automatically by ticking the "Restart the destination server automatically" box):

<figure><img src="/files/e1d7238c7bcc9586a164ddb632ee0d9a4b62e62c" alt=""><figcaption></figcaption></figure>

The installation is complete:

![](/files/bfec377b6eb4f9a594daa8636fd8a17595acaf3d)
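The same installation can be done from an elevated PowerShell session, which is easier to repeat and to review than the wizard. This is an added example and not part of the original guide; it assumes Windows Server 2012 R2 or later with the ServerManager module available.

```powershell
# Added example (not part of the original guide): install the RD Gateway role
# service from PowerShell instead of the Server Manager wizard.
Import-Module ServerManager

# RDS-Gateway pulls in the NPS and IIS components automatically, which is what
# the wizard's "Add features" prompts were asking about.
$result = Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

if (-not $result.Success) {
    throw "RD Gateway installation failed (exit code: $($result.ExitCode))"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before the gateway can be configured.'
}

# Confirm what was installed: expect RDS-Gateway, NPAS and Web-Server to be "Installed"
Get-WindowsFeature -Name RDS-Gateway, NPAS, Web-Server |
    Select-Object Name, InstallState
```

`Get-WindowsFeature` is also the quickest way to audit an existing server for roles that should not be there (for example a gateway that also became a Remote Desktop Session Host).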

### Gateway configuration

Once installation is complete, you must then configure the remote desktop gateway by launching its management tool from the "Server Manager" application and the "Tools" tab, as shown in the following figure:

<figure><img src="/files/a4c7c14b4238f9a8e43abfbf4f26773050e44edf" alt=""><figcaption></figcaption></figure>

Once the tool has been launched, select the server name in the left pane; the overview shown below appears. The newly installed gateway now has to be configured, starting with its TLS certificate: click "View or modify certificate properties":

<figure><img src="/files/616de410e8f9c2f7e23ebdf8efe269605d4bfaf5" alt=""><figcaption></figcaption></figure>

No certificate is installed on the gateway. There are two options:

1. Create a self-signed certificate
2. Or import a certificate for the gateway issued by a certification authority that the clients already trust.

The best choice is the **second option**: the certificate's subject or subject alternative name must match the FQDN that clients will enter as the gateway address. To import it:

* Select the option "Import a certificate into the RD Gateway Certificates (Local Computer)/Personal store",
* Then import it using the "Browse and Import Certificate" button:

<figure><img src="/files/68f10f1521ef27de8d0ee465cad16d9b86baa7b9" alt=""><figcaption></figcaption></figure>

If a self-signed certificate is to be created and used, simply select the "Create a self-signed certificate" option and click on the "Create and Import Certificate" button. The following window will appear:

<figure><img src="/files/8ae6a8e07247a4aba88d031a0bc707380568a72c" alt=""><figcaption></figcaption></figure>

Enter the gateway's FQDN (the name clients will use) in the first field, "Certificate name". A self-signed certificate is not trusted by anyone: it must then be exported from the server and imported into the Trusted Root Certification Authorities store of every machine that will use this gateway, which is why the CA-issued option is preferred outside a lab.

Once this step is complete, the window below will reappear. The imported certificate information will be updated, indicating that the import was successful.

Click "OK" to complete the gateway configuration:

<figure><img src="/files/464fda0dafb6de5dbcc4bd533d4f70ce29cb4d08" alt=""><figcaption></figcaption></figure>
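The certificate step can be scripted as well. This is an added example and not part of the original guide; it assumes the gateway's public name is `rdg.example.com` and that a CA-issued certificate is available as a PFX at `C:\certs\rdg.pfx` (both placeholders). The self-signed branch is a lab fallback only. The `RDS:\GatewayServer\SSLCertificate\Thumbprint` path comes from the RemoteDesktopServices PowerShell provider.

```powershell
# Added example (not part of the original guide): bind a certificate to the
# RD Gateway from PowerShell. Names and paths below are placeholders.
Import-Module RemoteDesktopServices   # provides the RDS: drive

$fqdn    = 'rdg.example.com'          # assumption: the name clients will use
$pfxPath = 'C:\certs\rdg.pfx'         # assumption: CA-issued certificate, if available

if (Test-Path $pfxPath) {
    # Preferred: certificate issued by a CA the clients already trust
    $pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
    $cert = Import-PfxCertificate -FilePath $pfxPath `
                -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
} else {
    # Lab fallback only: clients will NOT trust this until the exported .cer is
    # imported into their Trusted Root Certification Authorities store.
    $cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation 'Cert:\LocalMachine\My'
    Export-Certificate -Cert $cert -FilePath "C:\certs\$fqdn.cer" | Out-Null
}

# The name clients type must appear in the certificate's DNS names,
# otherwise every connection fails the TLS handshake at the gateway.
$dnsNames = $cert.DnsNameList | ForEach-Object { $_.Unicode }
if ($dnsNames -notcontains $fqdn) {
    Write-Warning "Certificate DNS names ($($dnsNames -join ', ')) do not include $fqdn"
}

# Point the gateway at the certificate by thumbprint, then read it back
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $cert.Thumbprint
Get-Item  -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint'
```

Whatever the source of the certificate, record its expiry date: an expired gateway certificate takes every remote administrator offline at once.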

Access rules must be added so that this gateway can be used correctly. To do this, click on the server drop-down menu on the left-hand side of the RD Gateway Manager application interface, then click on Policies and finally on Create New Authorization Policies, as shown in the figure below:

<figure><img src="/files/386a32460b5c179e181cfec59023285d42d07555" alt=""><figcaption></figcaption></figure>

The following window is displayed. Two access rules must be created:

* A connection authorization policy (RD CAP), which defines **who** may connect to the gateway and how they authenticate, **and**
* A resource authorization policy (RD RAP), which defines **which internal resources** those users may reach through the gateway.

A connection is allowed only if both policies match. Select "Create a RD CAP and a RD RAP (recommended)" and then click "Next":

<figure><img src="/files/8dc4f9889b12d1c4a1e4429d4fee8ec3d5c14c08" alt=""><figcaption></figcaption></figure>

Name the CAP rule, then click "Next":

<figure><img src="/files/acb34e6c3ebd3c69f996fdf3da7041a1d6ffb091" alt=""><figcaption></figcaption></figure>

Select the user group(s) allowed to use the gateway (CAP), then click "Next":

<figure><img src="/files/c85e210ad88794c9978e8b7a8285bd1f30c434b8" alt=""><figcaption></figcaption></figure>

This step defines the device redirection settings of the CAP rule. Redirections (clipboard, drives, printers, ports, smart cards) are convenient, but each one is also a channel through which data can leave the internal server or malware can arrive from the client:

* Prefer "Disable device redirection for the following client device types" and tick every type that is not strictly required; clipboard is often the only one administrators actually need.
* Select "Enable device redirection for all client devices" only if every redirection is genuinely necessary, then click "Next".

<figure><img src="/files/dbf7a2d3ba23cbaac09f8b377c88351578b0b534" alt=""><figcaption></figcaption></figure>

This window configures the idle timeout and the session timeout. Enable both so that forgotten sessions are disconnected and a stolen session cannot stay open indefinitely, then continue with the "Next" button:

<figure><img src="/files/c866727a8c848a698bf107f2f2b990fdef8ee08e" alt=""><figcaption></figcaption></figure>

A summary of the CAP rule configuration appears. You must now configure the RAP rule by clicking the "Next" button:

<figure><img src="/files/aef6e1e5d11d2345279c0bf29327ba933cfb59f2" alt=""><figcaption></figcaption></figure>

The RAP wizard starts by asking for a name for the RAP rule.

Select the user group membership for the RAP rule, then click "Next":

<figure><img src="/files/ae19f6e6679fa2937d3ae8b870959cd738274870" alt=""><figcaption></figcaption></figure>

In the same way as the CAP rule, only the group(s) containing legitimate users who are authorised to use the gateway to access internal resources should be selected in the "User group membership (required)" box via the "Add Group..." button.

{% hint style="info" %}
Ideally, a specific user group should be created for this access within Active Directory to ensure their legitimacy.
{% endhint %}

You can then proceed by clicking on the "Next" button:

<figure><img src="/files/3a9113cc6a58d4d69e7824a5f796b30dbf4e5b61" alt=""><figcaption></figcaption></figure>

This window specifies the internal resources that may be accessed through the gateway.

{% hint style="info" %}
Create a domain group containing only the legitimate servers reachable from this gateway and specify it with the "Select an Active Directory Domain Services network resource group" option. Avoid "Allow users to connect to any network resource": it turns the gateway into an open pivot to every host that accepts RDP.
{% endhint %}

<figure><img src="/files/d35136c23110619a772c06a7e6e03bd31891cf15" alt=""><figcaption></figcaption></figure>

Specify the allowed ports: the default RDP port 3389, or another port if some servers listen elsewhere. Keep "Allow connections only to port 3389" (or an explicit list) rather than "Allow connections to any port":

<figure><img src="/files/7b9d66626c1028135f3017d500bcc45c5b24ac85" alt=""><figcaption></figcaption></figure>

In the same way as the CAP rule, a summary of the RAP rule configuration appears. You must confirm by clicking the "Next" button:

<figure><img src="/files/2588ddf9b81305073d062f0de53e2b4357bf8b82" alt=""><figcaption></figcaption></figure>

A window pops up, confirming the CAP and RAP rules:

<figure><img src="/files/970dd4f988fcc0508c4b2b2c3fb13cd9f7cd5489" alt=""><figcaption></figcaption></figure>
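The two policies can also be created from the RemoteDesktopServices provider. This is an added example and not part of the original guide. The group names and the `Group@DOMAIN` notation for a domain called `CORP` are placeholders; the numeric encodings (`AuthMethod 1` for password, `ComputerGroupType 1` for an Active Directory computer group) and the `-ComputerGroup` / `-PortNumbers` parameters are taken from the provider's documentation and should be checked against `Get-Help New-Item -Path RDS:\GatewayServer\RAP` on the target version before use.

```powershell
# Added example (not part of the original guide): create the RD CAP and RD RAP
# through the RDS: provider. Group names are placeholders for a domain "CORP".
Import-Module RemoteDesktopServices

$userGroup     = 'RDG-Users@CORP'     # assumption: AD group of people allowed through the gateway
$resourceGroup = 'RDG-Servers@CORP'   # assumption: AD computer group of reachable internal hosts

# CAP: who may connect to the gateway and how they authenticate
# AuthMethod: 1 = password, 2 = smart card, 3 = either
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'CAP-RDG-Users' `
         -UserGroups $userGroup -AuthMethod 1

# RAP: which internal hosts those users may reach, and on which port.
# ComputerGroupType 1 ties the RAP to an AD group; type 2 ("any resource") is what to avoid.
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'RAP-RDG-Servers' `
         -UserGroups $userGroup -ComputerGroupType 1 -ComputerGroup $resourceGroup `
         -PortNumbers 3389

# Review what is now in force; anything unexpected here is a finding
Get-ChildItem -Path 'RDS:\GatewayServer\CAP'
Get-ChildItem -Path 'RDS:\GatewayServer\RAP'
```

Listing `RDS:\GatewayServer\CAP` and `RDS:\GatewayServer\RAP` is also the check to run periodically: a RAP pointing at "any network resource" or a CAP granting `Domain Users` are common drift from the wizard's defaults.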

### Launching the gateway service

Finally, the gateway service may not be running after installation. Check its status and start it if necessary, as shown in the following figure.

From the Remote Desktop Services tab of Server Manager, under "Servers" and then "Services", the service appears with the display name "Remote Desktop Gateway" (service name `TSGateway`).

It can be launched if necessary by right-clicking on this service and then clicking on "Start Services":

<figure><img src="/files/2e60b10656d9facb9718224286d50126911bc028" alt=""><figcaption></figcaption></figure>
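The same check and start from PowerShell, together with a verification that the gateway is actually listening and logging. This is an added example and not part of the original guide; it assumes the gateway runs with the default HTTPS listener on TCP/443.

```powershell
# Added example (not part of the original guide): ensure the gateway service
# (name TSGateway, display name "Remote Desktop Gateway") runs and starts with
# the server, then confirm the listener and look at the gateway's own log.
$svc = Get-Service -Name TSGateway
if ($svc.StartType -ne 'Automatic') { Set-Service -Name TSGateway -StartupType Automatic }
if ($svc.Status -ne 'Running')      { Start-Service -Name TSGateway }
Get-Service -Name TSGateway | Select-Object Name, Status, StartType

# The gateway rides on IIS, so the relevant listener is HTTPS on TCP/443
Get-NetTCPConnection -LocalPort 443 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Gateway connection events (authorised and rejected connections) are written
# to the gateway's operational log; keep this log collected centrally.
Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-Gateway/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

Forwarding `Microsoft-Windows-TerminalServices-Gateway/Operational` to the SIEM gives one place where every externally initiated RDP session, successful or denied, is recorded with the user and the target resource.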

### Flow filtering

When internal servers must only be accessible from the gateway, it is necessary to configure their internal firewall.

To do this, simply access the Windows firewall configuration and list the incoming flows ("Inbound Rules" or "Incoming Traffic Rules"), as shown in the following figure.

Among these is the built-in rule "Remote Desktop - User Mode (TCP-In)", which covers inbound RDP over TCP; its counterpart "Remote Desktop - User Mode (UDP-In)" covers the RDP UDP transport and must be scoped the same way, otherwise the restriction is only half applied. Open the rule's properties by right-clicking and selecting "Properties":

<figure><img src="/files/6c7c546d1a793ae1d743016904f18f63248947b1" alt=""><figcaption></figcaption></figure>

You must then go to the "Scope" tab to configure filtering of incoming RDP traffic:

<figure><img src="/files/c547be73ead283153e15d4497c614beaf8e6ad80" alt=""><figcaption></figcaption></figure>

In the "Remote IP Address" section, you must specify all IP addresses from which incoming RDP traffic is permitted:

* If all of these flows must pass through the gateway, the gateway's IP address must be specified.
* If the gateway is installed on the server to which an RDP connection is made, the IP address "127.0.0.1" must be specified.

<figure><img src="/files/c384ff40b889eabd5e0cf7e54883c21bcbddd641" alt=""><figcaption></figcaption></figure>
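The scope restriction applied from PowerShell, for both the TCP and the UDP rule. This is an added example and not part of the original guide; `10.0.10.5` is a placeholder for the gateway's internal address (use `127.0.0.1` in the case where the gateway runs on the same server, as described above).

```powershell
# Added example (not part of the original guide): restrict the built-in RDP
# inbound rules on an internal server so that only the gateway may reach it.
$gatewayIp = '10.0.10.5'   # assumption: the gateway's internal IP; '127.0.0.1' if co-located

# Windows ships both a TCP and a UDP "User Mode" RDP rule; scope both so the
# UDP transport cannot be used to sidestep the TCP restriction.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.DisplayName -like 'Remote Desktop - User Mode*' }

foreach ($rule in $rules) {
    # -RemoteAddress replaces the whole scope; pass an array to allow several sources
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $gatewayIp -Enabled True -Action Allow
}

# Verify: the address filter of each rule should list only the gateway
$rules | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    }
}
```

Apply this through a GPO scoped to the servers in the RAP resource group rather than by hand, so that a newly built server does not come up with the default "Any" scope.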

### Starting an RDP connection

The client must now be configured to reach the internal server through the gateway rather than directly.

After launching the "Remote Desktop Connection" application, you must configure the gateway in the "Advanced" tab, then "Settings", as shown in the following figure:

<figure><img src="/files/6333663c771eb6464c73aa936c5ff0b75e6f7cdc" alt=""><figcaption></figcaption></figure>

The following window will appear:

* Select the "Use these RD Gateway server settings" option
* Enter the **FQDN** of the previously configured RD Gateway
* Tick the "Use my RD Gateway credentials for the remote computer" box
* Confirm the configuration by clicking "OK"

<figure><img src="/files/b682d3b46528af500a149b75fe7e17cbdedef935" alt=""><figcaption></figcaption></figure>

Then, simply return to the general tab of the application, enter the name or IP address of the internal server to which the client wishes to connect and their username, before clicking on the "Connect" button as shown in the following figure:

<figure><img src="/files/322327155698955098c354a2b9f499f366e08530" alt=""><figcaption></figcaption></figure>

A window is displayed to the user so that they can verify the name or IP address of the RDP gateway and enter the password for the user account they entered previously:

<figure><img src="/files/40008ea6d325f66408574f77e7441504228cf2ef" alt=""><figcaption></figcaption></figure>

Next, either the connection succeeds, or the gateway certificate is not trusted by the client machine (usually the case with a self-signed certificate or one signed by an internal certification authority), and the following message is returned. The correct fix is to import the gateway's certificate, or the internal CA's root certificate, into the client's Trusted Root Certification Authorities store; do not train users to click through certificate warnings:

![](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwzUTKOoCOAuhqMwyJZbG%2Fuploads%2FSr92NPJRPx9JejH1f09f%2Fimage.png?alt=media\&token=f76f5b59-96ab-4dba-b5ce-ae5aee1c5039)
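The "Advanced > Settings" dialog writes the same values that a `.rdp` file carries, so the client side can be distributed as a file instead of being clicked through on every workstation. This is an added example and not part of the original guide; `rdg.example.com`, `srv01.corp.local` and `CORP\jdoe` are placeholders. The property names and values are the documented `mstsc` RDP file settings.

```powershell
# Added example (not part of the original guide): build an .rdp file that is
# pre-configured for the gateway and launch it with mstsc. Names are placeholders.
$gateway = 'rdg.example.com'    # assumption: gateway FQDN (must match its certificate)
$target  = 'srv01.corp.local'   # assumption: internal server allowed by the RAP
$user    = 'CORP\jdoe'          # assumption: member of the group allowed by the CAP

$rdp = @"
full address:s:$target
username:s:$user
gatewayhostname:s:$gateway
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
authentication level:i:1
"@
# gatewayusagemethod 1      = always go through the gateway, even from the LAN
# gatewayprofileusagemethod 1 = use the explicit settings above, not a group-policy profile
# gatewaycredentialssource 0 = password (NTLM); 1 would mean smart card
# promptcredentialonce 1    = "Use my RD Gateway credentials for the remote computer"
# authentication level 1    = refuse to connect if the target server's identity cannot be verified

$path = Join-Path $env:TEMP "$target.rdp"
Set-Content -Path $path -Value $rdp -Encoding Unicode   # mstsc stores .rdp files as UTF-16
Start-Process -FilePath 'mstsc.exe' -ArgumentList "`"$path`""
```

`authentication level:i:1` is stricter than the client default (2, warn only): it makes a man-in-the-middle on the last hop a hard failure rather than a dialog the user can dismiss.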

### RDP protocol hardening

In the event that it is necessary to expose the RDP protocol on the internet, here are several hardening measures to secure the protocol.

{% hint style="info" %}
It should be noted that these methods are not sufficient to guarantee the security of the services and should only be used temporarily.
{% endhint %}

Minimum temporary baseline:

* Enforce **MFA** for remote access (preferably via RD Gateway or VPN).
* Enable **Network Level Authentication (NLA)** on target servers.
* Restrict inbound RDP to a strict **IP allowlist** (ideally only the gateway).
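Of the three baseline items, NLA and the security layer can be enforced directly on a target server. This is an added example and not part of the original guide; the registry values are the ones written by the corresponding Group Policy settings, and the public IP used for the exposure check is a placeholder.

```powershell
# Added example (not part of the original guide): enforce NLA and TLS on the RDP
# listener of a target server, then verify the result.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# UserAuthentication 1 = NLA required: credentials are validated (CredSSP) before a
# session is created, so unauthenticated attackers never reach the session code
# that pre-authentication bugs such as BlueKeep target.
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
# SecurityLayer 2 = TLS; 1 = negotiate (can fall back), 0 = legacy RDP security
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer -Value 2 -Type DWord
# MinEncryptionLevel 3 = High (128-bit)
Set-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -Value 3 -Type DWord

# Read back: expect 1 / 2 / 3
Get-ItemProperty -Path $rdpTcp | Select-Object UserAuthentication, SecurityLayer, MinEncryptionLevel

# Exposure check, to be run from a host OUTSIDE the perimeter against the public
# address (placeholder): the TCP test on 3389 must fail once the firewall rule is in place.
$publicIp = '203.0.113.10'   # assumption: documentation range, replace with the real address
(Test-NetConnection -ComputerName $publicIp -Port 3389 -WarningAction SilentlyContinue).TcpTestSucceeded   # expect False
```

If the setting is managed by Group Policy (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security), the policy value wins over a local registry edit; set it there for domain members so it cannot be reverted locally. NLA does not replace MFA: it still accepts any valid password, so the gateway or VPN in front of it must carry the second factor.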

#### Restrict user access

Create a dedicated Active Directory group for allowed RDP users.

Use the Group Policy Management Console ([GPMC](https://www.it-connect.fr/chapitres/la-console-gpmc-group-policy-management-console/)).

Typical approach:

* Add your AD group to the local **Remote Desktop Users** group via GPO (Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups).
* Alternatively, set the user right **Allow log on through Remote Desktop Services** (User Rights Assignment) to that group only.

Members of the local **Administrators** group can always log on through RDP regardless of **Remote Desktop Users** membership, so keep that group minimal and consider **Deny log on through Remote Desktop Services** for service and local accounts.

Example (Restricted Groups / local group membership):

<figure><img src="/files/df17b58f7a941be91843adef3c1e2b3b4788b33d" alt=""><figcaption></figcaption></figure>

Add the allowed users or groups, then click OK:

<figure><img src="/files/9365299f0c8f8e85c8ae376cd6f40e7b3104c51a" alt=""><figcaption></figcaption></figure>

#### Deactivate guest account

Windows Server (2012 R2 and later) ships with a built-in Guest account. It is disabled by default, but it must be verified and kept disabled so that an attacker cannot use it as a foothold for privilege escalation on the server.

To do this, type the command `compmgmt.msc` in a command prompt to open Computer Management, then go to Local Users and Groups > Users, open the properties of "Guest" and make sure "Account is disabled" is ticked.
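Both steps, enforcing the RDP group membership and keeping Guest disabled, for one target server. This is an added example and not part of the original guide; `CORP\RDP-Allowed` is a placeholder group, and the cmdlets require the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 or later, or WMF 5.1).

```powershell
# Added example (not part of the original guide): restrict the local
# "Remote Desktop Users" group to a dedicated AD group and verify Guest is disabled.
$allowedGroup = 'CORP\RDP-Allowed'   # assumption: dedicated AD group for RDP access

# Remove anything that is not the dedicated group (stray users added "temporarily")
$current = @(Get-LocalGroupMember -Group 'Remote Desktop Users')
foreach ($member in $current) {
    if ($member.Name -ne $allowedGroup) {
        Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $member.Name
    }
}
if ($current.Name -notcontains $allowedGroup) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $allowedGroup
}

# Guest is disabled by default on Windows Server; enforce and verify rather than assume
Disable-LocalUser -Name 'Guest'
Get-LocalUser -Name 'Guest' | Select-Object Name, Enabled        # Enabled should be False

# Final state of the two groups that matter for RDP logon
Get-LocalGroupMember -Group 'Remote Desktop Users'
Get-LocalGroupMember -Group 'Administrators'
```

Reviewing `Administrators` alongside `Remote Desktop Users` matters because membership of the former grants RDP logon regardless of the latter.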

#### Temporarily lock an account in the event of a brute force attack

Repeated failed logon attempts against an account must both be logged (Security event ID 4625 for a failed logon, 4740 for a lockout) and trigger a temporary lockout, so that an attacker cannot keep guessing until a valid password is found.

Configure an **account lockout policy** (local or domain).

Domain (recommended): use the Group Policy Management Console.

* Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
* Set "Account lockout threshold" to **5** invalid logons
* Set lockout duration and reset counter to **15 minutes** (typical baseline)

{% hint style="info" %}
We recommend locking the account after 5 failed login attempts. Be aware that a lockout policy lets an attacker who knows usernames lock accounts on purpose; the 15-minute automatic unlock bounds that denial of service, and lockout events (ID 4740 on the domain controllers) should be monitored as an indicator of a spraying campaign.
{% endhint %}

#### Use a strong password policy

To reduce the risk of a successful brute force or dictionary attack, the first thing to do is to require strong passwords: a minimum length of at least 14 characters, with upper case letters, lower case letters, numbers and special characters, and a password history so that old passwords cannot be reused.

To configure this on a standalone server:

* Type the command `gpedit.msc` in a command prompt to open the Local Group Policy Editor
* Click Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.

For domain accounts, the same settings live in the Default Domain Policy, managed with the Group Policy Management Console; `gpedit.msc` only affects local accounts of the machine it is run on.
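The lockout and password baselines from the last two sections, applied to the domain, with the detection query that tells you whether the lockout is actually firing. This is an added example and not part of the original guide; `corp.local` is a placeholder domain, the domain part needs the ActiveDirectory module and Domain Admin rights, and the `net accounts` line is the equivalent for a standalone server.

```powershell
# Added example (not part of the original guide): apply the lockout and
# password baselines, then look for brute-force activity in the Security log.

# --- Domain default policy (all domain accounts) ---
Import-Module ActiveDirectory
Set-ADDefaultDomainPasswordPolicy -Identity 'corp.local' `
    -LockoutThreshold 5 -LockoutDuration '00:15:00' -LockoutObservationWindow '00:15:00' `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24
Get-ADDefaultDomainPasswordPolicy -Identity 'corp.local'

# --- Standalone server equivalent (local accounts only) ---
# net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 /minpwlen:14

# --- Detection: failed logons (4625) in the last 24 h, grouped by source and target ---
# With NLA enabled, failed RDP attempts are logged with LogonType 3 (network) at the
# CredSSP stage and the IpAddress field may be "-"; without NLA they show as LogonType 10.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Source    = ($data | Where-Object Name -eq 'IpAddress').'#text'
            User      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
        }
    } |
    Group-Object -Property Source, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# --- Lockouts (4740) are written on the domain controller that processed the lockout ---
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Many sources each failing a few times against many different accounts, rather than one source hammering one account, is the signature of password spraying, which a per-account lockout threshold alone does not stop; that pattern is why the 4625 grouping above keeps both the source and the target user.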

