
How to fix a Windows RDP vulnerability?


Windows Remote Desktop Protocol (RDP) is a powerful remote access tool, but it has a history of serious vulnerabilities: BlueKeep (CVE-2019-0708) in the past, and more recently CVE-2025-48817, a remote code execution flaw in the Microsoft Remote Desktop Client. Left unpatched, such flaws can be exploited for unauthorized access, ransomware deployment, or self-propagating worms. The primary fix is applying Microsoft security updates, combined with hardening the configuration to minimize exposure.

Step-by-Step Fixes and Best Practices

Follow these steps to patch and secure RDP. Prioritize updating your systems first.

1.  Apply All Security Patches and Updates
Install the latest Windows updates via Settings > Update & Security > Windows Update (or WSUS in enterprise environments). For CVE-2025-48817 (patched in July 2025), apply KB5062553 (Windows 11) or KB5062552 (Windows 10/Server), both available through Microsoft Update; these address critical remote code execution risks. Check for new patches regularly, as RDP flaws are often fixed in the monthly Patch Tuesday releases.

2.  Do Not Expose RDP to the Internet
Avoid port-forwarding RDP (default TCP/UDP 3389) directly to the public internet. Use a firewall to block inbound RDP traffic from external sources. In Windows Firewall, go to Advanced Settings > Inbound Rules, keep “Remote Desktop - User Mode (TCP-In)” enabled, and on its Scope tab restrict the remote IP addresses to specific management hosts or networks.

3.  Use a VPN for RDP Connections
Route all RDP traffic through a VPN (e.g., the Windows built-in VPN, OpenVPN, or Azure VPN) to encrypt sessions and keep the RDP listener off the public network. Brute-force and man-in-the-middle attempts then have to get through the VPN first. Establish the VPN connection first, then connect to RDP over the VPN tunnel.

4.  Enforce Strong Passwords and Account Policies
Require passwords of at least 16 characters (a mix of uppercase, lowercase, numbers, and symbols, or use passphrases). Configure this via Group Policy (gpedit.msc):

•  Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy: set the minimum length to 16 and enable the complexity requirement.

•  Account Lockout Policy: lock the account after 5-10 failed attempts (threshold 5, duration 15-30 minutes).
Avoid password reuse and audit accounts regularly.

5.  Enable Multi-Factor Authentication (MFA)
Add a second factor (e.g., the Microsoft Authenticator app, SMS, or a hardware token) to RDP logins, using Azure AD or a third-party tool such as Duo Security that integrates with RDP. This blocks credential-stuffing attacks even if passwords leak.

6.  Apply Least Privilege Access
Grant RDP only to the users and groups that need it, and keep local admin rights out of RDP sessions: in Group Policy, under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment, remove Administrators from “Allow log on through Remote Desktop Services”. Use standard user accounts for day-to-day RDP and elevate only when needed.

7.  Harden RDP Security Settings
Use Group Policy (Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security):

•  Set “Set client connection encryption level” to Enabled > High (or Client Compatible for legacy clients).

•  Enable “Require secure RPC communication.”

•  Set “Require use of specific security layer for remote (RDP) connections” to Enabled > SSL (TLS 1.0).

•  Enable “Require user authentication for remote connections by using Network Level Authentication” (NLA) – NLA authenticates the user before a full session is created, which blocks many pre-authentication exploits.
Restart the Remote Desktop Services after changes.

8.  Change the Default RDP Port (Optional)
Edit the registry: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, set PortNumber to a high port (e.g., 57329, decimal). Update firewall rules and any router port forwarding to match. This reduces noise from automated scans but is not a security fix on its own.

9.  Disable RDP If Unused
Turn off RDP via Settings > System > Remote Desktop > Off, or Group Policy: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Set “Allow users to connect remotely by using Remote Desktop Services” to Disabled.
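Steps 2, 7, 8 and 9 all come down to a handful of registry values and firewall rules, which is easier to audit with a script than by clicking through Group Policy. The following PowerShell is an added example, not code from the original article or from Microsoft: it reads the documented Terminal Services registry values (UserAuthentication, SecurityLayer, MinEncryptionLevel, fEncryptRPCTraffic, fDenyTSConnections, PortNumber) and the built-in “Remote Desktop” firewall rule group, reports PASS/FAIL for each setting, and can apply the hardened values. The management subnet 10.0.10.0/24, the port 57329 from step 8, and the function names are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): audit, then optionally apply,
# the RDP listener settings from steps 2, 7, 8 and 9. The registry value names
# are the documented Terminal Services policy values; the management subnet
# (10.0.10.0/24) and the custom port (57329) are assumed values for illustration.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# Desired state from step 7: NLA required, TLS security layer, High encryption, secure RPC.
$Desired = @{
    UserAuthentication = 1   # Require NLA
    SecurityLayer      = 2   # SSL (TLS) instead of legacy RDP security
    MinEncryptionLevel = 3   # High
    fEncryptRPCTraffic = 1   # Require secure RPC communication
}

function Get-RegDword([string]$Path, [string]$Name) {
    # Return $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Finding($Setting, $Expected, $Actual, $Status) {
    [pscustomobject]@{ Setting = $Setting; Expected = $Expected; Actual = $Actual; Status = $Status }
}

function Test-RdpHardening {
    # A policy value wins over the listener value, which is how Group Policy applies it.
    foreach ($name in $Desired.Keys) {
        $policy    = Get-RegDword $PolicyKey $name
        $effective = if ($null -ne $policy) { $policy } else { Get-RegDword $ListenerKey $name }
        $status    = if ($effective -eq $Desired[$name]) { 'PASS' } else { 'FAIL' }
        New-Finding $name ($Desired[$name]) $effective $status
    }
    $enabled = (Get-RegDword $TsKey 'fDenyTSConnections') -ne 1
    New-Finding 'RdpEnabled' 'only where needed' $enabled 'INFO'
    $port = Get-RegDword $ListenerKey 'PortNumber'
    New-Finding 'PortNumber' 'non-default (optional)' $port $(if ($port -eq 3389) { 'INFO' } else { 'PASS' })
    # Step 2: every enabled inbound rule must be scoped to specific addresses, not 'Any'.
    foreach ($rule in Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue) {
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $status = if ($remote -contains 'Any') { 'FAIL' } else { 'PASS' }
        New-Finding "Firewall: $($rule.DisplayName)" 'specific IPs/subnets' ($remote -join ',') $status
    }
}

function Set-RdpHardening {
    param(
        [string[]]$AllowedRemote = @('10.0.10.0/24'),  # assumed management subnet
        [int]$Port = 3389                              # e.g. 57329 to move the listener (step 8)
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value $Desired[$name] -Type DWord
    }
    # Step 2: scope the built-in Remote Desktop rules to the management network.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Set-NetFirewallRule -RemoteAddress $AllowedRemote
    if ($Port -ne 3389) {
        # Step 8: the built-in rules are bound to 3389, so a custom port needs its own scoped rule.
        Set-ItemProperty -Path $ListenerKey -Name PortNumber -Value $Port -Type DWord
        New-NetFirewallRule -DisplayName "RDP custom port $Port (TCP-In)" -Direction Inbound `
            -Protocol TCP -LocalPort $Port -RemoteAddress $AllowedRemote -Action Allow | Out-Null
    }
    # Step 7 says to restart Remote Desktop Services; this drops active sessions.
    Restart-Service -Name TermService -Force
}

function Disable-Rdp {
    # Step 9: turn the listener off on hosts that do not need RDP at all.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

Test-RdpHardening | Format-Table -AutoSize
# After reviewing the findings:  Set-RdpHardening -AllowedRemote '10.0.10.0/24' -Port 57329
```

Run Test-RdpHardening first, from a console you can reach some other way: Set-RdpHardening restarts Remote Desktop Services and will drop your own RDP session, and a wrong subnet in the firewall scope locks you out. On domain-joined machines the values written under the Policies key are overwritten at the next Group Policy refresh, so set them in the GPO itself and use the script only to verify the result.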

10.  Monitor and Audit
Enable logging for RDP events in Event Viewer (Security log, Event ID 4624 for logons). Use tools like Microsoft Defender for Endpoint to detect anomalous RDP activity.
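Event ID 4624 alone tells you that a logon happened; the useful signal for RDP is the combination of logon type, source address, and the failed-logon events (4625) around it. The following PowerShell is an added example, not part of the original article or of any Microsoft tooling: it extracts those fields from the Security log and groups them by source address so that a burst of failures, especially one followed by a success, stands out. Logon Type 10 (RemoteInteractive) and the 4624/4625 event IDs are standard Windows values; the failure threshold, the function names, and the sample records are constructed for illustration.

```powershell
# Added example (not from the original article): pull RDP logons from the
# Security log and flag sources with repeated failures. Event IDs 4624/4625
# and Logon Type 10 (RemoteInteractive) are standard Windows values; the
# failure threshold and the constructed sample records are assumptions.

function Get-RdpLogonRecords {
    param([int]$Hours = 24)
    # Reads the live Security log (administrative rights needed). Failed logons
    # (4625) only appear if the "Audit Logon" subcategory includes failures.
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $field = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            LogonType = [int]$field['LogonType']
            User      = $field['TargetUserName']
            SourceIp  = $field['IpAddress']
        }
    }
}

function Find-RdpSuspiciousSources {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$FailureThreshold = 5,        # assumed: mirrors the lockout threshold in step 4
        [int[]]$RdpLogonTypes = @(10, 3)   # 10 = RemoteInteractive; NLA failures are often logged as type 3
    )
    $Records |
        Where-Object { $_.LogonType -in $RdpLogonTypes -and $_.SourceIp -and $_.SourceIp -ne '-' } |
        Group-Object SourceIp | ForEach-Object {
            $failures  = @($_.Group | Where-Object EventId -eq 4625).Count
            $successes = @($_.Group | Where-Object EventId -eq 4624).Count
            # Many failures followed by a success from one source is the classic
            # brute-force-then-login pattern and deserves a look first.
            $verdict = if ($failures -ge $FailureThreshold -and $successes -gt 0) { 'INVESTIGATE' }
                       elseif ($failures -ge $FailureThreshold) { 'BRUTE-FORCE' }
                       else { 'OK' }
            [pscustomobject]@{
                SourceIp  = $_.Name
                Failures  = $failures
                Successes = $successes
                Users     = ($_.Group.User | Sort-Object -Unique) -join ','
                Verdict   = $verdict
            }
        } | Sort-Object Failures -Descending
}

# Constructed sample records (not real log data) so the analysis runs offline.
$now = Get-Date
$sample = @(
    foreach ($i in 1..6) {
        [pscustomobject]@{ Time = $now.AddMinutes(-$i); EventId = 4625; LogonType = 3; User = "user$i"; SourceIp = '203.0.113.7' }
    }
    [pscustomobject]@{ Time = $now; EventId = 4624; LogonType = 10; User = 'backup_svc'; SourceIp = '203.0.113.7' }
    [pscustomobject]@{ Time = $now; EventId = 4625; LogonType = 3;  User = 'jsmith';     SourceIp = '198.51.100.9' }
    [pscustomobject]@{ Time = $now; EventId = 4624; LogonType = 10; User = 'jsmith';     SourceIp = '10.0.10.5' }
)
Find-RdpSuspiciousSources -Records $sample | Format-Table -AutoSize
# Against the live log:  Find-RdpSuspiciousSources -Records (Get-RdpLogonRecords -Hours 24)
```

A source that racks up failures across many different user names and then succeeds is the pattern to chase first, since it suggests a password spray that found a weak account. Once the firewall scoping from step 2 is in place, any RDP logon from an address outside the management network is itself worth an alert, whatever the verdict column says.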

Additional Notes

•  For older systems (e.g., Windows 7/Server 2008), upgrade or migrate, as support ended years ago.

•  If you see CredSSP errors after updating (common after the May 2018 patches), update both client and server, or temporarily enable the encryption-oracle workaround via the registry (HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\AllowEncryptionOracle = 2), but revert it as soon as possible.

•  Test changes in a staging environment to avoid disruptions. For enterprise setups, consider Microsoft Remote Desktop Services (RDS) Gateway for added SSL/TLS protection.

These steps, when combined, significantly reduce RDP risks. If you encounter a specific error or CVE, provide more details for tailored advice.
