- If a user has to access multiple resources, use a remote access VPN.
If you must use RDP externally:
- Use a non-default port instead of the default TCP port 3389
- Restrict access to a single source address
- If that is not possible, restrict access to a single ISP's address range
- If that is not viable, geo-block
- To protect RDP against repeated failed logins, use EvlWatcher or RDPGuard; both block offending addresses through the Windows firewall.
EvlWatcher is configured by editing its config file. The defaults are: lockout time 3600 seconds (one hour),
trigger count 5 (number of failed logins before a ban), permanent ban after 3 temporary bans.
- Or use Local Security Policy > Account Policies > Account Lockout Policy
- If RDP must be reachable globally, enroll users in MFA.
duo.com has a solution for RDP MFA. Guide: https://youtu.be/KA9xGt4sqds
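The following PowerShell script is an added example, not part of the original notes and not code from EvlWatcher, RDPGuard or Duo. It applies the steps above that can be done with built-in Windows tools: moving the listener off TCP 3389, replacing the stock "Remote Desktop" firewall rules with one rule scoped to an allowed source, and setting the account lockout policy to the same thresholds as the EvlWatcher defaults (5 failed logins, one hour). The port 3390, the source address 203.0.113.10 and the commented ISP ranges are constructed placeholders; geo-blocking and MFA need external data or a third-party agent and are not shown.

```powershell
# Added example (not from the original notes): harden an externally reachable
# RDP host with registry, Windows Firewall and account lockout settings.
# Run in an elevated PowerShell session. Constructed values below are
# placeholders; replace them with your own port and real source range.

$NewPort        = 3390                  # any free port other than the default 3389
$AllowedSources = @('203.0.113.10')     # single allowed source address (constructed, RFC 5737 range)
# "Single ISP" fallback: list that ISP's prefixes instead of one host, e.g.
# $AllowedSources = @('198.51.100.0/24', '203.0.113.0/24')   # constructed example ranges

# 1. Move the RDP listener off TCP 3389 (takes effect once TermService restarts)
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name 'PortNumber' -Value $NewPort -Type DWord

# 2. Disable the built-in "Remote Desktop" rules (they allow any remote address on
#    3389) and add one inbound rule limited to the allowed sources and the new port
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
$ruleName = 'RDP (non-default port, restricted sources)'
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null

# 3. Account lockout policy (Local Security Policy > Account Policies > Account
#    Lockout Policy) with the same thresholds as the EvlWatcher defaults:
#    5 failed logins, locked out for 60 minutes. net accounts takes minutes.
net accounts /lockoutthreshold:5 /lockoutduration:60 /lockoutwindow:60 | Out-Null

# 4. Restart the RDP service so the new port is used. This drops any current
#    RDP session, so run this from a console or another out-of-band session.
Restart-Service -Name TermService -Force

# 5. Show the resulting exposure so it can be checked before opening the edge firewall
'RDP listener port: ' + (Get-ItemProperty -Path $rdpKey -Name 'PortNumber').PortNumber
$rule = Get-NetFirewallRule -DisplayName $ruleName
"Firewall rule enabled: $($rule.Enabled)"
'Allowed remote addresses: ' + (($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
'Allowed local port: ' + ($rule | Get-NetFirewallPortFilter).LocalPort
net accounts | Select-String 'Lockout'
```

Step 2 deliberately scopes the rule with `-RemoteAddress` rather than relying on the port change alone: a non-default port only hides the listener from casual scans, while the address scope is what actually limits who can reach it. If the allowed source later changes, update `$AllowedSources` and rerun the script; it removes and recreates its own rule so it does not accumulate duplicates.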