- If a user has to access multiple resources, use a remote access VPN instead of exposing each service.
If you must expose RDP externally:
- Use a non-default port instead of the default TCP port 3389. This only reduces scanner noise; it is not a security control on its own.
- Allow a single source address
- If that is not possible, restrict to the address ranges of a single ISP
- If that is not viable, geo-block (at the perimeter firewall; Windows Firewall has no country lists of its own)
- To protect RDP against brute force, use EvlWatcher or RDPGuard; both ban offending source addresses by adding Windows Firewall block rules.
EvlWatcher is configured by editing its config file. The defaults are: lockout time 3600 seconds (one hour),
trigger count 5 (failed logins before a ban), and a permanent ban after 3 temporary bans.
![](https://skripts.eu:8088/wp-content/uploads/2023/05/100000010000032700000284B72BF6180C11FB7C.webp)
![](https://skripts.eu:8088/wp-content/uploads/2023/05/100000010000022F000000DFD9796CCED8AEC48F.webp)
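The following is an added example, not EvlWatcher's own code or config format: a simplified model of the three defaults above (trigger count, lockout time, permanent ban after N temporary bans) run over constructed failed-logon records, so the interaction between the values is visible. The record fields, sample addresses and timestamps are assumptions; the real tool reads Security event 4625 and may age failures out of its count, which this model does not.

```powershell
# Added example: a simplified model of the EvlWatcher defaults quoted above,
# not the tool's own code. Failures are counted per source address; every
# TriggerCount failures issue a temporary ban of LockTime seconds, and the
# PermaBanCount-th temporary ban becomes permanent.
# Simplification (assumption): failures are never aged out of the count.
$TriggerCount  = 5      # failed logons before a temporary ban
$LockTime      = 3600   # seconds a temporary ban lasts
$PermaBanCount = 3      # temporary bans before the ban becomes permanent

function Get-BanDecisions {
    param([Parameter(Mandatory)] [object[]] $Events)   # objects with Time and SourceIp

    $state     = @{}
    $decisions = [System.Collections.Generic.List[string]]::new()

    foreach ($e in ($Events | Sort-Object Time)) {
        $ip = $e.SourceIp
        if (-not $state.ContainsKey($ip)) {
            $state[$ip] = @{ Failures = 0; TempBans = 0; BannedUntil = [datetime]::MinValue; Permanent = $false }
        }
        $s = $state[$ip]
        # A banned source is dropped by the firewall rule, so its attempts never reach the logon path.
        if ($s.Permanent -or $e.Time -lt $s.BannedUntil) { continue }

        $s.Failures++
        if ($s.Failures -lt $TriggerCount) { continue }

        $s.Failures = 0
        $s.TempBans++
        $stamp = $e.Time.ToString('yyyy-MM-dd HH:mm')
        if ($s.TempBans -ge $PermaBanCount) {
            $s.Permanent = $true
            $decisions.Add("$stamp $ip permanent ban (temporary ban #$($s.TempBans))")
        } else {
            $s.BannedUntil = $e.Time.AddSeconds($LockTime)
            $decisions.Add("$stamp $ip temporary ban #$($s.TempBans) until $($s.BannedUntil.ToString('yyyy-MM-dd HH:mm'))")
        }
    }
    return $decisions
}

# Constructed sample: 203.0.113.7 makes three rounds of five failures, two hours
# apart (each round starts after the previous ban expired); 198.51.100.9 fails
# only three times and is never banned.
$t0 = [datetime]'2023-05-01 10:00'
$events = foreach ($round in 0..2) {
    foreach ($i in 0..4) {
        [pscustomobject]@{ Time = $t0.AddHours(2 * $round).AddMinutes($i); SourceIp = '203.0.113.7' }
    }
}
$events += foreach ($i in 0..2) {
    [pscustomobject]@{ Time = $t0.AddMinutes(30 + $i); SourceIp = '198.51.100.9' }
}

Get-BanDecisions -Events $events
```

Running it prints two temporary bans for 203.0.113.7 (each at the fifth failure of a round, lasting one hour) followed by a permanent ban on the third round, and nothing for 198.51.100.9. Lowering the trigger count or lengthening the lockout changes how quickly a slow scanner reaches the permanent ban.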
- Alternatively, set an account lockout threshold under Local Security Policy > Account Policies > Account Lockout Policy. Note that account lockout is per account, not per source address: an attacker who knows a username can lock that account out, so pair it with the source restrictions above.
![](https://skripts.eu:8088/wp-content/uploads/2023/05/100000010000031500000234B54181169AB695CC.webp)
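The hardening steps above, applied from PowerShell on the RDP host, as an added example that is not a script from the page. The new port 3390, the single allowed source 203.0.113.10 and the lockout values (threshold 5, duration and window 60 minutes) are placeholders chosen for the example; substitute your own. The built-in "Remote Desktop" firewall rule group, the RDP-Tcp registry key and the `net accounts` switches are standard Windows names.

```powershell
# Added example, not a script from the page. Assumptions: 3390 as the new
# listening port, 203.0.113.10 as the single allowed source, and 5 / 60 min /
# 60 min as the lockout policy. Run in an elevated PowerShell on the RDP host.
# Step 5 restarts the Remote Desktop service and drops every active RDP
# session, so run this from a console or out-of-band management session.
$NewRdpPort    = 3390
$AllowedSource = '203.0.113.10'   # a single address; an ISP prefix list is the next-best fallback
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Move the listener off the default TCP 3389.
Set-ItemProperty -Path $rdpKey -Name PortNumber -Type DWord -Value $NewRdpPort

# 2. Require Network Level Authentication so credentials are checked before a session is built.
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Type DWord -Value 1

# 3. The built-in "Remote Desktop" rule group is written for 3389. Disable it and allow the
#    new port from the single source only; everything else is dropped by the default inbound policy.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName "RDP TCP $NewRdpPort from $AllowedSource" `
    -Direction Inbound -Protocol TCP -LocalPort $NewRdpPort `
    -RemoteAddress $AllowedSource -Action Allow -Profile Any | Out-Null

# 4. Account lockout policy, the same setting reached through Local Security Policy >
#    Account Policies > Account Lockout Policy: threshold 5, duration and window 60 minutes.
net accounts /lockoutthreshold:5 /lockoutduration:60 /lockoutwindow:60 | Out-Null

# 5. Apply the port change.
Restart-Service -Name TermService -Force

# 6. Verify: the listener moved, the rule is scoped to the one address, the policy is in effect.
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in @(3389, $NewRdpPort) } |
    Select-Object LocalAddress, LocalPort
Get-NetFirewallRule -DisplayName "RDP TCP $NewRdpPort from $AllowedSource" |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
net accounts
```

Before closing the console session, test from the allowed address (connect to host:3390) and from a second address; the second attempt should time out rather than reach the logon screen. The firewall scope is the control that matters here; the port change only thins out scanner noise, and neither replaces MFA if the service must stay reachable from anywhere.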
- If RDP must be reachable from anywhere, enroll MFA.
Duo (duo.com) has an MFA solution for RDP. Guide: https://youtu.be/KA9xGt4sqds
![](https://skripts.eu:8088/wp-content/uploads/2023/05/10000001000003810000022BAFFD8C74299DC8AC.webp)