When you have a server in the cloud, it's important to keep in mind its security, regarding a Windows server, it's important to protect the RDP access.
There are several options in order to do that:
- Limiting access by IP, connecting to the server through a VPN
- Changing the RDP ports
- Using software such as RDPGuard or IPBAN
Below we detail the different options so that you can implement them on your servers.
Limiting access by IP
To limit the access by IP you have to access the client panel and click on the name of the server you want to limit by IP.
Then click on "Network" and the pencil icon and select "edit".
Find the rules that affect port 3389 and disable them.
Once disabled, click on the "+" icon to add a new rule.
Select "Custom Rule" and click on the "+" icon to start filling in the information for the rule you want to add.
Fill in the data as shown in the image below, changing the Source IP by the one chosen by you. You'll only be able to acces to the server throuh this IP. Once you've filled in the information, click on "Submit".
Once added, you can see that it shows on the Firewall rules.
At this point you'll only be able to connect through the IP you've inserted. In this example, it's "220.127.116.11" IP.
Connect to the cloud server through a VPN
One of the most effective ways to protect RDP access is to create a server with the VPN role and then connect to the server using the internal network. The internal network is available when you have two or more servers.
To set up a VPN on in Clouding server, please, check the following article:
If you have any doubts about which VPN to choose for your platform, you can contact with our technical support.
Once you have the VPN installed, you must allow the connection from the public or private IP of your VPN server in the firewall of the server you want to protect access by RDP.
Change RDP ports
To change the port used by RDP, click on the start button, type "regedit" and click on "Run command".
Once regedit is open, scroll through the folders until you reach the path "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\". Click on the folder "RDP-Tcp" and look for the variable "PortNumber". Double-click on the variable and click on "Base" select "Decimal". finally in "Value Data" change the port to the one you want and click "OK".
Restart the servers in order to apply the changes:
In order to connect through the new port you'll have to open the port in the client panel firewall.
If the Windows firewall is enabled, you'll have to open the port or disable the Windows firewall.
Once the server is restarted and the ports are open, when connecting via remote desktop, add the port at the end of the IP as follows: 18.104.22.168:4489.
To protect your Windows server from brute-force attacks, there are softwares such as RdpGuard that help you mitigate these attacks. In this case, having properly configured RdpGuard, it protects you from the following protocols: RDP, FTP, IMAP, POP3, SMTP, MySQL, MS-SQL, IIS Web Login, ASP. NET Web Forms, MS Exchange, RD Web Access, VoIP / SIP, etc.
To install RdpGuard, download the installer at the following URL: https://rdpguard.com/download.aspx.
Once downloaded, run it and follow the process as shown in the images below:
Once RdpGuard is installed, a new window is shown and, by default, RDP protection is enabled.
Windows 2003/10/2012/2016/2016/2019 versions need no extra configuration, since Windows registry events is used to mitigate the attacks.
Windows 2008 and Windows 2008 R2 have advanced configurations, such as specifying the port to be protected.
If the Windows firewall is turned off (as in the image above), click on "Click here to turn on Windows" and "Click here to turn on Windows" to activate the Windows firewall. If Windows firewall is not turned on, RdpGuard won't work.
Additionally, in the Windows Firewall you will have to allow the traffic to the the IP 169.254.169.254.
The IPBAN program is an alternative to RdpGuard with a similar functionality and a free version, but without a graphical interface. So, just like RdpGuard, it blocks fraudulent login attempts through RDP.
IPBAN Installation Guide
If you need detailed information on how to install this program you can click on this link to see our installation tutorial.