Securely Using Remote Desktop
Remote Desktop is a convenient way to retain access to your office computer while not in your office, but the default configuration also makes it accessible to the Internet and increases your risk of a system compromise.
To reduce the risk of compromise, the BU Information Security Incident Response Team (IRT) recommends you make the following changes to the configuration of Remote Desktop:
- Change the port number used by Remote Desktop to a number that is less than 1024 that is also blocked by the campus firewall.
- Configure your Remote Desktop client to use this alternate port number to connect.
- Use the campus VPN service to first connect to campus, and then remote desktop to the BU PC.
- Consider if you need RDP at all; if not please ensure it is disabled.
We discourage the use of gotmypc.com for privacy reasons mostly. We discourage the use of other third party software for security vulnerabilities concerns.
The easiest way to change the port involves un-checking “remote desktop” in the windows firewall exception tab and use the add port option to open up a lower numbered port and assign it a new name like “BU remote desktop”. Then assign that port to the remote desktop service via the registry:
1. Start Registry Editor.
2. Locate and then click the following registry subkey:
3. On the Edit menu, click Modify, and then click Decimal.
4. Type the new port number, and then click OK.
5. Quit Registry Editor.
Active Directory Organization Unit administrators can configure these settings for their users easily via group policy.
From the remote PC, clients will need to append “:port#” to the end of the hostname or IP address entered into the Computer field of the Remote Desktop Connection client . For example to connect to a pc named, myworkpc.bu.edu on a low numbered port that is NOT on the allowed inbound port list, such as tcp 200, I would need to enter myworkpc.bu.edu:200 in the RDC client hostname field as shown in the example below. This step usually is all the end user needs to learn.
Go to Control Panel, click System And Security, and then click System (or just System if using the classic view).
- On the System page, click Remote Settings in the left pane. This opens the System Properties dialog box to the Remote tab.
- To disable Remote Desktop, select Don’t Allow Connections To This Computer,
- Also uncheck the Allow Remote Assistance box only if already checked.
- Click Apply
Click System in Control Panel.
- On the Remote tab, clear the Allow users to connect remotely to your computer check box, and then click OK.