Windows – Increase security for remote desktop machine – use 2FA and/or limit to LAN connection only


I'm looking at setting up Windows remote desktop on a W10 Pro machine.

I'd like to increase the security on the connection and wonder if any of the following are possible:

  • A password, different from the username used to log in when physically using the machine. This way it could use a randomly generated string which I could input once from the dial-out computer.

  • 2 factor authentication.

  • Limit all incoming connections to machines on the same LAN only.

There will be 3 computers that will connect to the host, mostly Macs.

Are any/all of these possible, and are there some other things I should be looking at?

Best Answer

The article Securing Remote Desktop (RDP) for System Administrators lists these tips:

  • Use strong passwords
  • Update your software
  • Restrict access using firewalls
  • Enable Network Level Authentication (enabled by default for Windows 10)
  • Limit users who can log in using Remote Desktop (default is all Administrators)
  • Set an account lockout policy (lock an account after a number of incorrect guesses)
  • Change the listening port for Remote Desktop (default is TCP 3389)
  • Do not use other products like VNC or PCAnywhere

For your question about two-factor authentication, I don't believe this exists on Windows 10 Pro, only on Windows Server.

The article The 5 Best Alternatives To Google Authenticator lists six products which have a free plan (but also paid ones): Google Authenticator, Authy, Duo, HDE OTP, Authenticator Plus, Sound Login Authenticator. I have never used such products, so I do not know how useful these are for you.
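The firewall, NLA, allowed-users and lockout items from the list above can be checked on the host with built-in cmdlets. The script below is an added example, not part of the original answer or the cited article; it assumes an elevated PowerShell session on an English-language Windows 10 Pro install (the `Remote Desktop` rule group name and the `net accounts` output are localized), and the `$Apply` variable and the lockout values are constructed for illustration.

```powershell
# Added example: report the RDP settings from the list above; change them only if $Apply is $true.
$Apply  = $false   # hypothetical toggle: leave $false to audit without changing anything
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"

# 1. Is Remote Desktop enabled, is NLA required, and which port is the listener on?
$listener = Get-ItemProperty -Path $rdpTcp
[pscustomobject]@{
    RdpEnabled  = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
    NlaRequired = $listener.UserAuthentication -eq 1
    Port        = $listener.PortNumber
} | Format-List

# 2. Who may log on over RDP in addition to members of Administrators?
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass

# 3. Which remote addresses do the enabled inbound RDP firewall rules accept?
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
foreach ($rule in $rules) {
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Profile       = $rule.Profile
        RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    }
}

# 4. Current account lockout policy (threshold, duration, observation window)
net accounts | Select-String 'Lockout'

if ($Apply) {
    # Require Network Level Authentication on the RDP listener
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
    # Accept RDP only from addresses on the host's own subnet(s)
    $rules | Set-NetFirewallRule -RemoteAddress LocalSubnet
    # Constructed sample policy: lock for 15 minutes after 5 failed logons
    net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15
}
```

A `RemoteAddress` of `Any` in step 3 means the rule is not limited to the LAN; after applying, it should read `LocalSubnet`.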
