Securing campus desktop computers that have RDP turned on

Colleagues working from home may be accessing their campus desktop computers remotely using RDP (Remote Desktop Protocol). Although RDP is a convenient tool, ITSO does NOT recommend it.

With RDP turned ON, your PC is exposed to attack from malicious machines on campus. Also, keeping computers powered on overnight or over long holidays is not green.

Colleagues who need to access data residing on local hard disks or file shares can avoid using RDP by switching to OneDrive or departmental SharePoint sites as data repositories.

If colleagues still need to use RDP, they should observe the security measures below.

Details

RDP Security Measures

  • Do not leave RDP always on. Enable RDP only when needed, and turn it off after use.
  • Install DUO for RDP on your desktop so that logon is protected by 2FA.
  • Restrict RDP so that it is accessible from the VPN IP pool only, by configuring Windows Firewall.
  • Limit which accounts can log on using RDP.
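
The following PowerShell script is an added example, not ITSO's own code or part of its step-by-step guide; it applies three of the measures above (RDP on only when needed, firewall scope limited to the VPN pool, logon limited to named accounts). The file name Set-RdpAccess.ps1, the address range 192.0.2.0/24 and the account CAMPUS\your-account are placeholders to be replaced with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example (not ITSO's script). Hypothetical usage: .\Set-RdpAccess.ps1 -Rdp On
param(
    [ValidateSet('On', 'Off')]
    [string]$Rdp = 'Off',
    # PLACEHOLDER (assumption): replace with the VPN IP pool given by your IT office.
    [string[]]$VpnPool = @('192.0.2.0/24'),
    # PLACEHOLDER (assumption): the only accounts allowed to log on over RDP.
    [string[]]$AllowedUsers = @('CAMPUS\your-account')
)

$tsKey = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
# Built-in inbound RDP rules; 'Remote Desktop' is the English display name.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop'

if ($Rdp -eq 'Off') {
    # Turn RDP off after use: refuse connections and close the firewall rules.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    $rules | Disable-NetFirewallRule
    Write-Output 'RDP is OFF.'
    return
}

# Scope the rules to the VPN pool before RDP starts accepting connections.
$rules | Set-NetFirewallRule -RemoteAddress $VpnPool -Enabled True

# Limit who can log on: make "Remote Desktop Users" contain only $AllowedUsers.
# Members of the local Administrators group can log on over RDP by default
# regardless of this group, another reason to use a non-administrator account.
$group = 'Remote Desktop Users'
$members = @(Get-LocalGroupMember -Group $group)
$members | Where-Object { $_.Name -notin $AllowedUsers } |
    ForEach-Object { Remove-LocalGroupMember -Group $group -Member $_ }
$AllowedUsers | Where-Object { $_ -notin $members.Name } |
    ForEach-Object { Add-LocalGroupMember -Group $group -Member $_ }

# Only now allow incoming RDP connections.
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0

# Report the effective scope and membership so they can be checked.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress -Unique
Get-LocalGroupMember -Group $group | Select-Object Name, PrincipalSource
```

Run it with `-Rdp Off` (the default) when the remote session is no longer needed.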

Other best practices for protecting your desktop

  • Remove the administrator rights of your logon account. This will help to minimize the damage if your account or desktop is compromised. Use the administrator privilege ONLY when needed. You can set a password for the administrator account but do not use it for daily logon.
  • Do not enable any kind of SMB service (e.g. file shares), as these attract attacks. OneDrive is a safe and easy-to-use alternative.
Available To
Staff
Getting Started
  • Step-by-step guide for implementing the above security measures
  • For assistance, please approach your departmental Computer Security Coordinator (CSC)