Secure Remote Desktop access over Internet
Even though I keep my firewall blocking all incoming traffic, I sometimes still want remote access to my Windows Server lab from the Internet for work purposes, so I don’t have to carry my devbox wherever I go and can keep it safe at home.
Exposing RDP directly to the Internet is never a good idea. RDP was never designed for that purpose, and Microsoft is regularly patching it to make it more secure. SSH is a far more secure protocol that originated on Linux and has been around for decades. It provides secure communication with the remote system and has built-in support for key-based authentication, with no need to deploy and maintain an enterprise PKI.
Although SSH is rarely seen on Windows systems, it has shipped with Windows since Windows 10 and Windows Server 2019, so essentially all supported versions of Windows and Windows Server have it, except the rusty, soon-to-be-deprecated Windows Server 2016 (which you should be moving away from anyway). On all other versions it is present but disabled by default, and it needs only minimal setup: enabling the service and configuring authentication.
Given that, the best solution I found for myself is RDP over SSH: expose only SSH, hardened to accept client key (certificate) authentication and nothing else, and use a separate identity for the SSH tunnel from the one used for RDP authentication when accessing your desktop remotely.
Microsoft has a step-by-step guide on enabling SSH on Windows systems:
Get started with OpenSSH Server for Windows | Microsoft Learn (https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse)
And another one for configuring it for the key based authentication:
Key-Based Authentication in OpenSSH for Windows | Microsoft Learn (https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement)
Enabling RDP on the target system is no black magic; just don’t enable its firewall rule. If you tunnel it properly, the RDP traffic arrives from localhost, so configure the firewall to allow only connections over TCP 22 (or whichever other port you prefer and have configured for the OpenSSH server). For the rest, there are more than enough articles on the Internet covering how to route the RDP traffic through the SSH tunnel, just ask your preferred AI agent about it ;)
What I also noticed is that, for some unknown reason, using RDP over SSH and connecting to the localhost address instead of the remote one gives lower input lag than connecting to the same system over the network with plain RDP. So RDP over SSH not only provides a more secure way to access your remote system’s UI, but also a faster one.
For maximum security, create a dedicated user with minimal privileges on your system for SSH, generate a keypair for it and deny that user interactive logon, limiting it to tunneling traffic only. Also make sure key (certificate) authentication is mandatory, so that no account credentials can be used.
This way you separate credentials, provide MFA for accessing the remote system and ensure that only systems with the client certificate installed can connect.
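As an added illustration of the server-side setup described above (example code written for this edit, not the post’s own commands and not from Microsoft’s guide), here is one way to do it in an elevated Windows PowerShell. It assumes English group names ("Administrators", "SYSTEM"); $TunnelUser, the key placeholder in $PubKey and <host> are made-up names to replace with your own.

```powershell
# Added example, not the post's own code. Assumes an elevated Windows PowerShell,
# English group names ("Administrators", "SYSTEM"), and the client's public key
# pasted into $PubKey. $TunnelUser, the key text and <host> are placeholders.
$TunnelUser = 'rdptunnel'                                  # SSH identity only, never the RDP logon
$PubKey     = 'ssh-ed25519 AAAA...PLACEHOLDER... laptop'   # client public key (constructed placeholder)
$SshdConfig = "$env:ProgramData\ssh\sshd_config"
$KeysFile   = "$env:ProgramData\ssh\${TunnelUser}_authorized_keys"

# 1. Install and start the OpenSSH server (the Microsoft Learn steps).
Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0' | Out-Null
Set-Service -Name sshd -StartupType Automatic
Start-Service sshd

# 2. Dedicated low-privilege account. Its password is random and never used,
#    because password authentication is switched off in step 4.
$rnd = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rnd)
$pw  = ConvertTo-SecureString ([Convert]::ToBase64String($rnd)) -AsPlainText -Force
New-LocalUser -Name $TunnelUser -Password $pw -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
Add-LocalGroupMember -Group 'Users' -Member $TunnelUser -ErrorAction SilentlyContinue

# 3. Authorized key in a central file that only Administrators/SYSTEM can access
#    (sshd rejects key files with looser ACLs).
Set-Content -Path $KeysFile -Value $PubKey -Encoding ascii
icacls.exe $KeysFile /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null

# 4. sshd_config: keys only, this user only; for that user no PTY, no agent/X11
#    forwarding, and port forwarding only to the local RDP port. Globals go first,
#    the Match block last (add ForceCommand there if remote commands must be blocked too).
$globals = @('PubkeyAuthentication yes', 'PasswordAuthentication no',
             'AuthenticationMethods publickey', "AllowUsers $TunnelUser")
$match = @("Match User $TunnelUser",
           "    AuthorizedKeysFile __PROGRAMDATA__/ssh/${TunnelUser}_authorized_keys",
           '    PermitTTY no', '    X11Forwarding no', '    AllowAgentForwarding no',
           '    PermitOpen 127.0.0.1:3389')
$drop = '^\s*#?\s*(PubkeyAuthentication|PasswordAuthentication|AuthenticationMethods|AllowUsers)\b'
$body = Get-Content $SshdConfig | Where-Object { $_ -notmatch $drop }
Set-Content -Path $SshdConfig -Value ($globals + $body + $match) -Encoding ascii
Restart-Service sshd

# 5. Firewall: inbound TCP 22 only. RDP is enabled, but its inbound rule group stays
#    disabled; the tunnelled RDP traffic arrives on loopback, which the firewall does not filter.
if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
  New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
    -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 | Out-Null
}
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule

# Client (from the laptop): ssh -N -i ~/.ssh/rdptunnel -L 3390:127.0.0.1:3389 rdptunnel@<host>
# then mstsc /v:127.0.0.1:3390 and log on with your normal RDP account.
```

The client must forward to 127.0.0.1:3389 literally, since PermitOpen matches the requested destination string. Denying the tunnel account local and RDP logon rights on the Windows side (Local Security Policy, "Deny log on locally" / "Deny log on through Remote Desktop Services") is a separate step not covered by the script.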
I am working on the PowerShell commands to do this and will add them here a bit later. Take care and stay tuned.