How to improve RDP security when forwarding from 80/443?

Since HTML5 client version 7.10 and higher, RDP traffic forwarding includes additional countermeasures against brute-force attacks on the web ports themselves, even when the server sits behind a firewall. However, that does not protect the default direct RDP port (3389) when attackers target that port directly. In this case you should enable Oracle Remediation (described below), which enforces the newer NLA/CredSSP handshake and stops attacker tools from checking credentials against your server. This works even if your RDP server is behind a firewall and its IP is not directly visible.

But if your server has a dedicated Internet IP address, it is recommended to use additional protection tools that can block attacking remote IPs.

Oracle Remediation

Since Windows 2012/2016 and Windows 10 there is a new option for additional RDP security: allowing only updated clients, which prevents attackers from exploiting RDP vulnerabilities by brute-forcing the connection. This requires the RDP clients to support at least CredSSP v6.

1. Start gpedit.msc

2. Change: Computer Configuration > Administrative Templates > System > Credential Delegation > Encryption Oracle Remediation, and set it to Force Updated Clients (so that only updated clients are accepted)

Remember, this requires at least the HTML5 v6.12 client; check your web_log.txt if you are unsure.

We noticed that this setting gets reset from time to time after regular Windows Updates, so please check it regularly, at least once a month, and re-enable it again if needed!
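Because the setting can drift back after updates, the following PowerShell script is an added example for the monthly check (it is not part of the original article or of the HTML5 client). It reads the registry value that backs the Encryption Oracle Remediation policy, AllowEncryptionOracle under the CredSSP policy key (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable, as documented by Microsoft, not taken from this page), and with -Enforce re-applies value 0; the function name Get-OracleRemediationState is the example's own.

```powershell
# Added example (not from the original article): audit the Encryption Oracle
# Remediation setting and optionally re-apply "Force Updated Clients".
# The GPO maps to DWORD AllowEncryptionOracle: 0 = Force Updated Clients,
# 1 = Mitigated, 2 = Vulnerable. Run from an elevated PowerShell session.
param(
    [switch]$Enforce   # re-apply value 0 when the setting has drifted
)

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Name    = 'AllowEncryptionOracle'
$Labels  = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-OracleRemediationState {
    # Returns the current policy value and a human-readable label
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Policy value absent: Windows applies its built-in default instead
        return [pscustomobject]@{ Value = $null; Label = 'Not configured (OS default)' }
    }
    $v = [int]$item.$Name
    $label = if ($Labels.ContainsKey($v)) { $Labels[$v] } else { "Unknown ($v)" }
    return [pscustomobject]@{ Value = $v; Label = $label }
}

$state = Get-OracleRemediationState
Write-Output ("Encryption Oracle Remediation: {0}" -f $state.Label)

if ($state.Value -ne 0) {
    Write-Warning 'Setting is not "Force Updated Clients"; it may have been reset by an update.'
    if ($Enforce) {
        # Create the policy key if a reset removed it, then force value 0
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        Set-ItemProperty -Path $KeyPath -Name $Name -Value 0 -Type DWord
        Write-Output 'Re-applied AllowEncryptionOracle = 0 (Force Updated Clients).'
    }
}
```

Running it monthly from Task Scheduler with -Enforce covers the periodic re-check the article asks for; without the switch it only reports.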

Randomized local remote binding

The new HTML5 v6.23 client supports randomized remote addresses in the 127.*.*.* address space.

1. Open *\Clients\webserver\settings.bin with Notepad

2. Add the following as new lines (and save the changes):

rdp_remote_address_by_forward="*"

rdp_remote_address_by_html5="*"

3. Restart the HTML5 server in the AdminTool GUI.

It is not recommended to downgrade to the old RDP protocol security level by disabling NLA (CredSSP). Although this does stop brute-force attacks, because the client is shown an unparsable logon-failure picture instead of a failure message in machine-readable form, it falls back to the RC4 algorithm, which is outdated and could potentially be sniffed by foreign governments.
