
Filopto Help Manual


Installing Filopto on a RDS server


 

Remote Desktop Services (RDS) is a Microsoft Windows virtualization platform that provides end users with secure remote access to published applications and remote desktops. RDS is an enhanced private cloud service that supports both Web and RDS (desktop) clients.

 

Remote desktop protocol (RDP) is a secure network communications protocol from Microsoft. RDP is designed for remote management, remote access to virtual desktops, applications and an RDP terminal server. RDP allows network administrators to remotely diagnose and resolve problems that individual users encounter.

 

By installing Remote Desktop Services 2022+, you opt in to a significant improvement compared to older versions. Remote Desktop Services supports the latest generation of virtual machines and the deployment of personal desktop sessions.

 

With RDS, only software user interfaces are transferred to the client system (thin client). All input from the client system is transmitted to the server, where software execution takes place.

 

RDS is a very economical private cloud implementation that can provide access from anywhere and to various device types which may not be well suited to host a Filopto Client installation (i.e. Web).

 

Filopto works on both the Microsoft and Citrix Remote Desktop Services. We recommend that you review the various system/network requirements and installation literature available on Microsoft Remote Desktop or the Citrix offering before proceeding. RDS, when properly configured, can provide secure, encrypted work environments.

 

You must install the Filopto Workstation-RDS client software on the server (instance) that is going to be your RDS server.

 

 

IMPORTANT:

 

Review the available documentation from Microsoft to properly configure the RDS service. Many online resources and documents can assist you in establishing the best practices for Remote Desktop Services. Review the RDS Group Policy settings of this help file.

 

If you will be combining your Filopto Database Server and RDS server in one single server instance (not recommended unless you have sufficient RAM), do not install the Filopto Workstation Client-RDS install program on the Filopto Database server. RDS will use the Server copy of Filopto.

 

For optimal performance, the Filopto Database Server should be separate from the RDS Filopto server. You may host them in separate instances (Hyper-V environments) on the same physical server as long as the server is properly configured. Each Filopto user using an RDP session must have their own unique user name and password for the RDP session so as not to overwrite the work of another user. If you use the same RDP user to connect, you will corrupt the Filopto data when a second user logs on with the same credentials.

 

Note: Filopto makes extensive use of the Microsoft Desktop Experience feature. Depending on the version of RDS/Terminal Service (pre-2019) you are using, you may need to activate additional features for the Desktop Experience to function properly. Review the installation requirements of your selected vendor version of RDS (Microsoft or Citrix). The MultiPoint Services role in Windows Server 2016 and 2019 (not required in Windows 2022+) allows multiple users to simultaneously share one computer.

 

 

 

 

Hints on Installation, Configuration and Security

 

1. If you are using a low RAM server, always separate the RDS server from the Filopto Database Server environment (such as by using the virtual server option), since both will make use of all the RAM available. Servers with 32GB or more will reduce the interference each application can have on the other. Providing sufficient RAM and CPU power (multi-core) will negate the need to separate both applications into their own environments. See the Microsoft recommendations and requirements on installing the RDS service.

 

2. When you install the Windows RDS server, Windows will by default use port 3389 to connect to RDS users. For ease of use, some users port forward this port from their Internet router directly to their server. This represents a potential security risk. A better alternative is to use a different port to forward the RDS traffic to your server.

 

The RDP port is well known to hackers and will be constantly attacked. If you wish to increase your security, open and forward the RDS traffic on a port other than 3389 from your Internet router. For example, forward port 10451 to the default port 3389 of your RDS server (port 10451 is for example purposes only; do not use it). Another option is not to use the default 3389 port but rather to access your RDS through a direct port, using an address followed by a colon and the designated Internet port you opened (example RDS address: myoffice.mycompany.com:10451). This port traffic would then be port forwarded to the internal RDS server port 3389. This doesn't necessarily secure your server, but it obscures it and makes it harder to find. Just remember that anyone determined to hack you will eventually find the port your RDS server is listening on, so further measures must be taken, such as using a VPN, anti-malware software that includes protections against RDS attacks (i.e. Malwarebytes), or multi-factor authentication (2FA) RDS software.

 

3. Windows RDS supports SSL certificates with its Remote Gateway service to create its own VPN-type connection. We strongly recommend that you install and use an SSL certificate on the RDP server. This will encrypt your RDP communication. Make sure you do not allow open RDS connections on the Internet: establishing an open network connection on the Internet is full of risks, and you should not take this chance. For your security, set up a VPN (Virtual Private Network). You can use the Windows RDP Remote Desktop Gateway to build a secure VPN tunnel for the respective local network, or you can create your own VPN using some other software or hardware solution.

 

4. Consider using the Windows RDP Remote App capabilities of the RDP server. This option lets users click an icon on their desktop and have Filopto automatically start in RDP mode without having to perform any additional RDP connection task. It also limits access to the Remote Desktop Service, reducing the possibility of users negatively affecting your RDP server. The user credential and password further secure the connection.

 

5. Do not forget to consider enabling NLA (Network Level Authentication). What does NLA do? It ensures that a connection is established only after you enter the correct username and password. Additionally, NLA is present by default in Windows 10/11 and Windows Server 2019/2022+.

 

6. Set complicated passwords: It is extremely important to set complex passwords in general, but especially for your remote desktop/Remote App connections. It gives an extra layer of safety. Currently, a password with more than 16 alphanumeric characters is considered a minimum.

 

7. Limit the number of password attempts (Brute Force Attacks): Limiting the number of attempts to enter a password provides protection against any kind of destruction from a denial of service attack. The Windows RDS Group Policies can enforce the restrictions you establish. You may also want to consider terminating RDS sessions after a pre-determined time of inactivity (see Windows RDS Group Policies). If you do not want to activate/manage the free Group Policy protection built into Windows, the anti-malware software Malwarebytes (www.malwarebytes.com) provides RDP Brute Force protection in its product, which protects against suspicious connections via remote desktop.

 

8. Set RDP for maximum encryption: RDP always tries to attain the maximum level of encryption. You can also set the RDP encryption level yourself. Follow these steps:

First, open the Group Policy editor.

Then navigate to this path: Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Security.

Finally, open "Set client connection encryption level", set it to Enabled, and select High Level.
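
To confirm that the settings from hints 5 and 8 actually took effect on the RDS server, the following read-only audit can be run in an elevated PowerShell session. It is an added example, not part of the Filopto software or of the original manual; the helper names Get-EffectiveRdpSetting and Get-Label are hypothetical, and the SecurityLayer check is included on the assumption that you want TLS enforced once the SSL certificate from hint 3 is installed.

```powershell
# Added example: read-only audit of the RDP listener settings discussed above.
# Run in an elevated PowerShell session on the RDS server; nothing is modified.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Hypothetical helper: a Group Policy value, when present, wins over the local one.
function Get-EffectiveRdpSetting {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($src in @(@{ Label = 'Group Policy';   Path = $policyKey },
                       @{ Label = 'Local listener'; Path = $listenerKey })) {
        $item = Get-ItemProperty -Path $src.Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [int]$item.$Name; Source = $src.Label }
        }
    }
    [pscustomobject]@{ Value = $null; Source = 'Not set' }
}

# Hypothetical helper: turn a numeric value into a label, tolerating missing values.
function Get-Label {
    param($Value, [hashtable]$Names)
    if ($null -eq $Value) { return 'Not set' }
    if ($Names.ContainsKey($Value)) { return $Names[$Value] }
    "Unknown ($Value)"
}

$nla   = Get-EffectiveRdpSetting -Name 'UserAuthentication'
$enc   = Get-EffectiveRdpSetting -Name 'MinEncryptionLevel'
$layer = Get-EffectiveRdpSetting -Name 'SecurityLayer'

$report = @(
    [pscustomobject]@{
        Check   = 'Network Level Authentication (hint 5)'
        Current = Get-Label $nla.Value @{ 0 = 'Not required'; 1 = 'Required' }
        Source  = $nla.Source
        Pass    = $nla.Value -eq 1
    }
    [pscustomobject]@{
        Check   = 'Client connection encryption level (hint 8)'
        Current = Get-Label $enc.Value @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
        Source  = $enc.Source
        Pass    = $enc.Value -ge 3      # High Level or stronger
    }
    [pscustomobject]@{
        Check   = 'Security layer (assumed goal: TLS, hint 3)'
        Current = Get-Label $layer.Value @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
        Source  = $layer.Source
        Pass    = $layer.Value -eq 2
    }
)
$report | Format-Table -AutoSize
```

A Source of "Local listener" on the encryption row means the Group Policy from hint 8 has not been applied to this server, even if the local value happens to pass.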

 

9. Some users have found that certain Hi-DPI mice (a gaming mouse, for example) can cause the RDP server/App to slow down (in older RDP servers) due to the high data traffic they constantly generate. If you are using an older RDP server and encounter such issues, try switching to a more standard mouse, since most users find that this fixes the slowness they encountered.

 

 

IMPORTANT:

 

Microsoft requires RDP end user licenses to be purchased and installed before you can use the RDS feature. Two types of RDP user licenses are currently offered by Microsoft: Device based and User based. We recommend acquiring the RDP User licenses (User CALs), since they offer greater flexibility than the Device licenses (Device CALs).

 

Once you have activated the Microsoft end user RDP license on your RDS server, you must link these RDP licenses to the Filopto Remote Workstation License for the users to be able to access Filopto. See License & Services Manager / Register / Activate Filopto.