
While there are many alternatives, Microsoft’s Remote Desktop is a perfectly viable option for accessing other computers, but it has to be properly secured. After recommended security measures are in place, Remote Desktop is a powerful tool for geeks to use and lets you avoid installing third party apps for this type of functionality.
This guide and the screenshots that accompany it are made for Windows 8.1 or Windows 10. However, you should be able to follow this guide as long as you’re using one of these editions of Windows:
- Windows 10 Professional
- Windows 8.1 Pro
- Windows 8.1 Enterprise
- Windows 8 Enterprise
- Windows 8 Pro
- Windows 7 Professional
- Windows 7 Enterprise
- Windows 7 Ultimate
- Windows Vista Business
- Windows Vista Ultimate
- Windows Vista Enterprise
- Windows XP Professional
Enabling Remote Desktop
First, we need to enable Remote Desktop and select which users have remote access to the computer. Hit Windows key + R to bring up a Run prompt, and type “sysdm.cpl.”

Another way to get to the same menu is to type “This PC” in your Start menu, right click “This PC” and go to Properties:

Either way will bring up this menu, where you need to click on the Remote tab:

Select “Allow remote connections to this computer” and the option below it, “Allow connections only from computers running Remote Desktop with Network Level Authentication.”
Requiring Network Level Authentication is not mandatory, but doing so makes your computer more secure by protecting you from man-in-the-middle attacks. Systems even as old as Windows XP can connect to hosts that require Network Level Authentication, so there’s no reason not to use it.
You may get a warning about your power options when you enable Remote Desktop:

If so, make sure you click the link to Power Options and configure your computer so it doesn’t go to sleep or hibernate. See our article on managing power settings if you need help.
Next, click “Select Users.”

Any accounts in the Administrators group will already have access. If you need to grant Remote Desktop access to any other users, just click “Add” and type in the usernames.

Click “Check Names” to verify the username is typed correctly and then click OK. Click OK on the System Properties window as well.
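The same steps can be scripted, which is useful when you have to repeat them on several machines. This is an added example, not code from the original article; it assumes an elevated PowerShell prompt on Windows 8.1/10 and uses the placeholder account name “alice”.

```powershell
# Added example (not from the original article): enable Remote Desktop with
# Network Level Authentication and grant access to one named account.
# Assumes an elevated PowerShell prompt; 'alice' is a placeholder username.
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = Join-Path $TsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 0 is what the "Allow remote connections to this computer"
# radio button in the Remote tab sets.
Set-ItemProperty -Path $TsKey -Name 'fDenyTSConnections' -Value 0 -Type DWord

# UserAuthentication = 1 is the "Network Level Authentication" checkbox.
Set-ItemProperty -Path $RdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

# Equivalent of "Select Users" > "Add": accounts that are not administrators
# need membership in the local Remote Desktop Users group to connect.
$User = 'alice'   # placeholder: replace with the real account name
$Already = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -like "*\$User" }
if (-not $Already) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $User
}

# Windows ships inbound firewall rules for the default port 3389; enable them.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Report the resulting state so the change can be verified at a glance.
[pscustomobject]@{
    RemoteDesktopEnabled = ((Get-ItemProperty $TsKey).fDenyTSConnections -eq 0)
    NlaRequired          = ((Get-ItemProperty $RdpTcp).UserAuthentication -eq 1)
    RdpUsers             = ((Get-LocalGroupMember -Group 'Remote Desktop Users').Name -join ', ')
}
```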
Securing Remote Desktop
Your computer is currently connectable via Remote Desktop (only on your local network if you’re behind a router), but there are some more settings we need to configure in order to achieve maximum security.
First, let’s address the obvious one. All of the users that you gave Remote Desktop access need to have strong passwords. There are a lot of bots constantly scanning the internet for vulnerable PCs running Remote Desktop, so don’t underestimate the importance of a strong password. Use more than eight characters (12+ is recommended) with numbers, lowercase and uppercase letters, and special characters.
Go to the Start menu or open a Run prompt (Windows Key + R) and type “secpol.msc” to open the Local Security Policy menu.

Once there, expand “Local Policies” and click on “User Rights Assignment.”

Double-click on the “Allow log on through Remote Desktop Services” policy listed on the right.

We recommend removing both of the groups already listed in this window, Administrators and Remote Desktop Users. After that, click “Add User or Group” and manually add the users you’d like to grant Remote Desktop access to. This isn’t an essential step, but it gives you finer control over which accounts get to use Remote Desktop. If, in the future, you create a new Administrator account for some reason and forget to give it a strong password, you have opened your computer up to attackers around the world if you never removed the “Administrators” group from this screen.
Close the Local Security Policy window and open the Local Group Policy Editor by typing “gpedit.msc” into either a Run prompt or the Start menu.

When the Local Group Policy Editor opens, expand Computer Policy > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host, and then click on Security.

Double-click on any settings in this menu to change their values. The ones we recommend changing are:
- Set client connection encryption level – Set this to High Level so your Remote Desktop sessions are secured with 128-bit encryption.
- Require secure RPC communication – Set this to Enabled.
- Require use of specific security layer for remote (RDP) connections – Set this to SSL (TLS 1.0).
- Require user authentication for remote connections by using Network Level Authentication – Set this to Enabled.
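Group Policy stores each of these four settings as a registry value under the Terminal Services policy key, so you can check whether a machine actually has them applied without opening gpedit.msc. The following audit script is an added example, not from the original article; it assumes the standard value names and encodings (High Level = 3, SSL = 2, Enabled = 1) that Group Policy writes for these settings.

```powershell
# Added example (not from the original article): audit the four Remote Desktop
# Session Host > Security policies recommended above. Group Policy stores them
# as registry values under this key; the numeric encodings are the standard
# ones (High Level = 3, SSL/TLS security layer = 2, Enabled = 1).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy name as shown in gpedit.msc, the registry value behind it, and the
# value the article's recommendation corresponds to.
$Expected = @(
    @{ Policy = 'Set client connection encryption level (High Level)'; Value = 'MinEncryptionLevel'; Want = 3 }
    @{ Policy = 'Require secure RPC communication (Enabled)';          Value = 'fEncryptRPCTraffic'; Want = 1 }
    @{ Policy = 'Require use of specific security layer (SSL)';        Value = 'SecurityLayer';      Want = 2 }
    @{ Policy = 'Require user authentication by NLA (Enabled)';        Value = 'UserAuthentication'; Want = 1 }
)

function Test-RdpSecurityPolicy {
    # A missing key or value means the policy is "Not Configured".
    $Props = if (Test-Path $PolicyKey) { Get-ItemProperty -Path $PolicyKey } else { $null }
    foreach ($E in $Expected) {
        $Actual = if ($Props) { $Props.($E.Value) } else { $null }
        [pscustomobject]@{
            Policy   = $E.Policy
            Registry = $E.Value
            Expected = $E.Want
            Actual   = if ($null -eq $Actual) { 'not configured' } else { $Actual }
            Ok       = ($Actual -eq $E.Want)
        }
    }
}

$Report = Test-RdpSecurityPolicy
$Report | Format-Table -AutoSize
if ($Report.Ok -contains $false) {
    Write-Warning 'One or more recommended Remote Desktop policies are not applied.'
}
```

Run it after closing the Local Group Policy Editor; every row should show Ok = True.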
Once those changes have been made, you can close the Local Group Policy Editor. The last security recommendation we have is to change the default port that Remote Desktop listens on. This is an optional step and is considered a security-through-obscurity practice, but the fact is that changing the default port number greatly decreases the number of malicious connection attempts that your computer will receive. Your password and security settings need to make Remote Desktop invulnerable no matter what port it is listening on, but we might as well decrease the number of connection attempts if we can.
Security through Obscurity: Changing the Default RDP Port
By default, Remote Desktop listens on port 3389. Pick a five-digit number less than 65535 that you’d like to use for your custom Remote Desktop port number. With that number in mind, open up the Registry Editor by typing “regedit” into a Run prompt or the Start menu.

When the Registry Editor opens up, expand HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp > then double-click on “PortNumber” in the window on the right.

With the PortNumber registry value open, select “Decimal” on the right side of the window and then type your five-digit number under “Value data” on the left.

Click OK and then close the Registry Editor.
Since we’ve changed the default port that Remote Desktop uses, we’ll need to configure Windows Firewall to accept incoming connections on that port. Go to the Start screen, search for “Windows Firewall” and click on it.

When Windows Firewall opens, click “Advanced Settings” on the left side of the window. Then right-click on “Inbound Rules” and choose “New Rule.”

The “New Inbound Rule Wizard” will pop up; select Port and click Next. On the next screen, make sure TCP is selected, enter the port number you chose earlier, and then click Next. Click Next two more times, because the default values on the next couple of pages are fine. On the last page, give this new rule a name, such as “Custom RDP port,” and then click Finish.
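The registry change and the firewall rule above can also be done from PowerShell in one go, with a check that the chosen port is not already in use before the listener is moved. This is an added example, not code from the original article; it assumes an elevated prompt, uses 54321 as a placeholder port, and additionally disables the built-in port 3389 rules, which the wizard-based steps leave enabled.

```powershell
# Added example (not from the original article): move the Remote Desktop
# listener to a custom port and open that port in Windows Firewall.
# Assumes an elevated PowerShell prompt. 54321 is a placeholder port number.
$NewPort = 54321   # placeholder: choose your own value below 65535
$RdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$OldPort = (Get-ItemProperty -Path $RdpTcp -Name 'PortNumber').PortNumber

# Refuse a port that another service on this machine is already listening on;
# otherwise the listener silently fails to start after the restart below.
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "Port $NewPort is already in use on this computer; choose another."
}

# Same as editing PortNumber in regedit with "Decimal" selected.
Set-ItemProperty -Path $RdpTcp -Name 'PortNumber' -Value $NewPort -Type DWord

# Same as the New Inbound Rule wizard: TCP, the chosen port, Allow, all profiles.
New-NetFirewallRule -DisplayName "Custom RDP port $NewPort" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow | Out-Null

# The built-in rules for 3389 only expose a port nothing listens on any more.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# The listener reads PortNumber when the service starts. If you are running this
# over an existing Remote Desktop session, expect to be disconnected here.
Restart-Service -Name 'TermService' -Force

# Verify that something is now listening on the new port.
$Listening = Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue
"Remote Desktop moved from port $OldPort to $NewPort; listening: $([bool]$Listening)"
```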
Last Steps
Your computer should now be accessible on your local network, just specify either the IP address of the machine or the name of it, followed by a colon and the port number in both cases, like so:

To access your computer from outside your network, you’ll more than likely need to forward the port on your router. After that, your PC should be remotely accessible from any device that has a Remote Desktop client.
If you’re wondering how you can keep track of who is logging into your PC (and from where), you can open up Event Viewer to see.

Once you have Event Viewer open, expand Applications and Services Logs > Microsoft > Windows > TerminalServices-LocalSessionManager and then click Operational.

Click on any of the events in the right pane to see login information.
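Clicking through events one at a time gets tedious once a machine has been reachable for a while, so here is the same log read from PowerShell with the account and source address extracted from each event. This is an added example, not from the original article; it assumes the event IDs this log uses for logon (21), disconnect (24) and reconnect (25) and the “User: … Source Network Address: …” wording of their messages.

```powershell
# Added example (not from the original article): summarise Remote Desktop
# session activity from the TerminalServices-LocalSessionManager log.
# Assumes event IDs 21 (logon), 24 (disconnect) and 25 (reconnect), whose
# message text contains "User: DOMAIN\name" and "Source Network Address: ip".
$LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$Kinds   = @{ 21 = 'Logon'; 24 = 'Disconnect'; 25 = 'Reconnect' }

function Get-RdpSessionEvent {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $Filter = @{ LogName = $LogName; Id = @(21, 24, 25); StartTime = $Since }
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the account and the client address out of the free-text message.
        $User = if ($_.Message -match 'User:\s*(\S+)') { $Matches[1] } else { $null }
        $Addr = if ($_.Message -match 'Source Network Address:\s*(\S+)') { $Matches[1] } else { 'LOCAL' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Event  = $Kinds[[int]$_.Id]
            User   = $User
            Source = $Addr
        }
    }
}

$Events = Get-RdpSessionEvent
$Events | Sort-Object Time -Descending | Format-Table -AutoSize

# Addresses you do not recognise logging on successfully are what to look for.
$Events | Where-Object Event -eq 'Logon' |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'Source'; Expression = { $_.Name } }
```

Note that this log only records sessions that were actually established; failed password guesses against the port show up in the Security log instead.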
Translated from: https://www.howtogeek.com/175087/how-to-enable-and-secure-remote-desktop-on-windows/