Increase security for remote desktop machine - use 2FA and/or limit to LAN connection only?

I'm looking at setting up Windows remote desktop on a W10 Pro machine.

I'd like to increase the security on the connection and wonder if any of the following are possible:

  • A password, different from the username used to login when physically using the machine. This way it could use a random generated string which I could input once from the dial out computer.

  • 2 factor authentication.

  • Limit all incoming connections to machines on the same LAN only.

There will be 3 computers that will connect to the host, mostly Macs.

Are any/all of these possible, and are there some other things I should be looking at?


The article Securing Remote Desktop (RDP) for System Administrators lists these tips:

  • Use strong passwords
  • Update your software
  • Restrict access using firewalls
  • Enable Network Level Authentication (enabled by default for Windows 10)
  • Limit users who can log in using Remote Desktop (default is all Administrators)
  • Set an account lockout policy (lock an account after a number of incorrect guesses)
  • Change the listening port for Remote Desktop (default is TCP 3389)
  • Do not use other products like VNC or PCAnywhere

For your question about two-factor authentication, I don't believe this exists on Windows 10 Pro, only on Windows Server.

The article The 5 Best Alternatives To Google Authenticator lists six products which have a free plan (but also paid ones): Google Authenticator, Authy, Duo, HDE OTP, Authenticator Plus, Sound Login Authenticator. I have never used such products, so do not know how useful these are for you.
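As an added example (not part of this answer or the linked article), the following elevated PowerShell session applies the listed tips to a stand-alone Windows 10 Pro machine: it enables NLA, sets an account lockout policy, restricts RDP logons to a dedicated standard user, and scopes the built-in Remote Desktop firewall rules to the local subnet. The account name `rdpuser` and the lockout numbers are placeholders chosen for illustration.

```powershell
# Added example: harden RDP on Windows 10 Pro from an elevated PowerShell.
# 'rdpuser' and the lockout values are illustrative placeholders.

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# Enable Remote Desktop and require Network Level Authentication (NLA),
# so a client must authenticate before any session is created for it.
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1

# Account lockout: 5 wrong passwords lock the account for 30 minutes;
# the failure counter resets 30 minutes after the last bad attempt.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Only a dedicated, non-administrator account may log on via RDP.
# Local Administrators keep the "Allow log on through Remote Desktop
# Services" user right by default; remove them in secpol.msc if unwanted.
if (-not (Get-LocalUser -Name 'rdpuser' -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name 'rdpuser' `
        -Password (Read-Host -AsSecureString 'Password for rdpuser')
}
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'rdpuser'

# Firewall: the built-in "Remote Desktop" rule group accepts connections
# from any address by default. Restrict it to the local subnet so that
# only machines on the same LAN can reach TCP/UDP 3389.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress LocalSubnet

# (Optional, from the article's list) change the listening port; note that
# the built-in rules above are fixed to 3389, so a new rule would be needed:
#   Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name PortNumber -Value 33890

# Verify the resulting scope and group membership.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
Get-LocalGroupMember -Group 'Remote Desktop Users'
```

The verification output should show `LocalSubnet` as the remote address for each Remote Desktop rule; if it still shows `Any`, the scope change did not apply and the machine is reachable from every network it is attached to.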


Based on the current info, my recommendations are:

  • By setting up a SSH tunnel, you get an extra layer of authentication, where you can use another username/password or public key authentication to login. You can also enable obfuscation, with a completely different password, like you wanted. That way you also make it harder for someone monitoring the traffic to even see that it's SSH - and to connect, they both need that password and whatever SSH login you set up. On top of that, it's tunneling RDP traffic, which is also encrypted.

    On the Windows machine you can install Bitvise SSH Server and on the Macs, you can add obfuscation support to the built-in OpenSSH with some patches by ZingLau.
  • 2FA might be possible, but it won't be easy or free. The built-in smart card logon requires a Windows Active Directory domain, but there are 3rd party solutions for stand-alone computers. EIDAuthenticate supports RDP and is available in a free open source version, but only for Home editions (yet, they are thinking about a "home use program", so contacting them might speed up that thinking). But in your case it might not be enough, since it's only for Windows, and you connect from a Mac.
  • Limiting incoming connections to LAN can easily be done in Windows Firewall.
  • General things like strong passwords and updating all computers should of course be done. I also recommend having separate user and administrator accounts, and only allow the (unprivileged) user accounts to log on via RDP, so the administrator account has to log on locally.
  • The next thing I would look at would be the security on the clients that connect, because if they are compromised, all the other things you have set up don't help much. But I'm talking about general security principles, so I won't go into details with that.
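An added example of the tunnel setup above, written by the editor rather than by this answer's author: it uses the OpenSSH Server that ships as an optional feature of Windows 10 (1809 and later) instead of Bitvise, turns off SSH password logins so the tunnel is authenticated only with a key, and then removes RDP from the network entirely so the only way to reach port 3389 is through the tunnel. It does not include the traffic obfuscation the answer mentions, which stock OpenSSH does not support. Run it in an elevated PowerShell; the user `rdpuser` and the firewall rule name `OpenSSH-Server-In-TCP` (the name Microsoft's documentation uses for the rule the feature installer creates) are assumptions.

```powershell
# Added example: SSH-tunnelled RDP on Windows 10 using the built-in
# OpenSSH Server. Elevated PowerShell. 'rdpuser' is a placeholder.

# 1. Install and start the optional OpenSSH Server feature.
Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0'
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# 2. Key-only SSH logins: a second credential, independent of the Windows
#    password, which is what the question asked for.
$cfg  = Join-Path $env:ProgramData 'ssh\sshd_config'
$text = Get-Content -Path $cfg
$text = $text -replace '^#?\s*PasswordAuthentication\s+.*$', 'PasswordAuthentication no'
$text = $text -replace '^#?\s*PubkeyAuthentication\s+.*$',   'PubkeyAuthentication yes'
Set-Content -Path $cfg -Value $text
Restart-Service -Name sshd
#    The Mac's public key goes into C:\Users\rdpuser\.ssh\authorized_keys
#    for a standard user. (For members of Administrators, Windows OpenSSH
#    reads %ProgramData%\ssh\administrators_authorized_keys instead.)

# 3. SSH reachable only from the LAN. The feature installer normally adds a
#    rule named 'OpenSSH-Server-In-TCP'; create it if it is missing.
if (-not (Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
        -Direction Inbound -Protocol TCP -LocalPort 22 -Action Allow
}
Set-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -RemoteAddress LocalSubnet

# 4. RDP not reachable from the network at all. Windows Firewall does not
#    filter loopback traffic, so the tunnel endpoint (127.0.0.1:3389) still
#    works while every direct connection attempt is dropped.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 5. Verify: SSH rule scoped to LocalSubnet, RDP rules disabled, sshd running.
Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' |
    Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object DisplayName, Enabled
Get-Service -Name sshd | Select-Object Status, StartType
```

From one of the Macs the tunnel is then opened with `ssh -N -L 3389:127.0.0.1:3389 rdpuser@<windows-host>` and the Microsoft Remote Desktop client is pointed at `localhost:3389`; the RDP session still authenticates with the Windows account (and NLA) inside the tunnel, so an attacker on the LAN would need both the SSH private key and the Windows password.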

This scenario is possible with WebADM from RCDevs which is even free up to 40 users.

  1. A password, different from the username used to login when physically using the machine.

Yes, WebADM uses LDAP, Active Directory, etc., so you can use a different username/password.

  2. Two factor authentication.

Yes, you can use TOTP, HOTP with Hardware/Software Token, email and sms.

  3. Limit all incoming connections to machines on the same LAN only.

Yes, you can define Client Policy.

  4. There will be 3 computers that will connect to the host, mostly Macs.

Yes, you can install the Credential Provider Plugin for Windows or OSX with offline authentication.