Prerequisites

• Remote desktop must be enabled in the target PC
• Target PC must be turned-on and stay awake
  • See how to turn on PC remotely over internet
  • To prevent PC from sleeping, change power plan settings in control panel

Enable remote desktop to the target PC Allow access to the target PC (the PC you want to connect remotely)

• Press “Windows + i” (Windows settings will open) > System > Remote desktop
• Enable Remote Desktop: On
• Power & sleep
  • Sleep: Never
  • Screen: as you wish (‘n’ minutes / ‘n’ hours / Never)
• User who can access remotely
  • By default the account you used during setup can access remotely
  • If you want to use another user fro remote access or need to allow access for another user:
    • Click “Select users that can remotely access this PC”
    • Click “Add..” > Enter user name > Click “Check names” > Ok

Setup static private IP for PC

• PC gets an IP address from the connected router (router has DHCP server)
  • This IP address is automatically obtained from the router
  • The IP is actually leased, means router can revoke and assign a different IP at some point
• We need to set a statuc private IP (static private IP must be within the range of routes’s DHCP server IP range)
• Set static private IP for the PC
  • Press “Windows + i” (Windows settings will open) > Click “Network & Internet”
  • Status > Advanced network settings > Change adapter options
  • Double click on the ethernet you are currently using (you might have multiple ethernet adapter)
  • Click “Details” > take note of the following IPs (will be used to set static IP)
    • IPv4 Address: 192.168.x.y
      • Allocated IP (allocated by router)
      • We are gonna set the same IP as static IP
    • IPv4 Default Gateway: 192.168.x.1
      • ‘x’ can be zero or any number (x = 50 for my Asus RT-AX88U router)
      • This is the admin panel IP of the router (for Asus router, admin panel can also be accessed with http://router.asus.com/Main_Login.asp)
    • IPv4 Subnet Mask: 255.255.255.0
    • IPv4 DNS Server: 192.168.x.1
  • Close
  • Click “Properties” > Double click on “Internet protocol version 4 (TCP/IPv4)”
  • Select followings
    • Use the following IP address
      • Ip address: use the information copied in the previous step
      • Subnet mask: use the information copied in the previous step
      • Default gateway: use the information copied in the previous step
    • Use the following DNS addresses
      • Preferred DNS server: use the information copied in the previous step
      • Alternate DNS server: keep it empty
  • Ok > Ok > Close

Recommended security settings

Disable remote desktop from public network in Windows Firewall (we will use port forwarding feature of router)

• Open controlle panel > search “firewall” > Click “Windows Defender Firewall”
• Click “Allow an app or feature through Windows Defender Firewall” (might take some time to show up)
• Click “Change settings” > Scroll below to “Remote Desktop”
• Uncheck “Public” > OK

Local security policy setting:

• Press “Windows key + R” (run window will open)
• Write: secpol.msc > Ok
• Local Policies > User Rignts Assignment
• Double click on “Allow login through Remote Desktop Services”
• Remove “Administrators” and “Remote desktop users”
• Click “Add user or group”
• Enter your Microsoft account email (i.e. xxx@outlook.com) > Check names > Ok
• Apply > Ok

Local group policy setting:

• Press “Windows key + R” (run window will open)
• Write: gpedit.msc > Ok
• Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
• Double click “Set client connection encryption level”
  • Enabled
  • Encryption level: High Level
  • Ok
• Double click “Require secure RPC communication” > Enabled > Ok
• Double click “Require use of specific security layer for remote (RDP) connections” > Enabled > Ok
  • Enable
  • Security Layer: SSL
  • Ok
• Double click “Require user authentication for remote connections by using Network Level Authentication” > Enabled > Ok

Obscuring RDP port

Check current RDP port

#
# PowerShell 7
#
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber"

Set custom RDP port

$portvalue = 3330
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value $portvalue
New-NetFirewallRule -DisplayName 'RDPCustomPort-TCPInbound' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort $portvalue
New-NetFirewallRule -DisplayName 'RDPCustomPort-UDPInbound' -Profile 'Public' -Direction Inbound -Action Allow -Protocol UDP -LocalPort $portvalue

Now, restart PC and then check the port again

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber"

Setup dynamic DNS in the router

• Login to router admin panel (for my Asus RT-AX88U router => http://router.asus.com/Main_Login.asp)
• WAN > DDNS > Enable
  • Server: “www.asus.com”
  • Hostname: “xxx” (choose and check whether it is available, in my case it’s “xxx.asuscomm.com”)
  • HTTPS / SSL: use lets encrypt (if available)
  • Apply
• Test DDNS:
  • Go to https://whatismyipaddress.com/
  • Open cmd and ping: ping xxx.asuscomm.com
  • Check that both are matched

Setup port forwarding in the router

• Login to router admin panel (for my Asus RT-AX88U router => http://router.asus.com/Main_Login.asp)
• WAN > port forwarding
• Enable port forwarding
• Add profile
  • Service name: give profile a name
  • Protocol: TCP
  • External port: custom RDP port (since 3389 is known port, you may use custom port i.e. 3330 to obscure)
  • Internal port: custom RDP port that you setup to obscure RDP port (i.e. 3330)
  • Internal IP address: the private IP of PC that we set in the previous section

Connect to PC using RDP client

From MacBook Pro

• Install Microsoft Remote Desktop
• Open Microsoft Remote Desktop > Press “Command + ,” (Preferences will open)
• User Accounts > Click “+” (bottom left)
  • Username: Micrososft account email (i.e. xyz@live.com) for which Remote Desktop is enabled (previous step mentioned above)
  • Password: Micrososft account password
  • Friendly name: give it a name i.e. MSAccountForPC
  • Add
  • Close preferences
• Click “+” > Add PC
  • PC name: DDNS_url:port i.e. “xxx.asuscomm.com:3389”
  • User account: select previously created user account i.e. MSAccountForPC
  • Friendly name: give it a name i.e. MyWorkStationPC
  • Change other settings if needed i.e. Display, Devices & Audio etc.
  • Add
• Now double click on the PC object > Continue