Your 10-Point Checklist to Securing RDS for UK Compliance

A 10-Step Checklist on How to Secure Your RDS for UK Compliance

RDS allows your users to access a desktop or application hosted on a server in a data centre or the cloud. When you’re choosing an RDS provider, you should pick one with all the necessary support in place to keep your business secure and compliant at all times.

This checklist highlights the RDS security best practices to protect your sensitive data and comply with regulatory requirements in the UK.

1. Configure MFA, RD Gateway & Access Controls

The RD gateway is a role service that allows your remote users to connect to RDS resources. When your service provider is configuring the gateway, make sure it filters all incoming traffic, so only authorised users can connect.

One effective way to achieve this is by implementing a firewall and setting up access controls, including multi-factor authentication (MFA) and IP-based restrictions.

According to Microsoft’s research, the simple action of enabling MFA can prevent 99.9% of attacks on your accounts.

Key access control measures include:

• Enforce Multi-Factor Authentication
• Deploy RD Gateway to tunnel RDP sessions securely over HTTPS (TCP 443), avoiding direct exposure on port 3389
• Apply Network-Level Access Control Lists (ACLs) to limit access by IP address, geography, or user group

These steps help you meet the Cyber Essentials Plus control requirements.

2. Implement Network & DNS Design

Network segmentation refers to dividing a network into smaller, isolated segments to limit the spread of any unwanted activity. Poor network design can compromise your session data, putting your business at risk.

In RDS, this technique allows you to isolate RDS servers and resources from the rest of your network. This is possible with the help of virtual LANs (VLANs) or robust firewalls, which can be used to restrict access to your business’ RDS.

Important DNS hygiene measures include:

• Enable DNSSEC to protect against spoofed DNS responses and man-in-the-middle attacks
• Set up redundant DNS resolvers to maintain availability and reduce single points of failure
• Log DNS queries centrally for traceability and forensic investigations

3. Patch Management & Avoiding RDP Vulnerabilities

The most sophisticated defences can fall apart without regular patching. This is the most common compliance failure and the easiest way to exploit RDS environments.

For example, BlueKeep (CVE-2019-0708) is a wormable remote code that threatens unpatched RDS resources across the UK’s public IT infrastructure. It can execute code without user input.

Patch management best practices include:

• Using Windows Server Update Services (WSUS) or Intune to automate patch deployment
• Subscribing to Microsoft Security Advisories and patching critical RDS components weekly
• Disabling unused protocols and services (e.g. SMBv1) to reduce attack surface

4. Harden RDS Roles & Minimise Exposure

Take a closer look at your business’s default features and role settings that can silently weaken your entire remote desktop services’ security. Ensure you:

• Remove unused roles (e.g., RemoteFX, Fax Services)
• Limit session timeout durations
• Audit and restrict logon permissions per host

5. Supported Windows Versions & RDS Compatibility Checks

An unsupported system not only puts your RDS environments at risk but also fails compliance audits. Ensure your RDS service provider has infrastructure that meets the minimum supported version for various key components, including:

• RDS Session Host
• RD Broker
• Licensing Server

6. Monitoring, Logging & Audit Practices for Compliance Traceability

Your business should consider implementing a robust logging and monitoring solution to comply with relevant UK industry regulations and standards.

Compliance logging best practices include:

• Enable user session logging on all RDS hosts
• Store logs in immutable storage (e.g. WORM, write-once backup)
• Integrate with a SIEM platform like Microsoft Sentinel for real-time alerts and audit readiness

These practices support ISO 27001: A.12.4, the UK Cyber Resilience Bill, and GDPR Article 30 (Records of Processing Activities).

7. Protect Data with Encryption Standards

Your primary focus should be to protect your RDS data, which is possible by implementing encryption in transit and at rest.

When data is in transit, you can use Transport Layer Security (TLS) or Secure Socket Layer (SSL) to encrypt data. When data is at rest, rely on disk encryption technology to encrypt data stored on RDS servers and client devices.

• Enforce TLS 1.2 or 1.3 for all RDP traffic via GPO or SSL certificates
• Enable Credential Guard on Windows 10/11 Pro endpoints to protect against pass-the-hash
• Require Network Level Authentication (NLA) on all RDS hosts to prevent unauthenticated access

These configurations are essential for complying with GDPR Article 32 (data protection in transit).