RDP security: use NLA (Network Level Authentication) for pre-authentication, restrict access to VPN only (don't expose port 3389 to the internet), require strong passwords + MFA, and use just-in-time access.
Internet-exposed RDP is the #1 ransomware entry point. Millions of RDP servers are brute-forced daily. Immediate action: move RDP behind a VPN. NLA requires Windows authentication before an RDP session is established. BlueKeep (CVE-2019-0708) is a critical unauthenticated RDP RCE. Patch and restrict access.
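
A read-only check of the settings above on a single Windows host, as an added example that is not part of the original notes. `Test-RdpExposure` is a hypothetical helper name; it assumes the default English "Remote Desktop" firewall rule group and the built-in NetSecurity module.

```powershell
# Added example: audits local RDP configuration without changing anything.
# Test-RdpExposure is a hypothetical name, not a built-in cmdlet.
function Test-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 0 means RDP connections are accepted.
    $deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required before a session is created.
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication
    # Listener port (3389 unless it has been changed).
    $port = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber

    # Enabled inbound allow rules in the "Remote Desktop" group whose remote
    # address scope is "Any", i.e. not limited to a VPN or management subnet.
    # The group display name is localized; adjust it on non-English systems.
    $open = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }

    [pscustomobject]@{
        RdpEnabled     = ($deny -eq 0)
        NlaRequired    = ($nla -eq 1)
        ListenerPort   = $port
        RulesOpenToAny = @($open | ForEach-Object { $_.DisplayName })
    }
}

$r = Test-RdpExposure
$r | Format-List

if ($r.RdpEnabled -and -not $r.NlaRequired) {
    Write-Warning 'RDP is enabled without NLA: sessions are created before authentication.'
}
if ($r.RdpEnabled -and $r.RulesOpenToAny.Count -gt 0) {
    Write-Warning 'RDP firewall rules accept any remote address; scope them to the VPN range.'
}
```

The host firewall scope is only one layer: a perimeter firewall or cloud security group can still expose or block the port independently, and Group Policy can override the local NLA value.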