According to Microsoft's Open Specification, there are two "flavours" of RDP security: a "Standard" and "Enhanced RDP Security". How can I configure Windows Server to use "Enhanced RDP Security", please? How can I determine and configure which "External Security Protocol" is used, please?
I've spent several hours in the system settings and Registry Editor, and I could not find any configuration items which might allow me to configure these RDP host settings, unfortunately.
You can configure the enhanced RDP security option through GPO. It is important to understand that 'enhanced' is neither a function level nor an option; it's a concept, achieved by using the correct setting.
The items you are searching for are stored in
Client connection encryption level: Set this to 'High' level, so your Remote Desktop sessions are secured with 128-bit encryption
Require user authentication for remote connections by using Network Level Authentication – Set this to Enabled
Additionally, you will have to use certificate authentication and (this is important) use the RDS Gateway role to encrypt the RDP traffic. TLS encapsulation (like HTTPS/TLS) is a feature of RDS Gateway, not plain session hosts.
To further improve RDP security, Windows does offer the option to lock out RDP login for a certain period of time after a certain number of incorrect guesses. I would strongly recommend using that for the collection you'd like to secure.
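On the "how can I determine which protocol is used" part of the question: the server states its choice in the `selectedProtocol` field of the RDP Negotiation Response, carried in the X.224 Connection Confirm PDU defined in MS-RDPBCGR. The decoder below is an added example, not part of the original posts; the three sample PDUs are constructed for illustration, and in practice the bytes would come from a packet capture of the first server reply on TCP 3389.

```python
import struct

# selectedProtocol values from the MS-RDPBCGR RDP Negotiation Response
PROTOCOLS = {
    0x0: "PROTOCOL_RDP (Standard RDP Security)",
    0x1: "PROTOCOL_SSL (TLS)",
    0x2: "PROTOCOL_HYBRID (CredSSP, used by NLA)",
    0x4: "PROTOCOL_RDSTLS",
    0x8: "PROTOCOL_HYBRID_EX (CredSSP with Early User Authorization)",
}
NEG_RSP, NEG_FAILURE = 0x02, 0x03

# Constructed sample captures (TPKT header + X.224 Connection Confirm)
SAMPLE_HYBRID = bytes.fromhex("030000130ed00000123400" "0200080002000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")  # no negotiation block
SAMPLE_FAILURE = bytes.fromhex("030000130ed00000123400" "0300080005000000")


def parse_connection_confirm(pdu: bytes) -> dict:
    """Report which security protocol the server selected for the session."""
    if len(pdu) < 11:
        raise ValueError("too short for TPKT + X.224 Connection Confirm")
    version, _reserved, tpkt_len = struct.unpack(">BBH", pdu[:4])
    if version != 3 or tpkt_len != len(pdu):
        raise ValueError("bad TPKT header or truncated capture")
    length_indicator, code = pdu[4], pdu[5]
    if (code & 0xF0) != 0xD0 or length_indicator != len(pdu) - 5:
        raise ValueError("not an X.224 Connection Confirm")
    body = pdu[11:]  # skip LI, code, dst-ref, src-ref, class options
    if not body:
        # No negotiation data: the session falls back to Standard RDP Security
        return {"enhanced": False, "protocol": PROTOCOLS[0x0], "failure": None}
    if len(body) != 8:
        raise ValueError("unexpected negotiation block size")
    msg_type, _flags, length, value = struct.unpack("<BBHI", body)
    if length != 8 or msg_type not in (NEG_RSP, NEG_FAILURE):
        raise ValueError("malformed negotiation block")
    if msg_type == NEG_FAILURE:
        # e.g. 5 = HYBRID_REQUIRED_BY_SERVER: the client did not offer CredSSP
        return {"enhanced": False, "protocol": None, "failure": value}
    name = PROTOCOLS.get(value, f"unknown (0x{value:x})")
    return {"enhanced": value != 0, "protocol": name, "failure": None}


if __name__ == "__main__":
    for sample in (SAMPLE_HYBRID, SAMPLE_LEGACY, SAMPLE_FAILURE):
        print(parse_connection_confirm(sample))
```

Any non-zero `selectedProtocol` means the session uses Enhanced RDP Security, and the value names the external security protocol in use.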