
Remote Desktop access disabled is 100% safe.

Is there a foolproof method to exclusively enable Remote Desktop access from a designated laptop to a workstation within my LAN? I understand that achieving absolute safety is challenging, but I aim to establish a configuration that allows access only from this specific device while prioritizing security to the fullest extent possible.

I aim to attain a security level that would prevent Remote Desktop access even in the case of another connection on the LAN with the same IP and MAC addresses of the exclusive laptop + the correct Username and Password.

Maybe authentication with pre-installed self-signed certificates approach?

  • I just have a LAN with 2 workstations, 3 laptops and some mobile devices. No AD, etc. I want Workstation-1 to accept RDP connections exclusively from Laptop-1 (without considering its IP and MAC addresses) and deny all others even before the stage of asking for Username and Password.

--

I found that link (not sure if it's relevant for my case):

Setup RDP to DC from jumphost/PAW only - with IPSec

It "focuses on the configuration of secure RDP (Remote Desktop Protocol) access for a jumphost/PAW (Privileged Access Workstation) to a DC (Domain Controller), such that the jumphost/PAW is the only computer which the DC will accept ingoing RDP connections from."

Amit
  • 362

1 Answer

Remote Desktop itself doesn't have built-in mechanisms for this, and the best security would be achieved through external means (i.e. not involving the RDP authentication process – not just because it has had security issues before).

IPsec packet encryption would be the closest thing for a Windows-native solution; you can configure it via wf.msc (in the same console that lets you configure basic IP-based firewall rules, which I suppose doesn't fit your criteria).

IPsec supports certificate authentication, though on Windows a self-signed certificate won't do – you'll need to create your own CA and then sign machine certificates with that, e.g. using "xca" or OpenVPN's "Easy-RSA" tools. The client machine certificate could be protected from extraction using the TPM that your laptop probably has.

(Note that you're not looking to set up an IPsec VPN – neither IKEv2 VPN nor L2TP/IPsec VPN – you're looking to set up host-to-host "transport mode" protection.)

The other option would be a third-party peer-to-peer VPN (WireGuard, OpenVPN, etc.) together with IP-based rules to limit connections to only the virtual VPN interface (the Windows Firewall "public/private" profiles might make this easy).

OpenVPN uses certificates with a CA and comes with tools for creating them. WireGuard does not use X.509 certificates (and therefore cannot make use of Windows' built-in TPM support), but it does use EdDSA keypairs in a similar way as SSH keys or self-signed certificates, and on Windows it tries to prevent anything except the WireGuard GUI from reading the stored configurations.

grawity
  • 501,077
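The two approaches in the answer above, written out as a PowerShell script for Workstation-1. This is an added example, not code from the answer or from Microsoft; it uses the NetSecurity cmdlets that back the wf.msc console. The CA subject `CN=HomeLab-RootCA`, the WireGuard interface alias `wg0` and the tunnel address `10.8.0.2` are constructed placeholders, and the script assumes you have already created the private CA (with xca or Easy-RSA), imported its root certificate into Workstation-1's machine store and installed a machine certificate issued by it on Laptop-1.

```powershell
# Added example (not from the answer above). Run elevated on Workstation-1.
# Assumed/hypothetical: private root CA "CN=HomeLab-RootCA" created with xca or
# Easy-RSA, its root cert in Workstation-1's Trusted Root machine store, and a
# machine cert issued by that CA in Laptop-1's machine store. "wg0" and
# 10.8.0.2 in Option B are constructed placeholders for your own tunnel.

#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# --- Option A: host-to-host IPsec transport mode with certificate authentication ---
function Set-RdpIPsecCertOnly {
    param(
        [Parameter(Mandatory)] [string] $CaSubject   # e.g. 'CN=HomeLab-RootCA'
    )

    # Main-mode proposal: machine certificate chaining to our own root CA.
    # Only a host holding a cert signed by that CA completes IKE negotiation,
    # so a cloned IP/MAC or a known password alone never reaches the RDP logon.
    $proposal = New-NetIPsecAuthProposal -Machine -Cert `
        -Authority $CaSubject -AuthorityType Root

    $authSet = New-NetIPsecPhase1AuthSet `
        -DisplayName 'RDP - machine cert from private CA' `
        -Proposal $proposal

    # Connection security rule: traffic to TCP/3389 must be IPsec-protected in
    # transport mode (no VPN tunnel), authenticated with the set above.
    New-NetIPsecRule -DisplayName 'RDP - require IPsec (cert)' `
        -Protocol TCP -LocalPort 3389 -Mode Transport `
        -InboundSecurity Require -OutboundSecurity Request `
        -Phase1AuthSet $authSet.Name -Profile Any | Out-Null

    # Replace the stock "Remote Desktop" allow rules with one that only admits
    # packets that arrived authenticated AND encrypted through that IPsec rule.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    New-NetFirewallRule -DisplayName 'RDP - IPsec authenticated only' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow `
        -Authentication Required -Encryption Required -Profile Any | Out-Null
}

# --- Option B: third-party VPN (e.g. WireGuard) plus an interface-bound rule ---
function Set-RdpVpnInterfaceOnly {
    param(
        [Parameter(Mandatory)] [string] $InterfaceAlias,    # e.g. 'wg0'
        [Parameter(Mandatory)] [string] $PeerTunnelAddress  # e.g. '10.8.0.2'
    )
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    # Allow 3389 only when it arrives on the VPN adapter from the laptop's tunnel
    # address; the physical LAN adapter never matches an allow rule for 3389.
    New-NetFirewallRule -DisplayName 'RDP - VPN interface only' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow `
        -InterfaceAlias $InterfaceAlias -RemoteAddress $PeerTunnelAddress `
        -Profile Any | Out-Null
}

# --- Checks to run after a connection attempt from Laptop-1 ---
function Test-RdpLockdown {
    # Stock RDP rules should show Enabled=False, the 'RDP - *' rules Enabled=True.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Select-Object DisplayName, Enabled, Direction
    Get-NetFirewallRule -DisplayName 'RDP - *' |
        Select-Object DisplayName, Enabled, Direction, Action
    # Every active profile must default to Block inbound, or the allow rules are moot.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
    # With Option A, a successful session shows main-mode and quick-mode SAs to the
    # laptop; a peer without a valid cert produces no SA and is dropped before logon.
    Get-NetIPsecMainModeSA  | Format-List
    Get-NetIPsecQuickModeSA | Format-List
}

# Usage (pick one option, then verify):
#   Set-RdpIPsecCertOnly -CaSubject 'CN=HomeLab-RootCA'
#   Set-RdpVpnInterfaceOnly -InterfaceAlias 'wg0' -PeerTunnelAddress '10.8.0.2'
#   Test-RdpLockdown
```

For Option A the laptop needs a matching connection security rule of its own (same `-Phase1AuthSet` proposal, `-OutboundSecurity Require` for TCP/3389 to the workstation), otherwise it never initiates IKE and the workstation's `Require` rule simply drops the plain TCP SYN. The `Test-RdpLockdown` output is what tells you which case you are in: an RDP prompt with no main-mode SA listed means the firewall rule, not IPsec, is admitting the traffic and the configuration has not taken effect.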