Interested in learning about remote desktop security?
With the COVID pandemic, most businesses had to transition to virtual work unprepared.
And this became a prime opportunity for attackers to launch RDP (Remote Desktop Protocol) attacks on public-facing servers with unpatched vulnerabilities.
Don’t worry. It’s never too late to work towards ensuring remote desktop security.
In this article, we’ll cover everything about remote desktop security and its risks. We’ll also highlight seven excellent tips to help you set up a secure remote connection.
This article contains:
(click on the links to jump to a specific topic)
- What Is The Remote Desktop Protocol?
- What Are Remote Desktop Security Risks?
- How To Boost Your Remote Desktop Security?
Let’s get started.
What is the remote desktop protocol?
Developed by Microsoft, the Remote Desktop Protocol (RDP) is one of the main protocols used for conducting remote desktop sessions.
What’s a remote desktop session?
A remote desktop session takes place when you connect your device to another device at a different location. For example, when remote workers connect their personal computers to office devices on the corporate network.
RDP holds a major significance when it comes to businesses who have embraced remote working. Many companies rely on RDP to allow their employees to access office devices from their homes for remote work.
RDP acts as a graphical interface for a user when connected to another remote computer over a network. You can control the computer remotely in almost the same way you handle your own physical computer.
That’s why it’s important to minimize RDP risks to ensure remote desktop security.
And while RDP is pre-installed in most versions of Windows operating systems, it’s also available for Linux, Unix, macOS, iOS, Android devices.
What are the common remote desktop protocol vulnerabilities?
Let’s take a look at the two most common RDP vulnerabilities and how you can overcome them:
1. Weak user sign-in credentials
Most desktop computers are protected by a password that the user sets.
However, the problem occurs when the same password is used for RDP remote logins.
How?
Organizations do not manage these passwords to ensure their strength, leaving these remote connections open to cyberattacks like MITM attack (Man In The Middle).
How to overcome this RDP vulnerability
Using Single Sign-On (SSO) — an authentication technique that enables a user to log in to multiple software using a single ID and password.
Since this eliminates the hassle of remembering several passwords, organizations can use SSO to enforce strong password usage. They can also adopt more secure measures like two-factor or Multi-Factor Authentication (MFA).
You can also move RDP remote access behind SSO to shore up the user login vulnerability described above.
Additionally, you can make it a rule for your employees to set a strong password and advise them to change it periodically.
2. Unrestricted port access
By default, an RDP connection takes place at TCP port 3389 of the host device.
Since this is common knowledge, cybercriminals can assume that this port is in use and target it to carry out attacks.
How to overcome this RDP vulnerability
You can use a VPN connection that creates a secure tunnel for the requests to take place.
This helps block requests that weren’t sent through the tunnel and prevents attackers from sending requests directly to port 3389.
You can also configure a corporate firewall so that no traffic to port 3389 can come through — except from a list of allowed IP address ranges.
What are remote desktop security risks?
Here are the two popular remote desktop security risks:
1. Brute force attacks
A brute force attack occurs when an attacker enters many passwords or passphrases to guess a combination correctly.
The attacker systematically tries all possible passwords until they find the correct combination.
Once logged in as the admin, attackers try to determine the server’s details — like what it’s used for, by whom, and when it’s being used.
Being in control of the server can allow attackers to perform malicious activities like:
- Disabling security software.
- Clearing log files that contain their digital footprint in the system.
- Disabling scheduled computer backups.
- Downloading and installing malicious programs onto the server.
- Erasing or overwriting previous backups.
- Unauthorized transferring of data from the server.
They can also install coin-mining programs to generate cryptocurrency or install ransomware for extorting money from the organization.
2. Mass remote desktop protocol attacks
RDP attacks have been on a slow but steady rise and are subject to governmental advisories by several intelligence organizations.
In 2019, the floodgates opened when CVE-2019-0708 or “BlueKeep” was discovered — a security vulnerability in RDP that affected many Windows systems.
What’s BlueKeep?
The BlueKeep RDP vulnerability allows attackers to run arbitrary program code on the attacked computers.
Although individual attackers can be a widespread threat, BlueKeep vulnerability is “wormable.” This means that such attacks can automatically spread across networks without any intervention by users, making it a severe security risk.
Moreover, it was also classified as Critical, highest severity level, by Microsoft in their published guidance for customers.
How to boost your remote desktop security?
Now that you’re aware of remote desktop security risks, let’s take a look at a few effective measures to minimize them:
1. Limit RDP users
Everyone who has ‘Administrator’ level access can log in to Microsoft Remote Desktop by default.
However, chances are there are very few users on your network who actually need these privileges to do their job.
So, if your computer has multiple Administrator accounts, you should limit remote access only to those accounts that genuinely require it.
And for departments that manage many machines remotely, like the remote support team, you can remove the local Administrator account from RDP access and add a technical group instead.
Here’s how you can do that in Windows:
- Click Start, navigate through Programs > Administrative Tools and open Local Security Policy.
- In Local Policies > User Rights Assignment, go to “Allow log on through Terminal Services” or “Allow log on through Remote Desktop Services.”
- You can remove the Administrators group and leave the Remote Desktop Users group.
Additionally, if you want to add a remote user to the Remote Desktop Users group, use the system Control Panel.
This will restrict the RDP access to the users that require it and minimize the risk of an RDP attack. You can also activate timeout sessions and specify disconnect time to ensure secure remote access.
2. Use a virtual private network
Using a Virtual Private Network (VPN) connection adds an extra layer of RDP security to the system.
The VPN ensures that before a connection can be made to your server, it’s established upon a secure private network — which is encrypted and hosted outside of your server.
How?
When a device is connected to the VPN, it is assigned a private IP address to make the remote desktop connection to the server. This means that any connection attempts apart from the set IP addresses will be rejected.
Usually, firewalls come with built-in VPNs that support Multi-Factor Authentication and provide a secure way for external users to access internal resources.
3. Implement a security policy
For enhanced remote desktop safety, you should enforce a strong security policy throughout your organization to protect your privacy online.
An effective security policy can include tips like:
A. Use strong passwords
Having strong passwords is the simplest and most effective way to avoid becoming a victim of a Remote Desktop Protocol brute force attack.
Your password should be unique, long, and complex. The password sequence should also contain numbers, symbols, and upper and lower-case letters.
Additionally, you can change your account name to something other than the default ‘Administrator.’ This can make it twice as difficult for cybercriminals, as they have to guess your username as well as your password.
B. Use two-factor authentication
Two-factor authentication is an authentication method used to verify a user’s identity by checking against two or more pieces of evidence.
How does this help?
A second form of identification decreases an attacker’s chance of gaining access to corporate devices or other sensitive data.
RDP Gateways can be configured to integrate with third-party remote access software like SolarWinds MSP. You can also enable two-factor certificate-based smartcards.
C. Perform regular software updates
You should always ensure that you’re running the latest versions of both the client and server software by enabling and auditing automatic Microsoft Updates.
If you’re using Remote Desktop clients on other platforms, you should ensure that they’re still supported and are on the latest versions. Older versions may not support a high encryption level and have other remote access security flaws.
4. Patching
Patching is the most common method to ensure RDP security.
What’s patching?
A patch is a set of changes made to a computer program or its supporting data designed to update, fix, or improve it. They’re often written to improve the functionality, usability, or performance of a program.
This includes fixing security vulnerabilities and other bugs, with such patches usually being called bug fixes.
However, if you’re unable to patch right away, you can enable Network Level Authentication (NLA) or block RDP port 3389.
5. Use a remote desktop gateway
Remote Desktop Protocol gateways provide a way to tightly restrict access to remote desktop ports while supporting remote connections through a single server (gateway).
What’s Remote Desktop Gateway?
A Remote Desktop Gateway is a windows server (2008R2) that is typically located over a private or corporate network.
It acts as the gateway for RDP connections from an external network to access a Remote Desktop server (Terminal Server).
While using an RD Gateway server, all Remote Desktop Services on your desktop and other devices should be configured to allow access only from the RD Gateway.
This server listens for Remote Desktop requests over TCP port 443 (for HTTP) and connects the host computer to the Remote Desktop service on the remote device.
6. Audit trail
Organizations that use native RDP need a better audit trail.
As RDP has no centralized, tamper-proof logging and reporting, it can be difficult to know how many remote desktop sessions took place, who conducted them, and for how long.
These audit logs can be reviewed daily to search for errors or suspicious activity and set up appropriate rules for alert generation.
Moreover, the RDP gateway automatically provides a log that monitors how and when RDP is used in all your devices across the organization.
7. Enforce account lockout
Brute force attacks require numerous login attempts.
You can use this as an advantage and slow down the attacks by setting up a simple policy that locks users out after a certain number of attempts for a specified amount of time.
Three-minute lockouts for three invalid attempts are a good place to start if you’re not sure of an acceptable attempt threshold.
Here’s how you can enable this is Windows 10:
- In the Start Menu, type Administrative Tools and open the program listed under ‘Best Match.’
- Open Local Security Policy and browse to Account Policies > Account Lockout Policy.
- Select the policy you wish to edit and set a new value.
- Click OK to implement the changes.
Wrapping up
Remote Desktop Protocol is one of the main protocols used to connect to a device remotely. However, RDP has its own risks.
But that shouldn’t stop you from using remote connections for your organization.
All you need to do is enforce a security policy, monitor your network regularly, and you’ll be working towards risk mitigation.
Use the tips we mentioned in this article to create an effective security strategy to prevent such situations. Once done, your remote workforce will be better equipped to protect your network against the growing threat of RDP attacks.
