What Is Ailing RDP Security And How to Use It Safely

essidsolutions

The Windows Remote Desktop Protocol (RDP) is one of the most popular targets exploited by threat actors for both on-premises and cloud attacks. It is also the foundation for many remote access solutions within Microsoft Windows environments. Although RDP can be a gaping security hole, properly configuring and managing it enables its users to meet business requirements safely.

RDP was introduced in Windows XP by Microsoft in 1996. As virtual private networks (VPN) emerged, RDP remained popular because it was built into Windows and provided complete control over the device to which the remote user connected. As shown in Figure 1, a user at home can connect via RDP to an office desktop or server and use it just as they would if sitting at its keyboard.

Figure 1: RDP Connection

In this example, the user connects to her office desktop using an unencrypted RDP connection. She did have to authenticate, but weak RDP authentication is a flaw that threat actors often exploit.

RDP is not always used alone. Figure 2 shows how RDP is often the foundation of other remote access solutions. RDP is used for these solutions because it is in all Windows systems, it is mature, and it just works.

Figure 2: RDP as the Foundation (from Awingu)


How Wide Is the RDP Attack Landscape?

CISOMag reports that “…the year 2020 saw the biggest increase in RDP attacks.” Brute force attacks against weak authentication increased from 200,000 a day in January 2020 to 1.4 million a day in April 2020, and the trend continues. In addition, Kaspersky reported that as the number of RDP endpoints increased by 41% (per Shodan), the interest by threat actors has also increased; RDP attacks increased between 2019 and 2020 by 242% (up to 3.3 billion) in 2020. The number of remote workers driving this increase might fall as COVID-19 is brought under control, but organizations should not expect to go back entirely to the pre-COVID work-in-the-office state.

One of the most significant risks is the ability of a threat actor to pivot from a compromised RDP connection to other on-premises or cloud resources. Threat actors compromising RDP connections are hard to detect because they are authenticated as authorized users.

Figure 3 is an example of how this might work. The attacker cannot directly access the uncompromised systems. Consequently, she uses a compromised RDP connection to access them. This can be done easily if the compromised RDP account has elevated privileges.

Figure 3: RDP Pivot

Depending on the privileges of the compromised RDP/system account, the threat actor can install tools to use the target system as a base for long-term malicious activities on the victim network.

Key Vulnerabilities in RDP

Threat actors do not have to look far to find RDP vulnerabilities. Organizations often implement remote access without sufficient risk analysis or attention to a relevant security framework. The most prevalent vulnerabilities are weak authentication and misconfiguration of RDP and the network.

Weak authentication

Passwords are only moderately safe under the best conditions, but they are often the only thing standing between a threat actor and a target RDP connection. Worse, when administrators and security teams do not effectively manage RDP access, users tend to choose weak passwords for it. According to a McAfee blog, some of the most commonly used RDP passwords were:

  • [no password]
  • 123456
  • P@ssw0rd
  • 123
  • Password1
  • 1234
  • password
  • 1
  • 12345
  • Password123
  • admin
  • test
  • test123
  • Welcome1
  • scan

Misconfiguration

Misconfiguration covers both the implementation of RDP and the network in which it is used. The first configuration mistake is permitting unrestricted remote access to RDP.

RDP uses port 3389. When business requirements dictate remote access for business operation or system support, organizations often permit access to this port via the internet by simply configuring perimeter firewalls to allow it.

When combined with weak authentication, allowing any entity to attempt access to an RDP-enabled device provides threat actors with the opportunity to compromise a system at any time from anywhere. This is one reason that brute force attacks against RDP passwords are common.

It is possible to segregate what is accessed remotely with RDP onto highly controlled network segments. However, this is often not done. Instead, organizations enable RDP on systems across production network segments. This is true for both on-premises and cloud resources.
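The two misconfigurations described above can be checked on a host without changing anything. The following script is an added example, not code from the article or from essidsolutions: it reads the documented Terminal Server registry values (whether Remote Desktop is on, whether Network Level Authentication and TLS are required, and which port is in use), then walks the enabled inbound firewall rules to find any that open that port to every remote address, and lists who is in the local "Remote Desktop Users" group. Run it in an elevated PowerShell on the Windows host being assessed; rule names are whatever that host actually has.

```powershell
# Added example: read-only audit of RDP exposure on the local host.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpKey
    $findings = [System.Collections.Generic.List[string]]::new()

    # fDenyTSConnections = 1 means Remote Desktop is off; 0 means it is on.
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)
    if ($rdpEnabled) { $findings.Add('Remote Desktop is enabled on this host') }

    # UserAuthenticationRequired = 1 enforces Network Level Authentication, so a
    # client must authenticate before a full session (and its attack surface) exists.
    if ($rdp.UserAuthenticationRequired -ne 1) {
        $findings.Add('Network Level Authentication is not required')
    }

    # SecurityLayer 2 = TLS required; lower values permit the legacy RDP security layer.
    if ($rdp.SecurityLayer -lt 2) {
        $findings.Add("SecurityLayer is $($rdp.SecurityLayer); TLS (2) is not enforced")
    }

    $port = [string]$rdp.PortNumber   # 3389 unless deliberately changed

    # Flag every enabled inbound allow rule that opens the RDP port to any
    # remote address: if the perimeter forwards the port, that is the internet.
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -ne 'TCP') { continue }
        $opensPort = (@($pf.LocalPort) -contains $port) -or ($pf.LocalPort -eq 'Any')
        if (-not $opensPort) { continue }
        $af = $rule | Get-NetFirewallAddressFilter
        if ($af.RemoteAddress -eq 'Any') {
            $findings.Add("Firewall rule '$($rule.DisplayName)' allows TCP/$port from any address (profile: $($rule.Profile))")
        }
    }

    # Group membership is the other half of "who may log on". Note that local
    # Administrators can use RDP without being listed here.
    $members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
    if ($members) {
        $findings.Add("Remote Desktop Users contains: $(($members.Name) -join ', ')")
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        RdpEnabled = $rdpEnabled
        Port       = $port
        Findings   = $findings
    }
}

Get-RdpExposure | Format-List
```

An empty Findings list with RdpEnabled false is the state the article recommends for hosts that do not need RDP; a rule allowing the port from "Any" on the Public profile is the exposure the article describes, whether or not the perimeter currently forwards it.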


How To Safely Use RDP

The first question during an RDP use assessment is whether RDP is needed for business operation. If not, internet access to systems via port 3389 should be blocked. Further, admins should use group policy to ensure RDP is disabled on all systems.

If RDP is needed, management must clearly define who may use RDP, when, and for what. Since solutions like IPSec or SSL VPN are safer for remote access to applications and data, there must be clearly defined reasons for over-the-internet RDP access to resources.

As with any remote access solution, organizations should use a secure medium, like VPN, to enable access to RDP-enabled devices.

Multi-factor authentication for all RDP user accounts is needed to protect against brute force attacks and threat actor use of stolen credentials. Although setting strong password policies and requiring strong passwords can help, passwords alone are never enough to protect anything higher than moderately classified assets.

In addition to strong authentication, organizations should enforce least privilege when enabling an RDP connection. For example, no business user should have admin access, and support teams should only have access to deal with problems. No one should be provided with the ability to install applications via an RDP connection unless necessary to maintain business operation.

Pivoting is not easy for a threat actor if the network is appropriately configured. Regardless of whether RDP is used, allowing user devices or servers to arbitrarily access any other devices not needed to perform business tasks is never a good idea. Moving to a zero-trust network model helps prevent this. Because of today’s threat TTP (tools, techniques, and procedures), all organizations should have already moved to zero-trust or be planning for the move.
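The per-host side of the steps above can be scripted. The following is an added example, not code from the article or from essidsolutions, and it is the local equivalent of the group policy setting the article recommends rather than a replacement for it. Without -RdpRequired it turns Remote Desktop off and disables the inbound allow rules; with -RdpRequired it requires Network Level Authentication and TLS, allows the RDP port only from the source ranges given in -AllowedSource (intended to be the VPN pool or a management segment), and trims the local "Remote Desktop Users" group to an approved list. The subnet, the account name and the rule name are placeholders, and the "Remote Desktop" firewall rule group name is the one Windows uses on English installations. Run it elevated, and with -WhatIf first to see what would change. Multi-factor authentication is not something a host script can add; that belongs on the VPN or gateway in front of the host.

```powershell
# Added example: apply the article's host-level RDP controls (placeholders marked).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$RdpRequired,
    [string[]]$AllowedSource = @('10.200.0.0/24'),                  # placeholder: VPN pool
    [string[]]$ApprovedUsers = @("$env:COMPUTERNAME\svc_support")   # placeholder: approved account
)

$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey   = "$tsKey\WinStations\RDP-Tcp"
$ruleName = 'RDP - restricted to approved sources'   # placeholder rule name

# Both branches start by removing the any-source rules Windows ships with.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

if (-not $RdpRequired) {
    # No business need: Remote Desktop off, nothing listening for remote logons.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Write-Verbose 'Remote Desktop disabled and inbound RDP rules removed.'
    return
}

# Business need exists: keep RDP on but only behind NLA + TLS.
Set-ItemProperty -Path $tsKey  -Name fDenyTSConnections        -Value 0
Set-ItemProperty -Path $rdpKey -Name UserAuthenticationRequired -Value 1   # NLA
Set-ItemProperty -Path $rdpKey -Name SecurityLayer              -Value 2   # TLS only
$port = (Get-ItemProperty -Path $rdpKey).PortNumber

# One inbound rule, scoped to the approved source ranges, never on the Public profile.
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $port -RemoteAddress $AllowedSource -Profile Domain,Private | Out-Null

# Least privilege: only approved accounts may log on through RDP. Administrators
# are not affected by this group and must be reviewed separately.
$current = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue)
foreach ($m in $current) {
    if ($ApprovedUsers -notcontains $m.Name) {
        Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $m.Name
    }
}
foreach ($u in $ApprovedUsers) {
    if ($current.Name -notcontains $u) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $u -ErrorAction SilentlyContinue
    }
}
Write-Verbose "RDP on TCP/$port allowed only from $($AllowedSource -join ', ') with NLA and TLS required."
```

Because the script declares SupportsShouldProcess, every Set-ItemProperty, firewall and group-membership cmdlet inside it honours -WhatIf, so a dry run lists each change without applying it.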

Simple third-party solutions like OpenVPN Access Server use certificates and multifactor authentication to create a VPN connection to RDP resources. This helps strengthen authentication and protects remote sessions.

Organizations with a significant number of RDP access needs should consider the Remote Desktop Gateway. The gateway is a Windows server role that enables granular filtering of RDP access. Other solutions like Cisco’s Duo integrate with the gateway to provide additional filtering capabilities. Fine-grained filtering that allows some level of adaptive authentication helps support a zero-trust approach to RDP use.


Final Thoughts

RDP is often used with or without management approval. However, other solutions exist that make remote access for general business tasks more secure. Only a minimal number of users should be approved for RDP use.

When RDP access is allowed, security must closely monitor where it is turned on and how it is accessed. No user should be able to turn on RDP and access it over the internet outside of clearly defined policy requirements and supporting implementation procedures. Monitoring is needed in case an employee or a threat actor bypasses controls to enable RDP, and clearly defined sanctions should exist for employee policy violations.
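The monitoring described above comes down to two questions: is someone guessing RDP passwords, and has RDP been switched on where it should not be. The following is an added example, not code from the article or from essidsolutions, that answers both from Windows Security log events. Failed logons (event 4625) are grouped by source address and checked with a sliding window, so a burst of failures against the common passwords the article lists stands out from an employee's occasional typo; a change of fDenyTSConnections to 0 (event 4657) shows Remote Desktop being enabled. Event 4657 is only written when registry auditing is enabled and the Terminal Server key carries an audit entry, which the example assumes. The sample events are constructed so the detection functions run anywhere; Get-RdpSecurityEvents shows the equivalent live query on a Windows host.

```powershell
# Added example: RDP brute-force and "RDP turned on" detection over Security events.

function Get-RdpSecurityEvents {
    # Live query: normalise 4625/4657 events into Id, Time and a Data hashtable.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4657; StartTime = $Since } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Id = $_.Id; Time = $_.TimeCreated; Data = $d }
        }
}

function Find-RdpBruteForce {
    param([object[]]$Events, [int]$Threshold = 10, [int]$WindowMinutes = 5)
    # With NLA on, rejected RDP logons are usually logged as logon type 3 (network);
    # without NLA they appear as type 10 (RemoteInteractive). Consider both, and
    # ignore events with no usable source address.
    $failed = $Events | Where-Object {
        $_.Id -eq 4625 -and $_.Data.LogonType -in @('3', '10') -and
        $_.Data.IpAddress -and $_.Data.IpAddress -notin @('-', '127.0.0.1', '::1')
    }
    foreach ($group in ($failed | Group-Object { $_.Data.IpAddress })) {
        $times = @($group.Group | Sort-Object Time | ForEach-Object Time)
        # Sliding window: the largest number of failures inside any WindowMinutes span.
        $peak = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            $limit = $times[$i].AddMinutes($WindowMinutes)
            $j = $i
            while ($j -lt $times.Count -and $times[$j] -le $limit) { $j++ }
            if (($j - $i) -gt $peak) { $peak = $j - $i }
        }
        if ($peak -ge $Threshold) {
            [pscustomobject]@{
                SourceIp     = $group.Name
                Failures     = $group.Count
                PeakInWindow = $peak
                Accounts     = ($group.Group.Data.TargetUserName | Sort-Object -Unique) -join ','
            }
        }
    }
}

function Find-RdpEnabled {
    param([object[]]$Events)
    # 4657 with fDenyTSConnections set to 0 = Remote Desktop switched on.
    $Events | Where-Object {
        $_.Id -eq 4657 -and $_.Data.ObjectValueName -eq 'fDenyTSConnections' -and $_.Data.NewValue -eq '0'
    } | ForEach-Object {
        [pscustomobject]@{ Time = $_.Time; Account = $_.Data.SubjectUserName; Process = $_.Data.ProcessName }
    }
}

# Constructed sample events (not real log data).
$base   = Get-Date '2021-03-01T09:00:00'
$sample = @()
foreach ($k in 0..11) {   # 12 failures in 3 minutes from one outside address, all against 'admin'
    $sample += [pscustomobject]@{ Id = 4625; Time = $base.AddSeconds(15 * $k)
        Data = @{ LogonType = '3'; IpAddress = '203.0.113.7'; TargetUserName = 'admin' } }
}
foreach ($min in 10, 40) { # two spaced-out failures from the VPN pool: an ordinary typo
    $sample += [pscustomobject]@{ Id = 4625; Time = $base.AddMinutes($min)
        Data = @{ LogonType = '10'; IpAddress = '10.200.0.15'; TargetUserName = 'jsmith' } }
}
$sample += [pscustomobject]@{ Id = 4657; Time = $base.AddMinutes(5)   # RDP enabled outside change control
    Data = @{ ObjectValueName = 'fDenyTSConnections'; NewValue = '0'; SubjectUserName = 'jdoe'; ProcessName = 'C:\Windows\regedit.exe' } }

Find-RdpBruteForce -Events $sample | Format-Table   # reports 203.0.113.7 only
Find-RdpEnabled    -Events $sample | Format-Table   # reports jdoe enabling RDP
```

On a live host, `Find-RdpBruteForce -Events (Get-RdpSecurityEvents)` runs the same logic over the last hour; the threshold and window are the knobs to tune against the organisation's normal failure rate, and any source outside the approved VPN ranges that appears at all is worth a look regardless of count.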
