The remote desktop protocol enables remote users to have the same desktop experience as using a local computer. It includes features such as remote sound, a clipboard, printers, and file transfers with high-resolution graphics. The graphics can be scaled down to accommodate low bandwidth.
Microsoft introduced Windows Terminal Server in 1998 as an add-on to the Windows NT Server 4.0 Operating System. This allowed people to remotely access their desktops over a network using TCP/IP. This feature has been included in every release of the Windows OS since then and became very popular when Windows XP was released in October 2001. However, RDP has also had some security concerns during this period.
Due to the expanded use of remote working, cloud computing, and distributed environments in the “new normal,” RDP is being used for purposes beyond its intended use. This misuse of RDP contributes to the prevalence of ransomware and other cyberattacks, as shown by various reports on security breaches.
How RDP Works
The Remote Desktop Protocol uses only one TCP/IP port to establish a connection (usually 3389) and is based on the T.128 application sharing protocol. Although the technical details of packet and frame construction are not important, it’s worth noting that all traffic is encrypted, point-to-point, and includes all the data necessary to allow for efficient processing and transmission of a complete remote user experience. Additionally, it includes mechanisms for fault tolerance, authentication, and support for multiple monitors.
The device can connect to remote desktop gateways on-premises through WiFi and cellular networks using TCP/IP without needing HDMI, USB, or other cables. This operation uses Remote Desktop Protocol (RDP) network communications through the Internet.
Additional authentication and abstraction controls should be implemented in the RD Gateway or RD Web Access Server according to Policy Rules. The biggest risk is exposing Remote Desktop Protocol (RDP) on the Internet through port 3389 and letting it go directly through firewalls to access an internal network target.
This is a frequent practice that should be avoided at all costs. If you use Citrix Server, Microsoft Windows Terminal Services, Remote Desktop (RD) Gateway, or RD Web Access, which pose similar risks, you might already be using RDP without realizing it.
Common RDP Use Cases
RDP (Remote Desktop Protocol) enables companies of any size to access servers, collaborate with colleagues, and remotely access desktops to complete tasks as if they were physically present in the office.
The most common use cases for RDP include the following:
- Setting up a bastion host with applications in an environment that looks like local resources.
- Enabling a virtual desktop interface (VDI) in cloud environments using a common office environment (COE) for employees or contractors.
- Offering a graphical user experience to remote servers, no matter where they are located, for maintenance, setup, and troubleshooting purposes.
- Granting remote help desks, call centers, and service desks access to user desktops for technical support, so that employees, contractors, vendors, or auditors get a user experience comparable to working from the office.
In a world where a remote job is becoming increasingly common, all the mentioned use cases are important and valid. However, certain use cases carry higher risks than others.
Addressing RDP Security Risks
The remote desktop protocol is effective in ideal environments with environmental controls. However, securing RDP to prevent unauthorized access and other security risks demands high IT security expertise beyond the default RDP settings.
The default settings for RDP only offer basic encryption and security and shouldn’t be solely relied on, as it poses an unacceptable risk to most organizations. So, what measures should be taken to secure RDP for internal and external operations?
The primary security measure for RDP is never to leave it accessible on the Internet, regardless of the level of endpoint and systems hardening. The danger of such exposure is too significant, and RDP should only be employed within a local area network (LAN).
RDP hosts have a listening port that can receive inbound connections. Even highly secure installations can be identified as a Windows Operating System and its version. Attackers can then use this information to conduct social engineering, exploit security vulnerabilities, use stolen credentials from the dark web, or use weak password management to gain unauthorized access through RDP.
Enabling RDP on devices with a public TCP/IP address, including mobile devices such as laptops used by employees at home or for remote work, is a bad idea. Organizations therefore prefer a VPN or a modern remote access solution for connecting to external resources, even those in the DMZ or the cloud, to avoid such security risks.
The default configuration is a good starting point:
- By default, only local or domain administrators are allowed access when RDP is enabled on Windows Hosts. This means that standard users are prevented from accessing it, but it poses a risk as only administrators can authenticate via RDP. This goes against the security best practice of least privilege. Only standard user accounts should have RDP access, and administrators should not have access. Access should follow a just-in-time model, meaning it should only be provided for the shortest time needed to complete a task. Session activity must also be closely monitored for appropriateness. A privileged access management (PAM) solution is the most effective way to enforce the controls for least privilege, just-in-time access, and session monitoring.
- If you don’t follow the recommendation to use access lists, it will be easy for a hacker to guess the administrator account and gain access to the resource. This is especially likely if the administrator’s username is left at the default “administrator.” In other words, a breach is very likely if default accounts are not properly secured. We suggest renaming the administrator account for the local machine or domain to a unique and non-guessable name. Also, it’s best to use RDP as an administrator only when necessary and not for daily remote access.
- Enabling Network Level Authentication provides the strongest available authentication method for RDP communications. Certificates are sent in clear text to a remote host or domain controller if it is not enabled.
- The ‘High’ encryption level is the strongest encryption available for RDP network communication. Without it, negotiation of the maximum key strength supported by the target will be done instead of using the maximum key strength set by group policy options.
- RDP Servers have a feature called clipboard redirection that enables the cut/copy and paste of content from remote systems to the connecting device and vice versa. This feature can be misused for data extraction or pasting system information such as passwords.
- Printer redirection is a feature offered by RDP Servers for remote access sessions. It connects the network and LPT (parallel port) printers from local devices and domain controllers to the remote asset. While this allows for printing important information, it also presents a risk of introducing malicious printer drivers. It is recommended to configure RDP without redirection for network and LPT printers.
- Windows Servers can allow multiple RDP sessions per user account. However, if a user becomes unintentionally disconnected, their session will be lost, and a new session will not reconnect to the previous one. This could result in the loss of productivity or information. Access can be restricted by limiting administrators to only one session. This restriction can also help manage malicious RDP, as only one session can occur at a time, making tracking easier.
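The settings in the list above are written to the registry by Group Policy (or set locally on hosts outside the domain), so they can be audited directly. The following PowerShell script is an added example, not code from the original article: it reads each hardening value, preferring the policy key over the local Terminal Server keys, and reports whether the host matches the recommendations. It assumes an elevated session on the host being checked; the expected values are the documented registry encodings of the Group Policy settings named above.

```powershell
# Added example (not from the original article): audit a host's RDP hardening
# against the recommendations above. Group Policy writes to $policyKey; a
# value there overrides the local Terminal Server setting, so check it first.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$localKey\WinStations\RDP-Tcp"

function Get-RdpSetting {
    param([string]$Name, [string]$LocalPath)
    foreach ($path in @($policyKey, $LocalPath)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null   # not set anywhere: Windows applies its built-in default
}

# Setting name, key it lives in locally, the hardened value, and the control it enforces.
$checks = @(
    @{ Name = 'UserAuthentication';    Path = $rdpTcpKey; Expect = 1; Why = 'Network Level Authentication required' },
    @{ Name = 'MinEncryptionLevel';    Path = $rdpTcpKey; Expect = 3; Why = 'Encryption level High (3) or FIPS (4)' },
    @{ Name = 'SecurityLayer';         Path = $rdpTcpKey; Expect = 2; Why = 'TLS security layer rather than legacy RDP security' },
    @{ Name = 'fDisableClip';          Path = $rdpTcpKey; Expect = 1; Why = 'Clipboard redirection disabled' },
    @{ Name = 'fDisableCpm';           Path = $rdpTcpKey; Expect = 1; Why = 'Client printer redirection disabled' },
    @{ Name = 'fDisableLPT';           Path = $rdpTcpKey; Expect = 1; Why = 'LPT port redirection disabled' },
    @{ Name = 'fSingleSessionPerUser'; Path = $localKey;  Expect = 1; Why = 'One RDP session per user' }
)

$results = foreach ($c in $checks) {
    $actual = Get-RdpSetting -Name $c.Name -LocalPath $c.Path
    # FIPS (4) is stricter than High (3), so accept anything at or above the expected level.
    $ok = if ($c.Name -eq 'MinEncryptionLevel') { ($null -ne $actual) -and ($actual -ge 3) }
          else { $actual -eq $c.Expect }
    [pscustomobject]@{
        Setting = $c.Name
        Actual  = if ($null -eq $actual) { 'not set (default)' } else { $actual }
        Status  = if ($ok) { 'OK' } else { 'FIX' }
        Control = $c.Why
    }
}

# Report whether the listener is enabled at all and on which port (3389 by default).
$enabled = (Get-RdpSetting -Name 'fDenyTSConnections' -LocalPath $localKey) -ne 1
$port    = (Get-ItemProperty -Path $rdpTcpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
Write-Host "RDP enabled: $enabled (listening port: $port)"
$results | Format-Table -AutoSize
```

Any row marked FIX identifies a setting that differs from the list above; fixing it through Group Policy rather than the local key keeps it from being silently reverted on the next policy refresh.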
Organizations need to configure all these settings in the Group Policy Options and apply them via Active Directory to implement them. Resources must be specifically set up if they are not part of the domain. However, even in both scenarios, if one host is misconfigured, it can pose a significant risk. Unfortunately, this is a common occurrence.
We must remain vigilant and take necessary precautions to ensure the security of the RDP configuration. In addition, there are potential threats that require ongoing monitoring and management:
- The vulnerabilities that have been present in various versions of RDP, such as BlueKeep and DejaBlue, can allow remote code execution and privilege escalation. It’s important for IT administrators in environments that use RDP to stay informed of security updates and apply them promptly. Failure to do so could leave the system vulnerable to attack, even with other security measures.
- It is necessary to control and manage the RDP clients allowed in your environment to prevent vulnerabilities from being propagated back to an RDP host server. Many third-party products can act as an RDP client, and operating systems like macOS and Linux have native RDP clients based on open-source and proprietary code. If a vulnerability is discovered in any of these clients, it can become an attack vector for end-user access, which is why RDP client usage should be controlled and limited through application control.
- To use the RDP protocol in your environment, you are required to get a license from Microsoft. It is essential to note that using third-party or open-source versions of RDP without proper licensing may violate your agreement with Microsoft. To avoid issues, ensure that any third-party solutions you deploy that use RDP are properly licensed with Microsoft.
Alternatives to RDP
For many organizations, the risks associated with RDP security are not justifiable. Any non-compliance, whether internal or external, while using RDP is unacceptable. Such organizations need a remote access solution that is not reliant on the native operating system. This limits the options for modern Microsoft Windows devices and other operating systems that support RDP as a client or server:
- VNC software allows you to control another computer’s desktop using the remote frame buffer protocol. It competes with RDP and has the advantage of being platform-independent. Several different VNC server and client implementations are available, making it straightforward to find one that suits your preferences. VNC has security and hardening issues similar to RDP’s, such as weak encryption, clear text transmissions, and limited options for hardening authentication. Some paid proprietary solutions have been developed to address these problems, but at that point they are simply another proprietary option.
- Secure Shell (SSH) is now available natively on Microsoft Windows, allowing the remote execution of almost all functions via the command line. This feature was added in 2018. SSH provides a secure approach to logging in remotely to a Windows host and running commands and scripts, even without graphics. Like RDP, SSH hardening requires configuring account access, encryption, and access control lists. It is recommended to use SSH only internally and avoid exposing it directly to the Internet.
- Third-party solutions for remote access technology are designed differently than RDP, VNC, and SSH. Instead of opening a TCP/IP port on a host, these solutions use agent-based technology to reach out to a manager or gateway and wait for an inbound connection request. These implementations are well-suited for the Internet because they provide reduced exposure, and authentication occurs at the remote access manager rather than the target. Furthermore, network traffic is secured by routing through the manager and gateway instead of using point-to-point communication that firewalls may block.
You can find enterprise solutions from specific vendors that provide better remote access than RDP, although they are not free. These solutions implement proprietary protocols created by the vendors.
Some third-party secure remote access solutions have advanced features such as screen recording, multiscreen sharing, safe mode booting, and remote registry access that do not require a full session. However, managing accounts can be difficult because each solution needs to grant authentication privileges based on a directory service or local role-based access model for each potential target.
Regardless of whether users and assets are grouped in Active Directory, LDAP, or Azure AD, administrators must set up access control to determine who has access to what and when. This is necessary to avoid the risks associated with uncontrolled access, which could be disastrous for the business.
Replace RDP or Secure It?
Although Remote Desktop Protocol can be a suitable solution for remote access in some cases, it depends on getting the configuration right, limiting internet exposure, and keeping security updates current, and each of these is a place where things can go wrong.
Cybercriminals use automated tools to search for weaknesses in remote access systems, such as exposed RDP or other vulnerabilities. One non-compliant asset, either inside or outside the organization, could put the entire organization at risk. Even if a VPN is used to limit outside access, it could worsen the problem.
As a result, numerous organizations are opting to stop using RDP and switch to a more secure remote access solution that offers advanced security features for the intended purposes. By doing so, most of the potential risks can be minimized.
We recommend locating where Remote Desktop Protocol (RDP) is exposed and evaluating the associated risk. After assessing the risk, make your own decisions. If you find risky exposures and cannot immediately implement an alternative solution, it is advisable to follow the security guidelines and precautions discussed in this blog to reduce the impact of an attack and protect your company.