Everything you need to know about Remote Desktop Protocol (RDP) security vulnerabilities including how your business can stay secure while using them.
The proliferation of the hybrid working environment since the COVID-19 pandemic means that ever more employees need to access their company networks from another device via remote desktop session.
One of the main protocols used to support remote desktop sessions is called remote desktop protocol (RDP). These days, RDP is included with most Windows operating systems and can be installed on Apple, Linux, and Android operating systems as well.
As more organizations come to rely on RDP to allow their employees to work from home, they often unknowingly expose themselves to numerous cybersecurity risks that come with remote work. For example, RDPs are a common target for man-in-the-middle (MITM) cyberattacks, and can be vehicles to deploy malware or targeted ransomware campaigns.
Although RDP misuse has been around for many years, it’s gaining popularity among cybercriminals – particularly those focused on targeted ransomware. Without proper RDP security, RDP could become the gateway for an attack that results in potentially critical service disruptions.
Establishing a comprehensive remote access policy that addresses RDP security vulnerabilities is an important step toward protecting yourself from cyberattacks. Before you create a remote access policy, however, you’ll first need a more solid understanding of RDP security vulnerabilities and how you can prevent them from being exploited.
In this article we’ll examine some of the most common RDP security vulnerabilities, and provide you with guidance on how to protect your organization from them as part of your overall business security plan.
RDP Security Vulnerabilities
A vulnerability is a gap or an error in the way a piece of software is constructed, allowing attackers to gain unauthorized access to your network or systems. Microsoft estimates that nearly 1 million devices are currently vulnerable to RDP security risks. Some of those risks are easily avoidable.
Weak User Sign-In Credentials
Perhaps the top vulnerability of RDP systems, weak user sign-in credentials are an easy way for attackers to gain access to your network to deploy malicious software that steals or damages your sensitive data.
Most desktop computers are protected by a password – but users can make this password whatever they want. Many times the same password for a company desktop computer is the same password used for RDP remote logins. Typically companies don’t manage these passwords to assure their strength, which leaves these remote connections open to brute force or credential stuffing attacks.
Unrestricted Port Access
Most RDP connections take place at port 3389. In networking, a port is a logical, software-based location that’s designated for certain types of connections to help computers keep track of separate processes. Cyber attackers can assume that port 3389 is the RDP port in use and then target it to carry out attacks.
Patched Vulnerabilities
Some of the most severe RDP security vulnerabilities have already been patched, but can still cause damage if left unchecked. For example, take “BlueKeep,” a vulnerability that allows attackers to execute any code they want on a computer via specially crafted request to the right port (usually 3389).
BlueKeep was deemed a critical vulnerability by Microsoft because it can be exploited over a network connection without authentication, and it’s been officially classified as CVE-2019-0708 by the National Institute of Standards and Technology’s (NIST) National Vulnerability Database.
This particular vulnerability is wormable, meaning that it can spread to all the computers within a network without any action from users. Microsoft issued a patch to correct it in 2019, and your system administrators must install this patch.
Like other programs or protocols, RDP has several other vulnerabilities that can be eliminated by always using the latest version of the protocol. As Microsoft did, vendors will typically patch vulnerabilities in each new version of software they release.
How to Reduce RDP Security Risks
Businesses can take various steps to reduce RDP security risks for each of the vulnerabilities we discussed. It’s likely that some of the following recommendations will have some overlap; you may even find that implementing security controls to address one area of concern will help other areas as well.
You should begin by asking: Is externally accessible RDP really necessary for your organization? If the answer is yes, the next question is how to better secure RDP if you rely upon it.
Then, create a remote access policy that will spell out how secure remote access should work, how remote workers should respect cybersecurity, and what a secure connection is. Limit remote user access to only what’s needed.
When you draft your remote access policy, consider documenting at least some of the following initiatives in addition to your regular cybersecurity hygiene practices.
Addressing Weak Sign-In Credentials
Usernames and passwords are vulnerable to unauthorized use, so it’s important to address weak sign-in credentials for both. Here are some things you can do to prevent cyber attackers from exploiting RDP security vulnerabilities thanks to weak sign-in credentials.
Use Unconventional Account Naming Conventions
You should consider using an account naming convention that doesn’t reveal organizational or personal information about your employees. The most commonly used conventions (and the most vulnerable) are typically in firstname.lastname or similar formats. Such credentials make it easy for cybercriminals to guess usernames, email addresses, and even passwords.
Employ Single Sign-On (SSO)
Many organizations already use single sign-on (SSO) to manage their user logins for a variety of applications. SSO is an authentication scheme that allows users to log in with a single ID and password to any of several related, yet independent, software systems.
Using SSO will give your organization an easier way to enforce strong password usage, and will also implement even more secure measures like multi-factor authentication. It’s even possible to move RDP remote access behind SSO to prevent the user login vulnerability described above.
Enforce a Strong Password Policy
Another acronym for RDP is “Really Dumb Passwords.” This is fitting, given that bad passwords are the top vulnerability of RDP systems. If your employees are using weak or duplicated passwords, hackers can scan the internet for any systems that accept RDP connections and launch a brute force attack to gain their credentials.
Ultimately, using complex passwords will make RDP attacks harder to succeed. At the least, require employees to reset their desktop and RDP passwords regularly to something stronger.
Enable Multi-Factor Authentication (MFA)
Adding an additional layer of protection, multi-factor authentication (MFA) requires users to provide a security token (such as a code received by notification or a biometric verification) to login. Ultimately, the more layers of verification an attacker must penetrate to access an account, the less likely he or she is to gain unauthorized access to your computing devices.
Lockout Users and Block Timeout IPs
A high number of login attempts usually indicates a brute force attack. To prevent these types of attacks, limit the number of login attempts per user, and log both failed and successful login attempts to track any unusual behavior. Similarly, you should block any IPs that timeout during sessions, as this is an indication that something suspicious might be occurring.
Restrict RDP Users and Privileges
By enabling restricted admin mode, you’re essentially instructing the RDP server not to store credentials of the users who log in. You can also restrict the users who can login using RDP, although remember that all administrators can use RDP by default. Ultimately, remote access should be limited to only the accounts that absolutely require it.
Also try to minimize the number of local administrator accounts, as they provide an attack vector for attackers who gain access to your systems. If credentials are cracked off-line, the more accounts you have means the more likelihood of a successful hack. You should aim for a maximum of one appropriately secured local administrator account.
It’s also important to assure that the local administrator accounts are unique. If they match those assigned to their counterparts on other systems within the server’s internal network, a hacker could potentially re-use those credentials to move laterally, putting more of your systems and data at risk.
Limit domain administrator account access, reduce the amount of administrative accounts throughout your organization, and avoid accessing your RDP server or other externally exposed systems via these accounts to avoid making these credentials accessible. In general, it’s always a good idea to employ the principle of least privilege for cybersecurity.
Protecting Yourself Against Port-Based Attacks
Foremost, you should never allow RDP connections over the open internet. Hackers use tools that continuously scan the internet for open RDP ports like port 3389, and even with a strict password policy and multi-factor authentication you’re vulnerable to cyber attacks if your RDP is open to the internet.
Use a Virtual Private Network (VPN)
Using a virtual private network (VPN) will allow remote users to access their corporate network securely without exposing their computer to the entire internet. A VPN connection is mutually encrypted, and provides authentication for both client and server while creating a secure tunnel to the corporate network.
Regardless of whether you use a VPN, also consider placing your RDP servers within a DMZ or other restricted area of your network to limit the scope of a successful cyber attack to your RDP server alone.
Enable Network-Level Authentication (NLA)
Using network-level authentication (NLA) can ultimately reduce the amount of initially required server resources and mitigate against cyberattacks. With NLA, strong authentication takes place before establishing the remote desktop connection, and uses the Credential Security Support Provider (CredSSP) either through TLS or Kerberos.
Lock Down Port 3389
A secure tunnel will ensure that any requests that do not pass through the tunnel will be blocked. Secure tunneling software can help you stop attackers from sending requests that reach port 3389.
Configure a Firewall to Restrict Access
Manually configure a corporate firewall to prevent traffic from entering port 3389 unless it’s coming from allowlisted IP address ranges, or your employee’s devices.
This method does require a lot of manual effort, and you’re still vulnerable to attack if hackers are able to hijack an allowlisted IP address or if your employee devices are compromised. It can also be difficult to identify and allow all your employees’ devices in advance, which can result in regular IT requests from blocked employees and can degrade productivity for those employees.
Consider Encryption
Most standard RDP supports four levels of encryption: Low, Client Compatible, High, and FIPS Compliant; and can be configured on the Remote Desktop server. Using encryption is a more secure method to assure the safe transmission of sensitive information, and can prevent cybercriminals from using your data for nefarious purposes should it end up in the wrong hands.
Use an RDP Gateway
The most recent versions of Windows Server provide an RDP gateway server that includes one external interface to many internal RDP endpoints. Microsoft also provides detailed instructions for configuring a remote desktop gateway server for Windows Server.
Ultimately, using an RDP gateway will simplify RDP management for security vulnerabilities. It consists of logging, TLS certificates, authentication to the end device without actually exposing it to the internet, authorization to internal host and user relations, and more.
Find Tools to Help
If your organization relies on RDP for day-to-day business operations and you aren’t actively monitoring and remediating RDP security vulnerabilities, it’s time to get started. For many organizations, however, it can be difficult to know where to begin.
You should start by finding a software solution that can make the worst parts of governance, risk management, and compliance (GRC) less burdensome for you and your team.
Integrate ZenGRC into Your Business Security Plan
Cybersecurity is perhaps the most important aspect of a well-rounded risk management program today, but organizations are often overwhelmed by the sheer complexity and wealth of information that inevitably comes with the risk management process.
Add the inevitable risks that come with hybrid working environments and the rise in cyber attacks, and cyber risk management starts to seem insurmountable. Fortunately, there are governance, risk management, and compliance solutions available to help.
ZenGRC from Reciprocity simplifies cybersecurity risk and compliance with complete views of control environments and easy access to information for risk management, enabling your organization to meet cybersecurity requirements across a variety of frameworks.
The easy-to-use dashboard provides an integrated view of your data and compliance requirements, alerting you to gaps and helping you to fill them. ZenGRC also stays up to date in real-time with changing compliance regulations so you don’t have to. With ZenGRC, you always know where your cybersecurity stands.
Zen’s team of cybersecurity professionals are always looking out for your organization and its assets to make sure you get the best protection against security vulnerabilities and cyberattacks.
Contact our team for a free demo today and get started on the path toward worry-free risk management, the Zen way.