Remote Desktop Protocol (RDP) is a protocol that allows users to access and control computers remotely. While it offers user-friendly flexibility, it also introduces significant security risks to your organization's attack surface. Many attackers use RDP to gain access to a network and to exfiltrate stolen data.

To better protect yourself, the Centre for Cybersecurity Belgium (CCB) compiled a list of recommendations and step-by-step tutorials. 

Want to learn more about RDP?

Register for our webinar on 20 November, 10-10:30 AM CEST


Risks

The Remote Desktop Protocol (RDP) is one of the most widely used remote access protocols: it is present by default on Windows machines and clients are also available for Apple devices. RDP is not secure by design, which is why it can introduce security threats unless your organization hardens its configuration for safer use.

The layered defense approach

No single control removes the risks below, so it is recommended to apply several measures together. A best practice is to combine multiple technical measures with user education and proactive monitoring of suspicious activity.

  • Ransomware Attack:
    RDP is often targeted by ransomware actors as an entry point to deploy ransomware on systems and encrypt valuable data. Various ransomware actors also use RDP to exfiltrate stolen data, right before deploying their ransomware.
  • Port Exposure and Network Visibility:
    RDP typically uses port 3389, which, if left open to the internet, exposes your network to potential attacks.
  • Vulnerabilities and Exploits:
    RDP software and the underlying operating system may have vulnerabilities that can be exploited by attackers to gain access or execute malicious code.
  • Man-in-the-Middle (MitM) Attacks:
    Unsecured RDP sessions may be susceptible to interception, allowing attackers to eavesdrop on communication between the client and server.
  • Brute Force Attacks:
    Attackers may attempt to gain unauthorized access by systematically trying different username and password combinations.
  • Credential Theft:
    Attackers may employ phishing or other tactics to steal RDP credentials, enabling unauthorized access.
  • Lateral Movement and Network Exploitation:
    Once inside a network, attackers may use compromised RDP sessions to move laterally, escalate privileges, and target critical systems.

Recommended mitigations

If you decide to keep using RDP, the Centre for Cybersecurity Belgium recommends you implement the following mitigation measures:

  • Enable Network Level Authentication (NLA):
    Ensure that Network Level Authentication is enabled on your RDP server. NLA requires authentication to occur before a remote session is established, adding an extra layer of security by validating the user's credentials before allowing access.
    Read here for more information on NLA and remote desktop configuration.  
  • Restrict RDP Access:
    Limit RDP access to specific IP addresses or specific users. You can also opt for a Virtual Private Network (VPN) or a zero-trust network access solution to create a secure tunnel for RDP traffic. This helps reduce exposure to the internet and ensures that only authorized users can connect remotely.
    This video shows you how to restrict RDP to specific IP addresses. Read here about how to restrict RDP to certain users.
  • Use Strong Authentication Methods:
    Implement strong authentication methods, such as multi-factor authentication (MFA, sometimes referred to as 2FA), to enhance user verification. MFA adds an additional layer of security by requiring users to provide multiple forms of identification, reducing the risk of unauthorized access. Make sure to implement MFA on privileged accounts such as administrator accounts! Privileged accounts are highly sought after by threat actors.
  • Implement Account Lockout Policies:
    Configure account lockout policies to prevent brute force attacks. This limits the number of unsuccessful login attempts, reducing the risk of unauthorized access through repeated login attempts.
    You can find step-by-step tutorials on YouTube for individual workstations and for Group Policy.
  • Use Encryption:
    Ensure that RDP sessions are encrypted to protect data during transit. Use protocols like Transport Layer Security (TLS) or set up a VPN to create a secure communication channel between the client and server, preventing interception and eavesdropping.
  • Change Default Ports:
    Consider changing the default RDP port (TCP 3389) to a non-standard port. While this won't provide foolproof security, it can help deter automated attacks that target default ports. Watch this video to learn how to change a default port and modify the associated firewall rule. However, note that this measure alone is not sufficient and should be part of a broader security strategy.
  • Regularly Update and Patch Systems:
    Keep both the operating system and RDP software up-to-date with the latest security patches. Regularly check for updates and apply them promptly to address known vulnerabilities and protect against potential exploits.
  • Audit and Monitor RDP Sessions:
    Enable logging for RDP sessions and regularly review logs for any suspicious activities. Set up alerts for multiple failed login attempts or other anomalous behavior. Monitoring and auditing are crucial for detecting and responding to potential security incidents.
  • Employ Endpoint Protection:
    Install and maintain robust endpoint protection solutions on both the client and server sides. This includes antivirus software, firewalls, and intrusion detection/prevention systems to detect and prevent malicious activities.
  • Regular Security Training for Users:
    Educate users on RDP security best practices, including the importance of strong passwords, avoiding public networks for RDP sessions, and reporting any suspicious activities promptly.
  • Regular Security Audits:
    Conduct regular security audits to identify and address potential vulnerabilities in your RDP infrastructure. This proactive approach helps ensure that security measures remain effective over time. You may also refer to a series of explanatory videos and investigation queries prepared by Sophos: https://news.sophos.com/en-us/2024/03/20/remote-desktop-protocol-the-series/
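The following script is an added example, not CCB's own tooling, showing how several of the mitigations above (NLA, TLS for the listener, restricting RDP to specific source addresses, and an account lockout policy) can be applied on a single Windows host from an elevated PowerShell session. The registry path is the standard RDP-Tcp listener key; the management subnet 10.20.30.0/24, the rule name and the optional port 3390 are placeholders to replace with values from your own environment.

```powershell
# Added example: harden the RDP listener on one Windows host (run as Administrator).
# Placeholders: $AllowedSources and the optional port below are not from the CCB page.

$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$AllowedSources = @('10.20.30.0/24')   # placeholder: your management subnet(s) only

# 1. Enable Network Level Authentication: the user authenticates before a session is created.
Set-ItemProperty -Path $RdpKey -Name 'UserAuthentication' -Value 1 -Type DWord

# 2. Require TLS for the listener (SecurityLayer 2 = TLS) and high encryption
#    (MinEncryptionLevel 3 = 128-bit), instead of the legacy "RDP Security Layer".
Set-ItemProperty -Path $RdpKey -Name 'SecurityLayer' -Value 2 -Type DWord
Set-ItemProperty -Path $RdpKey -Name 'MinEncryptionLevel' -Value 3 -Type DWord

# 3. Restrict inbound RDP to the allowed sources. The built-in "Remote Desktop" rule group
#    is referenced by its language-independent resource name so this also works on
#    non-English installations; it is disabled and replaced with one scoped rule.
Get-NetFirewallRule -Group '@FirewallAPI.dll,-28752' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP from management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AllowedSources -Action Allow -Profile Domain, Private

# 4. Account lockout policy: 5 failed attempts lock the account for 15 minutes,
#    with a 15-minute observation window for counting failures.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15

# Optional: move the listener off TCP 3389. As the page notes, this only deters automated
# scanning and must be combined with the measures above. Uncomment to apply, then update
# -LocalPort in the rule above and run: Restart-Service TermService -Force
# Set-ItemProperty -Path $RdpKey -Name 'PortNumber' -Value 3390 -Type DWord

# Verify the resulting listener settings.
Get-ItemProperty -Path $RdpKey |
    Select-Object UserAuthentication, SecurityLayer, MinEncryptionLevel, PortNumber
```

Restricting the firewall rule to specific source addresses is only meaningful when the host is not also reachable through an unfiltered path (for example a port-forward on the perimeter router); the VPN or zero-trust access options listed above remove RDP from the internet altogether, which is the stronger position.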
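To illustrate the "audit and monitor RDP sessions" recommendation, here is an added PowerShell example (not part of the CCB page) that flags sources producing a burst of failed RDP logons. A failed logon is Security event ID 4625; logon type 10 (RemoteInteractive) marks an RDP session. The sample records are constructed so the function runs offline; the commented block at the end shows how to feed it real events from Get-WinEvent. The threshold, window and IP addresses are assumptions.

```powershell
# Added example: detect brute-force-style RDP logon failures from Security event records.

function Find-RdpFailedLogonBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Id, LogonType, SourceIp, User, Time
        [int[]] $LogonTypes = @(10),                 # 10 = RemoteInteractive (RDP)
        [int] $Threshold = 5,                        # failures per source within the window
        [int] $WindowMinutes = 10
    )
    $failed = $Events | Where-Object { $_.Id -eq 4625 -and $LogonTypes -contains $_.LogonType }
    foreach ($group in ($failed | Group-Object SourceIp)) {
        $sorted = @($group.Group | Sort-Object Time)
        # Sliding window: does any failure start a window containing >= $Threshold failures?
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end = $start.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            if ($inWindow.Count -ge $Threshold) {
                [pscustomobject]@{
                    SourceIp  = $group.Name
                    Failures  = $inWindow.Count
                    Users     = ($inWindow.User | Sort-Object -Unique) -join ','
                    FirstSeen = $start
                }
                break   # one alert per source is enough
            }
        }
    }
}

# Constructed sample data: one noisy source cycling through usernames, one legitimate
# user mistyping a password once, and one failed console (type 2) logon that is ignored.
$base = Get-Date '2024-11-20T09:00:00'
$sample = @(
    0..6 | ForEach-Object {
        [pscustomobject]@{ Id = 4625; LogonType = 10; SourceIp = '203.0.113.10'; User = "user$_"; Time = $base.AddSeconds(20 * $_) }
    }
    [pscustomobject]@{ Id = 4625; LogonType = 10; SourceIp = '10.20.30.5'; User = 'alice'; Time = $base.AddMinutes(1) }
    [pscustomobject]@{ Id = 4625; LogonType = 2;  SourceIp = '-';          User = 'bob';   Time = $base.AddMinutes(2) }
)
# Expected: a single alert for 203.0.113.10 with 7 failures across user0..user6.
Find-RdpFailedLogonBursts -Events $sample | Format-Table -AutoSize

# Live use (Security log, last 24 hours): map each 4625 event's XML fields to the same shape.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object {
#         $x = [xml]$_.ToXml(); $d = @{}
#         $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#         [pscustomobject]@{ Id = $_.Id; LogonType = [int]$d.LogonType; SourceIp = $d.IpAddress
#                            User = $d.TargetUserName; Time = $_.TimeCreated }
#     } | Find-RdpFailedLogonBursts
```

One caveat for live use: once NLA is enabled, a failure during the pre-session authentication is often logged as logon type 3 rather than 10, and the 4625 event may not carry the client's IP address. Pass `-LogonTypes @(10, 3)` in that case, and correlate with the Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational log, whose event ID 140 records the source IP of a rejected connection. Account lockout (see the mitigation above) produces event ID 4740, which is another useful alert trigger.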

Alternatives

RDP is far from the only way to connect remotely to a machine. There are plenty of alternatives for remote access to consider: 

  • SSH (Secure Shell):
    Use Case: Secure command-line access and file transfers.
    Security Features: Strong encryption, public-key authentication, and the ability to tunnel other protocols securely.
    Notable Implementations: OpenSSH (open-source), PuTTY (Windows), WinSCP (Windows, for file transfers).
  • VPN (Virtual Private Network):
    Use Case: Securely connect remote users to a private network.
    Security Features: Encrypted tunnel for all network traffic, often includes authentication and authorization mechanisms.
    Notable Implementations: OpenVPN, Cisco AnyConnect, Microsoft VPN.
  • VNC (Virtual Network Computing):
    Use Case: Remote desktop access and control.
    Security Features: Encrypted versions (such as VNC over SSH), password authentication, and support for multi-factor authentication.
    Notable Implementations: TightVNC, RealVNC, TigerVNC.
  • TeamViewer:
    Use Case: Remote desktop access with cross-platform support.
    Security Features: End-to-end encryption, two-factor authentication, and session recording.
    Note: While TeamViewer is user-friendly, ensure proper configuration and account security practices.
  • AnyDesk:
    Use Case: Lightweight and fast remote desktop access.
    Security Features: TLS encryption, two-factor authentication, and session recording.
    Note: Similar to TeamViewer, be mindful of security configurations.
  • Splashtop:
    Use Case: Remote desktop access for individuals and businesses.
    Security Features: TLS and 256-bit AES encryption, device authentication, and two-factor authentication.
    Note: Provides both personal and business solutions.
  • Guacamole:
    Use Case: Web-based remote desktop gateway.
    Security Features: Support for SSL/TLS, multi-factor authentication, and LDAP integration.
    Note: Guacamole enables access via a web browser without requiring client software.
  • Radmin (Remote Administrator):
    Use Case: Remote control and support.
    Security Features: 256-bit AES encryption, Windows authentication, and IP address filtering.
    Note: Focused on fast and secure remote access.

When implementing any alternative remote access solution, it's crucial to follow security best practices.

The Centre for Cybersecurity Belgium strives to provide accurate and useful information as best as possible using existing public and free online resources. While we do our best to maintain articles, it could happen that some links might be broken or information is no longer up to date. The chosen articles and videos are only referred to for the purpose of guiding users. Each organization must adapt the given advice to their own environment and needs.