Today it is common for businesses to use RDP to access servers, collaborate with colleagues and remotely reach documents stored and backed up in the office. Because it is so widely deployed, this network-facing service is also misused by cybercriminals as a way in. Recent statistics from Coveware highlight RDP as the most dominant attack vector, used in 63.5% of disclosed targeted ransomware campaigns in Q1 2019.
To make matters worse, 2019 saw the discovery of the dangerous BlueKeep vulnerability in Microsoft’s Remote Desktop Protocol implementation. Despite the security updates issued by Microsoft, the vulnerability was widely exploited in a cyber-espionage campaign to mine cryptocurrencies.
Threats against RDP services
Actions to be taken
Enhancing RDP security: Patching is an important way to enhance RDP security. An improperly secured RDP service can open the door to malware infection or targeted ransomware attacks, resulting in critical service disruption.
Limiting the access: Use firewalls to restrict access to the Remote Desktop listening port (TCP 3389 by default). Additionally, an RDP gateway is highly recommended for restricting RDP access to desktops and servers.
Using strong passwords: Strong passwords on all accounts with access to Remote Desktop should be considered a necessary step before enabling Remote Desktop.
Enabling restricted admin mode: Where there are multiple administrator accounts on a computer, it is essential to limit remote access to those accounts that need it. This prevents attacks based on privilege escalation.
Enabling Network Level Authentication (NLA): Network Level Authentication (NLA) can be used to reduce the server resources required before a user is authenticated, thereby mitigating denial-of-service attacks. NLA also helps protect against MiTM attacks in which credentials are intercepted.
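The checks and settings behind the actions above, as an added PowerShell example that is not part of the original article: run from an elevated session, it audits a Windows host for the listening port, NLA, the TLS security layer, Restricted Admin mode and the scope of the built-in Remote Desktop firewall rules, and with -Apply enforces them. The management subnet 10.0.0.0/24 and the lockout values are placeholders assumed here, not figures from the article; the registry locations and cmdlets are the standard Windows ones.

```powershell
<#
  RdpHardening.ps1 (added example, not from the article above)
  Audit the RDP hardening settings on this host; with -Apply, enforce them.
  Assumption: 10.0.0.0/24 is a placeholder management subnet, change it to
  the hosts that genuinely need RDP access.
#>
param(
    [switch]$Apply,
    [string[]]$AllowedSources = @('10.0.0.0/24')   # placeholder, not from the article
)

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value is absent instead of throwing
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# --- 1. Current posture -------------------------------------------------
$rdpEnabled = (Get-RegValue $ts  'fDenyTSConnections') -eq 0
$nla        = (Get-RegValue $tcp 'UserAuthentication') -eq 1   # NLA required before session setup
$tls        = (Get-RegValue $tcp 'SecurityLayer')      -eq 2   # TLS rather than legacy RDP security
$port       = Get-RegValue $tcp 'PortNumber'                   # 3389 unless changed
$restrAdmin = (Get-RegValue $lsa 'DisableRestrictedAdmin') -eq 0  # 0 = Restricted Admin allowed

# Built-in "Remote Desktop" inbound rules; RemoteAddress 'Any' means unrestricted
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue
$scopes   = @(foreach ($r in $rdpRules) { ($r | Get-NetFirewallAddressFilter).RemoteAddress })
$openToAll = $scopes -contains 'Any'

# Who is allowed to log on over RDP at all
$rdpUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty Name)

$posture = [pscustomobject]@{
    RdpEnabled            = $rdpEnabled
    ListeningPort         = $port
    NlaRequired           = $nla
    TlsSecurityLayer      = $tls
    RestrictedAdminMode   = $restrAdmin
    FirewallOpenToAnyHost = $openToAll
    FirewallScopes        = ($scopes -join ', ')
    RemoteDesktopUsers    = ($rdpUsers -join ', ')
}
$posture | Format-List

# --- 2. Findings ----------------------------------------------------------
if ($rdpEnabled) {
    if (-not $nla)       { Write-Warning 'NLA is not required: unauthenticated clients reach the session host.' }
    if (-not $tls)       { Write-Warning 'Security layer is not TLS: credentials are easier to intercept.' }
    if (-not $restrAdmin){ Write-Warning 'Restricted Admin mode is disabled.' }
    if ($openToAll)      { Write-Warning 'Remote Desktop firewall rules accept connections from any address.' }
}

# --- 3. Enforcement (only with -Apply) ------------------------------------
if ($Apply -and $rdpEnabled) {
    Set-ItemProperty -Path $tcp -Name 'UserAuthentication'     -Value 1 -Type DWord
    Set-ItemProperty -Path $tcp -Name 'SecurityLayer'          -Value 2 -Type DWord
    Set-ItemProperty -Path $lsa -Name 'DisableRestrictedAdmin' -Value 0 -Type DWord
    # Scope the built-in rules to the allowed sources instead of opening a new rule
    $rdpRules | Set-NetFirewallRule -RemoteAddress $AllowedSources -Enabled True
    # Lock accounts after repeated failures to blunt password guessing (placeholder values)
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
    Write-Output 'RDP hardening applied; re-run without -Apply to confirm the new posture.'
}
```

Run it once without -Apply to see the current posture and warnings, then with -Apply after confirming the allowed sources. Scoping the existing "Remote Desktop" rule group, rather than adding a separate allow rule, keeps the host's firewall policy readable and avoids leaving the original unrestricted rules in place; the same settings can be pushed fleet-wide through Group Policy, where the registry values above correspond to the Remote Desktop Session Host security policies.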