Understanding the security risks of Remote Desktop Protocol over the internet

• RDP, if not properly configured and secured, can act as a gateway within an organization for cybercriminals to access sensitive internal resources.
• Attackers can also exploit vulnerable RDP services to perform remote code execution and seize control over targeted gateways.

Today, it is very common for businesses to use RDP as a method to access servers, collaborate with other employees and remotely access documents stored and backed up in their office. Given its wide range of functionality across a business, this network-based service can also be misused by cybercriminals to launch attacks. A recent statistics from Coveware has highlighted that RDP is the most dominant attack vector, being used in 63.5% of disclosed targeted ransomware campaigns in Q1 2019.

To add more woes to it, the year 2019 saw the discovery of the dangerous BlueKeep vulnerability impacting Microsoft’s Remote Desktop Protocol implementation. Despite the security updates being issued by Microsoft, the vulnerability was widely exploited in a cyber-espionage campaign to mine cryptocurrencies.

Threats against RDP services

• RDP, if not properly configured and secured, can act as a gateway within an organization for cybercriminals to access sensitive internal resources.
• Attackers can also exploit vulnerable RDP services to perform remote code execution and seize control over targeted gateways.
• Furthermore, cybercriminals have developed a wide array of tools to continuously look for remote access points on the internet. Because RDP is so widely used, it is a common target for MiTM attacks.
• Following the release of PoC for BlueKeep, Microsoft has estimated that nearly 1 million devices using earlier versions of Windows are currently open to cyberattacks due to vulnerable RDP services.

Actions to be taken

Enhancing RDP security: Patching is an important way to enhance RDP security. An improperly secured RDP can open doors for malware infection or targeted ransomware attacks, resulting in critical service disruption.

Limiting the access: Use firewalls to restrict access to remote desktop listening ports - default is TCP 3389. Additionally, using an RDP gateway is also highly recommended for restricting RDP access to desktops and servers.

Using strong passwords: Strong passwords on any accounts with access to Remote Desktop should be considered as a necessary step before enabling Remote Desktop.

Enabling restricted admin mode: In a situation where there are multiple administrator accounts on a computer, it is very necessary to limit the remote access to those accounts that need it. This prevents the attacks due to the escalation of privileges.

Enabling Network Level Authentication (NLA): To reduce the amount of initially required server resources, and thereby mitigating against denial of service attacks, Network Level Authentication (NLA) can be used. NLA can also help to protect against MiTM attacks, where credentials are intercepted.