Windows Remote Desktop Protocol (RDP) is a workhorse of remote connectivity, allowing users and administrators to connect to the desktops of far-flung machines and perform tasks as if they were sitting directly in front of them. As global workforces shifted to remote work at the onset of the COVID-19 pandemic, RDP’s use for accessing business systems increased dramatically. Hackers and cybercriminals took notice, and the move to remote work has been accompanied by a dramatic increase in RDP attacks. Such attacks increased a whopping 768% in 2020 vs. the prior year, according to one report. A staggering 29 billion attempted RDP attacks were detected in 2020.
Because Remote Desktop is available in nearly every version of Windows, it is exposed attack surface whenever it is enabled, even if nobody is actually using it. Once a hacker has gained unauthorized access to a system via RDP, they have all the access afforded to the user account they have compromised, including any administrative privileges.
To reduce your risk, consider the following countermeasures and deploy those which make the most sense for your organization and environment. Some steps may require the involvement of a system administrator. Others (such as using strong passwords and keeping all system security patches up to date) can and should be performed by a regular user. We’ve put the quickest and easiest measures first:
Apply the latest OS patches and updates
Yes, system updates can be a disruptive pain, but we all know we must keep our machines updated. Configure system policies to automatically download and install critical updates or prompt the user when critical updates are available. Installing updates containing security fixes and enhancements is one of the easiest ways to protect your system from intrusion.
Use strong passwords
Using an easy-to-guess password, or the same password for multiple systems, is lazy practice and a great way to get hacked. Modern dictionary-based systems can crack a weak password in moments. Due to the plethora of breaches across the Internet, billions of user credentials are available to hackers in online databases. Use strong passwords consisting of upper and lowercase letters, numbers, and symbols, and change passwords regularly.
Use a desktop security program
While this should go without saying, desktop security is a core requirement in the modern age. Most programs go beyond simple virus detection and monitor web browser sessions and network traffic for potential intrusion attempts, including brute-force attacks directed at RDP.
Change the default port used by RDP
Remote Desktop Protocol listens on TCP and UDP port 3389 by default, so it follows that hackers will routinely scan this port for hijacking opportunities. If you feel up to the task, you can edit the Windows system registry to change the default RDP port for your system to one of the thousands of unassigned ones. Scanning thousands of ports per machine takes more time and resources than many hackers are willing to commit, so while it’s far from foolproof, using a non-standard port for RDP can reduce your exposure.
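The registry edit described above, as an added example (not from the original article). It assumes an elevated PowerShell session and uses 33890 as a placeholder port; it opens the new port in Windows Firewall before restarting the listener so you do not lock yourself out:

```powershell
# Added example: move the RDP listener to a non-standard port and verify it.
# Run from an elevated PowerShell session. 33890 is a placeholder port.
$NewPort = 33890
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Record the current value so the change can be reverted if needed
$OldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP port: $OldPort"

# PortNumber is a REG_DWORD; the listener uses it for both TCP and UDP
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

# Allow the new port inbound BEFORE restarting the service. The built-in
# "Remote Desktop" rule group only covers 3389, so nothing else would let the
# new port through.
New-NetFirewallRule -DisplayName "RDP (custom port $NewPort) TCP" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow -Profile Domain,Private
New-NetFirewallRule -DisplayName "RDP (custom port $NewPort) UDP" -Direction Inbound `
    -Protocol UDP -LocalPort $NewPort -Action Allow -Profile Domain,Private

# The listener only re-reads PortNumber when Remote Desktop Services restarts
# (a reboot also works). Existing RDP sessions are dropped at this point.
Restart-Service -Name TermService -Force

# Verify the listener moved: expect a Listen entry on the new port and none on the old
Get-NetTCPConnection -State Listen -LocalPort $NewPort, $OldPort -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Clients then connect with `mstsc /v:hostname:33890`; remember to update any perimeter port-forwarding rules to match.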
Disable Remote Desktop where unneeded
Most Windows systems have multiple user accounts, but not all of them need remote access. Disabling remote access for those users is a worthwhile security measure. Additionally, set the Local Security Policy on the remote machine to lock an account after a finite number of incorrect passwords are sent via RDP; this can foil hackers trying to crack a password using dictionary-based methods.
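The per-user restriction, the full disable, and the lockout policy from this step, as an added example that is not part of the original article. It assumes an elevated session on a standalone or workgroup machine; 'contoso\helpdesk' is a placeholder account, and domain-joined machines take the lockout values from Group Policy instead:

```powershell
# Added example: limit Remote Desktop to the accounts that need it, turn it off
# on machines that never need it, and make password guessing over RDP stall.
# Run elevated. 'contoso\helpdesk' is a placeholder account name.

# 1. Who can log on via RDP today? Members of this local group, plus local Administrators.
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object Name, PrincipalSource

# Remove an account that no longer needs remote access
Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member 'contoso\helpdesk' `
    -ErrorAction SilentlyContinue

# 2. On a machine that never needs inbound RDP, disable the listener outright
#    (fDenyTSConnections = 1) and close the matching firewall rule group.
$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 3. Local account lockout policy: 5 wrong passwords lock the account for 30
#    minutes, and the bad-password counter resets after a 30-minute window.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Confirm the policy took effect (prints the three Lockout lines)
net accounts | Select-String -Pattern 'Lockout'
```

Lockouts show up as Event ID 4740 in the Security log, which is a useful signal that someone is guessing passwords against the machine.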
Restrict access with a firewall
A good firewall between your machine and the Internet can protect against a world of dangers. A range of methods can be used to validate and restrict network traffic, such as the use of a whitelist for known safe IPs, or blocking port 3389 entirely and using a port forwarding rule to take RDP connections on a non-standard port and direct them to the default RDP port on a specific machine. Even sophisticated protections like automatic blacklisting of remote IPs after several connection attempts can be accomplished relatively easily.
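The allowlist approach described above, applied with the Windows Firewall on the RDP host itself, as an added example (not from the original article). The management subnet 10.10.5.0/24 and the jump host address 203.0.113.10 are placeholders; a perimeter firewall would carry the same rule in its own syntax:

```powershell
# Added example: replace the permissive built-in Remote Desktop firewall rules
# with an allowlist of known management addresses. Run elevated.
$AllowedSources = @('10.10.5.0/24', '203.0.113.10')   # placeholder management subnet and jump host

# The built-in rule group allows 3389 from ANY address on the active profiles.
# Disable it so only the explicit allowlist rules below remain.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# One inbound rule per protocol (RDP uses TCP and UDP 3389), scoped to the allowlist
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "RDP allowlist ($proto)" -Direction Inbound `
        -Protocol $proto -LocalPort 3389 -RemoteAddress $AllowedSources `
        -Action Allow -Profile Any
}

# Everything else hitting 3389 falls through to the profile's default inbound
# action, which must still be Block on every profile for this to mean anything.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# Review the resulting scope of the new rules
Get-NetFirewallRule -DisplayName 'RDP allowlist*' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```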
Enable Network Level Authentication
A Windows feature typically enabled by default, NLA requires the client to authenticate before any session is created on the remote machine, so an unauthenticated connection never reaches the logon screen. It’s most likely that this feature is already in use, but if you see a login screen on the remote desktop via RDP *before* you submit credentials, that would indicate that NLA has been disabled. It is highly recommended that NLA be used on all remote machines.
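A scripted version of the check described above, as an added example that is not from the original article. It reads the RDP-Tcp listener settings through the Win32_TSGeneralSetting WMI class, turns NLA on if it is off, and reports the security layer alongside it; it assumes an elevated session on the remote machine:

```powershell
# Added example: verify Network Level Authentication on this host and enforce it.
# Run elevated on the machine that accepts RDP connections.
$Ns = 'root/cimv2/TerminalServices'
$Listener = Get-CimInstance -Namespace $Ns -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"

# UserAuthenticationRequired: 1 = NLA required (credentials before any session),
# 0 = the classic logon screen is shown to unauthenticated clients.
if ($Listener.UserAuthenticationRequired -eq 1) {
    Write-Host 'NLA is enabled.'
} else {
    Write-Warning 'NLA is disabled; enabling it now.'
    Invoke-CimMethod -InputObject $Listener -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
}

# Re-read and report. SecurityLayer: 0 = legacy RDP security, 1 = negotiate,
# 2 = TLS required (the setting to aim for).
$Listener = Get-CimInstance -Namespace $Ns -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"
[pscustomobject]@{
    NLARequired   = $Listener.UserAuthenticationRequired
    SecurityLayer = $Listener.SecurityLayer
}
```

The same value lives in the registry as `UserAuthentication` under `HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp`, which is what Group Policy sets when you enforce NLA centrally.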
Use an RDP gateway
Setting up an RDP gateway server for your organization requires effort from your IT department, but it may be well worth it if you have many RDP users. An RDP gateway adds a layer of protection by shielding remote machines behind a single gateway server. Remote target machines can be configured to only allow connections from the gateway, blocking any direct intrusion attempts.
Use multi-factor authentication
Once your organization invests in setting up an RDP gateway, it can be configured to send an SMS or a mobile app MFA challenge for each login attempt. This adds a robust second layer of security as connections will be denied for any user who does not successfully complete the MFA challenge.
Tunnel RDP via IPSec or SSH
A network tunnel is an encrypted connection between two points on a network. A typical example of this is the Virtual Private Network (VPN). An encrypted tunnel essentially creates a second layer of security that wraps the connection from the moment RDP is initiated. Tunnels can be a bit complex, but the added security is substantial.
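One concrete form of the tunnel described above, an SSH local port forward from a Windows client, as an added example that is not part of the original article. It assumes the OpenSSH client that ships with Windows 10 and later, key-based authentication already set up, and placeholder names: bastion.example.com (the SSH host), 10.10.5.21 (the desktop reachable from the bastion), and alice (the user):

```powershell
# Added example: reach a desktop through an SSH tunnel instead of exposing 3389.
# Run on the client PC. Host names, address and user are placeholders.
$Bastion = 'alice@bastion.example.com'
$Target  = '10.10.5.21:3389'    # desktop as seen from the bastion
$Local   = '127.0.0.1:3390'     # local end of the tunnel on this PC

# -N: no remote shell, just the forward. Start-Process gives ssh its own
# console so it can still prompt for a passphrase or an unknown host key.
$Tunnel = Start-Process -FilePath 'ssh' -PassThru `
    -ArgumentList '-N', '-L', "${Local}:${Target}", $Bastion

# Wait until the local listener is up before launching the RDP client
$deadline = (Get-Date).AddSeconds(30)
do {
    Start-Sleep -Seconds 1
    $up = Get-NetTCPConnection -LocalPort 3390 -State Listen -ErrorAction SilentlyContinue
} until ($up -or (Get-Date) -gt $deadline)
if (-not $up) { Stop-Process $Tunnel; throw 'SSH tunnel did not come up' }

# mstsc talks to the local end; RDP traffic is encrypted inside the SSH
# session, and the desktop itself never needs an Internet-facing 3389.
mstsc /v:$Local

# Tear the tunnel down when the session is finished
Wait-Process -Name mstsc -ErrorAction SilentlyContinue
Stop-Process $Tunnel
```

The bastion's own firewall can then restrict 3389 on the desktop to the bastion's address only, combining this step with the allowlist approach above.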
Risk is inherent with any device or service connected to the public Internet. Measures like the above can help reduce exposure but are no guarantee. Deploying a selection of these measures can increase your remote computing environment’s security, but safe practices and vigilance are ongoing requirements.