By Jake Fellows, Associate Product Manager, Liquid Web
Windows servers are typically managed via the Remote Desktop Protocol (RDP). RDP is convenient and simple to set up, and Windows has native support on both the client and the server. RDP clients are also available for other operating systems, including Linux, macOS, and mobile operating systems, allowing administrators to connect from any machine.
But RDP has a significant drawback: It’s a prime target for hackers.
In late 2018, the FBI issued a warning that RDP was a vector for a large number of attacks, resulting in ransomware infections and data thefts from many businesses, including healthcare businesses.
In 2019, researchers discovered several critical vulnerabilities in RDP that affected older versions of Windows. The BlueKeep vulnerability is a remote code execution flaw that allowed an unauthenticated attacker to connect to the RDP service and execute arbitrary code by sending malicious requests. Additional RDP security vulnerabilities were discovered later in the year.
Businesses use RDP because it is the most convenient way to provide remote desktop services for Windows servers and desktops, but it’s a relatively old protocol that was not initially designed with modern security best practices in mind.
However, RDP can be made more secure with a few configuration changes and best practices.
Avoid Guessable Passwords
Windows servers are often compromised with dictionary attacks against RDP. Attackers know hundreds of thousands of the most commonly used passwords, and it’s trivial to script a bot that can make repeated login attempts until it discovers the correct credentials.
It isn’t just the usual suspects such as “123456” or “pa55word” that should be avoided. Any simple password you can think of is likely already in a dictionary culled from leaked password databases. It is also important to ensure that you don’t reuse passwords that you use elsewhere on the web.
If you are the only administrator who manages the server, be sure to generate a long and random password that attackers can’t guess. If other people access the server over RDP, consider using the built-in Password Policy system to implement policies that enforce minimum complexity and length requirements.
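The length and complexity policy described above, plus an account lockout threshold that blunts the scripted dictionary attacks this section opens with, as an added example that is not part of the original article. It targets a standalone server's local policy from an elevated PowerShell prompt; on a domain-joined server the domain Group Policy takes precedence and the same values belong there. The numeric values are illustrative choices, not values the article prescribes.

```powershell
# Added example, not from the article: enforce length and complexity on the
# local password policy and add an account lockout threshold so that repeated
# guessing over RDP locks the account instead of eventually succeeding.
# Run from an elevated PowerShell prompt on a standalone Windows server.

# Minimum length and lockout are exposed directly by "net accounts".
net accounts /minpwlen:14            # reject passwords shorter than 14 characters
net accounts /lockoutthreshold:10    # lock the account after 10 consecutive bad passwords
net accounts /lockoutduration:30     # minutes the account stays locked
net accounts /lockoutwindow:30       # minutes before the bad-password counter resets

# "Password must meet complexity requirements" is not a net accounts switch:
# export the local security policy, set PasswordComplexity = 1, and re-import it.
$cfg = Join-Path $env:TEMP 'secpol.cfg'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
(Get-Content $cfg) -replace '^PasswordComplexity\s*=\s*\d+', 'PasswordComplexity = 1' |
    Set-Content $cfg -Encoding Unicode    # secedit expects a Unicode .inf file
secedit /configure /db "$env:SystemRoot\security\local.sdb" /cfg $cfg /areas SECURITYPOLICY | Out-Null
Remove-Item $cfg

# Verify: the summary should now show the new length and lockout settings.
net accounts
```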
Update RDP Clients and Servers
Attacks against RDP frequently exploit vulnerabilities in outdated server and client software. Older versions of RDP also lack the cryptographic protections of newer versions. As noted above, it is not uncommon for serious vulnerabilities to be discovered in older versions of RDP.
When the BlueKeep vulnerability was discovered, Microsoft quickly released a patch that, if installed, would close the security hole. But clients and servers only benefit from that protection if they are regularly updated.
Windows Server can update RDP automatically through Windows Update, but server administrators should verify that they are running the most recent version. Automatic updates can be turned off, and many server administrators prefer not to risk the disruption an automatic update might cause. It’s always worth checking that your servers are running patched and secure versions of RDP.
Don’t forget to update third-party RDP clients, too.
Connect Over RD Gateway or a VPN
Using RDP over the internet without an SSL tunnel is dangerous. RDP encrypts traffic flowing between the client and the server, but it may be vulnerable to certain types of attack; plus, the RDP port is exposed to brute-force attacks and denial of service attacks. Because of the potential security risk of exposing an RDP server to the open internet, it’s a good idea to put it behind a gateway that provides better security.
An RD Gateway allows clients to create an SSL-protected tunnel before connecting to the RDP server. The RDP server only accepts connections from the gateway. It is not exposed to the open internet, limiting the attack surface and preventing attackers from directly targeting the server.
Connecting over a VPN is a reasonable alternative to an RD Gateway, but it is less secure and may introduce unacceptable latencies.
Restrict Connections Using the Windows Firewall
If you know which IP addresses will connect to your RDP server, you can use the Windows Firewall to restrict access so that connections from any other address are rejected. This is done by scoping the Remote Desktop inbound rules to those addresses (the remote address field of each rule).
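The firewall restriction described in this section, and the "only accept connections from the gateway" arrangement of the RD Gateway section, are the same rule scoping on the server side. The following is an added example, not code from the original article; the addresses are placeholders from the TEST-NET documentation ranges, and `$AllowedSources` would hold the RD Gateway's address if you front RDP with one.

```powershell
# Added example, not from the article: scope the built-in inbound Remote
# Desktop firewall rules to an allow-list of source addresses so that
# connections from anywhere else are dropped before reaching the listener.
# Placeholder addresses (TEST-NET ranges); replace with your own.
$AllowedSources = @('203.0.113.10', '198.51.100.0/24')

# Sanity check: scoping an allow rule only helps if each profile blocks
# inbound traffic by default. This should print "Block" for every profile.
Get-NetFirewallProfile | Select-Object -Property Name, Enabled, DefaultInboundAction

# Windows creates the RDP allow rules in the "Remote Desktop" display group.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True
if (-not $rdpRules) {
    throw 'No enabled inbound Remote Desktop rules found; is Remote Desktop enabled?'
}

# Make sure the address you are connected from right now is on the list,
# otherwise this ends your own session along with everyone else's.
foreach ($rule in $rdpRules) {
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $AllowedSources
}

# Verify the address filter now attached to each rule.
foreach ($rule in $rdpRules) {
    $filter = $rule | Get-NetFirewallAddressFilter
    '{0}: {1}' -f $rule.DisplayName, ($filter.RemoteAddress -join ', ')
}
```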
Change the Default RDP Port
The default RDP port is port 3389, and that’s where most brute-force attacks are directed. Changing the port is a straightforward way to reduce the number of bot attacks against your server.
To change the RDP port, adjust the following registry key to the new port number:
Changing the port is not a substitute for implementing the other security tips we’ve mentioned in this article. While it may be enough to confuse unsophisticated bots and inexperienced hackers, more knowledgeable and sophisticated attackers will have little trouble finding the new port, so changing the port is not sufficient to adequately protect RDP from attack.
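The port change described in this section, carried out in an order that cannot lock you out, as an added example that is not part of the original article. It assumes the standard `PortNumber` value under the Terminal Server `WinStations\RDP-Tcp` registry key, which the article does not quote; the port number 3390 is an illustrative choice.

```powershell
# Added example, not from the article: move the RDP listener to a non-default
# port and open a matching inbound firewall rule before the listener moves.
# Registry path assumed to be the standard RDP-Tcp WinStations key.
$NewPort = 3390
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$oldPort = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
Write-Host "RDP currently listens on TCP/UDP $oldPort"

# 1. Open the new port first. Add -RemoteAddress to scope these rules to known
#    addresses, as in the firewall section; a moved port is not a hidden one.
New-NetFirewallRule -DisplayName "Remote Desktop (TCP $NewPort)" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow | Out-Null
New-NetFirewallRule -DisplayName "Remote Desktop (UDP $NewPort)" -Direction Inbound `
    -Protocol UDP -LocalPort $NewPort -Action Allow | Out-Null

# 2. Point the listener at the new port (DWORD value; takes effect on restart).
Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord

# 3. Restart Remote Desktop Services. This drops every active RDP session,
#    so run it from a console or out-of-band session, or expect to be disconnected.
Restart-Service -Name TermService -Force

# 4. Verify the listener moved. Reconnect as host:3390 before disabling the
#    default-port rules in the "Remote Desktop" display group.
Get-NetTCPConnection -State Listen -LocalPort $NewPort |
    Select-Object -Property LocalAddress, LocalPort, OwningProcess
```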
It is possible to implement even stricter security strategies to protect your RDP server from attacks, including the addition of two-factor authentication. However, following the tips we have outlined here will be enough to keep your server safe from the vast majority of attacks.
Jake Fellows is an Associate Product Manager for Liquid Web’s Managed Hosting products and services. He has over ten years of experience involving several fields of the technology industry, including hosting, healthcare, and IT system architecture.