By Jake Fellows, Associate Product Manager, Liquid Web
IT security personnel can manage Windows servers via the Remote Desktop Protocol (RDP). RDP is convenient and straightforward to set up, and Windows has native support on both the client and the server. RDP clients are also available for other operating systems, including Linux, macOS, and mobile operating systems, allowing administrators to connect from any machine.
But RDP has a significant drawback: It’s a prime target for hackers.
A Warning Issued
In late 2018, the FBI issued a warning that RDP was a vector for a large number of attacks, resulting in ransomware infections and data theft from many businesses, including healthcare businesses.
In 2019, researchers discovered several critical vulnerabilities in RDP that impacted older versions of Windows. For example, the BlueKeep vulnerability is a remote code execution vulnerability that allowed an unauthenticated user to connect to the RDP server and execute arbitrary code via malicious requests. Additional security vulnerabilities were discovered later in the year.
Businesses use RDP because it is the most convenient way to provide remote desktop services for Windows servers and desktops. Still, it’s a relatively old protocol that needs to use modern security best practices.
The Center for Internet Security (CIS) also mentioned that we need to protect against the most dangerous cyber threats to our way of life by the offense informing the defense. Reports indicate that RDP usage has jumped 41% due to COVID-19. This means that not only are businesses vulnerable, but anyone utilizing RDP has created more opportunities for attacks.
However, Remote Desktop Protocol can be made more secure with a few configuration changes and implementation of RDP best practices.
Determine RDP Use
The first step in implementing Remote Desktop Best Practices is understanding how users will access them within your organization. Next, perform audits, review the firewall policies, and scan internet-exposed address ranges and other services your team uses to highlight compromised systems.
Avoid Guessable Passwords
Windows servers are often compromised with dictionary attacks against RDP. Attackers know hundreds of thousands of the most commonly used passwords, and it’s trivial to script a bot that can make repeated login attempts until it discovers the correct credentials.
It isn’t just the usual suspects such as “123456” or “pa55word” that should be avoided. Any simple password you can think of is likely already in a dictionary culled from leaked password databases. It is also essential to ensure that you don’t reuse passwords that you use elsewhere on the web.
If you are the only administrator who manages the server, generate a long and random password that attackers can’t guess. If other people access the server over RDP, consider using the built-in Password Policy system to implement policies that enforce minimum complexity and length requirements.
Update RDP Clients and Servers
Attacks against RDP frequently exploit vulnerabilities in outdated server and client software. Older versions of RDP also lacked the cryptographic protections of more modern versions. As we have already mentioned, it is not uncommon for serious vulnerabilities to be discovered in older versions of RDP.
When the BlueKeep vulnerability was still on everyone’s minds, Microsoft quickly released a patch that, if installed, would close the security hole. But clients and servers only benefit from that protection if they are regularly updated.
Windows Server can automatically update RDP via Microsoft Updates, but server administrators should verify that they are running the most recent version. Administrators can turn automatic updates off, and many server administrators don’t like to risk the disruption that an automatic update might cause. However, it’s always worth checking to make sure your servers are running patched and secure versions of RDP.
Don’t forget to update third-party RDP clients, too.
Disconnect Idle RDP Sessions
Leaving RDP sessions connected is convenient, but it’s also a security risk. RDP sessions left running are prime targets for an attacker who manages to compromise the server or network.
It’s also vital to properly log off RDP sessions when you are finished using them. Simply closing the RDP window doesn’t end the session – it remains active on the server until it times out or is manually disconnected.
If you are managing RDP sessions for other users, be sure to properly terminate any RDP sessions to stay compliant with Remote Desktop Best Practices.
Connect Over RD Gateway or a VPN
Using RDP over the internet without an SSL tunnel is dangerous. RDP encrypts traffic flowing between the client and the server, but it may be vulnerable to certain types of attack; plus, the RDP port is exposed to brute-force attacks and denial of service attacks. Because of the potential security risk of exposing an RDP server to the open internet, it’s good to put it behind a gateway that provides better security.
An RD Gateway allows clients to create an SSL-protected tunnel before connecting to the RDP server. The RDP server only accepts connections from the gateway. As a result, it is not exposed to the open internet, limiting the attack surface and preventing attackers from directly targeting the server.
Connecting over a VPN is a reasonable alternative to an RD Gateway, but it is less secure and may introduce unacceptable latencies.
Restrict Connections Using the Windows Firewall
If you know which IPs will connect to your RDP server, you can use the firewall to restrict access so that the firewall will reject IPs outside of that scope. Administrators can achieve this by adding IP addresses to the RDP section of the firewall’s inbound rules. While potentially time-consuming to set up, this can be a very effective security measure.
Change the Default RDP Port
The default RDP port is port 3389, where most brute-force attacks are directed. So changing the port is a straightforward way to reduce the number of bot attacks against your server.
To change the RDP port, adjust the following registry key to the new port number:
Changing the port is not a substitute for implementing the other security tips mentioned in this article. While it may be enough to confuse unsophisticated bots and inexperienced hackers, more knowledgeable and sophisticated attackers will have little trouble finding the new port, so changing the port is insufficient to adequately protect RDP from attack.
Remember – RDP Best Practices Are Necessary
RDP is a popular and convenient tool, but it is also insecure. Attackers are constantly looking for RDP servers to target, and when they find one, they will try to brute-force their way in or exploit vulnerabilities.
It is possible to implement even stricter security strategies to protect your RDP server from attacks, including the addition of two-factor authentication. However, following the tips we have outlined here will be enough to keep your server safe from most attacks.
Jake Fellows is an Associate Product Manager for Liquid Web’s Managed Hosting products and services. He has over ten years of experience involving several fields of the technology industry, including hosting, healthcare, and IT system architecture.
Updated by Ping! Zine Staff on June 23, 2022.