How to Secure RDP (Remote Desktop Protocol)
August 25, 2022
Remote desktop protocol (RDP) is a proprietary Microsoft protocol that has been packaged with Windows products for the last two decades. It allows users to connect to their desktop computer that is, for example, on an enterprise network and use the device remotely. It allows users to access networks without the use of a VPN and means that data or apps do not have to move beyond the desktop’s server.
However, the access that RDP gives to users can also be used by attackers to infiltrate networks. The large increase in workers using remote desktop protocol during the Covid-19 lockdowns and ongoing WFH provided hackers with even more vulnerable endpoints to try and compromise. In 2020, security researchers at ESET found over 29 billion attempted attacks on RDP, an increase of 768%. The UK’s National Cyber Security Centre stated that remote desktop protocol remained the “most common attack vector used by threat actors to gain access to networks.”
Access to RDP endpoints is also one of the most popular forms of hacking material, with thousands of access points for sale at any one time on dark web marketplaces. If an attacker wants to target a specific organization, they can simply buy RDP access that has already been compromised.
Since it’s such a critical tool for businesses yet also potentially gives complete network access to attackers if compromised, enterprise security teams need to figure out how to secure RDP for their networks.
How to Secure RDP: Attack Vectors
Before we examine how to secure RDP, it’s important to understand how attackers gain access to it in the first place.
The first step in any RDP attack is to gain access to a trusted endpoint. Every network user is a target, so attackers have multiple options: they usually need only a single username and password to get past the authentication process. With RDP attacks, the main routes for attackers to breach authentication are:
- Brute Force: If an attacker has a username, they will make multiple login attempts with different passwords, such as dictionary attacks or lists of commonly used passwords.
- Phishing: A user is sent an email, supposedly from the administrator, asking them to log in and perform an action, such as changing a password. However, the link is to a proxy controlled by the attacker, which reveals the user’s login details.
- Social Engineering: This preys on a user’s social tendencies to trick them into handing over their password. An example is gaining access to a colleague’s email account and emailing the victim to ask for their login details so they can cover an emergency. The trusted relationship and sense of urgency can lead users to respond quickly without thinking about security best practices.
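One way to detect the brute-force pattern described in the list above (an added example, not code from the original article): it groups failed logons by source address and target username and flags any pair that exceeds a threshold inside a sliding time window. The function name, the threshold, the window length and the sample records are assumptions constructed for illustration.

```powershell
# Added example (not from the article): flag repeated failed logons against one
# account from one source. Function name, threshold and window are assumptions.
function Find-RdpBruteForce {
    param(
        # Objects with TimeCreated, TargetUserName and IpAddress properties.
        [Parameter(Mandatory)] [object[]] $FailedLogon,
        [int] $Threshold = 5,        # assumed: failures needed to raise a finding
        [int] $WindowMinutes = 10    # assumed: sliding window length
    )
    $window = [timespan]::FromMinutes($WindowMinutes)
    foreach ($group in ($FailedLogon | Group-Object IpAddress, TargetUserName)) {
        $times = @($group.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        $start = 0; $peak = 0
        # Sliding window: drop old failures until the span fits inside $window.
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]) -gt $window) { $start++ }
            $peak = [math]::Max($peak, $end - $start + 1)
        }
        if ($peak -ge $Threshold) {
            [pscustomobject]@{
                IpAddress      = $group.Group[0].IpAddress
                TargetUserName = $group.Group[0].TargetUserName
                PeakFailures   = $peak
                FirstSeen      = $times[0]
                LastSeen       = $times[-1]
            }
        }
    }
}

# Constructed sample records (not real logs): one source retrying one account
# every 20 seconds, plus isolated failures from ordinary users.
$t0 = [datetime]'2022-08-25T09:00:00'
$sample = @(
    0..7 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds(20 * $_); TargetUserName = 'jsmith'; IpAddress = '203.0.113.10' }
    }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(3);  TargetUserName = 'akhan';  IpAddress = '198.51.100.7' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(41); TargetUserName = 'akhan';  IpAddress = '198.51.100.7' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(12); TargetUserName = 'mlopez'; IpAddress = '192.0.2.44' }
)
Find-RdpBruteForce -FailedLogon $sample | Format-Table -AutoSize
```

On a live host the input objects can be built from `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 }`, taking `TargetUserName` and `IpAddress` from each event's data fields.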
Once the attacker has bypassed authentication and gained access to the network, they will perform reconnaissance to find the account's privileges and to see how they can escalate the attack.
As seen in attacks such as that on SolarWinds, some attackers are comfortable observing traffic and systems for months before executing anything else. One of the major issues for admins researching how to secure RDP is that intrusion detection is much more difficult, as an RDP network will naturally receive large numbers of connections from disparate locations and users.
4. Launching Attack
The reasons an attacker wants network access vary but come down to three things: data exfiltration, deploying malware or attack escalation. Once the attacker has done their recon and preparation, they will leverage that remote desktop protocol access to perform one of those three.
How to Secure RDP: Defenses
Fortunately for any team looking at how to secure RDP for their organization, there are several countermeasures they can deploy.
Multi-Factor Authentication (MFA)
Since the primary access avenue for attackers is authentication, this should be a primary focus for prevention. Authentication that only requires a username and password basically provides no protection at all, and attackers actively search for systems that rely on this type of authentication. To mitigate this vulnerability, any organization looking at how to secure RDP should deploy, at the very least, multi-factor authentication. MFA challenges users to provide something they own (OTP, device, security key) or something they are (face scan, fingerprint) in addition to or instead of something they know (password, PIN).
Fully Passwordless MFA
Traditional MFA adds a margin of security to RDP deployments, but it is susceptible to various bypass techniques. To fully secure RDP with MFA, you need to completely remove shared secrets from the authentication process. This makes it impossible for attackers to guess or steal authentication factors and much harder to spoof identity. Specifically, passwordless authentication based on FIDO standards resists phishing, MitM attacks and hacking attempts as it does not use insecure factors such as SMS or OTPs. Moreover, since it’s based on public-key cryptography, there are no server-side shared secrets for an attacker to steal and use to escalate a successful breach.
Role-Based Access Control (RBAC)
This grants users access to data on a complete need-to-know basis and theoretically prevents one authentication breach from handing an attacker broad network access. However, there can be significant challenges in enforcing and monitoring the access control as user roles and needs shift, requiring constant assigning and revocation of privileges.
There are multiple versions of RDP dating back over the past two decades, with several major flaws found among them. To secure RDP, organizations must keep their versions patched and updated as attackers can easily locate systems that still employ vulnerable versions.
Like RBAC, microsegmentation aims to put clear divisions between unconnected data assets and repositories to limit the damage done by a breach. Although this can lead to siloing of knowledge within an organization, this can be overcome by tools such as data virtualization.
Ensuring Correct Port Configuration
Even though RDP defaults to TCP 3389 and UDP 3389, custom configurations can lead to non-authorized ports being left open. Therefore, monitoring and tightening security on port usage is essential to securing remote desktop protocol networks.
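A port-configuration audit for a single RDP host, added here as an example and not taken from the original article: it reads the configured RDP port, lists listeners on that port and on the default 3389, and shows which enabled inbound firewall rules name the port and from which remote addresses. It assumes an elevated PowerShell session on the host itself; the variable names and report layout are illustrative.

```powershell
# Added example (not from the article): audit RDP port configuration locally.
# Registry location where Windows stores the RDP listener port.
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = [int](Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

# 1. Is anything listening on the configured port, or still on the default 3389?
$portsToCheck = @($rdpPort, 3389) | Select-Object -Unique
$listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $portsToCheck } |
    Select-Object LocalAddress, LocalPort, OwningProcess)

# 2. Which enabled inbound allow rules name the RDP port, and from where?
#    Rules that allow "Any" port for a specific program are not listed here.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
$findings = foreach ($rule in $rules) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if (@($portFilter.LocalPort) -contains "$rdpPort") {
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Protocol      = $portFilter.Protocol      # TCP or UDP
            Profile       = $rule.Profile
            RemoteAddress = $remote -join ', '
            OpenToAny     = $remote -contains 'Any'   # not scoped to known sources
        }
    }
}

"Configured RDP port: $rdpPort (default is 3389)"
$listeners | Format-Table -AutoSize
$findings  | Sort-Object OpenToAny -Descending | Format-Table -AutoSize
```

Rules with `OpenToAny` set are the ones to scope down first, since they accept connections to the RDP port from any remote address.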
HYPR Can Help
Remote desktop protocol is packaged with Microsoft systems, and its use has grown significantly over the past three years, allowing users complete access to their office desktops from remote locations. Unfortunately, it is also the primary attack vector for attackers looking to gain network access by taking advantage of authentication issues. Systems that only require a username and password are the most vulnerable, as they allow attackers to use brute force, phishing and social engineering to gain RDP access.
If you’re investigating how to secure RDP for your organization, your number one defense step should be deploying strong authentication systems. The most secure RDP with MFA systems remove passwords and all shared secrets completely from their RDP authentication.
HYPR’s True Passwordless™ MFA platform allows your workers to securely log into remote access systems, including RDP, with a friction-free user experience. To find out how HYPR can be a solution for securing remote desktop protocol for your workforce and protecting your enterprise assets, get in touch with our team.