In 2020, attacks against Windows Remote Desktop Protocol (RDP) grew by 768%, according to ESET. But this shouldn’t come as a surprise, given the massive increase in people working remotely during the pandemic.
With enterprises resorting to making RDP services publicly available, hackers have taken notice. Some DDoS attacks are leveraging RDP servers to amplify their effect, and malware like Trickbot is employing scanners to identify vulnerable open RDP ports.
When it comes to remote access, RDP is functionally rich and very useful. It’s not inherently dangerous, but given its complexity, ubiquity, and position within the operating system, RDP has a large attack surface. If publicly exposed, vulnerabilities that emerge may be exploitable by hackers to cause serious damage to an enterprise.
RDP needs to be well protected, and direct access should never be provided to an RDP server. Instead, access should be guarded behind a separate service with limited privileges to prevent malicious actors from gaining admin-level access.
The problem with public RDP
By its own nature, an RDP service must run with enough privileges to operate a machine as another user, including the administrator. If a cybercriminal takes advantage of a vulnerability in the service and can execute arbitrary code, their code will inherit those privileges.
Like any sufficiently complex software, RDP has suffered from vulnerabilities. Probably the best-known vulnerabilities to date appeared in 2019. Better known as BlueKeep (CVE-2019-0708) and DejaBlue (CVE-2019-1181 and CVE-2019-1182), they enabled an attacker to cause and exploit heap corruption to bypass the authorization layer and execute code on the server.
Patches were quickly made available. But while applying patches addresses specific issues, the primary concern for enterprise IT should be protecting against the unknown. As new vulnerabilities emerge, patches are not always immediately available or immediately feasible to apply. The system must be designed to mitigate future vulnerabilities by design.
Defensive RDP design
When designing an RDP deployment, make sure to adhere to the following two principles that limit the extent to which an unknown vulnerability can be exploited:
- Defense-in-depth: Security should rely on multiple independent layers of protective services, not a single point of failure.
- Principle of least privilege: Services and users should be given only the privileges that are strictly needed. If possible, tasks should be divided among multiple services so that the scope of privileged services is reduced.
Authorization should be performed independently by other services, not by the RDP server alone. Access to RDP services should only be possible after authentication and authorization has already been performed. Typically, this means RDP should be deployed behind a secure gateway that serves as the only means of accessing the RDP service. Once a user has authenticated, the gateway should provide access only to those assets that the user needs. Likewise, privileges granted to the gateway and other publicly accessible services should be strictly limited so a successful attack cannot directly result in gaining admin privileges.
Organizations sometimes deploy a VPN to overcome this challenge, and while that may be an acceptable short-term fix to secure RDP, there are significant long-term drawbacks. Providing general access to the private network using a VPN opens more of the network than is strictly required, violating the principle of least privilege.
VPNs also have a reputation for being cumbersome to manage and scale. Given that many currently remote employees will remain remote even once COVID-19 restrictions have been fully lifted, this kind of administrative complexity is unlikely to be sustainable.
With RDP behind a secure, dedicated gateway, the network firewall can be configured so that outside access is possible only through the gateway. Likewise, all machines on the network that enable RDP should be locked down so that they can only be accessed via the gateway, ensuring that unauthorized access to one machine does not imply access to all others on the network.
In our new, remote-work world, RDP will undoubtedly continue to play a key role in enabling remote access to enterprise machines, both virtual and physically. And through a few, relatively simple measures — consistent patching, isolating RDP behind a secure gateway and following the principle of least privilege — organizations can provide remote access without fear of providing new vulnerabilities for hackers to exploit.