Security challenged when logging in from the road
RDP are three letters that create significant debate among network administrators, security experts and analysts. Remote desktop protocol (RDP) provides a graphical interface when used to connect to another computer over a network connection for remote administration. It is often used for working remotely and providing IT support.
Yet while RDP provides convenience and efficiency to many organizations, it also has many security implications. The challenge is that it’s too useful to give up, but is it too dangerous to keep. Before you can evaluate the solutions for securing this type of remote access, you need to understand what RDP is and why it has become a popular target for cyber criminals.
The History of RDP
Microsoft created RDP more than 20 years ago and it has been widely adopted for its simple graphical interface and ease of use when connecting to other computers. The protocol is built into the majority of Windows operating systems as a server, and the client required for access is available on most operating systems, including Windows, macOS, UNIX, and Linux. As a result, RDP provides the ability for a user to remote into another computer via a known port from anywhere, with hardly any setup on the user side.
Third-party software that allows a user to remote into another computer has since been introduced, including Log- MeIn, TeamViewer, and join.me. While this software offers more features than a regular RDP client, the use of RDP — which is built into existing systems and free — has not declined. RDP continues to be easy and cost-effective for organizations.
The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) released an announcement in September 2018 about cyber criminals increasingly exploiting RDP and ongoing attacks against devices with the port open to the Internet. IC3 encouraged organizations to evaluate their use of RDP and the controls in place to secure it.
As noted above, RDP is not a new service. So how is it still being so heavily exploited after its initial release?
As with any piece of software, bugs arise sooner or later. A critical security exploit allowing a man-in-the-middle- style attack was discovered in RDP version 5.2. In 2012, another critical vulnerability was discovered to allow a Windows computer to be compromised by unauthenticated clients. Version 6.1, found in Windows Server 2008, revealed a critical exploit that harvested user credentials. More recently, an exploit discovered in March 2018 allowed remote code execution attack and another credential- harvesting scenario.
Hackers are well aware of the extensive use of RDP within organizations. They are now targeting RDP as a method to proliferate their attacks. The evolution of ransomware is a prime example. Ransomware has proven to be a very lucrative form of cyber attack, and hackers have begun to target RDP to spread this form of malware within organizations.
Similarly, capturing and selling RDP credentials on the dark web has also proven to be a money-making scheme for hackers. RDP credentials sell on dark markets for about $3 a piece, on average. One set of credentials allows you complete control via RDP, and some dark web sites have thousands of compromised credentials for sale.
Human error has also contributed to the exploitation of RDP. Overworked, stressed, or novice network administrators often think that they need to respond quickly to users seeking an easy and efficient method of remote access. Since RDP is built into operating systems, consider the implications of exposing RDP to the public Internet. RDP became a backup solution and an afterthought once third-party software became the norm. It was essentially out of sight, out of mind.
The risk associated with RDP sessions is inarguable at this point, but RDP usage hasn’t declined. On the contrary, it has increased rapidly as more organizations use remote locations, rely on cloud computing, and decrease the use of physical hardware with emerging technologies such as virtualization.
A query on Shodan.io, a search engine used to scan specific types of computers that populate the entire Internet, shows just how extensively RDP is used. This screen capture, taken in January 2019, is a real-time view of how many computers have the default RDP port (port 3389) active and open for attack on the Internet
How to Secure RDP
RDP will be used until Microsoft disables the RDP client-server feature in all past, current, and future iterations of the Windows operating system. The macOS operating system also uses Microsoft’s branded RDP client. And with the release of Microsoft’s new HTML5 version of the RDP client, it is now entirely browser- based. This form of remote access is too convenient to discontinue fully. So what do we do?
Fortunately, you can secure RDP through layered controls. While this list is not exhaustive, it provides some basic guidelines for securing RDP in your organization:
• Disable any RDP connection to the open Internet. If nothing else, this will reduce the risk of hackers scanning your network and limit your susceptibility to brute force attacks;
• Change the default listening port from 3389;
• Update and apply patches regularly;
•Enable complex passwords and a conservative account lockout policy. Consider customizing a more stringent policy for RDP;
• Configure multi-factor authentication (MFA);
• Limit and reduce access via RDP and consider disabling all administrative access via RDP;
• Enable logging and monitoring capabilities to alert personnel of suspicious activity;
• Ensure self-signed certificates are in place;
• Enable the following on workstations and servers that use RDP: Network Level Authentication, TLS 1.2 and FIPS compliance.
While it might be difficult to stop using RDP, it’s crucial to take steps to secure it.
Lisa Traina is a partner at Traina & Associates, a CapinCrouse company. She was selected to Practice Advisor’s Most Powerful Women in Accounting list in 2012. Her email is [email protected]. Allison Davis, CPA, CISSP, CISA, is senior manager at Traina & Associates. Her email is [email protected]