RDP: It’s Putting You and Your Clients at Risk
Originally released with Windows NT 4.0’s Terminal Services, the Remote Desktop Protocol (RDP) has been a staple in every IT pro’s arsenal of tools. Its ability to allow IT to be on any system and perform tasks as if they were local made it an instant hit.
But, in recent years, with the increase in cyberattacks, the many ways in which an attacker can take advantage of built-in tools and protocols have made this protocol even more popular with the wrong crowd. Its ability to give an attacker direct access to a system, when mixed with insecure passwords and default settings, is a recipe for disaster. Attackers can disable endpoint protection, establish a foothold in the organization and more. Once this happens, no endpoint security solution can save you.
Those of you using publicly accessible RDP sessions to connect to clients are leaving those clients’ networks completely vulnerable to attack. A simple automated port sweep across IP address ranges will tell attackers when an RDP listener is exposed and ready to be compromised. Tyler Moffitt, Senior Threat Analyst at Webroot, states, “It’s a simple case of not if, but when. If your RDP connection is publicly available to connect to, you will be targeted. The most successful way criminals will infect you with ransomware is through the unsecured RDP attack vector.”
In a recent report focused on the state of security of banks by security assessment company Positive Technologies, it was reported that half of all banks were found to have left remote access and control interfaces (which includes RDP) accessible from the Internet! While none of your clients may be banks, this shocking stat should raise concerns that even organizations we all would agree are targets for cyberattacks aren’t as secure as we think they are.
And, once the bad guys get in, RDP is even more useful.
In the most common of cyberattack methods, the kill chain includes the need for lateral movement–the jumping from endpoint to endpoint in an attempt for the attacker to eventually gain access to a system containing valuable data. The combination of easy system access via RDP and either compromised elevated credentials or insecure commonly used passwords makes lateral movement an easy task.
In addition, some attackers leverage RDP even when remote logon isn’t permitted. Using an elevated account with the “log on locally” permission, remote access to the \windows\system32 folder of a target endpoint is first used to replace the Sticky Keys application (sethc.exe) with cmd.exe. An RDP session is then established, even though the compromised account isn’t allowed to log on via RDP. Then a key is pressed repeatedly, invoking cmd.exe instead of Sticky Keys and giving the attacker an elevated command prompt on the target system. This is just one example; there are plenty more techniques and exploits available to criminals that let them leverage the RDP attack vector.
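A defender-side integrity check for the Sticky Keys swap described above, added here as an example and not code from the original post: it hashes sethc.exe and cmd.exe in a System32-style folder and flags when they are byte-identical (or when sethc.exe differs from a known-good hash you supply). The folder path, file names and the demo fixture are assumptions, so the check runs on any OS.

```python
# Added example (not from the original post): integrity check for a swapped
# sethc.exe. Paths and file names are parameters; the demo fixture is constructed.
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_sticky_keys(system32: Path, target: str = "sethc.exe",
                      shell: str = "cmd.exe", baseline_sha256: str = "") -> list:
    """Return findings for the accessibility binary; an empty list means no sign of a swap.

    'swapped_with_shell' - target is byte-identical to the shell binary
    'baseline_mismatch'  - target differs from a known-good hash, if one is supplied
    'missing'            - target is absent (also worth an alert)
    """
    target_path, shell_path = system32 / target, system32 / shell
    if not target_path.is_file():
        return ["missing"]
    findings = []
    target_hash = sha256_of(target_path)
    if shell_path.is_file() and target_hash == sha256_of(shell_path):
        findings.append("swapped_with_shell")
    if baseline_sha256 and target_hash != baseline_sha256.lower():
        findings.append("baseline_mismatch")
    return findings


def build_demo_system32(swapped: bool) -> Path:
    """Constructed fixture: a temp folder holding fake cmd.exe and sethc.exe files."""
    folder = Path(tempfile.mkdtemp(prefix="demo_system32_"))
    (folder / "cmd.exe").write_bytes(b"MZ-fake-command-shell")
    sethc_bytes = b"MZ-fake-command-shell" if swapped else b"MZ-fake-sticky-keys"
    (folder / "sethc.exe").write_bytes(sethc_bytes)
    return folder


if __name__ == "__main__":
    # On a real Windows host point this at Path(r"C:\Windows\System32") instead.
    print("swapped demo:", check_sticky_keys(build_demo_system32(True)))
    print("clean demo:  ", check_sticky_keys(build_demo_system32(False)))
```

Schedule it against the real System32 folder and treat any non-empty result as an incident, since sethc.exe should never change outside of patching.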
So, what should you do about RDP to protect not only your clients, but your business, as well?
Here are four high-level options, each one making your environment, and the environments you manage, more secure:
1. Limit access: Consider changing the default port (TCP 3383), and use virtual networking, VLANs and similar segmentation to limit which hosts can reach critical systems via RDP.
2. Focus on the logon: Consider using multi-factor authentication as a way of thwarting unauthorized remote sessions. Additionally, solutions that monitor logon activity give IT extra visibility into inappropriate and unusual logon attempts. At the very least, set a maximum number of failed logon attempts before lockout, so brute-force tools can’t be leveraged.
3. Protect endpoints: Solutions designed to detect network anomalies, such as an RDP session attempt from another workstation (which probably never happens normally), can be used both to respond (by killing the session) and to notify IT of the attempt.
4. Use a paid encrypted solution: When RDP came out, we had little more than pcAnywhere and a few other products for remote sessions. Fast forward more than 20 years, and there are tons of alternative ways you can provide remote access. For critical systems where elevated accounts are used, consider Privileged Session Management–these solutions provide not only their own remote desktop session, but also obfuscate the account name and password used to access a system (keeping the elevated credentials protected, as well). For endpoints used by regular users, consider using a secure third-party remote session solution–such as VNC, TeamViewer, LogMeIn or ScreenConnect–to allow IT to continue to support its users with encrypted connections.
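The logon monitoring in options 2 and 3 above, as an added example that is not part of the original post: detection logic run over constructed Windows Security events (4625 failed logon, 4624 successful logon, logon type 10 = RDP), flagging a brute-force burst, a success right after that burst, and an RDP logon arriving from a user workstation rather than an approved jump host. The IP ranges, jump-host address and thresholds are assumptions.

```python
# Added example (not from the original post): RDP logon anomaly detection over
# constructed Security-log events. Event IDs and logon type 10 are real Windows
# values; the addresses, users and thresholds below are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, event_id, logon_type, user, source_ip) -- constructed sample data
SAMPLE_EVENTS = [
    ("2024-01-10T02:00:01", 4625, 10, "admin", "203.0.113.7"),
    ("2024-01-10T02:00:03", 4625, 10, "admin", "203.0.113.7"),
    ("2024-01-10T02:00:05", 4625, 10, "admin", "203.0.113.7"),
    ("2024-01-10T02:00:06", 4625, 10, "admin", "203.0.113.7"),
    ("2024-01-10T02:00:07", 4625, 10, "admin", "203.0.113.7"),
    ("2024-01-10T02:00:09", 4624, 10, "admin", "203.0.113.7"),   # success after burst
    ("2024-01-10T09:15:00", 4624, 10, "jdoe", "10.10.20.15"),    # workstation -> host
    ("2024-01-10T09:20:00", 4624, 10, "helpdesk", "10.10.1.5"),  # approved jump host
    ("2024-01-10T09:30:00", 4624, 2, "jdoe", "-"),               # console logon, ignored
]

WORKSTATION_PREFIXES = ("10.10.20.",)  # assumed user-workstation address range
JUMP_HOSTS = {"10.10.1.5"}             # assumed approved IT jump host
FAIL_THRESHOLD = 5                     # mirror the lockout threshold you enforce
WINDOW = timedelta(minutes=5)


def analyze_rdp_events(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (alert_type, source_ip, user) tuples for suspicious RDP logon activity."""
    alerts = []
    failures = defaultdict(list)  # source_ip -> timestamps of recent RDP failures
    for ts, event_id, logon_type, user, src in events:
        if logon_type != 10:      # only RemoteInteractive (RDP) logons matter here
            continue
        now = datetime.fromisoformat(ts)
        if event_id == 4625:
            recent = [t for t in failures[src] if now - t <= window] + [now]
            failures[src] = recent
            if len(recent) == fail_threshold:   # alert once per burst
                alerts.append(("rdp_bruteforce", src, user))
        elif event_id == 4624:
            if len(failures[src]) >= fail_threshold:
                alerts.append(("rdp_success_after_bruteforce", src, user))
            if src.startswith(WORKSTATION_PREFIXES) and src not in JUMP_HOSTS:
                alerts.append(("rdp_from_workstation", src, user))
            failures[src] = []    # a success closes the failure window
    return alerts


if __name__ == "__main__":
    for alert in analyze_rdp_events(SAMPLE_EVENTS):
        print(alert)
```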
RDP: Ready to Ditch the Protocol?
With security threats at an all-time high, and so many other (and, quite frankly, better) remote desktop options out there, it’s time for MSPs to recognize the risk that comes with RDP. At minimum, look for ways to better secure the access to, and use of, RDP. And, if you can, leverage today’s advanced technologies to go beyond basic remote sessions and take control of your–and your clients’–security posture.
This guest blog is part of a Channel Futures sponsorship.