Author’s note: With so many people working from home due to the COVID-19 pandemic, PortSys offers a more secure remote access approach with Total Access Control (TAC). TAC is also quick to deploy for customers. This is the second installment on the security challenges of the most commonly used remote access solutions – VPNs and RDP – and how TAC addresses those issues to strengthen your security. Last week’s post, Business Continuity: Are You Flying Blind on VPNs?, addressed VPN remote access issues.
By Tim Boivin
RDP is very popular in the enterprise because it allows users to get access to their own desktops and virtual desktops remotely. Administrators, who have high levels of permission, also use RDP to manage the enterprise infrastructure, local and cloud.
But RDP was never designed with business continuity in mind at the scale of which we are seeing today. Even before the Coronavirus forced organizations to quickly flip the switch on remote access for tens of millions of users, RDP vulnerabilities were some of the most commonly exploited by hackers. This has become even more pronounced over the past month as more employees work from home (WFH).
According to Shodan creator John Matherly:
The challenge that organizations face is that in order to provide access through RDP, they must create holes in their infrastructure to open access to the outside world. Some try to mask it by using a non-standard port, but hackers still find RDP openings – most only protected by username and password – on the Internet with vulnerability scanning tools. And today, hackers are using your own credentials to attack you (gained through phishing, brute force or dictionary attacks or even purchased on the Dark Web).
Total Access Control (TAC) from PortSys makes deployment of virtual desktops and applications much easier and significantly more secure than the traditional method of publishing your RDP server directly to the internet. TAC’s robust reverse-proxy, three-dimensional approach to security limits access to only verified users and prevents lateral breakouts across your infrastructure from an RDP session.
Why is that important? Historically, RDP deployments provide too many easy opportunities for these bad actors to:
TAC’s reverse proxy security layer sits between the user and the RDP server so these “tricks” can’t be used to break out of an RDP session. Instead of always seeing the entire desktop (which is still available if needed), organizations can publish access to just a single RDP application. Only users that have passed TAC’s stringent security checks gain access, and only to that specific application resource. The user is locked in to only the resource they were approved to access with no chance to break out.
More on TAC’s superior approach to providing access to employees who work from home (WFH) later. But first, here’s why your RDP solution is so risky, especially today as you rapidly scale to provide remote access for WFH users.
Recent RDP Risks
With the Coronavirus pandemic, the attacks have become even more insidious. Hackers are resorting to Coronavirus-themed phishing and hacking campaigns, fraud, and disinformation attacks. They are even launching campaigns targeting medical and research organizations working on COVID-19 treatment and potential vaccines.
But RDP has been a favorite target of hackers for a long time, even before the pandemic. Many organizations may think that their default RDP security methods are good enough. But they aren’t when most RDP deployments don’t even incorporate fundamental security features such as 2-Factor Authentication or brute force protection.
RDP extends a full local desktop to the Internet, just as if a WFH user is in the office. But there is no real way to verify that a user is who they say they are. With compromised credentials being one of the most prevalent attack methods, organizations are increasingly at risk.
Without 2-Factor Authentication, it is too easy to gain compromised credentials and gain access to your infrastructure. Even with 2-factor authentication, you don’t have the ability to limit what the user might get access to with a traditional RDP environment. Once a hacker gains access to your network – using valid user or even administrator credentials – they can start spreading their reach even further, to cause even more serious damage across your entire enterprise infrastructure.
And the worst part is you would be none the wiser, since the hacker looks like an authorized remote user.
Those kinds of gaping security holes have helped RDP-related threats garner the biggest headlines since 2016: ransomware such as CrySiS, CryptON and Samsam, not to mention all the stolen RDP credentials sold on the cheap through the Dark Web.
Just last month, The Hacker News reported that Trickbot, a banking Trojan originally used for the WannaCry and Petya ransomware attacks in 2017, can now target Windows systems running RDP to leverage compromised machines exposed to the internet.
Earlier this year, five flaws in Microsoft RDP were identified – including the ability for hackers to spoof a certificate for secure Web sessions or signing codes, and allowing attackers to gain access without having to provide a log-in. With those specific vulnerabilities, hackers could remotely execute code on targeted servers before Microsoft RDP Gateway could try to authenticate them.
“An attacker could then install programs; view, change, or delete data; or create new user accounts with full user rights,” the Microsoft Security Response Center warned.
The other exploits the Center announced included allowing an attacker to use Web requests to obtain legitimate user log-in credentials; a denial of service vulnerability in RDP Gateway, and a flaw in the Windows Remote Desktop Client across all supported versions of Windows. The last one allows a malicious remote RDP server to execute code remotely on the client machine.
Sure, several remedial actions may help limit access to RDP resources and reduce your attack surface, if you keep up with patching your RDP servers promptly. But a hacker logging in with your own compromised valid user credentials – stolen through phishing, dictionary or brute force attacks – can still cause damage without even exploiting any vulnerabilities.
The list goes on. In June 2019, an aggressive brute force campaign targeted 1.5 million RDP servers with a botnet called GoldBrute. That came on the heels of another exploit, Bluekeep, which had just become public knowledge a month before – although it has been sold to hackers on the Dark Web since September 2018.
Bluekeep, a “wormable” vulnerability that allows an unauthenticated remote attacker to execute remote code on any machine running RDP, allows hackers once they are inside your firewall to scan across your infrastructure for other vulnerable resources they can attack.
Hackers Can’t Attack What They Can’t See
How big is the problem? There are millions of attractive internet-facing assets with actively listening RDP services today, according to scans conducted by Shodan and Binary Edge. The Cybersecurity and Infrastructure Security Agency (CISA) warns that the risks associated with RDP present severe consequences, “particularly if the compromise becomes public and sensitive information is exposed.” CISA says these impacts may include:
This has been proven true especially when it comes to ransomware, where RDP continues to be the most targeted attack vector over the past year. And that attack vector grows exponentially broader with WFH employees who now use their personal devices to access your enterprise resources.
Those personal devices are much more likely to not be up to date on patches, updates, certificates and other security solutions that enterprises usually control on corporate devices. And they can be further compromised if other family members, including children, use that WFH device, visit unsecure websites, or use software programs that have porous or negligible security.
The remote access dilemma really boils down to this: even with compromised credentials, hackers can’t attack what they can’t see. That’s why more organizations are turning to TAC in today’s WFH world.
It’s important to note that these challenges aren’t unique to RDP. Citrix, VMware Horizon View, and other Virtual Desktop Infrastructure (VDI) technologies all pose similar security dilemmas.
But as these vulnerabilities demonstrate, popular RDP solutions give hackers far too many opportunities to break out of an open desktop on a remote session, gain unauthorized access to commands, and then move laterally across the enterprise.
Making RDP Secure
In a world where credentials-based attacks are the most common entrée for hackers, Total Access Control (TAC) makes deployment of virtual desktops and applications much easier and significantly more secure than the traditional method of publishing the RDP server directly to the internet.
First, TAC’s reverse proxy gateway shuts down visibility into RDP (as well as VPNs) within your infrastructure to the outside world. While hackers are scanning for RDP ports, TAC sits on a port that scanners are not searching for. You can close your RDP port to the outside world permanently, removing this as an attack vector. TAC still allows the use of RDP, but only to authenticated users in the correct security state.
Before a user can get access to RDP, they must be fully authenticated and authorized. TAC allows you to insert whatever enhanced authentication and validation methods you want to deploy to protect RDP (as well as any other resource). TAC makes multiple factors of authentication and verification available, such as Multi-Factor Authentication, device validation, GeoIP intelligence, certificate validation and much more. Using multiple factors of authentication delivers a much higher level of assurance that users are who they claim to be – instead of just relying on user credentials that hackers today can easily compromise.
Security policies not only confirm that users are who they claim to be, but also examine whether the machines or methods of communication being used remotely as endpoints can be trusted. TAC can help you to quickly confirm whether a WFH user’s mobile device, laptop or home computer should get access to corporate resources or not.
As access requirements shift around in the WFH world, you can use the parameters surrounding that context of access to allow, deny or limit access with TAC. For instance, you can prevent users on untrusted devices from saving files, using the clipboard, or even printing to protect your enterprise resources; or you could require a verified, managed corporate device with admin credentials and multifactor authentication before allowing access to an RDP desktop.
RDP for Any User or Partner Device
TAC’s browser-based secure remote access is important for another reason: traditionally, RDP has only worked on Windows devices. TAC allows your organization to securely deliver RDP to any authenticated tablet, mobile phone, PC, Mac or Chromebook device, without needing to install an RDP client on your end user’s machine.
This is a much more cost-effective and secure approach to remote access – especially in today’s rapidly escalating WFH world – instead of having to purchase, manage and update hundreds or even thousands of corporate devices.
TAC also provides greater security for your business partners who access your infrastructure as well. Contractors and other partner organizations, whose employees most likely are now working from home as well, may have different security policies than yours. With TAC’s HTML5 capabilities, you can still deliver the same rich – and secure – experience to those third parties through a browser…without requiring an RDP client on their endpoints.
Full Reporting of All RDP Activity
There is one more important advantage to TAC – for the first time, you can see detailed alerting and auditing of RDP sessions to identify trends and individual events so you can more effectively manage your security posture, across both local and cloud resources.
TAC provides you with a detailed history of who accessed RDP, from where, with details about their devices, and the ability to drill down to gain much more valuable insights from there. For instance, in the brute force attack we discussed earlier, TAC would alert you to repeated log-in attempts made by the hacker – something RDP doesn’t provide – so you can stop the attack.
At the end of the day, TAC’s advanced three-dimensional approach to secure remote access takes away the complexity and risk of your existing RDP environment. That allows you to supercharge your ability to rapidly scale remote access for your end users in today’s accelerating WFH world. And TAC does it all much more securely and makes it easier for your end users.
Tim Boivin is the Marketing Director of PortSys. He can be reached at email@example.com.