It may be time to rethink RDP

Remote Desktop Protocol (RDP), Microsoft’s widely used remote access protocol, continues to be a prime target for cyber criminals.

Some of the threats garnering the biggest headlines since 2016 have been RDP-related: ransomware such as CrySiS, CryptON and SamSam, whose operators got in through exposed RDP servers, not to mention the stolen RDP credentials sold cheaply on dark web marketplaces.

For too long, traditional remote access deployments, meaning an RDP server published directly to the internet and reached with Microsoft’s client or open-source clients such as rdesktop and FreeRDP, have given cyber criminals carte blanche to break into improperly secured RDP servers. The problem is only getting worse as attackers extend their reach with automated attacks run at internet scale.

The FBI and Department of Homeland Security noted last fall that RDP has been one of the most heavily targeted attack vectors over the past three years. Attackers are successfully exploiting several RDP weaknesses, most of which are configuration failures rather than software bugs: weak passwords; outdated RDP versions that rely on flawed encryption mechanisms; unrestricted access to TCP port 3389, the default RDP port; and no limit on failed login attempts against user accounts.

RDP is so often compromised because internet-facing RDP servers are found by persistent automated scans that sweep the whole address space for listening RDP services. Port 3389 is the first place scanners look, but moving the service to a non-standard port does not eliminate the risk, since scanners identify the service by its handshake rather than by trusting the port number. Once a listener is found, attackers can immediately launch brute-force and dictionary attacks against usernames and passwords, with a particular focus on administrator accounts that carry elevated privileges.
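What that brute-force traffic looks like from the defender’s side is worth seeing, because the same logs that reveal it are the ones most organizations never watch. The following Python script is an added example, not code from the original article or from any product it describes. It reads failed-logon records modelled on Windows Security Event ID 4625 and flags two patterns from a single source address inside a sliding time window: many failures against one account (brute force) and failures spread across many accounts (password spraying). The flat `key=value` line format is an assumption made for the example (it is not the native Security-log XML), the sample records are constructed with RFC 5737 documentation addresses and made-up account names, and the thresholds are starting points to tune, not recommendations from the FBI/DHS guidance.

```python
"""Flag RDP brute-force and password-spray activity in Windows failed-logon events.

Added example: the log lines are constructed for illustration, the source
addresses are RFC 5737 documentation ranges, and the flat "key=value" export
format is an assumption rather than the native Security-log XML.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Set, Tuple

# Event ID 4625 = failed logon, 4624 = successful logon.
# LogonType 10 (RemoteInteractive) is the classic RDP logon; when Network Level
# Authentication is enforced, RDP failures are instead recorded as LogonType 3
# (Network), so both types must be counted.
RDP_LOGON_TYPES = {3, 10}

# Constructed sample export: one attacker hammering "administrator" from one IP,
# one attacker spraying a handful of accounts from another, and one legitimate
# user who mistypes a password once and then logs in successfully.
SAMPLE_LOG = """\
2019-03-04T02:14:05 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2019-03-04T02:14:06 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2019-03-04T02:14:07 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2019-03-04T02:14:08 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2019-03-04T02:14:09 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2019-03-04T02:14:10 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2019-03-04T02:20:00 EventID=4625 LogonType=3 TargetUserName=jsmith IpAddress=198.51.100.23
2019-03-04T02:20:01 EventID=4625 LogonType=3 TargetUserName=mjones IpAddress=198.51.100.23
2019-03-04T02:20:02 EventID=4625 LogonType=3 TargetUserName=backup IpAddress=198.51.100.23
2019-03-04T02:20:03 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=198.51.100.23
2019-03-04T02:20:04 EventID=4625 LogonType=3 TargetUserName=helpdesk IpAddress=198.51.100.23
2019-03-04T09:01:12 EventID=4625 LogonType=10 TargetUserName=alice IpAddress=10.0.5.40
2019-03-04T09:01:30 EventID=4624 LogonType=10 TargetUserName=alice IpAddress=10.0.5.40
2019-03-04T10:15:00 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
"""


class Event(NamedTuple):
    ts: datetime
    event_id: int
    logon_type: int
    user: str
    ip: str


class Finding(NamedTuple):
    ip: str
    kind: str            # "brute_force" or "password_spray"
    first_seen: datetime
    last_seen: datetime
    attempts: int        # failures inside the window when the threshold was crossed
    users: Tuple[str, ...]


LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)"
)


def parse_events(text: str) -> List[Event]:
    """Parse the flat export; lines that do not match the format are skipped, not guessed at."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), int(m["id"]),
                                int(m["lt"]), m["user"].lower(), m["ip"]))
    return events


def detect_rdp_attacks(events: List[Event], window: timedelta = timedelta(minutes=5),
                       fail_threshold: int = 5, spray_threshold: int = 4) -> List[Finding]:
    """Sliding-window count of RDP logon failures per source address.

    brute_force:    at least fail_threshold failures from one IP inside `window`
    password_spray: at least spray_threshold distinct accounts tried from one IP inside `window`
    Each (ip, kind) pair is reported once, at the moment its threshold is first crossed.
    """
    recent: Dict[str, Deque[Event]] = defaultdict(deque)
    reported: Set[Tuple[str, str]] = set()
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id != 4625 or ev.logon_type not in RDP_LOGON_TYPES:
            continue  # successes and non-RDP failures are out of scope here
        q = recent[ev.ip]
        q.append(ev)
        while ev.ts - q[0].ts > window:
            q.popleft()  # drop failures that have aged out of the window
        users = tuple(sorted({e.user for e in q}))
        for kind, hit in (("brute_force", len(q) >= fail_threshold),
                          ("password_spray", len(users) >= spray_threshold)):
            if hit and (ev.ip, kind) not in reported:
                reported.add((ev.ip, kind))
                findings.append(Finding(ev.ip, kind, q[0].ts, ev.ts, len(q), users))
    return findings


if __name__ == "__main__":
    for f in detect_rdp_attacks(parse_events(SAMPLE_LOG)):
        print(f"{f.kind:15s} {f.ip:15s} {f.attempts} failures across {len(f.users)} account(s) "
              f"between {f.first_seen:%H:%M:%S} and {f.last_seen:%H:%M:%S}")
```

On a real host the same fields come out of `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}` (the `TargetUserName`, `LogonType` and `IpAddress` properties of each event’s XML); the single mistyped password from the internal address produces no finding, which is the point of counting per source and per window rather than alerting on every 4625. Note that account lockout, one of the controls the FBI/DHS guidance calls for, turns the first pattern into a denial-of-service lever in the attacker’s hands, which is why the spray pattern (few attempts per account, many accounts) is the one that stays below lockout thresholds and needs this kind of correlation to see.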

The security challenge is that once attackers break in, they control the whole machine and have a foothold inside your network to attack from. That lets them move laterally, install malware and ransomware, steal data including further credentials, and launch attacks against other systems and users in the organization.

They do all this without requiring any action from a victim (unlike a phishing attack), so there is no user report to trigger an investigation and the intrusion is much harder to detect unless logon failures are being monitored. Meanwhile, more and more holes open across your attack surface.

RDP client sessions have proven relatively easy to compromise, and misconfigured RDP servers are common as well. In fact, more than two dozen vulnerabilities were disclosed earlier this year affecting not only Microsoft’s RDP client but also two of the most popular open-source remote desktop clients, rdesktop and FreeRDP; in these cases a malicious or compromised RDP server attacks the client that connects to it.

The FBI and DHS recommendations state that organizations can protect their resources against these attacks by taking 11 steps to closely regulate, monitor and control how RDP is accessed. 11 steps – it sounds like a Hitchcock horror movie, and it is.

Those 11 steps require yet another steep investment in people, technology and time to implement, and they make remote access even more cumbersome for your end users. For instance, the recommendations state, “Where possible, critical devices should not have RDP enabled.” Simply blocking this type of access may not be an option for the organization. And even if every measure is enacted, the RDP security nightmare doesn’t go away, because the approach still relies on traditional perimeter-style IT security with the RDP listener itself still reachable.

To answer these security concerns, new technologies are emerging: proxied RDP and clientless RDP. These approaches to remote desktop access make deploying virtual desktops and applications much easier, and significantly more secure than publishing an RDP server directly to the internet.

These technologies proxy RDP so that the RDP service is no longer directly exposed to the internet. All connections go through a browser-based RDP proxy, typically TLS-encrypted (HTTPS on port 443), so TCP 3389 never needs to be reachable from outside. Users must pass a robust authentication process that uses multiple factors rather than just a username and password, as in most traditional RDP deployments.

Security policies for proxied RDP can also take the user’s context and method of access into account. And instead of being handed the entire desktop (which remains possible), users gain access only to the specific applications they have been approved for, based on the security policies your organization has set for each individual application.

Clientless RDP takes advantage of these advances as well. Its additional benefit is that no RDP client is needed at all: the session is rendered in the browser. This is particularly useful for employees, partners or contractors who need to reach specific resources but cannot install a client on their endpoint, and it is a distinct advantage for organizations that do not own the endpoints, for instance when granting remote access to independent business partners who use their own machines.

A traditional RDP client also has no native support for two-factor authentication (short of smart-card logon), whereas a properly proxied RDP solution does. This provides yet another layer of security in both proxied and clientless RDP that is usually missing from a traditional RDP deployment.

These security challenges aren’t unique to RDP. Citrix, VMware Horizon View and other VDI infrastructures face similar challenges.

However, by providing browser-based remote access through a centralized solution that includes RDP-style access, you gain much greater control over access to your infrastructure and close off some of the most common ways it can be breached. This approach also provides a detailed record of who accessed RDP, from where and with what device, and lets you drill down from there to much more valuable insights. That makes it easier to identify trends and individual events and improve your security posture across the board.

These principles are part of certain Zero Trust solutions and are well worth considering when looking to strengthen and simplify your overall access infrastructure. They certainly make it worth reconsidering how you deploy remote access for your users. Proxied or clientless RDP are excellent alternatives, particularly as part of your overall access control solution.
