RDP is one of the most frequently targeted threat vectors today, most recently illustrated by the GoldBrute brute-force campaign against 1.5 million RDP servers last month. That was preceded by the National Security Agency strongly urging Windows RDP administrators and users to install Microsoft’s patch for the BlueKeep vulnerability (CVE-2019-0708), after researchers detected a sharp increase in scanning activity that could affect nearly 1 million unpatched, Internet-exposed devices.
A much more comprehensive approach to access control for RDP is needed, and that’s why many companies worldwide now rely on the Zero Trust approach of Total Access Control (TAC). TAC changes the game for RDP access to your infrastructure, both local and cloud.
Let’s take a deep dive into why you should consider Zero Trust Access with TAC.
Any Open Port Causes a Storm
First, it’s important to understand why BlueKeep, GoldBrute and the ransomware families that target RDP, such as CrySIS, CryptON and SamSam, succeed. (WannaCry is often mentioned in the same breath, but it spread over SMB rather than RDP; the lesson about exposed services is the same.) Simply put, RDP has been around for two decades and was designed for a far simpler network perimeter. It falls well short of protecting the sprawling attack surface of the modern enterprise, especially given the mission-critical role RDP now plays in providing access to cloud-hosted servers.
Hackers know the shortcomings of the technology, so they scan for open RDP ports to take over machines or intercept sessions. They use phishing, brute-force and dictionary attacks to acquire user names and passwords and then simply log in. Once inside your infrastructure, whether local or cloud, these bad actors can pivot to launch malware and ransomware, steal data, or hammer logins until Active Directory locks out legitimate users’ accounts, a denial of service in its own right.
Firewalls alone don’t prevent hackers from finding RDP holes across the enterprise and in the cloud; any RDP listener the firewall permits is reachable by the scanners. Moving RDP to a nonstandard port, instead of the usual port 3389, doesn’t work against these automated scans either: they identify RDP by its handshake, not by its port number, and keep probing until they find a listener where they can cause a storm of trouble. Once they penetrate your infrastructure, the damage multiplies as they move laterally to other applications, both local and cloud.
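The reason a nonstandard port buys nothing is that a scanner never trusts the port number. It sends the X.224 Connection Request that every RDP session begins with and looks for the Connection Confirm, so a listener on 3389, 33890 or 443 is classified the same way, and the reply also reveals whether the server enforces Network Level Authentication. The following is an added example written for this post, not PortSys or TAC code; the sample responses are constructed inline, and `probe()` is the only function that touches the network.

```python
"""Fingerprinting an RDP listener on any port from its X.224 handshake.

Added example, not PortSys/TAC code. The three SAMPLE_* responses are
constructed by hand, not captured from any real host.
"""
import socket
import struct

# RDP_NEG_RSP selectedProtocol values (MS-RDPBCGR 2.2.1.2.1)
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_RDSTLS, PROTOCOL_HYBRID_EX = 0, 1, 2, 4, 8
# RDP_NEG_FAILURE failureCode values (MS-RDPBCGR 2.2.1.2.2)
FAILURE_NAMES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER", 3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS", 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested: int = PROTOCOL_SSL | PROTOCOL_HYBRID) -> bytes:
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ (19 bytes in total)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)  # type, flags, length, requestedProtocols
    # LI (bytes that follow), CR-TPDU type 0xE0, dst-ref, src-ref, class 0, then the negotiation request
    x224 = bytes([6 + len(neg_req), 0xE0]) + b"\x00\x00" + b"\x00\x00" + b"\x00" + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT: version 3, reserved, total length


def parse_connection_confirm(data: bytes) -> dict:
    """Return {} unless `data` is an X.224 Connection Confirm; otherwise what it tells us."""
    if len(data) < 11 or data[0] != 3 or data[1] != 0:
        return {}
    if struct.unpack(">H", data[2:4])[0] != len(data):
        return {}
    li, pdu_type = data[4], data[5]
    if (pdu_type & 0xF0) != 0xD0 or li < 6 or 5 + li > len(data):  # CC-TPDU; low nibble is the CDT field
        return {}
    result = {"rdp": True, "negotiation": None, "nla": False}
    body = data[11:5 + li]  # bytes after the fixed 6-byte CC header: RDP_NEG_RSP or RDP_NEG_FAILURE
    if len(body) >= 8:
        neg_type, _flags, _length, value = struct.unpack("<BBHI", body[:8])
        if neg_type == 0x02:
            result.update(negotiation="response", selected_protocol=value,
                          nla=bool(value & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX)))
        elif neg_type == 0x03:
            result.update(negotiation="failure", failure_code=value,
                          failure_name=FAILURE_NAMES.get(value, "unknown"),
                          nla=(value == 5))  # HYBRID_REQUIRED_BY_SERVER: NLA is enforced
    return result


def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """Send the request to a live host and classify the answer (the only network I/O here)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        data = sock.recv(4)
        if len(data) == 4 and data[0] == 3:  # read the rest of the TPKT if the header is sane
            want = struct.unpack(">H", data[2:4])[0]
            while len(data) < want:
                chunk = sock.recv(want - len(data))
                if not chunk:
                    break
                data += chunk
    return parse_connection_confirm(data)


# Constructed responses (bytes.fromhex ignores the spaces).
SAMPLE_NLA = bytes.fromhex("03 00 00 13  0e d0 00 00 12 34 00  02 00 08 00 02 00 00 00")     # NEG_RSP: CredSSP
SAMPLE_FAIL = bytes.fromhex("03 00 00 13  0e d0 00 00 12 34 00  03 00 08 00 05 00 00 00")    # NEG_FAILURE to a
                                                                                              # client offering legacy security only
SAMPLE_LEGACY = bytes.fromhex("03 00 00 0b  06 d0 00 00 12 34 00")                           # CC without negotiation

if __name__ == "__main__":
    for name, sample in [("nla", SAMPLE_NLA), ("failure", SAMPLE_FAIL),
                         ("legacy", SAMPLE_LEGACY), ("ssh", b"SSH-2.0-OpenSSH_8.9\r\n")]:
        print(name, parse_connection_confirm(sample) or "not RDP")
```

`probe("host", 33890)` against your own server is the check to run after moving RDP off 3389: if it returns a dictionary with `"rdp": True`, a scanner would classify that port exactly as it classifies 3389. A server that answers with `"nla": False` is additionally advertising that a bare credential, without NLA, is enough to reach the login screen.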
Microsoft treats RDP as an administrative utility that enterprise organizations are responsible for protecting: it ships Network Level Authentication, TLS and the RD Gateway role, but leaves deciding who may reach the listener in the first place to the administrator. The native protocol has none of the security features needed today to prevent attacks, such as two-factor authentication, device validation or geolocation.
It’s no wonder the FBI and the Department of Homeland Security warn businesses that exposed RDP ports are one of the most prominent targets of hackers. The RDP doors are left wide open to today’s hackers.
Total Access Control – a better approach to protecting RDP
So how is Total Access Control from PortSys different? Our Zero Trust Access solution has been designed from Day One with the modern hybrid enterprise in mind.
TAC is a reverse proxy solution that sits between the user and the resources they wish to access. It applies security controls based on a user’s context of access to determine who should get access to what within your organization, checking each request against the organization’s own security policies before permitting access to your proprietary resources. TAC can do this for all your corporate resources, whether they are local or cloud-based.
TAC’s evaluation of a user’s context of access incorporates multiple factors that go beyond user name and password. TAC examines the device type, operating system, device security status, jailbreak or root status, whether antivirus is current, and more. TAC also applies granular security policies to the user’s device, location, IP address and network connection, including whether that network is trusted or untrusted.
Here’s how TAC protects RDP in today’s modern hybrid enterprise:
RDP ports are no longer visible to the outside world
Hackers can’t attack what they can’t see. TAC proxies your RDP connection, so the RDP listener itself is never exposed to the Internet: automated scans reach only the proxy and find no RDP ports behind it. Because the ports are no longer available to the outside world, hackers can’t attack them directly.
Robust authentication and validation with context of access, multi-factor authentication and more
The reverse proxy design of TAC allows an organization to insert whatever enhanced authentication and validation methods it wants to deploy to protect RDP (as well as any other resource). Users go through a robust authentication process, which can include multiple factors such as Active Directory credentials, device validation, two-factor authentication and certificate validation. The user then gains access only to the resources they qualify for under their current circumstances.
Should a user’s context of access change during a session, TAC constantly re-evaluates that user’s session based on rules set by your organization – and if the user no longer qualifies for that resource, their session is ended.
Another advantage TAC brings to the table is the ability to alter permissions based on geolocation. TAC not only validates credentials or whether the employee is using an authorized corporate workstation, but also whether that workstation is within the company’s normal geographic zone of operations. If it’s not, it can be blocked or limited in functionality.
Dynamic RDP profiles restrict specific functions within a session
There are several finer-grained levels of access that TAC extends through RDP. For instance, TAC can apply an RDP policy that blocks the clipboard, drive redirection or drag-and-drop, the channels through which data inside an organization’s infrastructure can be copied out to the client endpoint, which may itself be compromised or unmanaged. These RDP profiles are allocated dynamically and adjusted based on the user and the current context of access.
Block breakouts from an RDP session
Historically, RDP deployments have given bad actors too many easy opportunities: break into an improperly secured RDP server, break out of a published application or a locked-down desktop into a command prompt or file dialog, and from there wreak havoc across the enterprise.
With TAC, there is a security layer built between the user and the RDP server so these “tricks” can’t be used to break out of an RDP session.
Also, instead of always seeing the entire desktop, organizations can publish access to just a single RDP application. Only users that have passed the stringent security checks will get access and only to that specific application resource. Without access to the desktop or to the underlying network, organizations are more secure.
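The three mechanisms described above, evaluating the context of access (device posture, network, geolocation), re-evaluating a live session when that context changes, and narrowing the RDP profile down to a single published application with redirection turned off, fit together as one decision pipeline. The following is an added example written for this post, not PortSys or TAC code: the factor names, the policy rules, the trusted networks, the home countries and the `ERPClient` RemoteApp alias are all assumptions chosen for illustration. The profile keys it emits are standard mstsc `.rdp` settings.

```python
"""Context-of-access evaluation feeding a dynamic RDP profile.

Added example, not PortSys/TAC code. Policy rules, networks, countries
and the RemoteApp alias are assumptions chosen for illustration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Assumed organisation policy: trusted networks and the normal zone of operation.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
HOME_COUNTRIES = {"US", "CA"}


@dataclass(frozen=True)
class AccessContext:
    """Everything the proxy knows about one request (constructed fields)."""
    user: str
    mfa_passed: bool        # second factor completed at the proxy
    device_managed: bool    # corporate workstation whose device certificate validated
    av_current: bool        # endpoint reports up-to-date antivirus signatures
    jailbroken: bool        # rooted / jailbroken device
    source_ip: str
    country: str            # geolocation of source_ip


@dataclass(frozen=True)
class Decision:
    allow: bool
    clipboard: bool = False     # clipboard redirection permitted
    drives: bool = False        # client drive redirection permitted
    full_desktop: bool = False  # False: a single published application only
    reasons: tuple = ()


def evaluate(ctx: AccessContext) -> Decision:
    """Map the context to the set of RDP capabilities the user qualifies for."""
    if not ctx.mfa_passed:
        return Decision(False, reasons=("second factor not satisfied",))
    if ctx.jailbroken:
        return Decision(False, reasons=("device is rooted or jailbroken",))
    in_zone = ctx.country in HOME_COUNTRIES
    if not ctx.device_managed and not in_zone:
        return Decision(False, reasons=("unmanaged device outside normal zone",))
    on_trusted = any(ip_address(ctx.source_ip) in net for net in TRUSTED_NETS)
    healthy = ctx.device_managed and ctx.av_current
    reasons = []
    if not healthy:
        reasons.append("device posture: clipboard and drive redirection disabled")
    if not on_trusted:
        reasons.append("untrusted network: drive redirection disabled")
    if not in_zone:
        reasons.append("outside normal zone: published application only")
    return Decision(True, clipboard=healthy, drives=healthy and on_trusted,
                    full_desktop=ctx.device_managed and in_zone, reasons=tuple(reasons))


def rdp_profile(d: Decision, host: str, app_alias: str) -> str:
    """Render an mstsc-style .rdp profile from the decision (standard .rdp keys)."""
    if not d.allow:
        raise PermissionError("; ".join(d.reasons))
    lines = [
        f"full address:s:{host}",
        "authentication level:i:2",      # refuse to connect if the server identity cannot be verified
        "enablecredsspsupport:i:1",      # use CredSSP, i.e. Network Level Authentication
        f"redirectclipboard:i:{int(d.clipboard)}",
        f"drivestoredirect:s:{'*' if d.drives else ''}",   # '*' = all drives, empty = none
        "redirectprinters:i:0",
        f"remoteapplicationmode:i:{int(not d.full_desktop)}",
    ]
    if not d.full_desktop:
        lines.append(f"remoteapplicationprogram:s:||{app_alias}")  # hypothetical RemoteApp alias
    return "\n".join(lines) + "\n"


class Session:
    """A live session that is re-evaluated whenever its context changes."""

    def __init__(self, ctx: AccessContext, host: str, app_alias: str):
        self.ctx, self.host, self.app_alias = ctx, host, app_alias
        self.decision = evaluate(ctx)
        self.active = self.decision.allow

    def profile(self) -> str:
        return rdp_profile(self.decision, self.host, self.app_alias)

    def update(self, **changes) -> bool:
        """Apply a context change; the session ends if it no longer qualifies."""
        self.ctx = replace(self.ctx, **changes)
        self.decision = evaluate(self.ctx)
        if not self.decision.allow:
            self.active = False
        return self.active


if __name__ == "__main__":
    office = AccessContext("alice", True, True, True, False, "10.20.30.40", "US")
    s = Session(office, "rds01.corp.example", "ERPClient")
    print(s.profile())
    s.update(av_current=False)       # antivirus lapses mid-session: redirection is withdrawn
    print(s.profile())
    print("still active:", s.update(jailbroken=True))
```

The `.rdp` keys only shape what the client asks for; a modified client can ask for more. The same restrictions therefore have to be enforced where the proxy or session host terminates the connection as well, for example with the Remote Desktop Session Host device-redirection policies (the `fDisableClip` and `fDisableCdm` policy values under `Terminal Services`), so that the profile is a convenience for the user and not the control itself.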
Clientless RDP access from any device
It is important to note that TAC will support your existing direct RDP client, as one would expect. But it also offers the often more convenient option of delivering the same rich RDP experience through a browser on any device.
TAC provides clientless RDP to any device across all major operating systems: Windows, macOS, Linux, iOS and Android. This can make access to resources through RDP significantly easier for users as well as for organizations, especially where you don’t control the endpoint.
Easier and more secure, with a centralized audit trail
RDP security shouldn’t be a burden on users or admins. TAC takes away the complexity of most of today’s IT environments and replaces it with a single, easy-to-use solution that centralizes access, provides single sign-on and offers multiple layers of security, many of them invisible to end users. This simplifies the user experience, significantly increases security and empowers organizations.
And TAC’s unified architecture ensures, for the first time, that every feature and function of RDP security is controlled by a single platform, enabling better audit and reporting capabilities your organization can use to constantly improve its security profile. This centralized audit and reporting capability also extends to all resources published through TAC.
Transform Your RDP with TAC
RDP doesn’t have to be a threat to the security of your infrastructure. The safeguards that Total Access Control provides can quickly transform your organization’s ability to deliver simpler, stronger and unified security across the hybrid enterprise today – for RDP and all applications, local and cloud.
Take a different TAC, today.
Want to see first-hand how TAC is different?
Michael Oldham