Last Updated on 8 June 2023 by admin
Table of Contents
Since the coronavirus pandemic began, companies have been forced into configuring working environments with remote access to support employees working from home. But, are they doing this safely?
A recent spike in the number of exposed remote desktop protocol – RDP – services suggests this is one approach businesses are taking. However, the risks associated with exposing these services to the internet are almost endless if misconfigured or out of date.
What is Remote Desktop Protocol (RDP)?
Remote Desktop Protocol (RDP) allows users to establish a remote computing session (similar to a local session) with a computer running the Windows operating system.
The RDP connection between a remote computer and a user’s computer are encrypted at rest and while in transit. If an RDP connection is intercepted, it cannot be decrypted and remote desktop access will not be established again.
The Remote Desktop Protocol uses TCP port 3389 by default. You can also use different ports if you set up port redirection.
An efficient RDP provides secure remote access and will make the whole experience seamless.
Attacks against RDP and how to mitigate
A recent post by Shodan – a search engine for internet-exposed devices – showed that in the past month alone RDP devices have risen over 41%. While this provides remote access for employees to their work machines from home, RDP has numerous critical flaws, new and old. Two in more recent memory are BlueKeep and the family of issues known as DejaBlue.
The clear spike in RDP use brings the total number of services on Shodan to over 4.3 million globally.
A common tactic in protecting an RDP service is to simply not run it on the default registered port of 3389.
Shodan revealed that port 3388 also showed a sharp increase of over 36% over the past month. This method of obscuring a service has been proven to provide no security.
Attackers are likely to perform full port scans for vulnerable services and â€˜hiding a service in this way will provide zero security. No Sysadmin should be relying on security through obscurity in 2020.
What makes RDP such a risk in today’s business computing? Throughout 2019, Microsoft issued multiple security patches for critical vulnerabilities in its RDP implementation.
The first of these was dubbed BlueKeep – CVE-2019-0708 – which was first reported in May of 2019 thanks to the UK’s National Cyber Security Centre. BlueKeep works by sending a specially crafted packet while unauthenticated to RDP services resulting in remote code execution. It was found to affect Windows versions 2000 through to Windows 7.
To make BlueKeep worse, it can be weaponized in order to self-propagate, infecting multiple target systems in a single attack. Microsoft likened it to the infamous WannaCry attack which caused the NHS to almost come to a standstill and stated that up to 1 million devices may be vulnerable. Such an attack now would be nothing less than devastating, resulting in the unnecessary loss of life.
Similar to WannaCry, patches were released by Microsoft and even backpatched older versions of their OS which had reached end of life. Even now, Shodan reports that 8% of the current RDP services still remain vulnerable to BlueKeep, which could be an estimated 336,000 devices.
Is it safe to assume that versions after Windows 7 are not vulnerable to remote code execution vulnerabilities?
Well after the disclosure of BlueKeep, Microsoft’s own security teams delved deeper into the underlying issues and uncovered a plethora of new issues under the umbrella term DejaBlue.
The disclosure of these can be seen in the graph of port 3389 usages where many RDP services came offline in late 2019. These new vulnerabilities notably contained two more remote code execution flaws – CVE-2019-1181 and CVE-2019-1182 – but not only on old versions but also up to and including Windows 10.
So, what can be done to mitigate the risks associated with RDP? Well, first and foremost patch every service exposed to the internet and have a regular patching program implemented. This protects the service against any known vulnerabilities, but those unknown such as those developed or bought by Advanced Persistent Threat – APT – crews may still be able to exploit the service.
Even more simply, do not have RDP exposed in the first place. RDP has a track record of remote code execution – RCE – vulnerabilities being found and is not a secure service. An alternative, which many companies are already using, is to use a virtual private network – VPN.
In the past month, Shodan reported an increase in VPN servers of 33% mostly due to coronavirus. When using a VPN, the RDP service can only be exposed locally to those connected via the VPN service.
Alternatively, remote desktop gateway – RDG – is a way to use RDP over HTTPS and implement the access control principles, allowing for more fine-grained controls over full access VPNs.
The last thing that any business needs in this testing time are to fall victim to a ransomware attack due to vulnerable RDP services. Ensuring that working environments with remote access are secure and frequently reviewed should be at the forefront of any security approach in the coming months.
Is Remote desktop protocol secure?
The most important step in ensuring security on your network is to always use strong passwords and keep them secret. Use a password manager and ensure these are not stored in the cloud.
If you are running a server that supports remote connections, enable two-factor authentication (2FA) to prevent brute-force attacks. Use a hardware token and generate long, strong passwords to maintain security. It is also good practice to disable direct access to remote connections that are not required.
Disabling access to RDP services that are not required will also reduce vulnerabilities. Any unnecessary services may raise the risk of exposing your remote connections through a misconfigured or outdated server.
Use RDP encryption and enable port redirection to further strengthen your security. You can also enable RDP compression and deny connections from internal IP addresses.
Finally, take advantage of the vulnerability assessment tools available to ensure your remote connections are secure.