SecurityTrails Blog · Jun 07 · by Gianni Perez & German Hoeffner

RDP: Risks and Prevention Tips for Your Attack Surface


The Remote Desktop Protocol (RDP) belongs to a subset of ITU-T protocol standards purposely designed to provide reliable transport of visual, input, control, and component-sharing data and capabilities from one remote computer system to another.

Its asymmetric nature, provisioned from early primitives that relied on multipoint domain specifications and multicast services, is essentially a client-server model adaptation that uses a layered approach to negotiate, manage, encrypt, and transport session-specific information via virtual rendering. On the server side, where most of the resource-intensive administration and processing takes place, RDP licensing parameters are also observed. Meanwhile, bandwidth reduction using persistent bitmap caches and data compression mechanisms affords the protocol a dynamic scaffold from which to deliver a rich user experience.

When Microsoft introduced RDP in 1998 as part of Windows NT Server 4.0 (Terminal Server Edition), the innovation lay in thin clients that simply displayed what was computed on another machine. These days RDP, usually referred to simply as Remote Desktop, is primarily used to access remote devices for both convenience and administrative reasons.

The risk of exposing Remote Desktop

Despite all the architectural rigor and enhanced security controls underpinning RDP (in all its different adaptations), the protocol is still limited by our inability to foster a secure remote access ecosystem.

For instance, misconfigurations that unintentionally expose remote desktop services to the internet at large make up an important attack vector. Typically this means a port such as TCP 3389 (in the case of Windows) is directly reachable by threat actors, who can then apply brute-force techniques, or correlate data gathered from prominent social media sites, to harvest vulnerable accounts.

To illustrate, take the case of “Luciano”: a former NextBitt employee whose LinkedIn profile became the target of a recent OSINT campaign against the firm, giving attackers a second round of actionable intelligence by suggesting his first and last name as a prospective username. Primed with this information, and having correlated that username with a remote desktop user, the recon phase can now proceed.


RDP’s widespread popularity, perpetuated in part by a growing remote workforce, has also drawn attention to the exploitation of a handful of security vulnerabilities, including the protocol’s own propensity to amplify reflective DDoS attacks under certain conditions. For example, in 2019 a small collection of “wormable” bugs (one in particular known as BlueKeep, officially classified as CVE-2019-0708) found in the Windows kernel affected RDP at the server level, meaning that once a system was compromised, the chance of additional RCE (Remote Code Execution) events extending to adjacent systems increased significantly.

According to Sophos, the average time between target acquisition (the moment an endpoint is scanned and identified as having some form of RDP exposed) and the first wave of brute-force login attempts is about 3 hours, with some evidence suggesting the window can shrink to under 2 minutes. Moreover, once discovered, these endpoints experience an escalating number of attacks as more malicious infrastructure joins the scanning effort.

In short, unrestricted port access, unpatched software vulnerabilities, DDoS amplification via (misconfigured) port exposure, and poor credential hygiene (including that of high-privilege accounts) are the most notorious security risks associated with the use of RDP.

How to stay secure

To effectively secure RDP, and remote access in general, a few recommendations are in order.

Avoid public access at any cost

First and foremost, if external (internet-facing) connectivity to remote desktop services isn’t an absolute business requirement, do what is necessary to shut down that access, and establish continuous monitoring to prevent exposure from recurring. In this light, understand the significance of Attack Surface Intelligence (ASI), in all its implications, and use it to get an accurate representation of your digital footprint before threat actors do.

Implement multi-factor authentication

If the business case for remote access does succeed, a VPN or remote desktop gateway solution that supports multi-factor authentication provides a meaningful backstop should any user credentials be compromised. Strictly enforced password complexity and account lockout policies strengthen these protections, as do the principles of least privilege and just-in-time access, which limit RDP services to authorized users only, and regular log reviews, which help pinpoint any anomalous activity.
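
As an added illustration of the log-review recommendation above (example code written for this edit, not part of the original post or of any SecurityTrails tooling), the following PowerShell summarises failed logon events from the Windows Security log by source address, which is how the brute-force wave that follows discovery of an exposed RDP host shows up to a defender. It assumes it runs as Administrator on the RDP host itself and that logon-failure auditing (event ID 4625) is enabled; the lookback window and threshold are illustrative values.

```powershell
# Added example: summarise failed RDP logons by source address to spot brute-force bursts.
# Assumptions: run as Administrator on the RDP host; audit policy records event 4625.
param(
    [int]$LookbackMinutes  = 60,   # illustrative window
    [int]$FailureThreshold = 20    # illustrative alert threshold per source address
)

# Pull a named field (e.g. TargetUserName) out of the event's EventData XML.
function Get-EventField {
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# LogonType 10 = RemoteInteractive (classic RDP logon). With NLA enabled, a failed
# CredSSP pre-authentication is recorded as type 3 (Network) instead, so keep both;
# type 3 also covers other network logons (SMB etc.), which is why we pivot on source IP.
$failures = foreach ($e in $events) {
    $x    = [xml]$e.ToXml()
    $type = Get-EventField $x 'LogonType'
    $ip   = Get-EventField $x 'IpAddress'
    if ($type -in @('3', '10') -and $ip -and $ip -ne '-') {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            User     = Get-EventField $x 'TargetUserName'
            SourceIp = $ip
        }
    }
}

# One row per source address that crossed the threshold: volume, how many distinct
# usernames were tried (password spraying vs. a single account), and the time span.
$failures |
    Group-Object SourceIp |
    Where-Object { $_.Count -ge $FailureThreshold } |
    ForEach-Object {
        [pscustomobject]@{
            SourceIp      = $_.Name
            Failures      = $_.Count
            DistinctUsers = ($_.Group.User | Sort-Object -Unique).Count
            FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } |
    Sort-Object Failures -Descending |
    Format-Table -AutoSize
```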

Enable Network Level Authentication

Building a successful remote access strategy could also entail provisioning Network Level Authentication (NLA). With NLA, the connecting user must authenticate before a remote session is established, rather than being shown a logon screen inside an already-allocated session, so malicious users are prevented from exhausting valuable server resources. This effectively mitigates brute forcing and even certain denial-of-service scenarios, to name just two advantages.
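
To check the recommendations above on a given host (no unrestricted inbound access, NLA enforced, a TLS security layer, and a lockout policy in place), here is an added PowerShell audit written for this edit; it is not part of the original post or of any SecurityTrails product. It reads the Terminal Server registry values and the built-in Windows Firewall rule group, and assumes an English-language Windows host with the NetSecurity module, run as Administrator; the 'Remote Desktop' rule-group name and the net accounts output are localized on non-English systems.

```powershell
# Added example: audit local RDP hardening posture. Assumes Administrator on an
# English-language Windows host with the NetSecurity module available.
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means connections are refused.
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
Add-Finding 'RDP disabled unless required' ($deny -eq 1) "fDenyTSConnections=$deny"

# 2. NLA: UserAuthentication = 1 requires CredSSP authentication before a session exists.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
Add-Finding 'Network Level Authentication required' ($nla -eq 1) "UserAuthentication=$nla"

# 3. Security layer: 2 = TLS required; 0 or 1 still allow legacy RDP security negotiation.
$layer = (Get-ItemProperty -Path $rdpTcp -Name SecurityLayer).SecurityLayer
Add-Finding 'TLS security layer enforced' ($layer -eq 2) "SecurityLayer=$layer"

# 4. Firewall: enabled inbound Remote Desktop rules whose remote-address scope is 'Any'
#    are the "unrestricted port access" the post warns about.
$openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True `
                                 -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
$unscoped = if ($openRules) { $openRules.DisplayName -join ', ' } else { 'none' }
Add-Finding 'Inbound RDP rules scoped to trusted addresses' (-not $openRules) "Unscoped rules: $unscoped"

# 5. Account lockout threshold, to blunt the brute-force wave that follows discovery.
#    'net accounts' prints "Lockout threshold: Never" when no policy is set.
$lockout = (net accounts | Select-String 'Lockout threshold').ToString().Trim()
Add-Finding 'Account lockout threshold set' ($lockout -notmatch 'Never') $lockout

$findings | Format-Table -AutoSize
```

A Pass value of False on any row is a concrete gap to close before considering the host fit for any remote access, internal or otherwise.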

Keep your systems updated

As mentioned, exploits like BlueKeep may allow unauthenticated attackers to connect to remote systems via RDP using specially crafted requests. Incidentally, security researchers also emphasize the need to keep a close eye on the client application side of RDP, particularly when it comes to patching, or the lack thereof, as some client software is prone to vulnerabilities similar to those found on the server side of the protocol.

Using virtual desktops

Finally, if your users require access to remote desktops, and not servers, consider the use of virtual desktops to provide your employees with the optimal user experience without the security burden and complexities imposed by the legacy remote desktop services environment. Coupled with technologies like single sign-on, this cloud-native platform offers excellent isolation and segmentation features that may prevent further techniques, like lateral movement, in case of a breach.

Detecting RDPs with Attack Surface Intelligence

Short of a Zero Trust initiative, there will always be caveats with some of, if not all, the above best practices.

And that’s where Attack Surface Intelligence comes in.

Our ASI platform includes our increasingly popular Risk Rules, which can help you discover every single one of your public-facing assets and analyze them for any security vulnerabilities and/or misconfigurations while alerting you when a risk has been found. In the case of RDP-exposed infrastructure, the interface would look as follows:


Information such as affected host(s), priority, a screenshot of the RDP server, and a download button will be available for you to work with. For example, by clicking on the “View Screenshot” link, you’ll be presented with a visual of not only the login screen, but also with any prior users associated with the server.

Risk rules example

In summary

It is uncertain whether RDP will continue to be the primary driver of the remote desktop revolution into the future. But until now, thanks to its low overhead, flexibility, and a series of well-engineered security features, the protocol has met both the troubleshooting and administrative demands of an entire generation of users across every organizational echelon. This popularity, however, has consistently saddled the protocol with a series of misconfiguration flaws, making it a common target for cybercriminals, with attacks on the rise.

Take action today by limiting your attack surface only to those endpoints over which you have complete and clear visibility, and let ASI guide you in assessing areas of inadvertent RDP exposure before they become the proverbial low-hanging fruit.

Gianni Perez Blog Author

Gianni is a technical writer at SecurityTrails and an adjunct college cybersecurity instructor with over two decades of infosec experience. He knows firsthand the demands security professionals face, and draws upon his knowledge of IT systems, from administration and software development to automation, to provide valuable security insights that make a real difference.

German Hoeffner Blog Author

German is our current Head of Marketing. With a strong IT security background, he has been working hard every day to make the internet a better and safer place by providing IT security professionals with threat intelligence data.