By: Nihad Hassan
October 5, 2021
How To Protect Windows Remote Desktop Connection
By: Nihad Hassan
October 5, 2021
The ongoing spread of the COVID-19 virus has significantly impacted the work culture around the world. Digital transformation witnessed a boost by several years in just a few months. To remain operational during the long period of lockdown, organizations opted to adopt the work-from-home model.
To gain access to remote resources, employees have to use specialized software to connect with their organization's internal networks. There are many programs to facilitate remote connections; some are pre-built with the installed operating system, while third-party providers develop others. One of the most popular remote connection tools is Microsoft Remote Desktop Protocol (RDP).
RDP is a proprietary remote connection protocol developed by Microsoft. It provides a graphical interface to connect to another computer over a computer network (commonly the Internet). Although Microsoft develops RDP, there are versions to work on major operating systems such as Linux, Unix, macOS, iOS, and Android.
RDP opens a dedicated channel between the connected computers; the connection is encrypted for added security. RDP uses port number 3389 and allows users to share their desktop and gain full access to the tools and applications installed on the remote system.
According to Kaspersky, brute-force attacks against RDP have witnessed a massive boost from March 2020 due to the enormous workforce shift amid the COVID-19 pandemic (see Figure 1). Figure 1 – Growth of RDP attacks – source: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/04/29113731/rdp-stats-all.png
RDP suffers from different vulnerabilities; the main two are:
Employees utilize weak passwords to protect their RDP connection. For example, many organizations still utilize legacy operating systems on their old devices. Users commonly use weak passwords to protect their desktop login. Many employees use the same password for the RDP. Attackers know this fact and try to exploit the RDP connection by executing brute-force and credential stuffing attacks.
RDP commonly utilizes the 3389 port to open remote connections. This fact allows attackers to concentrate their efforts to target this port.
This article will shed light on the best methods to secure Windows Remote Protocol Connection (RDP). However, before we begin our discussion about the RDP, giving general advice about securing remote access is beneficial.
General Steps To Secure Remote Access
- Utilize multi-factor authentication (MFA).
- Utilize strong passwords to protect Remote Desktop Protocol (RDP) credentials. A strong password comprises more than twelve characters with both uppercase and lowercase letters, numbers, and at least one symbol.
- Install security solutions such as anti-malware, anti-virus, and a firewall. Make sure to keep them all up to date.
- Keep your operating system and installed applications up to date.
- Avoid installing programs from pirated websites; software downloaded from such sites could be bundled with malware (e.g., Ransomware).
- Many organizations contain computers that cannot be updated, such as legacy systems that only work on Windows 7. In such a case, isolate the outdated device and never make it accessible online.
- Configure your network and endpoint device settings to log RDP login attempts.
- Cybersecurity End-user training. Make sure your employees are aware of various social engineering attack tactics.
- Monitor suspicious user's activities across the network and make sure to suspend suspicious users' accounts.
Steps To Secure RDP Connection
Securing RDP is similar to other remote connection tools; in addition to what was mentioned already, we should implement the following security measures:
Enable RDP auditing in Windows group policy
- Access Group Policy Management console by going to Run >> type gpedit.msc
- Enable Remote Desktop auditing: We can achieve this by going to Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> Audit Logon (see Figure 2).
Figure 2- Audit RDP login attempts
Use third-party tools to analyze RDP connection log
Tools such as RDPSoft RDS Log Viewer (see Figure 3) can track and correlate each RDP failure and successful logon. This tool comes with many features like export the results to comma-delimited text and geolocates the attacker's IP address. Figure 3 - RDS Log Viewer
Remote Desktop Commander Suite
A Remote Desktop Commander Suite provides comprehensive visibility into your RDP server environment. It comes with rich features that you can check on its website.
Turn off RDP account lockout policy
This may seem strange at first glance. However, it is better to disable the RDP account lockout policy for the following reasons:
- Attackers commonly try to capture the RDP credential instead of trying to brute-force it.
- Attackers may exploit the lookout policy for their favor by launching a Denial-of-service attack against the RDP server.
Use a VPN
Make sure to run your RDP connection over your organization's VPN service. Although RDP protocol encrypts data by default, utilizing a VPN will add a security layer for transmitted data.
And finally, make sure to disable and close the RDP connection port at 3389 if you don't use RDP.
The spread of COVID-19 disease has forced most organizations to adopt a remote-work model. RDP is considered the most prominent solution for facilitating a remote working model. This article introduced various security controls to strengthen your RDP connection to prevent cybercriminals from exploiting it to gain an entry point into your organization's network or computing device.