Research for this article relied heavily on the fascinating report from Sophos Labs. A link to their article is found below.
Remote Desktop Protocol, commonly referred to as RDP, is a way for users to access Windows devices remotely as if they were locally sitting in front of a computer screen. This protocol is heavily relied on and widely deployed. The problem with RDP is its susceptibility to abuse and that it can be a launchpad for an infection or hacking within your network. The recent issue has to do with a piece of malware known as BlueKeep (CVE- 2019-0708). As administrators race to patch for that vulnerability, there is an even greater vulnerability that exists within the use of RDP.
Throughout this article, I aim to break down the major issues that exist while using RDP to access a device remotely.
Issue #1 - Open to The World
There are a surprisingly high number of RDP connections open to the public that typically sit behind a firewall. Once the firewall policy is written to allow traffic to pass through, the overall use of the firewall is pointless.
Port Scanning is the process of scanning IP addresses to see which ports are open. This technique is very old and will likely continue until the end of time. There is a legitimate need for the process of port scanning, which is why it is technically possible. However, as with all things that are useful, they can be used against you. Once the ports are open, attackers can then attempt to gain access.
You must be aware that your networks are constantly being scanned for open ports from people and computers all over the world. Take into consideration the evidence obtained from Sophos. Through their research, Sophos uncovered that some of the scanned devices were found to be open in under two minutes, just right after being put online! You cannot lace a server with an open RDP on the internet for even a minute to test. The only way to secure your RDP connections is to close the hole in your firewall, and if it is needed, to use a front-end device, which will be discuss later.
Issue #2 - Reliance on Passwords
Once an RDP port is detected to be opened, criminals can then attempt to brute force their way into the computer by guessing the passwords. This means that the entire security of the network is reliant on the security of the passwords attached. Often times, the Administrator passwords can also be guessed.
The process to brute force your way into a network using passwords is quite simple. Software bought off the shelf or downloaded for free can be used to quickly attempt logins using common usernames and passwords. Many IT departments still use common passwords for end users with a little flare such as Welcome1, Password1!, etc. We have even found through our own research that most administrative passwords commonly contain a derivative of the company name which can narrow down the guessing.
By combining weak password policies with open RDP connections, you risk a quick and simple attack on your network.
Issue #3 - Launchpad for Attack
Once you have a connection that is found to be open and access is gained through a brute force password attack, the attacker now has free rein over that device and anything connected to it. If your RDP connected device is on your DMZ, everything on your DMZ can be attacked. Or if the RDP device is on your internal network, all of those devices are exposed.
An RDP connected device is used as a launchpad for attacks against your network. This is how ransomware like Wannacry can spread. These worm-type malware strains spread laterally throughout a network, quickly escalating and more often than not, leading to closures of a business. It can actually start with a simple open port on a firewall! Not all attacks on your network are sophisticated. Sometimes, they are the result of misconfigurations.
Solutions - Access Portals/VPNS
If RDP access is needed to provide services and access to your employees or supplies, you need to remove the connection directly from the internet immediately.
You should replace this with a front-end system such as an SSL VPN or Access Portal. These services will give you a clienteles VPN experience. We can connect an MFA solution to the clienteles VPN to provide a necessary additional layer of security. Once the user logs in, they then can launch internal applications, including RDP. Working to ultimately to provide a secure solution for your organization and eliminate the major issues associated with RDP.