RDP servers used for Remote Desktop connections are among the top targets for cybercriminals. What aspects should be taken into consideration for secure remote access? RDP (Remote Desktop Protocol) is one of the most used protocols to access and control server and desktop systems remotely. Microsoft developed it as a proprietary networking protocol that allows users to control a computer remotely, as if sitting in front of it, using a dedicated client application.
The client that Microsoft offers by default in all Windows installations is called Remote Desktop Connection: using it, you can connect with the server component of the Remote Desktop. RDP and Remote Desktops are widely used in corporate environments because they allow specialized personnel to remotely access server machines, workstations, and customers’ and colleagues’ computers to solve problems or provide technical assistance.
Remote Desktop Is The Number One Target Of Many Cyber Attacks
Unfortunately, over time there have been many problems with the implementation of RDP on both the server and the client side. Without Microsoft's monthly patches, even an otherwise properly secured Remote Desktop server could be remotely attackable. It is not for nothing that most national security agencies rate RDP as the number one cause of ransomware attacks. We also discuss it in the article on the origin of cyber attacks.
An experiment conducted by Palo Alto Networks' Unit 42 highlighted how an unprotected Remote Desktop server, publicly exposed on the Internet, is hacked 80% of the time within just 24 hours. On average, the honeypots set up by the researchers were attacked within 11 hours of their activation. Likewise, a simple search with the Shodan engine highlights which and how many systems using RDP appear on the network (type Remote Desktop in the Shodan search box).
Remote Desktop And Security
In general, to use Remote Desktop safely, you should avoid exposing the communication port used by the RDP server (by default TCP/UDP 3389) on the WAN: the connection to the Remote Desktop server should be protected by a firewall and allowed only after the client has connected to a local or otherwise secured VPN server, using two-factor authentication (2FA) or multi-factor authentication (MFA).
Microsoft talks about MFA on Remote Desktop in a recent article. Correct credentials alone (username and password) should not be enough to connect to the Remote Desktop server. In addition, to use Remote Desktop securely, access to the system should be allowed on the firewall side only to clients connecting from one or more specific IP addresses.
In this case, clients offering remote support must always "go out" on the Internet with the same public IP address (static IP). Alternatively, you can access the Remote Desktop server via VPN: by configuring a VPN server within your infrastructure (you can do it with a dedicated system or simply on your router or NAS...), you prevent the ports used by Remote Desktop from being publicly exposed.
We have already talked about hardening Remote Desktop sessions and the importance of protecting servers and workstations from cyber attacks. Defending systems that play the role of RDP servers is essential not only to prevent the data they contain from falling into the hands of criminals, but also because these machines are typically exploited for so-called lateral movement, that is, to attack other devices and local and remote accounts.
To set up remote access via Remote Desktop, press Windows+R, then type system.cpl,5. Selecting the Allow remote connections from this computer option and checking the Allow connections only from computers running Remote Desktop with Network Level Authentication box enables the RDP server on TCP/UDP port 3389. By default, administrator accounts are entitled to access the Remote Desktop server.
By pressing Windows+R, typing gpedit.msc, going to Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment and double-clicking Deny log on through Remote Desktop Services, you can, if necessary, add a list of users who are not entitled to connect remotely. In the example, the Remote Desktop client is being used to connect to a remote machine running the RDP server. Note the local IP address we specified (192.168.1.2 in the example): to connect with this system remotely, we first established a connection with the remote VPN server.
What we have reproduced in the image is the message shown to a user who is not authorized by policy to connect with the RDP server. The following PowerShell script allows you to extract from the event log the list of successful Remote Desktop connections, with the date and time of each one: In the image, a successfully established Remote Desktop session. With the command shown, typed in a terminal window or a PowerShell window, Windows also returns the list of users currently connected via Remote Desktop.
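As an added example (not the article's own script, which is not reproduced here), the following PowerShell lists the successful Remote Desktop logons recorded in the Security event log: it filters event 4624 for logon type 10 (RemoteInteractive) and prints the time, account and source address of each one, then warns about logons from addresses outside the expected client range; the $Days look-back window and the 192.168.0.0/16 client range are assumptions.

```powershell
# Added example, not the article's own script.
# Lists successful Remote Desktop logons recorded in the Security log:
# event 4624 with LogonType 10 (RemoteInteractive). Run from an
# elevated PowerShell window, since reading the Security log needs
# administrator rights.
param(
    [int]$Days = 7   # look-back window; the 7-day default is an assumption
)

$start = (Get-Date).AddDays(-$Days)

$rdpLogons = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = $start
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # EventData fields are positional in the message text; read them
        # by name from the event XML instead of relying on their order.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # LogonType 10 = RemoteInteractive, i.e. a Remote Desktop session.
        if ($data['LogonType'] -eq '10') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                SourceIP = $data['IpAddress']
                LogonId  = $data['TargetLogonId']
            }
        }
    } |
    Sort-Object Time

$rdpLogons | Format-Table -AutoSize

# Flag logons whose source is outside the expected client range
# (assumption: 192.168.0.0/16 is the only range RDP clients should come
# from, as with the VPN-connected client in the article's example).
$rdpLogons |
    Where-Object { $_.SourceIP -and $_.SourceIP -ne '-' -and $_.SourceIP -notlike '192.168.*' } |
    ForEach-Object {
        Write-Warning "RDP logon for $($_.User) from unexpected address $($_.SourceIP) at $($_.Time)"
    }
```

Pair the output with the firewall and VPN restrictions described earlier: any logon that does not come through the VPN address range is worth investigating.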