Updated: Apr 20, 2020
During the COVID-19 period many companies have had to adapt and make sure employees can work from home. One way to do this is through Remote Desktop, but when providing that access you cannot overlook the security questions and risks that come with it. In this blog post we discuss how your company can mitigate those risks.
Remote Desktop Protocol (RDP), the Microsoft Windows component that makes it easy for your employees to connect to work or home computers while they are away, is used by millions. Because RDP is so widely used, it is a common target for man-in-the-middle cyber attacks. That makes remote desktop security risks a top concern for network administrators, security experts, and analysts.
For companies that want not only to meet compliance standards but to exceed them, RDP security is a challenge. While RDP is built into Microsoft operating systems, RDP clients can also be installed on Apple, Linux, and Android operating systems. Without proper hardening, RDP can become the gateway through which a malware infection or targeted ransomware is deployed, resulting in critical service disruption.
Enhancing RDP Security
While RDP operates over an encrypted channel, earlier versions of RDP have a vulnerability in their encryption method, making them a preferred gateway for attackers. Microsoft estimates nearly 1 million devices are currently vulnerable to remote desktop security risks. The company issued a legacy patch for its outdated platforms, including Windows XP, Windows Server 2008, Windows 2003, and Windows 2007. (On these legacy platforms, RDP is known as Terminal Services.) Windows 8, Windows 10, and newer operating systems aren't vulnerable in this way.
Patching is an important way to enhance RDP security, but for those enterprises unable to patch right away, Microsoft recommends two actions: enabling Network Level Authentication (NLA) and blocking TCP port 3389.
Windows Vista, Windows 7, and Windows Server 2008 provide NLA by default. To enable NLA, go to Control Panel → System and Security → System. Click Remote Settings → Remote → Remote Desktop. Then select "Allow connections only from computers running Remote Desktop with Network Level Authentication".
To block TCP port 3389, go to Control Panel → System and Security → Windows Firewall. Select Advanced Settings. Click Inbound Rules. Select New Rule, choose Port, and click Next. Choose TCP, click Specific Local Ports, enter 3389, and click Next. Click Block the connection and then Next. Select the network profiles the rule applies to and click Next. Enter a name for the rule and click Finish.
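The same two interim mitigations applied from an elevated PowerShell session, as an added example that is not part of the original post. It assumes the default RDP listener named RDP-Tcp on TCP 3389; the rule name "Block RDP 3389 inbound" is our own label, and the final object is printed so the result can be checked rather than assumed.

```powershell
# Added example (not from the original post): apply Microsoft's two interim
# mitigations (require NLA, block inbound TCP 3389) with PowerShell instead
# of clicking through Control Panel. Run in an elevated PowerShell session.
# Assumptions: the RDP listener is the default 'RDP-Tcp' on TCP 3389 and the
# rule display name below is our own label.

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Require Network Level Authentication. UserAuthentication = 1 is the value
#    written by the "Allow connections only from computers running Remote
#    Desktop with Network Level Authentication" option.
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord

# 2. Block inbound TCP 3389 on every firewall profile (Domain, Private, Public).
#    A Block rule takes precedence over the built-in "Remote Desktop" Allow rules.
$ruleName = 'Block RDP 3389 inbound'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -Action Block -Profile Any | Out-Null
}

# 3. Read both settings back so a second person (or a drift-check script)
#    can verify the host state instead of trusting that the commands ran.
$nla        = (Get-ItemProperty -Path $rdpKey -Name 'UserAuthentication').UserAuthentication
$blockRule  = Get-NetFirewallRule -DisplayName $ruleName
$portFilter = $blockRule | Get-NetFirewallPortFilter

[pscustomobject]@{
    NlaRequired   = ($nla -eq 1)
    RuleEnabled   = ($blockRule.Enabled -eq 'True')
    RuleAction    = $blockRule.Action
    RuleLocalPort = $portFilter.LocalPort
}
```

Note that the Block rule stops all inbound RDP on that host, including connections from inside the network, which is what Microsoft's interim advice accepts for a host that cannot be patched. If administrators still need RDP to the machine, scope the rule to the Public profile or, better, keep the built-in Remote Desktop rules and restrict them to trusted addresses as described later in this post.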
Together, these actions will help prevent unauthorized access outside the enterprise and decrease remote desktop security risks. But your system could still be vulnerable to attacks within your enterprise.
Defending Against Remote Desktop Security Risks
Best practice for preventing exposure to RDP security issues starts with creating a policy for handling endpoints and making sure the RDP port isn't reachable from the internet. A proactive approach lets you focus on preventing initial access by minimizing RDP exposure. Initiatives include:
Limit RDP Users
You can limit who can log in through RDP and who can add or remove a user account from the Remote Desktop Users group. To do so:
Click Start → Programs → Administrative Tools → Local Security Policy.
Under Local Policies → User Rights Assignment, go to “Allow logon through Terminal Services,” or “Allow logon through Remote Desktop Services.”
Remove the Administrators group and leave the Remote Desktop Users group.
Use the System control panel to add users to the Remote Desktop Users group.
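An audit script for checking the outcome of the steps above, added here as an example and not code from the original post. It exports the effective local policy with secedit, reads the "Allow log on through Remote Desktop Services" right (internal name SeRemoteInteractiveLogonRight), and lists the members of Remote Desktop Users. The export path C:\Temp\secpol.inf is our own choice; the SIDs S-1-5-32-544 (Administrators) and S-1-5-32-555 (Remote Desktop Users) are Microsoft's fixed well-known SIDs.

```powershell
# Added example (not from the original post): report who can log on through
# Remote Desktop on this host. Run in an elevated PowerShell session.
# Assumptions: C:\Temp\secpol.inf is our own scratch path; S-1-5-32-544 and
# S-1-5-32-555 are the well-known SIDs of Administrators and Remote Desktop Users.

$exportPath = 'C:\Temp\secpol.inf'
New-Item -ItemType Directory -Path (Split-Path $exportPath) -Force | Out-Null

# secedit writes the effective local security policy; the [Privilege Rights]
# section contains the user-rights assignments shown in Local Security Policy.
secedit /export /cfg $exportPath /quiet | Out-Null

# Line looks like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
$line = Get-Content $exportPath | Where-Object { $_ -like 'SeRemoteInteractiveLogonRight*' }
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}

# Translate SIDs to account names where possible so the report is readable.
$report = foreach ($sid in $holders) {
    $name = $sid
    try {
        $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { }
    [pscustomobject]@{ Sid = $sid; Account = $name }
}

# Finding 1: after the steps above, Administrators should no longer hold the right.
$adminsStillAllowed = $holders -contains 'S-1-5-32-544'

# Finding 2: the Remote Desktop Users group now decides who gets in, so list it.
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource

Write-Output "Accounts holding 'Allow log on through Remote Desktop Services':"
$report | Format-Table -AutoSize
Write-Output ("Administrators group still allowed: {0}" -f $adminsStillAllowed)
Write-Output "Members of Remote Desktop Users:"
$members | Format-Table -AutoSize
```

The user-rights assignment and the group membership are two separate controls: removing Administrators from the logon right does nothing if the same people are also members of Remote Desktop Users, so review both lists together. On a domain-joined host, a domain Group Policy that sets this right will overwrite the local setting at the next policy refresh.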
Use a Virtual Private Network
When you use a Virtual Private Network (VPN) connection, you add an extra layer of RDP security to your system. The VPN ensures that before a connection can be made to your server, a connection must be made to the secure private network, which is encrypted and hosted outside of your server. When your computer is connected to the VPN, it is assigned a private IP address used to open the remote desktop connection to the server. That means attempts from outside IP addresses to connect will be rejected.
Most firewalls come with built-in VPNs that support multi-factor authentication (MFA) and provide a secure way for external users to reach internal resources without exposing those resources directly to the internet.
Use a Remote Desktop Gateway
An RDP gateway (in conjunction with a VPN) enhances control by removing direct remote user access to your systems and replacing it with a point-to-point remote desktop connection. Users go to a login page, enter their credentials, and are connected to the network through a firewall. Microsoft has built RDP gateway functionality into its Windows servers, which is where the current risk for legacy computers is found.
Follow a Strong Security Policy
For enhanced remote desktop safety, make sure you enforce a strong security policy throughout your organization. That policy should include:
Passwords – Passwords must be at least eight characters long and include uppercase and lowercase letters, numbers, and special characters. They should not resemble any previously used passwords. Your policy should also include a lockout policy: how many failed password attempts are allowed before a lockout takes place, and how long the lockout lasts. To set a lockout policy:
Go to Start → Programs → Administrative Tools → Local Security Policy.
Go to Account Policies → Account Lockout Policy.
Set values for all three options (Account lockout threshold, Account lockout duration, and Reset account lockout counter after).
Logging policy – Make sure all systems record and retain audit-logging information. Ensure logs are reviewed daily for errors or suspicious activity, and set up appropriate rules for alert generation. If you use an RDP gateway, you automatically get a log that records how and when RDP is used on all devices across your enterprise.
IP access – To better protect your system, you can limit RDP access to trusted IP addresses only (an IP address is the unique series of numbers that identifies a computer on a network).
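One concrete alert rule of the kind the logging policy asks for, added here as an example and not part of the original post. It runs over constructed sample records shaped like Windows Security log events (ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP) and flags a source address that fails repeatedly, raising the severity if a successful logon from that address follows the burst. The threshold of 5 failures in 10 minutes and the sample addresses and usernames are our own choices.

```powershell
# Added example (not from the original post): detect RDP password guessing in
# logon events. The records below are constructed to look like Security-log
# events 4625/4624; the threshold and window are our own choices.

$sampleEvents = @(
    [pscustomobject]@{ Time = [datetime]'2020-04-20 08:01:10'; Id = 4625; LogonType = 10; User = 'administrator'; Ip = '203.0.113.8' }
    [pscustomobject]@{ Time = [datetime]'2020-04-20 08:01:12'; Id = 4625; LogonType = 10; User = 'admin';         Ip = '203.0.113.8' }
    [pscustomobject]@{ Time = [datetime]'2020-04-20 08:01:15'; Id = 4625; LogonType = 10; User = 'backup';        Ip = '203.0.113.8' }
    [pscustomobject]@{ Time = [datetime]'2020-04-20 08:01:19'; Id = 4625; LogonType = 10; User = 'jsmith';        Ip = '203.0.113.8' }
    [pscustomobject]@{ Time = [datetime]'2020-04-20 08:01:23'; Id = 4625; LogonType = 10; User = 'jsmith';        Ip = '203.0.113.8' }
    [pscustomobject]@{ Time = [datetime]'2020-04-20 08:02:00'; Id = 4624; LogonType = 10; User = 'jsmith';        Ip = '203.0.113.8' }
    [pscustomobject]@{ Time = [datetime]'2020-04-20 09:15:00'; Id = 4625; LogonType = 10; User = 'mlee';          Ip = '10.0.0.25' }
    [pscustomobject]@{ Time = [datetime]'2020-04-20 09:15:40'; Id = 4624; LogonType = 10; User = 'mlee';          Ip = '10.0.0.25' }
)

function Find-RdpLogonAnomalies {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold     = 5,    # failures needed to raise a finding
        [int] $WindowMinutes = 10    # sliding window length
    )
    # Only RDP (RemoteInteractive) logons are of interest here.
    $rdp = $Events | Where-Object { $_.LogonType -eq 10 } | Sort-Object Time
    $findings = @()
    foreach ($group in ($rdp | Group-Object Ip)) {
        $failures  = @($group.Group | Where-Object { $_.Id -eq 4625 })
        $successes = @($group.Group | Where-Object { $_.Id -eq 4624 })
        # Slide a window over this address's failures, oldest first.
        for ($start = 0; $start -lt $failures.Count; $start++) {
            $from = $failures[$start].Time
            $to   = $from.AddMinutes($WindowMinutes)
            $inWindow = @($failures | Where-Object { $_.Time -ge $from -and $_.Time -le $to })
            if ($inWindow.Count -lt $Threshold) { continue }

            # A success after the burst means a guess may have worked.
            $lastFail     = ($inWindow | Select-Object -Last 1).Time
            $successAfter = @($successes | Where-Object { $_.Time -gt $lastFail }) | Select-Object -First 1
            $successUser  = $null
            $severity     = 'Medium'
            if ($successAfter) { $successUser = $successAfter.User; $severity = 'High' }

            $findings += [pscustomobject]@{
                SourceIp     = $group.Name
                Failures     = $inWindow.Count
                Usernames    = ($inWindow.User | Sort-Object -Unique) -join ','
                FirstFailure = $inWindow[0].Time
                SuccessAfter = $successUser
                Severity     = $severity
            }
            break   # one finding per source address is enough for triage
        }
    }
    return $findings
}

# With the sample above, 203.0.113.8 is reported as High (5 failures across
# several usernames, then a success as jsmith); 10.0.0.25 is not reported.
Find-RdpLogonAnomalies -Events $sampleEvents | Format-Table -AutoSize
```

To run this against a live host, build the same four fields from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4624}`, taking the username, logon type and source address from each event's XML (`([xml]$e.ToXml()).Event.EventData.Data`, by the Name attributes TargetUserName, LogonType and IpAddress). A single failed attempt followed by a success, as with 10.0.0.25 here, is normal user behaviour; many different usernames from one address in seconds is not.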
Through the Windows Control Panel, go to Windows Firewall, and select the Exceptions tab.
Highlight Remote Desktop, click the Edit button, and then the Change Scope button.
Enter the addresses that you want to grant access to and click OK.
Session duration – Another good practice is to enable session timeouts and specify a disconnect time for idle remote sessions.
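The lockout, trusted-IP and session-timeout items of the policy above as one elevated PowerShell script, added as an example and not code from the original post. The trusted address values, the five-attempt threshold and the timeout lengths are placeholders to replace with your own; the registry value names under the Terminal Services policy key (MaxIdleTime, MaxDisconnectionTime, MaxConnectionTime, in milliseconds) are the ones Remote Desktop Services reads for the corresponding Group Policy settings.

```powershell
# Added example (not from the original post): apply the lockout, IP-scope and
# session-timeout parts of the policy. Run in an elevated PowerShell session.
# Assumptions: the address list and all numeric values are placeholders for
# your own; the registry value names are Microsoft's policy values.

# 1. Account lockout: 5 failed attempts within 30 minutes locks the account
#    for 30 minutes (threshold / window / duration are the three options in
#    Account Lockout Policy).
net accounts /lockoutthreshold:5 /lockoutwindow:30 /lockoutduration:30 | Out-Null

# 2. Restrict the built-in "Remote Desktop" allow rules to trusted addresses
#    instead of "Any". Placeholder values: a management subnet and one host.
$trusted = @('10.0.0.0/24', '192.0.2.10')
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -RemoteAddress $trusted

# 3. Session limits, as Remote Desktop Services reads them from policy (ms).
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $tsPolicy -Force | Out-Null
Set-ItemProperty -Path $tsPolicy -Name 'MaxIdleTime'          -Value (15 * 60 * 1000)     -Type DWord  # idle 15 min -> disconnect
Set-ItemProperty -Path $tsPolicy -Name 'MaxDisconnectionTime' -Value (60 * 60 * 1000)     -Type DWord  # disconnected 1 h -> log off
Set-ItemProperty -Path $tsPolicy -Name 'MaxConnectionTime'    -Value (8 * 60 * 60 * 1000) -Type DWord  # active 8 h -> disconnect

# 4. Read the effective settings back for the change record.
Write-Output 'Lockout settings:'
net accounts | Where-Object { $_ -match 'Lockout' }
Write-Output 'Remote Desktop rule scope:'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique
Write-Output 'Session limits (ms):'
Get-ItemProperty -Path $tsPolicy | Select-Object MaxIdleTime, MaxDisconnectionTime, MaxConnectionTime
```

Two caveats: the lockout window cannot be longer than the lockout duration, so keep the order of values consistent, and on a domain-joined machine the account lockout settings come from the domain policy rather than from `net accounts` on the host. The firewall scope applies only to this host; the same allow-list belongs on the perimeter firewall in front of it.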
How PURE ICT can help you
- Guidance to provide the best remote connection solution for your company
- VPN purchase, installation and configuration, filtering network traffic to protect your organization from external threats.
- IT support for any problem
Contact us at firstname.lastname@example.org or 841-7873.