By Giorgio Bonuccelli

July 11, 2022

  0

What is an RDP Attack and How Do You Defend Against Them?

Remote Desktop Protocol (RDP) is Microsoft’s proprietary communications protocol that allows devices running any operating system (OS) to connect remotely. IT administrators can use RDP to remotely diagnose employees’ issues while giving them access to corporate resources. Although proprietary, some RDP specifications are open, and anyone can use them to extend the protocol’s functionality and meet organizational requirements if needed.

Over the past few years, RDP attacks—breaches that exploit the RDP’s vulnerabilities to attack systems—have increased significantly, with threat actors exploiting exposed ports to install ransomware on networks in many organizations. This isn’t surprising, given the massive rise in remote and hybrid workplaces. We’ll learn more about RDP attacks, RDP use cases, and how organizations can mitigate exposures.

Breakdown of an RDP Compromise

Now more than ever, the struggle for control of remote connections is centered in one place: transmission control protocol (TCP) port 3389. This is the default port for all the RDP connections that provide network access for remote users over an encrypted channel. To understand how to protect the organization from RDP attacks, it is essential to figure out how such an attack can unfold.

Suppose your organization is distributed with hundreds or even thousands of devices connected to an enterprise network. A typical RDP attack can compromise the enterprise’s network through the following phases:

1. Initial intrusion. At this stage, attackers begin to figure out how to penetrate the network by scanning port 3389. If any of the active devices connected to the network has its RDP port open, it serves as an entry point to the network. Given that most active devices would be subject to large volumes of RDP connections, any threat actor can brute-force a way into the network through this port without being flagged by a security tool.

2. Internal reconnaissance. After the initial compromise, an attacker can start to scan the entire network with the device’s own subnet to escalate the penetration. For example, the attacker could initiate Windows Management Instrumentation (WMI) connections to multiple endpoints over Distributed Computing Environment (DCE) / Remote Procedure Calls (RPC) and start to trigger attacks.

3. Command and control. The attacker uses the compromised device to send commands to other endpoints and networks. For example, using administrative authentication cookies, they could use the compromised machine to create new RDP connections to non-standard ports.

4. Lateral movement. At this stage, an attacker moves deeper into the enterprise’s network by obtaining increased privileges to retrieve sensitive data and other high-value resources. For example, they could leverage Windows administrative tools such as WMI, PsExec, and svcctl and move laterally within the network while evading detection from the organization’s security stack.

Use Cases for RDP

There are three primary use cases for RDP:

• Remote troubleshooting. IT administrators can leverage the protocol to diagnose and resolve problems that employees are facing with their devices and applications.
• Remote desktop access. Organizations can leverage RDP to deliver applications and files to their employees, who can access such resources from any location.
• Remote administration. IT administrators can leverage the protocol to make configuration changes on the network servers.

How to Mitigate Your Exposure and Safeguard from an RDP Attack

Unless adequately secured, RDP can easily become a gateway for cybercriminals that want to establish a foothold in the enterprise network, escalate privileges, and steal confidential data. Even though Microsoft has repeatedly upgraded the protocol, RDP still has weaknesses. Let’s explore some measures that IT teams can take to mitigate exposure to RDP attacks:

• Implement role-based access control (RBAC) restrictions. Workers should only access the resources necessary to get their jobs done. IT administrators can enforce access controls based on multiple factors, including responsibility, authority, and job competency.
• Enable network-level authentication (NLA) for RDP at all times. Like any system, users should always authenticate themselves before starting a remote desktop session. As such, you should only allow connections from endpoints running RDP with NLA over transport layer security (TLS) protocol.
• Restrict access to the RDP port. You should limit access to port 3389 to a specific host or a group of trusted internet protocol (IP) addresses and allow connections to specific devices. This means the server shouldn’t allow any connection from an IP address that is not whitelisted.
• Monitor RDP utilization. You should scrutinize how the RDP is utilized constantly and flag any abnormal behavior. For example, if you realize that there is a failed login attempt from a particular endpoint, you should immediately flag it out.
• Enable automatic Microsoft updates. Enabling updates and upgrades ensures you have the latest versions of the RDP for both client and server software. You should also prioritize patching of RDP vulnerabilities for known public exploits.
• Implement account lockout policies. When implemented in an RDP, account lockout policies make it difficult for potential hackers to compromise legitimate accounts and can help prevent credential stuffing, brute-force attacks, and credential theft. In addition, they help secure users’ accounts and data.
• Make strong passwords and multi-factor authentication (MFA) mandatory. Always require users to leverage strong usernames and passwords for RDP access. You should also enforce MFA, especially for administrative accounts that access corporate systems via RDP.

Learn about RDP Software and Cybersecurity

Due to the increasing need for remote and hybrid workplaces, many RDP software vendors have emerged to offer various solutions that meet a modern workforce’s requirements. RDP software allows IT teams to connect to multiple heterogeneous endpoints and access the resources while enabling users to access enterprise resources. Let’s explore some of the foundational cybersecurity features that these solutions possess.

• Identity and access management (IAM) features. RDP solutions only allow authorized users to access enterprise resources by implementing network access control, MFA, and single sign-on (SSO) mechanisms.
• Encrypted communications. RDP solutions can encrypt the channel via protocols such as TLS to prevent chances of unauthorized access.
• Compliance standards. The RDP software must adhere to regulatory standards such as the General Data Protection Regulation (GDPR) and Payment Card Industry Data Security Standard (PCI DSS).
• Reliable update cycle. RDP solutions must have a predictable patching cycle to remove known vulnerabilities and bugs.

Parallels RAS Enhances RDP and Safeguards You from RDP Attacks

Remote workers expect seamless access to enterprise resources no matter where they are located and which devices they are using. Organizations also need to ensure that their distributed workforce connects to enterprise networks as securely as possible, whether in on-premises or cloud-based setups. Parallels RAS is a turnkey virtual desktop infrastructure (VDI) solution that organizations can leverage to deliver virtual workloads with native-like work experiences on any endpoint or platform.

The platform is secure by default because it doesn’t expose port 3389 to external networks. With Parallels RAS, IT administrators can easily prevent distributed denial-of-service (DDoS) attacks whenever they occur via a gateway protection setting: the Enable RDP DOS Attack Filter option. Parallels RAS also extends remote desktop services (RDS) capabilities because its communication protocol is built atop Microsoft’s RDP.

For example, while RDS offers limited web access to digital workspaces, Parallels RAS provides full-featured clientless HTML5 browser access. It also offers various RDP clients that users can leverage to access published applications and desktops on any platform, including Windows, Linux, macOS, Google Chrome, Android, and iOS.

Most importantly, Parallels RAS reinforces data security while meeting compliance regulations with extra protection layers, such as MFA, advanced filtering, kiosk mode, and clipboard restriction.

Try out Parallels RAS today to discover its potential in safeguarding RDP attacks!

Download the Trial