An Overview of RDP Security Layer: How Effective Is It?
Remote desktop protocol (RDP) is a network protocol developed by Microsoft that facilitates remote access. The protocol offers three security layer settings for remote desktop connections: RDP security layer, negotiate, and secure sockets layer (SSL).
While the RDP security layer uses native encryption mechanisms to secure connections between clients and the server, the negotiate method selects the most secure layer supported by the client. SSL, in contrast, uses the transport layer security version 1.0 (TLS 1.0) to authenticate the server if the client has a valid certificate and supports TLS 1.0.
RDP Vulnerabilities Are a Hot Target for Cybercrimes
RDP became a popular option for organizations that needed to move employees from on-premises to hybrid working environments urgently in the wake of the coronavirus pandemic. According to Business Fortune Insights, the global remote desktop software market size was US $1.53 billion in 2019. The company projects this market share to grow at a compound annual growth rate (CAGR) of 15.1% to reach US $4.69 billion by 2027.
The popularity of RDP caused it to become a target for cybercriminals. Before the pandemic, most employees worked from their offices and used resources that IT administrators monitored closely. The shift to remote working meant enterprises had to allow employees to use their preferred devices under a bring your own device (BYOD) framework to access sensitive corporate resources via RDP.
This shift led to many mistakes and more RDP exposures. According to Kaspersky, worldwide RDP attacks surged from 93.1 million in February 2020 to 277.4 million by March 2020, representing a staggering 197% increase. While this trend went up and down throughout 2020, another significant surge came at the onset of winter lockdowns.
By February 2021, RDP attacks had skyrocketed to 377.5 million, according to Kaspersky, a massive jump from the 91.3 million the same company reported at the beginning of 2020. According to Maria Namestnikova, a security expert at Kaspersky, hastily implemented and configured remote desktop services (RDS) have played a significant role in driving RDP attacks in many enterprises.
Types of RDP Vulnerabilities
RDP has plenty of known vulnerabilities. Below are a few of them.
Man-in-the-middle attacks
Even though RDP encrypts data between the client and the server by default, it does not provide an authentication mechanism to verify the identity of the terminal server. Malicious actors can launch man-in-the-middle attacks to intercept the connection between the client and the server, compromising the communication in the process.
Encryption attacks
RDP supports two forms of encryption: standard (also called native) and enhanced encryption. With standard encryption, most of the RDP connection sequence (the handshake) is protected only by a weak encryption mechanism. Malicious actors can decrypt connections at this stage in a reasonable time frame and expose the enterprise’s sensitive resources.
Denial-of-service attacks
RDP provides two modes of authentication: network-level authentication (NLA) and non-NLA. NLA requires clients to authenticate themselves before the server creates a session, so servers that support NLA but do not have it configured are vulnerable to denial-of-service (DoS) attacks: they allocate session resources for connections that have not yet authenticated. Hackers can use this weakness to open repeated connections to the server, preventing legitimate users from accessing the service.
Keylogging attacks
With keylogging attacks, hackers create sophisticated malware that tracks all the keys users press on their keyboards while accessing RDS. Unlike other malware, these applications do not pose a severe threat to the RDS infrastructure. However, keyloggers can pose a serious threat to users, especially when hackers intercept sensitive passwords and account numbers.
EternalBlue attacks
EternalBlue attacks allow hackers to execute arbitrary code remotely, giving them access to the network. These attacks exploit a vulnerability in the Windows OS server message block (SMB) protocol, allowing malicious actors to compromise the entire network and connected devices.
RDP Security and Encryption Levels
There are three types of security layers for RDP communications: negotiate, RDP security layer, and SSL. By default, RDS sessions use the negotiate method, where the client and remote desktop session host (RDSH) server agree on the most secure protocol the client supports. For example, if the client supports TLS 1.0, then the RDS infrastructure uses it. Otherwise, the RDS infrastructure uses the RDP security layer.
The SSL method is by far the most robust approach for securing RDS sessions. It uses the TLS 1.0 protocol to verify the identity of the RDSH server and encrypts all connections between the client and the server. In contrast, the RDP security layer uses the native remote desktop protocol encryption mechanism to secure connections between the client and the RDSH server. Because the RDP security layer does not authenticate the RDSH server, it is exposed to the man-in-the-middle attacks described above.
When it comes to encryption, RDP supports four levels:
- Federal information processing standards (FIPS) compliant. This level uses the FIPS 140-1 validated encryption methods to encrypt the data between the client and the RDSH server. Clients must support this level of encryption to connect.
- High. This level uses 128-bit encryption for data flowing in both directions between clients and RDSH servers. Clients must support this level of encryption to connect.
- Client compatible. This is the default mode and uses the client’s maximum key strength to encrypt data between the client and the server.
- Low. This level uses 56-bit encryption only for data sent from the client to the server; data sent from the RDSH server back to the client is not encrypted.
RDP Security Best Practices
Because of the ongoing RDP risks, companies providing remote access must adopt RDP best practices to secure their IT infrastructure. Let us explore some of them.
- Always use the SSL option. TLS 1.0 provides more robust security than the RDP security layer. As such, you should always ensure you configure it when using RDS.
- Require multi-factor authentication (MFA). MFA is a robust approach for preventing brute-force attacks and keylogging attacks. When used, MFA creates a layered defense that makes it more difficult for hackers to access the RDS infrastructure.
- Enforce strong password policies. Always make strong passwords mandatory for users that access RDS infrastructure.
- Enable automatic updates on the OSs. Updating the OS to the latest versions for both the client and the RDSH server eliminates known RDP vulnerabilities.
- Always use secure connections. By default, RDS runs on port 3389. Running RDS on this port opens up the infrastructure to man-in-the-middle attacks. You can secure the RDS infrastructure by deploying an SSL-secured connection.
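The security layer, encryption level and NLA settings described above are all stored on the RDSH host's RDP-Tcp listener. The following script is an added example (not from the article or from Parallels) that audits those settings in the article's terms and, with -Fix, applies the hardened baseline the best practices call for. It assumes an elevated PowerShell session on the RDSH server; the Win32_TSGeneralSetting class, its Set* methods and the numeric value codes are Microsoft's.

```powershell
# Audit-RdpListener.ps1 (added example; run elevated on the RDSH server)
# Reports the RDP-Tcp listener's security layer, minimum encryption level and
# NLA requirement. Read-only unless -Fix is given.
param([switch]$Fix)

# Value codes used by the Terminal Services WMI provider for the RDP-Tcp listener.
$layerNames = @{ 0 = 'RDP security layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
$levelNames = @{ 1 = 'Low (56-bit)'; 2 = 'Client compatible'; 3 = 'High (128-bit)'; 4 = 'FIPS compliant' }

# Win32_TSGeneralSetting mirrors the RDP-Tcp registry values and carries the
# Set* methods used below for remediation.
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

$findings = @()
if ($ts.SecurityLayer -ne 2) {
    $findings += "Security layer is '$($layerNames[[int]$ts.SecurityLayer])': the RDSH server is not authenticated to clients; set it to SSL."
}
if ($ts.MinEncryptionLevel -lt 3) {
    $findings += "Minimum encryption level is '$($levelNames[[int]$ts.MinEncryptionLevel])': weak or client-chosen key strength allowed; raise it to High or FIPS."
}
if ($ts.UserAuthenticationRequired -ne 1) {
    $findings += 'NLA is not required: sessions are created before the client authenticates; enable NLA.'
}
$summary = if ($findings) { $findings } else { 'None: listener matches the hardened baseline.' }

[pscustomobject]@{
    SecurityLayer      = $layerNames[[int]$ts.SecurityLayer]
    MinEncryptionLevel = $levelNames[[int]$ts.MinEncryptionLevel]
    NlaRequired        = ($ts.UserAuthenticationRequired -eq 1)
    Findings           = $summary
} | Format-List

if ($Fix -and $findings) {
    # Apply SSL layer, High encryption and NLA. Changes affect new connections;
    # re-run without -Fix to confirm.
    Invoke-CimMethod -InputObject $ts -MethodName SetSecurityLayer -Arguments @{ SecurityLayer = [uint32]2 } | Out-Null
    Invoke-CimMethod -InputObject $ts -MethodName SetEncryptionLevel -Arguments @{ MinEncryptionLevel = [uint32]3 } | Out-Null
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired -Arguments @{ UserAuthenticationRequired = [uint32]1 } | Out-Null
    Write-Host 'Hardened settings applied to the RDP-Tcp listener.'
}
```

Choose FIPS (level 4) instead of High only after confirming every client supports it, since clients that cannot meet the minimum level are refused at connection time.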
Parallels RAS Provides a Wide Range of Features to Secure Remote Access
Virtual desktop infrastructure (VDI) has emerged as a top choice for organizations that want to provide flexible working environments. However, VDI can make business sense only if it guarantees the security of corporate resources. Parallels® has spent over two decades researching and refining its premier VDI product: Parallels® Remote Application Server (RAS).
Parallels RAS has plenty of enterprise-grade features that can secure virtual applications and desktops, such as:
- MFA. Parallels RAS allows users to authenticate to virtual workspaces via two successive steps. Enterprises can use various identity and access management (IAM) solutions such as FortiAuthenticator, Google Authenticator and RADIUS.
- Advanced filtering. IT administrators can apply granular filtering rules to restrict access to the farm based on IP addresses, gateways, and MAC addresses.
- Data segregation. Parallels RAS supports multi-tenant architectures, ensuring that each tenant’s data gets isolated and remains invisible to other clients.
- Smart card authentication. Enterprises can leverage the Parallels RAS easy-to-use smart card authentication feature to allow users to access published resources.
- Kiosk mode. IT administrators can easily transform thin and zero clients running obsolete OSs such as Windows 7 or Windows 8 into secure endpoints without replacing their underlying operating systems.
- Robust encryption protocols. Parallels RAS supports FIPS 140-2 and SSL, allowing users to access VDI with the highest encryption standards. It also complies with various data protection regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).
Take security to the next level by downloading your free, 30-day Parallels RAS trial today!