Protecting Windows Remote Desktop Protocol (RDP) from attack
The pandemic forced many employees into remote work, and cybercriminals are looking to exploit the situation by directly attacking remote desktop services as they become publicly available. Microsoft’s Remote Desktop Protocol (RDP) has become a prime target. According to a study released by the cybersecurity firm ESET, attacks against RDP have increased a stunning 768 percent over the course of 2020. Malware packages like Trickbot now include RDP scanners to search for open RDP ports, and distributed denial-of-service (DDoS) attacks have begun using RDP as a way to magnify their impact.
This is not to say that RDP or Windows are inherently bad. RDP is an extremely useful, complex, and functionally rich protocol for remote access. The open source project I work on, Apache Guacamole, leverages RDP internally as one of its supported protocols.
However, this richness, combined with the position of the RDP service within the operating system, creates a larger attack surface that increases both the likelihood of exploits and their potential severity. Not only should the service be carefully protected, but access to it should be provided through a different, external service that operates with a limited set of privileges, so that compromising that service yields neither administrator access nor the ability to act as any other user.
But why not deploy RDP publicly?
The main problem with deploying an RDP service for direct public access is the nature of that service: it must run with sufficient privileges to operate a machine as other users, including the administrator. If a malicious actor exploits a vulnerability that allows execution of arbitrary code, that code inherits those privileges.
Multiple vulnerabilities disclosed in 2019, such as CVE-2019-0708 (popularly known as "BlueKeep") and CVE-2019-1181 and CVE-2019-1182 (known as "DejaBlue"), can be exploited to execute arbitrary code on an unpatched Windows server operating a public RDP service, even before authentication takes place. A successful exploit could deploy malware, initiate a ransomware attack, or move laterally across the network to attack other computers.
Keeping systems patched is critical, but insufficient.
Under no circumstances should a system ever remain unpatched. Hackers search for older, unpatched versions of software with known vulnerabilities because they know they can mount successful attacks on them.
That said, the key word here is "known". The primary concern for deploying remote access is unknown vulnerabilities, and when a new vulnerability emerges, it is the design of the system itself that must provide protection.
Proper Design: Defense in Depth and the Principle of Least Privilege
When exploiting a security vulnerability, a hacker attempts to perform an action that the security model of the software should otherwise deny. As a defense, IT must define boundaries that can be enforced independently through 1) layers of protective services ("defense in depth") and 2) limiting privileges to only what is absolutely required for the service to operate (the "Principle of Least Privilege").
Authentication and authorization should occur as a precondition of connecting with RDP, not simply as a part of it. This means that RDP must be deployed behind a dedicated remote desktop gateway that is the only means of access. The gateway should provide access strictly to the remote desktops that the current user is allowed to access, with a limited set of privileges so that a successful attack cannot immediately result in gaining admin access.
While deploying a virtual private network (VPN) is a popular solution to this challenge, doing so may open up a greater portion of the private network than is needed for the desired level of access. Additionally, VPNs can be cumbersome to configure and use. With the number of employees working remotely likely to remain high even after the pandemic has passed, VPN may not be a viable long-term solution for securing remote access for an entire company.
Once the gateway is in place, the firewall of the network should be locked down to allow access only to the gateway, and the firewalls of the various computers on the network should be locked down to allow access only from the gateway. This isolates each remote desktop at the network level, ensuring that compromising one computer will not immediately mean that all computers on the network are exposed.
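The host-level half of this lockdown, as an added example that is not part of the article or of the Apache Guacamole project: the Windows Defender Firewall on each managed desktop is set to deny inbound traffic by default, the stock "Remote Desktop" rule group (which allows TCP 3389 from any source) is disabled, a single rule allows RDP only from the gateway, and an audit function reports any enabled rule that still exposes 3389 to arbitrary addresses. The gateway address is a constructed placeholder, and the script assumes an elevated PowerShell session on a Windows host with the NetSecurity module (Windows 8 / Server 2012 and later). The network-edge firewall that admits only the gateway is vendor-specific and is not shown.

```powershell
# Added example, not code from the article or from Apache Guacamole.
# Restrict inbound RDP (TCP 3389) on this desktop to the remote desktop gateway.
# Assumption: run as Administrator; NetSecurity cmdlets available.

$GatewayAddress = '10.0.0.5'   # constructed placeholder; use your gateway's IP

# 1. Make the firewall deny inbound traffic unless a rule explicitly allows it,
#    on every profile. Then only our gateway-scoped rule can admit RDP.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 2. Disable the built-in "Remote Desktop" rule group, whose rules allow 3389
#    from any remote address. (Group name as shipped with Windows.)
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 3. Allow RDP only from the gateway. Because Block rules take precedence over
#    Allow rules in Windows Firewall, we rely on the default-deny above rather
#    than adding a broad Block rule that would also cut off the gateway.
$RuleName = 'RDP - allow from remote desktop gateway only'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $GatewayAddress -Action Allow -Profile Any | Out-Null
}

function Get-ExposedRdpRule {
    <#
    .SYNOPSIS
    Returns enabled inbound Allow rules that expose TCP 3389 to any remote
    address. An empty result means only scoped rules (such as the gateway
    rule above) can admit RDP. Useful as a recurring compliance check.
    #>
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $port = ($_ | Get-NetFirewallPortFilter)
            $addr = ($_ | Get-NetFirewallAddressFilter)
            ($port.Protocol -eq 'TCP') -and
            (@($port.LocalPort) -contains '3389' -or @($port.LocalPort) -contains 'Any') -and
            (@($addr.RemoteAddress) -contains 'Any')
        } |
        Select-Object DisplayName, DisplayGroup, Profile
}

# 4. Report anything that would still let RDP in from an arbitrary source.
$exposed = Get-ExposedRdpRule
if ($exposed) {
    Write-Warning 'RDP is still reachable from unrestricted addresses via:'
    $exposed | Format-Table -AutoSize
} else {
    Write-Output "RDP on this host is reachable only from $GatewayAddress."
}
```

Re-run the audit function after any change to Remote Desktop settings: enabling "Allow remote connections to this computer" through System Properties re-enables the built-in "Remote Desktop" rule group, which would silently reopen port 3389 to every source. The network firewall in front of the gateway must be configured separately so that 3389 on the desktops is not reachable from outside at all, and the gateway itself is the only externally exposed service.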
RDP is a useful, powerful protocol, but it needs to be deployed carefully so that it doesn’t also become useful to malicious actors. Keeping RDP services patched, following best practices, and placing RDP services behind a secure gateway will go a long way toward securing remote access.
Mike Jumper is the original developer of Apache Guacamole, an open source remote desktop access gateway. He is CEO and co-founder of Glyptodon, which provides a commercial build of Apache Guacamole with enterprise support.