What is Remote Desktop Protocol?
Remote Desktop Protocol (RDP) is arguably the most widely used remote access tool in use today. As its name indicates, RDP defines how client and server components communicate so that a user can work with the graphical desktop of a "remote" computer from another one. Microsoft ships the RDP client with every edition of Windows and the RDP server (Remote Desktop Services) with most of them, which makes it very popular and easy to use.
There are three basic issues with RDP that have made it one of the most popular targets for threat actors (commonly referred to as hackers) seeking illicit access to computer systems.
RDP is everywhere
As an included component of virtually every computer running Microsoft Windows, RDP is a known gateway into those systems. Regardless of any safeguards that may have been implemented, attackers know that RDP provides a doorway into most Windows computers if they can defeat or bypass those safeguards. The simple fact is that there are a great many such doors for attackers to knock on, and the sheer number of opportunities drives them to seek the doors out and try to open them.
Default security is not very secure
RDP is simple to enable, with almost no additional configuration or skill required: if it is not already running on a system, it can normally be turned on with a few clicks. Once enabled, the service listens on TCP port 3389 by default and answers every connection attempt, and if the host is reachable from the public Internet it becomes a target almost immediately, because automated scanners knock on every such port they can find, hoping for a response. In the "out-of-the-box" configuration that response is a credential prompt: on current versions of Windows, Network Level Authentication (NLA) asks for a username and password before a session is even created; on older versions the attacker is shown the full Windows login screen. With a correct username and password combination, a remote user has the same level of access and capabilities as if they were seated at the keyboard in front of the computer.
Additional controls can make RDP considerably safer, such as placing it behind a virtual private network (VPN) and requiring multi-factor authentication (MFA), but even today many organizations still do not implement them. Other measures are built into Windows itself: restricting which accounts may log on via RDP, and enabling account lockout to blunt automated "brute force" attacks, in which hundreds or even thousands of passwords are tried in rapid succession. Many organizations are unaware of these defenses or do not use them, and those who do are typically not monitoring for evidence of such attacks, even though every failed attempt is written to the Windows Security log as event ID 4625 ("An account failed to log on").
With no additional safeguards in place, the password is often all that stands between a computer system and a threat actor seeking entry via RDP. Despite today's emphasis on unique and complex passwords, the reality is that many organizations do not follow that guidance, making their passwords all too easy to guess or look up and use without their knowledge. Furthermore, even complex passwords are routinely stolen in breaches elsewhere and added to the credential lists that attackers replay against RDP (credential stuffing), so a password reused from another site offers little protection no matter how strong it is.
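The monitoring gap described above is easy to close on a single host. The following is an added example, not code from Lodestone Security or from Microsoft: it turns Security-log logon failures (event ID 4625) into flat records and flags any source address that produces a burst of RDP-related failures. The sample events, the attacker and client addresses, the account names and the threshold of ten failures in five minutes are constructed assumptions; on a real host you would feed it from Get-WinEvent as shown in the comment at the end.

```powershell
# Added example (not Lodestone's or Microsoft's code): detect RDP password guessing
# from Windows Security log event 4625. RDP failures show up with LogonType 10
# (RemoteInteractive) on older hosts and LogonType 3 (Network) when NLA is in front.
# Thresholds, addresses and account names below are assumptions for illustration.

function ConvertFrom-LogonFailure {
    # Flatten a Get-WinEvent 4625 record; the field names are the EventData
    # element names Windows uses for this event.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated    = $Record.TimeCreated
            IpAddress      = $d['IpAddress']
            TargetUserName = $d['TargetUserName']
            LogonType      = [int]$d['LogonType']
        }
    }
}

function Find-RdpBruteForce {
    # Report every source IP with $Threshold or more RDP logon failures inside
    # a sliding window of $WindowMinutes (one alert per IP).
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold     = 10,
        [int] $WindowMinutes = 5
    )
    $Events |
        Where-Object { ($_.LogonType -in @(3, 10)) -and $_.IpAddress -and ($_.IpAddress -ne '-') } |
        Group-Object IpAddress |
        ForEach-Object {
            $hits  = @($_.Group | Sort-Object TimeCreated)
            $start = 0
            for ($end = 0; $end -lt $hits.Count; $end++) {
                # Slide the window start forward until it fits in $WindowMinutes.
                while (($hits[$end].TimeCreated - $hits[$start].TimeCreated).TotalMinutes -gt $WindowMinutes) { $start++ }
                if (($end - $start + 1) -ge $Threshold) {
                    [pscustomobject]@{
                        IpAddress = $_.Name
                        Failures  = $hits.Count
                        Accounts  = ($hits.TargetUserName | Sort-Object -Unique) -join ','
                        FirstSeen = $hits[0].TimeCreated
                        LastSeen  = $hits[-1].TimeCreated
                    }
                    break
                }
            }
        }
}

# Constructed sample (not real log data): one guessing source cycling through common
# account names every 15 seconds, and one employee who mistyped a password twice.
$base   = [datetime]'2020-04-01T02:00:00'
$sample = @(
    foreach ($i in 0..11) {
        [pscustomobject]@{
            TimeCreated    = $base.AddSeconds(15 * $i)
            IpAddress      = '203.0.113.45'
            TargetUserName = @('administrator', 'admin', 'backup', 'scan')[$i % 4]
            LogonType      = 3
        }
    }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(30); IpAddress = '10.0.0.25'; TargetUserName = 'jsmith'; LogonType = 10 }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(31); IpAddress = '10.0.0.25'; TargetUserName = 'jsmith'; LogonType = 10 }
)

# Flags 203.0.113.45 (12 failures, 4 accounts, under 3 minutes); 10.0.0.25 stays quiet.
Find-RdpBruteForce -Events $sample | Format-Table -AutoSize

# On a live host, run elevated:
# Find-RdpBruteForce -Events (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1)} |
#     ConvertFrom-LogonFailure)
```

Two caveats a practitioner will hit. First, on Windows versions before 2016 a logon that fails at the NLA stage is often recorded with an IpAddress of "-", so the filter above drops it; the RemoteDesktopServices-RdpCoreTS/Operational log (event ID 140, which names the client address) fills that gap. Second, the distinct-account count matters as much as the raw count: a single user failing ten times is a forgotten password, while ten different account names from one address is an enumeration.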
Old software is dangerous
Software developers such as Microsoft want their products to work well and be safe for users, but the reality is that the operating systems and programs we all use are complex. Despite testing and other efforts to find and correct problems, many security gaps do not reveal themselves until after the software is released. We therefore must update our software regularly, not only to add new features but, more importantly, to correct security problems as they are discovered. These problems are commonly referred to as "vulnerabilities", and attackers frequently exploit them to gain access to systems and carry out malicious activity.
RDP has been fraught with vulnerabilities. Several significant ones have surfaced in recent years and triggered waves of attacks against exposed systems. Some of them allow remote code execution, letting a threat actor run programs on the system and take full control; the best known is CVE-2019-0708 ("BlueKeep"), a pre-authentication flaw in Remote Desktop Services on Windows 7, Server 2008 R2 and earlier, patched in May 2019. Since 2001, a total of 40 vulnerabilities have been identified in RDP, including 4 new ones released in the first quarter of 2020. Even adjacent components such as Remote Desktop Gateway have had significant trouble lately (see CVE-2020-0609, a pre-authentication remote code execution flaw patched in January 2020). Although Microsoft released patches for most of these vulnerabilities quickly, many organizations delayed or neglected to install them. In some cases, organizations continue to run older versions of Windows (and RDP) that are no longer supported and receive no security updates at all; Windows 7 and Windows Server 2008 R2 reached end of support in January 2020. Even with good update hygiene, if you allow this protocol from the public Internet you will very likely be vulnerable for at least some period between the inevitable discovery of the next RDP vulnerability and the installation of its patch.
How does this impact businesses?
Historically, small businesses have not been a major target for exploitation. Larger businesses drew the attacks because monetizing an intrusion required sophisticated, skilled attackers. Recent trends, especially the use of ransomware during the course of an attack, have shown that small businesses are not only easier targets but can now be monetized for very little effort. RDP is easy for inexperienced system administrators (and for non-administrators whose user accounts carry high levels of authority) to turn on, and improperly implemented RDP is easy for unskilled attackers to exploit. This has led to an explosion of criminal activity: one no longer needs to be an expert in hacking to extort large sums of money from a large population of potential victims. Compromised credentials can be bought cheaply for use in an attack, and many strains of ransomware are now sold as a service, much like legitimate software. One of the largest contributors to this problem is the prevalence of RDP exposed to the Internet. According to a recent report from Coveware (ransomware negotiation specialists), RDP has been the preferred attack vector for ransomware operators consistently since 2018: more than 50% of all security incidents involving ransomware also involved RDP, with some periods measured at more than 80%.
What can be done?
Some of the most effective ways to reduce the risks associated with RDP are the simplest:
- Disable RDP altogether if you do not need or use it.
- Use current versions of Windows and regularly update and patch.
- Enforce a strong password policy: long, unique passwords checked against known-breached lists, changed whenever compromise is suspected (current guidance such as NIST SP 800-63B favors this over forced periodic rotation).
- Allow RDP access only from the networks and to the accounts that actually need it, and enable account lockout so that password guessing is slow and noisy.
- Require Network Level Authentication so that no session is created before the user has authenticated.
- Use a VPN with MFA if you do use RDP, and never expose TCP port 3389 directly to the Internet.
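Most of the checklist maps onto a handful of Windows settings. The script below is an added example, not Lodestone Security's or Microsoft's code: it reports the current RDP posture, then applies the tightened settings. The management subnet (10.20.0.0/24), the domain group name (CONTOSO\RDP-Operators) and the lockout values are assumptions to be replaced with your own; the registry paths, cmdlets and group names are the ones Windows ships. Run it elevated on the host being hardened.

```powershell
# Added example (not Lodestone's or Microsoft's code): audit and tighten the RDP
# settings behind the checklist above. Subnet, group name and lockout numbers are
# assumptions; the registry paths and cmdlets are standard Windows ones. Run elevated.

$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"

function Get-RdpPosture {
    # Snapshot of the settings an attacker cares about. 'Any' under AllowedSources
    # means the whole Internet if the host is reachable from it.
    $addr = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
             Get-NetFirewallAddressFilter).RemoteAddress | Sort-Object -Unique
    [pscustomobject]@{
        RdpEnabled     = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
        NlaRequired    = (Get-ItemProperty $rdpTcp).UserAuthentication -eq 1
        TlsRequired    = (Get-ItemProperty $rdpTcp).SecurityLayer -eq 2   # 2 = TLS, 0 = legacy RDP security
        Port           = (Get-ItemProperty $rdpTcp).PortNumber             # 3389 by default
        AllowedSources = ($addr -join ',')
        RdpUsers       = (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue).Name -join ','
        LockoutPolicy  = (net accounts | Select-String 'Lockout threshold').Line.Trim()
    }
}

'--- before ---'; Get-RdpPosture

# 1. If nobody needs it, turn it off and close the firewall rule (uncomment to apply).
# Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
# Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 2. Otherwise require NLA and TLS: credentials are checked before a session exists,
#    and the channel is encrypted with a certificate rather than legacy RDP security.
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2

# 3. Scope the inbound rule to the management subnet / VPN address pool (assumed
#    10.20.0.0/24) instead of the default 'Any'.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress 10.20.0.0/24

# 4. Only the people who need it. 'Remote Desktop Users' is empty by default; members
#    of local Administrators can always connect, so keep that group small as well.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'CONTOSO\RDP-Operators' -ErrorAction SilentlyContinue

# 5. Account lockout turns a thousand guesses a minute into a few per quarter hour
#    (starting values; tune to your help-desk tolerance).
net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15

'--- after ---'; Get-RdpPosture
```

Two points worth noting. The firewall scoping in step 3 is what actually keeps the port off the Internet; NLA and lockout only make the remaining exposure survivable, so the VPN-with-MFA item on the list still applies for anyone who must reach the host from outside. And in a domain, Group Policy (Computer Configuration, Windows Settings, Security Settings) will overwrite the local lockout and user-rights settings above, so apply the same values there or they will not stick.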
RDP is a powerful tool and can be used safely with a bit of planning and effort. It does not have to be dangerous but often is due to the lack of proper configuration and inadequate security controls. It is a virtual door into Windows computers, but it does not have to be an “open door” for just anyone to enter. Lodestone Security offers multiple services that can help you improve your overall security posture, including instruction for the proper way to implement and make use of RDP.
We at Lodestone Security look forward to keeping you, your customers, and your employees safe from cybercriminals. Please contact us at your convenience:
Phone: (203) 307-4984