Microsoft’s Remote Desktop Protocol (RDP) is one of the most popular tools for both system admins and end users to gain remote access to a host computer. As companies shifted to remote work in 2020, many turned to RDP as a solution to provide work-from-home access for their remote workforces. While this was a relatively simple and readily available solution for Windows users, its widespread use has also made it a major target for cyberattacks, exposing companies to significant risk in the process.
According to the FBI’s Cyber Division, cybercrime increased 300% in 2020, and several security studies have shown that RDP was the single most common source of ransomware incidents in these attacks. In a 2020 study from Coalition, a leading cyber insurance provider, it was found that the severity of cyber-incident losses also increased dramatically by 65% year over year. Despite all these risks, many companies continue to rely on RDP, often out of necessity. So what makes RDP such a popular target for cybercriminals and what can you do to minimize the risk to your organization?
Challenges with RDP
RDP was first introduced by Microsoft in the late 1990s, in the early days of the public internet, as a way for a limited number of authorized admins and users to remotely access a machine on the local corporate network. It was not originally designed to meet the diverse set of security and privacy requirements we expect today, with the proliferation of devices, networks, cloud services, and of course remote work. As a result, RDP has consistently been a favorite target of cybercriminals throughout its history and continues to suffer from several security weaknesses, the most significant of which are:
- Exposed default ports: RDP listens on port 3389 by default for inbound connections. Because this is widely known, the port is one of the most common attack vectors on any corporate network and is constantly being scanned by cybercriminals. This leaves an exposed RDP service vulnerable to credential stuffing and other brute-force attacks.
- Password complexity enforcement: One way to make it more difficult for attackers to access RDP systems is to enforce password complexity requirements. Unfortunately, not everyone does this, as it can often lead to frustrated users overwhelming IT teams with password recovery requests. A McAfee report found that the most common passwords on vulnerable RDP systems included easily guessable strings, such as “123456” and “password.”
- MFA support for RDP is limited: Another common way to provide additional protection against unwanted access is to require MFA (multi-factor authentication) for RDP access. Unfortunately, this typically requires additional third-party software or deploying a Remote Desktop Gateway to broker the connection, introducing additional complexity for admins.
- Known security vulnerabilities: RDP was never designed to run over the public internet. Its original intent was for use within a secure LAN. As a result, RDP is simply not secure by design, and has suffered more than its fair share of security flaws throughout its history. For instance, the now-infamous BlueKeep vulnerability was a serious flaw that allowed attackers to perform remote code execution on the affected system.
While Microsoft has been consistent in its ongoing support to address known issues, it is always up to admins to apply these patches. This can present additional challenges, as disruptions to service and other system risks may sometimes prevent critical patches from being applied promptly. In addition to known vulnerabilities in Microsoft’s RDP server, there have also been numerous weaknesses found in RDP clients, further exacerbating the security risks involved.
- VPNs help, but are not perfect: Putting your RDP server behind a VPN is often recommended as a more secure way to provide remote access. Although this would certainly be an improvement over exposed public RDP ports, it would not protect against an attacker who was somehow able to gain access to the VPN itself.
In addition, VPNs introduce their own set of problems. Besides the additional complexity and cost of implementing the VPN itself, there are also significant user experience and productivity questions to consider. RDP is relatively bandwidth-intensive. If RDP is intended to be a longer-term solution for remote work, then performance and user satisfaction are important considerations. For instance, VPN gateways tend to be a traffic bottleneck during peak times, which means higher latencies between the end user and the RDP server. This, in turn, can mean an extremely frustrating experience for the user and significant lost productivity for the organization.
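The exposed-port weakness above is what makes brute-force and credential-stuffing traffic against an internet-facing RDP listener so common, and it is also what defenders can watch for. The following is an added example, not part of the original post and not Twingate code: it filters constructed Windows Security events for failed RDP logons (Event ID 4625 with Logon Type 10, RemoteInteractive) and flags source addresses that exceed a failure threshold inside a sliding time window, distinguishing one account being hammered from many accounts being tried. The simplified CSV record layout, the sample addresses and account names, and the window and threshold values are all assumptions chosen for illustration.

```python
"""Flag RDP brute-force and credential-stuffing patterns in Windows Security
events (ID 4625 = failed logon, Logon Type 10 = RemoteInteractive, i.e. RDP).
Added example, not Twingate code; records below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CSV-style records: timestamp,event_id,logon_type,account,source_ip
SAMPLE_EVENTS = """\
2021-03-01T09:00:01,4625,10,administrator,203.0.113.7
2021-03-01T09:00:02,4625,10,admin,203.0.113.7
2021-03-01T09:00:03,4625,10,backup,203.0.113.7
2021-03-01T09:00:04,4625,10,guest,203.0.113.7
2021-03-01T09:05:00,4625,10,jsmith,198.51.100.4
2021-03-01T09:05:01,4625,10,jsmith,198.51.100.4
2021-03-01T09:05:02,4625,10,jsmith,198.51.100.4
2021-03-01T09:05:03,4625,10,jsmith,198.51.100.4
2021-03-01T09:30:00,4625,10,mjones,192.0.2.10
2021-03-01T11:30:00,4625,10,mjones,192.0.2.10
2021-03-01T09:31:00,4625,3,svc,192.0.2.99
2021-03-01T09:32:00,4624,10,jsmith,198.51.100.4
"""

def parse_rdp_failures(text):
    """Keep only failed RDP logons (4625 with logon type 10) as dicts."""
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, account, src = line.split(",")
        if event_id == "4625" and logon_type == "10":
            events.append({"ts": datetime.fromisoformat(ts),
                           "account": account.lower(), "src": src})
    return events

def detect_rdp_attacks(events, window=timedelta(minutes=10), threshold=4):
    """Sliding window per source IP: flag >= threshold failures within window.
    One account hammered -> brute_force; many accounts -> credential_stuffing."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            burst = evs[start:end + 1]  # failures from this source inside the window
            if len(burst) >= threshold and len(burst) > alerts.get(src, {}).get("failures", 0):
                accounts = sorted({e["account"] for e in burst})
                kind = "credential_stuffing" if len(accounts) > 1 else "brute_force"
                alerts[src] = {"kind": kind, "failures": len(burst), "accounts": accounts}
    return alerts
```

On the sample data, `detect_rdp_attacks(parse_rdp_failures(SAMPLE_EVENTS))` flags 203.0.113.7 as credential stuffing (four different accounts in four seconds) and 198.51.100.4 as brute force against one account, while the two slow mjones failures, the non-RDP logon type and the successful logon are ignored.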
How to simplify RDP security with Twingate
Twingate is a modern Zero Trust Network Access solution built on the concept of Identity-First Networking. With Twingate, we can address all of these security risks with no hardware to install, easy integration with your existing infrastructure, and no performance impact to your end users. Deploying Twingate in your RDP server environment helps with the following:
- No publicly exposed RDP ports. Ever.
- Fully encrypted tunnel between client and server.
- Security without password fatigue. Use the same identity as your main IdP.
- Protect RDP with multi-factor authentication.
- No bottlenecks through VPN gateways.
- No performance impact to users.
- Software only solution. Works with your existing infrastructure.
- Reduce likelihood of ransomware attacks.
4 steps to making RDP more secure with Twingate
Once you have a Twingate admin account set up, just follow these simple steps to protect your RDP system and easily implement multi-factor authentication.
- Install the lightweight Twingate connector on a Linux VM on the same subnet as your RDP server.
- Add the local DNS name or the local IP address of the RDP server as a Resource from the Twingate admin console.
- Add this newly created RDP Resource to a Group for which you wish to grant access.
- Enable two-factor authentication for this Group.
That’s it. Congratulations! In less than 10 minutes, you have effectively secured your Remote Desktop service from would-be attackers and implemented MFA without any additional hardware deployment.
If you would like to learn more about how Twingate can help your organization protect itself from unauthorized access and other cyber threats, while providing admins and users a consumer-grade user experience, drop us a line. We’d be happy to give you a demo and walk you through our product.