Remote Desktop Protocol (RDP) is a way to access and control a computer over a network. RDP can work as a remote access solution. In effect, it lets users operate their office desktop computer from anywhere in the world. Since RDP is a standard feature of Microsoft’s Windows operating system, RDP was a lifesaver when businesses suddenly told employees to work from home.
Using RDP as a remote access solution — at scale — introduces new challenges and risks. In this article, we will review the technology’s benefits and its limitations. By the end, you will understand why RDP is a problematic remote access solution and what you can do to improve your organization’s security.
What is Remote Desktop Protocol (RDP)?
Microsoft introduced Remote Desktop Protocol in 1998 as part of Windows NT Server 4.0 Terminal Server Edition. Its original purpose was to let companies deploy “thin client” architectures. Business computers and other devices that could not run Windows software could log into more powerful Windows servers. The server received keyboard and mouse commands from the user’s system, ran the software, and sent the display output back to the user’s device.
Network administrators also benefited from RDP as it became a standard feature of Microsoft’s server and desktop operating systems. Updating and troubleshooting no longer meant visiting a computer on another floor, in another building, or on another campus. With Remote Desktop Protocol, administrators could simply log into the computer over the network. Working through RDP was no different from sitting in front of the other computer.
Over time, Remote Desktop Protocol became a way to give traveling employees access to their work computers. As opposed to a VPN connection’s network-level access, RDP gave employees desktop-level access. This was especially important when desktop software such as Microsoft Access or Excel performed business-critical functions.
Microsoft now offers RDP support beyond the Windows ecosystem. Remote client applications can run on systems based on macOS, Android, and iOS. An RDP web client lets users with Linux, macOS, or ChromeOS devices access a Windows desktop through a modern browser.
How does RDP work?
RDP establishes a dedicated, encrypted network connection between the host system and the remote device. Through this connection, mouse and keyboard data flow upstream from the user while presentation data flow downstream from the host system. Application execution, data storage and processing remain on the host system.
The host may be a physical desktop computer located on company property. Increasingly, however, companies use on-premises servers or cloud services to run virtual instances of the Windows desktop operating system. RDP gives users access to these virtual desktops whether they are in the office or working remotely.
This virtual approach is the modern version of thin-client computing. Whether users are in the office, traveling on business, or working from home, they always have access to “their” computer from any device. Especially in regulated industries, businesses like this architecture because they can keep data on protected systems. At the same time, this RDP use case makes bring-your-own-device (BYOD) policies easier to manage.
As we mentioned earlier, native Windows support for RDP came in handy when COVID-19 broke out. Companies could let users run RDP client software on their home systems and keep the business running. During the first three months of 2020, the number of RDP endpoints soared by 33%.
What are the benefits of Remote Desktop Protocol (RDP)?
Today’s Remote Desktop Protocol offers important benefits that improve the remote user experience while serving business needs.
Simplifies remote access
Since RDP is part of Microsoft’s server and desktop operating systems, implementing it as a remote access solution is straightforward. You can use your existing management tools to onboard and offboard users. Microsoft’s cross-platform RDP client and web apps let you tame the complexity of BYOD policies.
RDP even works for users, such as game developers or engineers, who rely on high-performance systems. For example, you can remove RDP’s default 30-frames-per-second limit on streaming performance. Microsoft-sanctioned workarounds support speeds up to 60 frames per second.
Microsoft’s integration of RDP into its operating systems made it an affordable way to enable remote access quickly. The software is already on Windows-based office computers. The client app is free to download and distribute to employees working from home. In addition, RDP works within a company’s existing network infrastructure.
Remote Desktop Protocol can make sensitive business data more secure. Only control and presentation data pass between company servers and workers’ personal devices. All proprietary data remain on company-controlled systems at all times.
Access legacy and restricted resources
Many businesses have resources that are only accessible from the on-premises network. These may be legacy systems or sensitive systems that require tighter access controls. Pandemic lockdowns prevented employees from accessing these systems and further disrupted business operations. RDP offered a solution by letting workers access restricted resources remotely through their office computers.
Why has RDP become problematic as a means for remote access?
Like anything else, RDP is not perfect. Companies that rushed out an RDP remote access system may not have considered the tradeoffs. These are some of the issues that RDP remote access introduces:
Sensitivity to bandwidth and latency
When you access a Windows desktop remotely, you are streaming a high-definition video of everything that happens on that computer. Bandwidth congestion degrades the RDP client’s “display” quality. High latency adds a lag between mouse clicks and on-screen events that users would never see at a local desktop.
At the user’s home office, the RDP stream competes with Zoom classrooms and mid-afternoon YouTube binges. On-premises, networks may not be ready for the simultaneous high-definition RDP streams from hundreds of workers.
This is especially true for firewalls and other endpoints. The only fix is to add more hardware, which consumes the savings that made RDP an attractive choice in the first place.
The most significant issue with Remote Desktop Protocol is the way it expands your network’s attack surface. Cybercriminals love RDP and similar solutions because they are everywhere.
- In 2020, nearly one out of every three vulnerabilities was associated with Remote Desktop Protocol.
- Cyber actors exploited an unsecured remote desktop application to penetrate and manipulate a US water treatment facility.
- Even before the pandemic, the Multi-State Information Sharing and Analysis Center warned that a rising wave of ransomware was targeting unsecured RDP systems.
- Cyber insurer Coalition calls RDP “the critical security exposure that is most often present as a technical and predictive indicator of ransomware infections.”
The risk posed by RDP is so significant that cyber insurance underwriters now routinely look for open RDP ports during the underwriting process.
Exposed ports and weak passwords
The first security risk comes from the way RDP accepts incoming connection attempts. Client apps access the host through an open port, usually port 3389. Publicly visible ports are an invitation to cybercriminals. Simple scanning tools easily reveal over four million exposed RDP hosts on the internet.
The second security risk comes from a business’s failure to impose strong password policies. When users log into their desktop through RDP, they enter the same login password they use at the office. Weak passwords on office computers are bad enough. When RDP exposes those computers to the internet, however, companies become fat targets.
Combine easy visibility with weak passwords and cybercriminals can use simple brute-force attacks to gain access to the desktop. At that point, they have full access to everything on the user’s computer — and the office network.
If your organization uses an RDP solution, what should you do?
In the near term, you can take several steps to secure an RDP remote access system.
- Hide your RDP ports: Putting everything behind a firewall and VPN gateway hides the RDP systems from cybercriminals’ scanning tools. The VPN gateway is itself exposed to the public internet, but this at least reduces the number of exposure points.
- Use access control: Allowlists and access control lists let you limit the number of IP addresses that may access your RDP system.
- Enforce strong passwords: Supply easy-to-use password managers or single sign-on systems to make strong password policies easier to enforce. Use multi-factor authentication for extra protection against brute-force attacks.
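To check the first two steps on a given host, the following read-only audit is an added example, not part of the original article or any vendor's tooling. It assumes the built-in Windows firewall and the default RDP-Tcp listener, reports whether Remote Desktop is enabled and on which port, and lists every enabled inbound allow rule covering that port, flagging rules that accept any source address.

```powershell
# Added example: read-only audit of one Windows host for RDP exposure.
# Run in an elevated PowerShell session on the host being checked.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Join-Path $ts 'WinStations\RDP-Tcp'

# fDenyTSConnections = 0 means the host accepts Remote Desktop connections.
$rdpEnabled = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
# Port of the default listener (3389 unless it has been changed).
$port = [string](Get-ItemProperty -Path $tcp).PortNumber

# Enabled inbound allow rules that cover the RDP listener's TCP port.
# Assumption: rules name the port exactly or use 'Any'; port ranges are not expanded.
$rules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $pf = $rule | Get-NetFirewallPortFilter
    $ports = @($pf.LocalPort)
    if ($pf.Protocol -notin 'TCP', 'Any') { continue }
    if ($ports -notcontains $port -and $ports -notcontains 'Any') { continue }

    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Profile       = $rule.Profile
        RemoteAddress = $remote -join ', '
        Verdict       = if ($remote -contains 'Any') { 'OPEN: any source address' }
                        else { 'restricted: review the address list' }
    }
}

"RDP enabled: $rdpEnabled   listener port: $port"
if (-not $rules) {
    'No enabled inbound allow rule covers the RDP port.'
} else {
    $rules | Sort-Object Verdict | Format-Table -AutoSize -Wrap
}
```

A rule reported as open should be narrowed to the VPN gateway or administrative subnet that actually needs it, in line with the allowlist step above.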
Replace your RDP system with a modern remote access solution
The stopgap measures only go so far. Hiding RDP behind a VPN, for example, simply replaces a weak security system with a slightly less weak security system. The advice that Coalition, the Center for Internet Security, and others give companies is to stop using RDP completely and use more modern and secure remote access solutions – or, if RDP is essential, then to protect it using more modern solutions.
Modern approaches use zero trust network access (ZTNA) principles to control who can access which resources under what circumstances. Unlike RDP, ZTNA assumes that nobody is trustworthy no matter which device they use or which network they connect from.
Implementing ZTNA through software-defined perimeters (SDPs) further protects company resources by making them invisible to anyone without need-to-know access privileges.
Replace RDP remote access with Twingate’s modern ZTNA solution
With little time to prepare, many companies turned to Microsoft’s Remote Desktop Protocol to make the sudden shift to remote working. Employees could use their work computers from whatever personal device they owned. At the same time, network administrators kept sensitive data on company-controlled systems. However, RDP’s convenience also makes it a security risk.
- Hiding resources from the public internet.
- Replacing VPN with role-based authentication and authorization.
- Enabling robust passwords and multi-factor authentication.
- Delivering more performant connections.