Securing Remote Desktop
Remote desktop access has made a significant rise in use in recent months, partially thanks to the spread of the Covid-19 virus. Once there was a time when most companies said they couldn’t work from home for x, y and z reasons, to be later forced to work from home to safeguard staff.
Due to the quick turnaround of ensuring that staff can work from home, it’s no wonder that certain security configurations were missed, whether this is due to lack of experience or simply it was a rush job and would be fixed later remains to be seen. By far the biggest way of allowing people to gain access to their office environment is through Virtual Private Networks (VPNs) and Remote Desktop Protocol (RDP).
When performing passive scanning of systems around the world using Shodan, you can see the vast amount of machines that have RDP open to the internet, this configuration oversight can allow anyone with an internet connection and a little bit of knowhow to view information about the business (such as domain name, users and even machine names), to allowing people to brute force login attempts.
There have been several posts and articles from many information security professionals over the weeks, months and years stating that this is a problem, however people don’t appear to be learning the lessons. So, what can we do about it? Why does this way of connecting to office machines cause an issue? This article hopefully will answer these questions and help you protect yourself from any type of threats.
RDP is primarily used by the Microsoft Windows Operating System, so therefore anyone who looks to connect to any of these “exposed” RDP sessions has a change to gain a foothold within the business. The last few years has shown the weaknesses within the RDP protocol and several security vulnerabilities have been released with known exploits. These exploits are easy to perform and can allow a malicious attacker access to not only the machine being targeted, but any other machine within the network, once access has been gained.
Simply performing a quick search on the internet for “RDP CVE” will highlight several security bulletins from Microsoft and other leading security websites. Taking one finding as an example, CVE-2019-1181, this vulnerability discusses that there are many remote execution paths once a machine has been successfully exploited. This means that the attacker can establish a session from their attaching machine and the target machine, allowing full access and allowing the possibility for implanting malware into the environment to establish a permanent connection. The thought of this is frightening.
Making remote access secure
Making remote desktop access secure isn’t hard or shouldn’t be. There are several steps that can be implemented to ensure that your business and the method of connection is kept secure from unwanted visitors.
The first layer of security is to implement and utilise Virtual Private Networks (VPNs), these allow you to run some software and establish a network connection to your business thereby allowing you full access to your business network and work as normal. Once established you can then open a RDP connection to the internal name/IP address as normal.
Blocking port tcp/3389 at the firewall, so that people cannot gain access or establish a connection, this should be one of the first things you do on a firewall, ensuring that you only allow the ports you absolutely need to work and block everything else.
Ensuring that you implement Network Layer Authentication (NLA) on your RDP connection, will also help increase the layer of security on the connection. By implementing NLA, you are performing an authentication request before you attempt to establish a connection, thereby limiting the amount of information which is and can be exposed.
I’ve had people say that they’ve changed the port that RDP runs on, from the standard 3389 to something else, this doesn’t help the matter and only takes a few seconds to find which port it is running on.
Perform regular patching and updates on all machines, this should be a standard action within the business, but I see this way too many times, where no one has updated their systems in months or even years.
In summary, make sure that you don’t allow port tcp/3389 exposed on your firewall, use a VPN to access any business operations and ensure you patch.