11 Feb

Remote Desktop Attacks Have Increased – Here’s What To Do

Windows Remote Desktop Protocol (RDP) is a workhorse of remote connectivity, allowing users and administrators to connect to the desktops of far-flung machines and perform tasks as if they were sitting directly in front of them. As global workforces shifted to remote work at the onset of the pandemic, RDP’s use as a means of accessing business systems increased dramatically. Hackers and cybercriminals took notice, and as a result, the move to remote work has seen a corresponding dramatic increase in RDP attacks. Such attacks increased a whopping 768% in 2020 vs. the prior year, according to one report. In all, a staggering 29 billion attempted RDP attacks were detected in 2020.

Because Remote Desktop is available in nearly every version of Windows, it can be a vulnerability even in instances where it’s not in use. Once a hacker has gained unauthorized access to a system via RDP, they have all the access afforded to the user account they have compromised, including any administrative privileges.

To reduce your risk and exposure, consider the following countermeasures and deploy those which make the most sense for your organization and environment. Some steps may require the involvement of a system administrator. Others (such as using strong passwords and keeping all system security patches up to date) can usually be performed by a regular user and should be, regardless of any additional measures taken. We’ve put the quickest and easiest measures first:

Apply the latest OS patches and updates. Yes, system updates can be a disruptive pain, but we all know that we need to keep our machines updated. Configure system policies to automatically download and optionally install critical updates or prompt the user when critical updates are available. Promptly installing any updates that contain security fixes and enhancements is one of the easiest ways to protect your system from intrusion.

Use strong passwords to protect against dictionary-based password cracking. Using easy-to-guess passwords or the same password for multiple systems is a great way to get hacked. Modern dictionary-based tools can crack a weak password in moments. Due to the plethora of breaches across the Internet, billions of user credentials are available to hackers in online databases. Use strong passwords consisting of upper and lowercase letters, numbers, and symbols, and change passwords regularly.

Use a desktop security program for detecting and blocking intrusion attempts. While this should go without saying, desktop security is a core requirement in the modern age. Most programs go beyond simple virus detection and monitor network traffic for potential intrusion attempts, including brute-force attacks directed at RDP.

Change the default port used by RDP via the system registry. Remote Desktop Protocol uses TCP and UDP port 3389 by default, so it follows that hackers will routinely scan this port for hijacking opportunities. If you feel up to the task, you can edit the Windows system registry to change the default RDP port for your system to one of the thousands of unassigned ones. Scanning thousands of ports per machine takes more time and resources than many hackers are willing to commit, so while it’s far from foolproof, using a non-standard port for RDP can reduce your exposure.

Disable Remote Desktop support for user accounts that don’t need it. Most Windows systems have multiple user accounts, but not all of those may require remote access capability. Disabling remote access for those users is a worthwhile security measure. Additionally, set the Local Security Policy on the remote machine to lock an account after a finite number of incorrect passwords are sent via RDP – this can foil hackers trying to crack a password using dictionary-based methods.

Restrict access with a firewall. A good firewall situated between your machine and the Internet can protect against a world of dangers. A range of methods can be used to validate and restrict network traffic, such as the use of a whitelist for known safe IPs, or blocking port 3389 entirely and using a port forwarding rule to take RDP connections on a non-standard port and direct them to the default RDP port on a specific machine. Even sophisticated protections like automatic blacklisting of remote IPs after a given number of connection attempts can be accomplished with relative ease.
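Before automating any blocking, it helps to see what repeated failed RDP logons actually look like on a machine. The following PowerShell script is an added example (not part of the original post) that groups failed logon events by source address; it assumes it runs elevated on the Windows host being audited, and the threshold and look-back window are arbitrary defaults.

```powershell
# Added example: summarise failed RDP logons per source IP from the Security log.
# Event 4625 = failed logon. With NLA disabled the RDP attempt is LogonType 10
# (RemoteInteractive); with NLA enabled the CredSSP pre-auth failure is LogonType 3.
# Assumes an elevated session on the machine being audited; $Threshold/$Hours are assumed defaults.
param([int]$Threshold = 10, [int]$Hours = 24)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
          -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $x    = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['LogonType'] -in '10', '3') {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            User   = $data['TargetUserName']
            Source = $data['IpAddress']     # '-' for local/console attempts
            Type   = $data['LogonType']
        }
    }
}

# Report only sources that crossed the threshold, most active first
$failures | Group-Object Source | Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            SourceIP  = $_.Name
            Failures  = $_.Count
            Users     = ($_.Group.User | Sort-Object -Unique) -join ','
            FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Format-Table -AutoSize
```

A source that hits the threshold against many different usernames is the pattern the lockout policy and firewall blacklisting above are meant to stop.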

Enable Network Level Authentication (NLA). A feature of Windows that is typically enabled by default, NLA will not allow any level of connection to the remote machine without proper credentials. It’s most likely that this feature is already in use, but if you see a login screen on the remote desktop via RDP *before* you submit credentials, that would indicate that NLA has been disabled. It is highly recommended that NLA be used on all remote machines.

Use an RDP gateway instead of a direct connection. Setting up an RDP gateway server for your organization requires some effort from your IT department, but it may be well worth it if you have many RDP users. An RDP gateway adds a layer of protection by shielding remote machines behind a single gateway server. Remote target machines can be configured to only allow connections from the gateway, blocking any direct intrusion attempts.

Use multi-factor authentication (2FA/MFA). Once your organization invests in setting up an RDP gateway, it can be configured to send an SMS or a mobile app MFA challenge for each login attempt. This adds a robust additional layer of security as connections will be denied for any user that does not complete the MFA challenge successfully.

Tunnel RDP via IPSec or SSH. A network tunnel is an encrypted connection between two points on a network. A typical example of this is the Virtual Private Network (VPN). An encrypted tunnel essentially creates a second layer of security that wraps the connection from the moment RDP is initiated. Tunnels can be a bit complex to set up, but the added security is substantial.
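To check which of the measures above are actually in place on a given machine, the following PowerShell audit script is an added example (not part of the original post). It reads the standard Terminal Server registry values for the RDP listener, the local lockout policy, the Remote Desktop Users group, and the inbound firewall rules that allow the listening port; it assumes an elevated session on the Windows host being checked.

```powershell
# Added example: audit the local RDP hardening settings discussed above. Run elevated.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

$rdpEnabled = (Get-ItemProperty $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$port       = (Get-ItemProperty $tcp -Name PortNumber).PortNumber            # 3389 by default
$nla        = (Get-ItemProperty $tcp -Name UserAuthentication).UserAuthentication -eq 1
$secLayer   = (Get-ItemProperty $tcp -Name SecurityLayer).SecurityLayer      # 2 = TLS required

# Accounts allowed to use RDP (local Administrators are allowed implicitly)
$rdpUsers = (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue).Name

# Account lockout threshold from the local security policy ("Never" means no lockout)
$lockout = (net accounts | Select-String 'Lockout threshold').ToString().Split(':')[-1].Trim()

# Enabled inbound allow rules whose local port matches the RDP listener.
# Note: the built-in "Remote Desktop" rules are fixed at 3389, so a changed port needs its own rule.
$fwOpen = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port" } |
    Select-Object -ExpandProperty DisplayName

[pscustomobject]@{
    RdpEnabled         = $rdpEnabled
    ListeningPort      = $port
    DefaultPortInUse   = ($port -eq 3389)
    NlaRequired        = $nla
    TlsRequired        = ($secLayer -eq 2)
    LockoutThreshold   = $lockout
    RemoteDesktopUsers = ($rdpUsers -join ', ')
    InboundRulesOnPort = ($fwOpen -join ', ')
} | Format-List
```

A machine that shows RdpEnabled true, NlaRequired false, LockoutThreshold "Never" and an allow rule on 3389 exposed to the Internet has the weakest combination described in this post.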


Risk is inherent with any device or service connected to the public Internet. Measures like the above can help reduce exposure but are no guarantee. Deploying a selection of these measures can increase your remote computing environment’s security, but safe practices and vigilance are ongoing requirements.