How to Protect Yourself Against RDP Attacks

Now more than ever, the battle for control of your network is centering in one place: port 3389. That’s the conduit for the remote desktop protocol (RDP), and it’s become a hotbed of activity. If you haven't secured this port and the services that connect to it already, now’s the time.

RDP is a protocol that people use to log into Windows boxes from afar. It connects to Remote Desktop Services, a Windows feature that gives you desktop access on a Windows computer from wherever you are.

The protocol also has a history of insecurity, leading to attacks either by direct manual hacking or by malware. It's been so bad that the FBI even issued a warning about it in 2018. Ransomware products including SamSam have relied heavily on this port to access systems. BlueKeep, the wormable Windows bug that threatened the internet last year, stemmed from an RDP vulnerability. The Trickbot banking Trojan now includes a module that allows hackers to launch brute force attacks via RDP.

Late March saw another worrying development: The source code for the Dharma ransomware-as-a-service operation appeared for sale online. That software also targets RDP, and its availability to others could spark a swarm of variants.

How can you lower the chances of an attacker pwning your network via RDP? Here are some tips:

Use Your Firewall
Blocking access to port 3389 with a firewall provides another layer of protection for those that don't use RDP at all. If a misconfigured machine has the port open by mistake, this network-level protection is a good catch-all.

Limit Access
Turning off RDP organization-wide might not suit many admins, especially as remote desktop port usage has spiked during the COVID-19 crisis. For companies facing this problem, limiting access can help. Leaving access open to all users by default when only a subset may need it increases your attack surface. Instead, turn off RDP access for those that don't require it, especially when dealing with administrative access.

Use Remote Desktop Gateway
Use a gateway that sits between the public internet and your internal RDP-enabled machines. Windows Server's Remote Desktop Gateway accepts SSL/TLS connections over port 443, relaying remote sessions securely to internal machines.

Use Network Level Authentication
This feature, turn on by default in modern versions of Windows and Windows Server, asks for extra authentication before connecting to a remote device.

Bolster Your Passwords
Manual attackers and software alike can brute-force weak passwords to gain access. Instigate a strong password policy before enabling RDS.

Using these techniques will help close loopholes that attackers are exploiting on a daily basis. As COVID-19 changes working practices and dissolves the average network's perimeter even further, there's no better time to seal off this potential security weakness.

What’s Hot on Infosecurity Magazine?