Understanding the Pitfalls of RDP

The Remote Desktop Protocol (RDP) still serves a critical function since Microsoft first adopted the technology well over twenty years ago. By enabling remote connection to computers, RDP aids in work-from-anywhere efforts as well as troubleshooting and other tech support services. Despite its usefulness, however, RDP also serves as a major target for threat actors looking to penetrate a network. Let’s explore the pros and cons of RDP and what organizations can do to protect themselves from potential vulnerabilities.

What RDP Does

RDP allows users to remotely access and control computers. It was first introduced in 1998. Using a Windows client interface over TCP/UDP port 3389, the user operates the machine as if they were sitting in front of it.  

In practice, RDP has numerous benefits.

  • Remote work: A user can access their office desktop machine over a laptop or personal computer on the go and work as if they were physically in the office from wherever they have internet connection.
  • Troubleshooting: An IT admin can connect to a user’s machine to diagnose and remediate problems without having to directly interact with the machine itself.  
  • Server access: An engineer can tap into a server to perform maintenance or updates while keeping the server in a secure location.
  • Software testing: A developer can tap into a system running an application to evaluate how code operates in a controlled environment.
  • System deployment: A technician can set up a device for a new employee after drop-shipping it to their residence.
  • Managed services: An MSP can manage multiple systems across multiple client tenants without having to step foot in their offices.

With many other potential applications, RDP proves useful for any situation where someone needs to remotely connect to and control a computer or server.

The Other Side of RDP

Although useful, RDP has a major downside: it can be exploited by attackers as well. When it is exposed to the internet, in theory anyone can attempt to connect to it. If a threat actor discovers an exposed RDP service, they can break into it through various methods and gain control over the system as if they were an authorized employee. Doing so grants them nearly unlimited access to the system, with potentially dire results.

What’s more, if an attacker gains control over a system through some other method, they can establish an RDP connection to ensure persistence. That way they can return to the compromised system long after initial access, with their activity masked as ordinary remote use over extended periods while they carry out other misdeeds.

RDP is also an increasingly common vector for ransomware. Because it grants direct remote access to systems, RDP gives bad actors the ability to deploy ransomware directly onto them. And since these systems are often joined to on-premises networks, ransomware can easily spread to other parts of the network.

Critical vulnerabilities and exposures (CVEs) have been discovered in RDP over the years, including recent ones that allow remote code execution. Microsoft is aware of these vulnerabilities and has issued patches for many of them, but the fact remains that RDP presents a major cybersecurity issue, and the consequences can be far worse if the ports are reachable from the internet.

What to Do About RDP

So, understanding both sides of RDP, what can organizations do about it?

Require strong passwords

Proper cyber hygiene is always important. Be sure users are logging into RDP with longer, complex passwords to make it harder for threat actors to brute force their way through.  

Patch regularly

As with many other aspects of the IT and cybersecurity landscape, it’s best to stay as up to date as possible on all patches, especially ones pertaining to RDP. Of course, a patch may itself contain other, as-yet-unknown vulnerabilities, so stay tuned to news outlets and threat intelligence feeds to remain informed about new exposures.

Use a VPN

Although not a one-for-one RDP replacement, virtual private networks (VPNs) allow remote users to reach network resources remotely. Note that a VPN by itself does not let you control a remote computer the way RDP does, so for those use cases a different solution is required.

But where remote users only need to access on-prem files and servers, a VPN can serve a similar purpose. Unfortunately, just as with RDP, VPNs have also been known to harbor CVEs that attackers prey on.

Restrict your ports

By default, RDP connections use port 3389 and are open to the internet. You can make several changes to remedy this, including switching the default port or closing access to it entirely (changing the port only slows casual scanning; it is not a substitute for restricting who can reach the service). Using firewall rules or other configurations, you can restrict access to RDP ports to specific IP addresses or networks. This reduces the accessible attack surface and moves RDP toward a zero trust model. That said, if an end user’s computer is physically compromised, or the user is a malicious insider, these methods may not prevent compromise.
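The following PowerShell is an added example, not code from the original post or from Todyl: it audits the built-in Windows Defender Firewall rules for RDP, shows the weak state (remote scope "Any"), and then scopes those rules to a management network. The subnet 10.20.30.0/24 and the function names are assumptions; substitute your own admin or VPN range and run from an elevated session.

```powershell
# Added example (not from the original post): audit and tighten the built-in
# "Remote Desktop" firewall rules so only a management network can reach 3389.
$ManagementSubnet = '10.20.30.0/24'   # assumption: your admin/VPN address range

function Get-RdpFirewallExposure {
    # Lists each enabled inbound rule in the built-in "Remote Desktop" group with
    # its remote-address scope. A scope of "Any" means the listener is reachable
    # from every network the host is attached to, which is the weak default.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Protocol      = $port.Protocol
                LocalPort     = $port.LocalPort
                RemoteAddress = ($addr.RemoteAddress -join ',')
                Exposed       = ($addr.RemoteAddress -contains 'Any')
            }
        }
}

function Set-RdpFirewallScope {
    param([Parameter(Mandatory)][string[]]$RemoteAddress)
    # Hardened form: keep the same rules but limit them to the given addresses.
    # Inbound RDP from anywhere else is then dropped by the host firewall itself,
    # independent of whether a perimeter device also blocks port 3389.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $RemoteAddress
}

# Before: show the weak state (typically RemoteAddress = Any on a fresh host).
Get-RdpFirewallExposure | Format-Table -AutoSize

# Apply the restriction, then verify that no RDP rule is still exposed to Any.
Set-RdpFirewallScope -RemoteAddress $ManagementSubnet
$stillExposed = Get-RdpFirewallExposure | Where-Object Exposed
if ($stillExposed) {
    Write-Warning "RDP still reachable from Any: $($stillExposed.Rule -join ', ')"
} else {
    Write-Host "RDP inbound rules now limited to $ManagementSubnet"
}
```

The host firewall scope complements, rather than replaces, blocking 3389 at the network edge, and a compromised or malicious endpoint inside the management subnet is still able to connect.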

Implement cloud-based network security

Secure Access Service Edge (SASE) allows organizations to abstract their network to the cloud, establishing secure, untouchable connections between resources. Using a software-defined perimeter established by downloaded agents, SASE protects traffic and activity between systems by preventing exposure to the open internet.

Learn more

To see how SASE can help you address the security concerns of RDP, read this case study. In it, you’ll learn how one MSP used SASE to practically eliminate RDP and VPN usage while promoting cybersecurity, saving their client thousands of dollars annually.
