As workforces return in whole or in part to the office, cybersecurity remains top of mind for many IT departments. And rightfully so. Malware and cyberattacks surged during the pandemic, and the explosive growth in the number of remote users opened up new vulnerabilities and attack vectors for cybercriminals as organizations struggled to find the tricky balance between ease of access and strict security measures.
When the spotlight fell on those vulnerabilities, two common culprits emerged. One was phishing, which tends to exploit human trust and ignorance to turn an unsuspecting employee into an attack vector. The other was the Remote Desktop Protocol, or RDP, which is the technology on which so many forms of remote access rely. In mid-2020, ZDNET went so far as to say that RDP “reigns supreme” when it comes to ransomware exploits.
The identification of RDP as a potential security risk wasn’t news to a lot of people in the IT industry. During the pandemic, however, its threat as an attack vector magnified because of how widespread its use became in debilitating ransomware attacks. According to Palo Alto Networks’ Unit 42 Cloud Threat Report, 1H 2021, RDP exposures increased by 59% across all cloud providers in the short span between Q1 2020 and Q2 2020. The 2020 Incident Response and Data Breach Report from the same group found that RDP was the initial attack vector in 50% of the 1,000+ ransomware deployment cases it studied.
What is the Remote Desktop Protocol (RDP) and why does it pose security risks?
The Remote Desktop Protocol is a part of a suite of technologies found on Microsoft Windows systems that are designed to allow users to remotely connect to and control a separate system. RDP works in conjunction with Remote Desktop Services (RDS) to provide a graphical representation of the host’s desktop interface on any remote client machine that supports it. This was traditionally used for IT to diagnose and fix issues on a remote user’s computer via the GUI, but these days it’s far more common to find RDP being used to provide users with virtual desktops or perform remote management.
(As a brief aside for the sake of clarity, Microsoft’s official name for their RDP client software is the Remote Desktop Connection. This was previously known as the Terminal Services Client because of its roots in Windows Server’s Terminal Services.)
RDP connections pose a security risk for three simple reasons:
RDP is the de facto industry standard for providing remote desktop sessions and other services to remote users.
The increase in remote work has likewise increased the use of virtual desktop and other remote access solutions that rely on remote desktop services.
Because of how RDP works by default, simple RDP vulnerabilities have the potential to grant hackers access to entire networks.
Through the use of man-in-the-middle attacks or phishing campaigns that allow for unauthorized access to a remote client, a malicious actor can use that client as an attack vector to (or through) the remote desktop gateway. Virtual private networks (VPNs) exacerbate this situation because they assume legitimacy and offer network-level authentication to remote clients. Even strong passwords and IP address whitelists don’t offer sufficient protection when VPNs are at play.
Yet it’s important to note here that infected endpoints aren’t the only potential RDP vulnerability. Ransomware.org details what’s known as a reverse RDP attack, whereby the threat actor plants malware on the RDP server. Any client that connects to that infected server becomes infected itself. Entire organizations could therefore potentially find themselves on the wrong side of a system-wide lockout.
How does the server become infected in the first place? This is done through brute force attacks that run through authentication permutations until they hit the right combo that gives the hacker RDP access. Many organizations face challenges in preventing this because they have to open their firewall to common RDP ports in order to provide seamless access to authorized remote users.
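Brute force against an exposed RDP listener leaves a recognizable trace in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source address, often cycling through many account names. The detector below is an added example, not from the original post or any vendor product; it assumes the events have already been exported to a simple pipe-delimited text form (the sample lines are constructed) and flags any source that exceeds a failure threshold inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: "timestamp | EventID | LogonType | TargetUser | SourceIP".
# This is an assumed simplified format, not raw Windows event log output.
SAMPLE_LOG = """\
2021-03-01T08:00:01 | 4625 | 10 | administrator | 203.0.113.7
2021-03-01T08:00:02 | 4625 | 10 | admin | 203.0.113.7
2021-03-01T08:00:03 | 4625 | 10 | user1 | 203.0.113.7
2021-03-01T08:00:04 | 4625 | 10 | root | 203.0.113.7
2021-03-01T08:00:05 | 4625 | 10 | guest | 203.0.113.7
2021-03-01T08:00:06 | 4625 | 10 | test | 203.0.113.7
2021-03-01T08:00:30 | 4625 | 10 | alice | 198.51.100.4
2021-03-01T08:01:00 | 4624 | 10 | alice | 198.51.100.4
2021-03-01T08:05:00 | 4625 | 3 | bob | 192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) \| (\d+) \| (\d+) \| (\S+) \| (\S+)$")
FAILED_LOGON = "4625"        # Windows Security: an account failed to log on
RDP_LOGON_TYPE = "10"        # LogonType 10 = RemoteInteractive (RDP / Terminal Services)

def parse_events(text):
    """Parse the exported lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, logon_type, user, src = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "event_id": event_id,
                       "logon_type": logon_type, "user": user, "src": src})
    return events

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (max_failures_in_window, sorted_user_names)} for every
    source whose failed RDP logons reach `threshold` inside any sliding `window`.
    A single failure from a legitimate user (or a non-RDP logon type) is not flagged."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON and e["logon_type"] == RDP_LOGON_TYPE:
            failures[e["src"]].append(e)
    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):            # two-pointer sliding window
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(src, (0, []))[0]:
                users = sorted({e["user"] for e in evs[start:end + 1]})
                flagged[src] = (count, users)
    return flagged
```

Feeding the constructed sample through it flags only 203.0.113.7 (six failures across six account names in five seconds); the single failed logon from 198.51.100.4 and the type-3 network logon from 192.0.2.9 are ignored.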
Older, unpatched versions of RDP also have innate security vulnerabilities such as BlueKeep (CVE-2019-0708), a “wormable” flaw that can be used to infect a server and then spread to connected devices without any user interaction.
Does that mean RDP security is a lost cause?
With so many actual and potential RDP vulnerabilities, it might seem like secure remote access is an impossible task. And if that’s true, it presents IT departments with a terrible choice: Either forbid hybrid and remote work altogether or allow hybrid/remote work and accept malware and other security concerns as a necessary consequence.
Fortunately, that isn’t the case.
Zero Trust security is a best practice that approaches network security from a different angle — and in doing so aims to provide better balance to the “trust versus threat” dilemma. Instead of assuming that authentication should equate to full network access, Zero Trust security models treat every device as a possible security risk. It operates on a model of least privilege, so both remote users and those at in-network workstations are only granted permissions to access the apps and data they need and nothing more. You can think of Zero Trust as compartmentalizing and containing users rather than just opening a single door to the organization’s entire network.
Any Zero Trust model will both require and strengthen a secure remote desktop policy. To put that another way, organizations can leverage Zero Trust security to empower their hybrid/remote workforce even as they mitigate the security risks associated with remote-enablement technologies like RDP. But much of that depends on sourcing and implementing the solutions that also prioritize that balance.
Virtual App Delivery can be a building block of a Zero Trust model
For organizations that are as serious about Zero Trust as they are about hybrid and remote work, some Virtual App Delivery (VAD) systems can help them provide their people with seamless access to apps from any device while bolstering security with Zero Trust.
The VAD platforms capable of this are able to do this in part because they are OS-independent. They don’t require a special client; all apps are delivered to the user via a dedicated encrypted HTTPS (TLS/SSL) HTML5 browser session. This means that clients running operating systems like Windows, ChromeOS, iOS, Android, and Linux can all work with software that retains its full desktop functionality, yet the software is never running on the remote device itself. This likewise means that all user interaction with the app is abstracted from the host machine — so the attack vector is obfuscated for malware payloads.
And since VAD platforms do use industry-standard RDP for remote access (just like their VDI & DaaS counterparts), you should check with your VAD vendor (or VDI/DaaS vendor) to make sure they have systems in place to safeguard your networks against brute force attacks, ransomware and other cyberattacks. Below is a checklist that you can use to make sure the vendors you are evaluating have a true Zero Trust security model in place:
Single Architecture – It should not rely on acquired/bolt-on technologies or third-party products that significantly increase the attack surface for hackers.
Eliminate Open Firewall Ports – It should leverage a proxy server between the end user device and your servers, eliminating the need to open firewall ports for direct inbound traffic. It should also eliminate the need for VPNs because the end user device is completely isolated from the corporate network. Both are major attack vectors for hackers.
Eliminate Open RDP Ports – It should close HTTP, HTTPS, and RDP ports at the Windows firewall and dynamically open them to authorized users only when they need access. Open server ports are another favorite for hackers.
Least Privilege Principle – Users must have ZERO admin privileges. In the event a hacker gains access to a user session, they should be locked into the session and unable to move to other areas of the corporate network.
Non-persistent Servers – When a user closes a VAD session, their data and entire user profile should be deleted from the server. Be sure to find a VAD technology that stores the updated user profile separately and syncs it back when the session is relaunched, so users keep their settings without compromising security.
HTTPS security and encryption – All servers should be automatically created with HTTPS to ensure all data/sessions are encrypted.
Through this combination of secure RDP technologies and Zero Trust, VAD platforms can provide your hybrid/remote work users with seamless, secure access to all their apps from any device while simultaneously solving RDP security issues and reducing your overall attack surface.
You can learn more and download a Zero Trust security checklist and white paper here.