The remote desktop protocol performs admirably in ideal and regulated environments. RDP server security, on the other hand, necessitates a degree of IT security maturity much beyond default RDP settings to prevent rogue sessions, hijacking, unauthorized access, exploits, privileged escalation, and so on.
RDP’s default encryption and security settings are merely a starting point. If these settings are exclusively utilized for security and are left alone, they create a situation that poses an unacceptable danger to most businesses. So, how do you keep RDP safe for both internal and external operations?
The first RDP server security guideline is that no matter how much endpoint and system hardening is done, leaving RDP open on the Internet for access is totally unacceptable. Such exposure has simply too many hazards. RDP is only intended for usage within a local area network (LAN).
Even the most secure installations may be characterized as a Windows operating system and its version since RDP hosts allow a listening port for inbound connections. Once this is known, social engineering, missing security updates, zero-day attacks, credentials obtained on the dark web, inadequate password management, and other factors might all lead to unauthorized RDP access.
But, what goes into properly protecting RDP for internal use? Let’s start with what we already know about the default settings:
- Access lists: By default, enabling RDP on Windows Hosts only enables local or domain administrators access (depending on its current configuration). While this prohibits regular users from accessing the item, it poses an unacceptable risk because only administrators have access to the asset through RDP. This violates the principle of least privilege in security. As a result, administrators’ access should be disabled. Only the relevant standard user accounts should be provided RDP access, and this should be done on a just-in-time basis, which means access should only be granted for the time it takes to accomplish a job. Session activity should also be closely monitored to verify that it is suitable. The least privilege, just-in-time access, and session monitoring rules can all be applied to the fullest extent possible.
- Default accounts: If the above-mentioned access lists are not carefully followed, a threat actor might readily guess the administrator account for resource access. If the administrator’s default username is “administrator,” a breach is essentially a guaranteed conclusion. So, my proposal is that the local machine or domain administrator account be changed to something distinct, unique, and unguessable. Furthermore, RDP’ing (yep, it’s a word) as an administrator should be limited to use cases when it’s inevitable, rather than for everyday remote access demands.
- Authentication: The strongest approach for authenticating RDP connections is Network Level Authentication. If this option is disabled, credentials are delivered to a remote computer or domain controller in cleartext.
- Encryption: For RDP network communication, the ‘High’ encryption setting provides the strongest encryption available. If this isn’t specified, a domain controller negotiates the target’s maximum key strength (rather than the maximum key strength provided by group policy options).
- Clipboard redirection: a feature of RDP Servers that allows remote sessions to effortlessly cut/copy and paste material from distant computers to the connected device, and vice versa. This approach is vulnerable to misuses, such as data extraction or the pasting of sensitive system data, such as passwords.
- Network and LTP printer redirection: For remote access sessions, RDP Servers provide printer redirection. This feature enables local devices and domain controllers to connect to the remote asset via network and LTP (Line Terminal Printer) printers. This can lead to the printing of sensitive data and the installation of malicious printer drivers on a system. For network and LTP printers, RDP should be set up without redirection.
- Session management: Multiple RDP sessions per user account are possible with Windows Servers. Because a new session does not reconnect to the prior session—it is orphaned—if a user is mistakenly disconnected, the outcome might be a loss of productivity or knowledge. This scenario can be minimized by restricting access, particularly by limiting administrators to one session. Because only one session may occur at a time, this option also serves as a basic session management solution for malicious RDP.
Organizations should specify all of these settings in Group Policy Options and apply them via Active Directory to deploy them. Non-domain-joined resources must be configured individually. Regardless, if one host is misconfigured in any configuration situation, it poses a significant risk. Nonetheless, this occurs frequently.
While we follow security best practices while configuring RDP, there are other hazards that must be monitored and addressed on a regular basis:
- Vulnerabilities: RDP has had several vulnerabilities since its debut, including a couple that permitted remote code execution and privilege escalation, such as BlueKeep and DejaBlue. Information technology administrators in every setting that uses RDP must remain up to current on security upgrades and implement them as soon as possible. Few mitigation actions can prevent exploitation without several of these security fixes.
- Clients: RDP is a well-documented protocol. Many third-party solutions provide the ability to operate as an RDP client. In addition, native RDP clients based on open source and proprietary technology are included in other operating systems, such as macOS and Linux. If any of these clients have a vulnerability, the risk can be transmitted back to an RDP host server. Controlling, restricting, and managing the RDP clients permitted in your system (through application control, for example) is crucial to ensuring that end-user access does not become an attack vector.
- Licensing: To utilize the RDP protocol in an environment, Microsoft requires a license. Using a third-party solution or open-source versions may be in violation of your Microsoft license agreements. As ridiculous as it may sound, make sure that any third-party RDP solutions you use have a valid Microsoft license to instrument their technology.