Photographee.eu - Fotolia
In a Windows deployment, the Remote Desktop Protocol enables an IT professional to control a user's computer from a separate device.
Using a Windows computer through a Remote Desktop Protocol (RDP) session provides essentially the same experience as sitting directly at the computer's console. IT pros use RDP for server management a lot. It is also the protocol of choice for help desks that need to remotely assist users with problems.
As the name implies, RDP hijacking refers to an unauthorized person gaining RDP access to one or more computers on a network. The phrase RDP hijacking can describe a newly established, unauthorized RDP session or a hacker taking over an existing RDP session.
How do attackers gain rogue RDP access?
There are a few different methods for gaining rouge RDP access, but the easiest is to run Tscon.exe -- a Windows system file that establishes connectivity to a remote system as the system user. This enables a hacker to establish an RDP session with other Windows machines on the network without having to enter a password. If he can find an administrative RDP session to take over, then he can gain admin access to the network.
Gaining system access to a Windows machine might seem like a tall order. There are several tutorials on the internet that show how to leach system access from the operating system without even having to log into Windows.
The problem with this type of RDP attack is that it is difficult to detect. RDP is common in organizations, so a rogue RDP session could easily blend in with other sessions.
How to prevent RDP hijacking
The most important thing an organization can do to limit the risk of RDP hijacking is to block RDP access from the internet. By doing so, IT can make it so someone would have to physically be on the network to hijack an RDP session.
It's also a good idea to use Group Policy settings to automatically log off disconnected sessions. This will prevent a hijacker from taking over an abandoned session -- possibly a session using administrative credentials. The setting is located in the Group Policy Object Editor at Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits > Set Time Limit for Disconnected Sessions.
Dig Deeper on Virtual desktop management
Related Q&A from Brien Posey
Removing personal data from a database is a simple process, but eliminating that information from full backups could undermine the integrity of your ... Continue Reading
Mistimed updates in Windows 10 can drive users crazy and cost organizations in terms of productivity. There are steps you can take to pause these ... Continue Reading
App layering, which separates apps from the underlying OS, helps IT in several ways, including allowing it to deliver apps to specific groups, but ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.