Microsoft's Remote Desktop Protocol has been the entry point for a variety of security breaches, so IT should know the best practices that help protect against RDP vulnerabilities.
There are a variety of potential attack methods, which underscores the importance of keeping antimalware protection up to date and using firewall rules to block TCP port 3389, the default RDP port, wherever possible. Some organizations, for example, only allow RDP traffic on isolated management network segments and block it on all other segments.
Patching is an important first step in the prevention of RDP security issues, but there are additional RDP best practices that IT should consider.
Use Group Policy to prevent RDP security issues
First, an organization should consider whether or not remote access capabilities are actually needed for various classes of machines. An organization may determine that it needs remote access capabilities for servers, but not for Windows desktops.
Once an organization makes that determination, IT should use Group Policy to disable remote access to those machines that do not need it. IT pros can disable remote access by opening the Group Policy Object Editor and navigating through the console tree to Computer Configuration | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Connections. IT can then use the Allow Users to Connect Remotely Using Remote Desktop Services setting to disable remote desktop access.
If IT pros determine that remote access is required for some machines, then they should make sure that Windows is configured to require Network Level Authentication. Network Level Authentication requires Windows to authenticate a user before the remote desktop session is established, so an unauthenticated client never reaches the logon screen. IT can use Group Policy to enforce the requirement for Network Level Authentication.
To do so, IT can open the Group Policy Object Editor and navigate through the console tree to Computer Configuration | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security. Here IT pros will find a setting called Require User Authentication for Remote Connections by Using Network Level Authentication.
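The two Group Policy settings above write well-known registry values, which makes them easy to audit at scale. The following PowerShell script is an added example, not part of the original article: it reports whether RDP is enabled, whether Network Level Authentication is required (by local setting or by policy), and whether port 3389 is listening and allowed inbound by the Windows firewall. It assumes it runs locally with rights to read HKLM and query the firewall.

```powershell
# Added example: audit a host for the RDP settings discussed above.
# Registry locations are the documented ones for these settings; the
# Group Policy-written copies live under HKLM:\SOFTWARE\Policies.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: setting is "not configured"
}

function Test-RdpHardening {
    $local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # "Allow users to connect remotely..." set to Disabled => fDenyTSConnections = 1.
    # A policy value, when present, overrides the local value.
    $denyPolicy = Get-RegistryDword $policy 'fDenyTSConnections'
    $denyLocal  = Get-RegistryDword $local  'fDenyTSConnections'
    $rdpEnabled = if ($null -ne $denyPolicy) { $denyPolicy -eq 0 } else { $denyLocal -eq 0 }

    # "Require user authentication ... Network Level Authentication" => UserAuthentication = 1.
    $nlaPolicy = Get-RegistryDword $policy 'UserAuthentication'
    $nlaLocal  = Get-RegistryDword "$local\WinStations\RDP-Tcp" 'UserAuthentication'
    $nlaRequired = if ($null -ne $nlaPolicy) { $nlaPolicy -eq 1 } else { $nlaLocal -eq 1 }

    # Is anything listening on 3389, and which enabled inbound rules allow it?
    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    $fwAllow = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
               Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
               Select-Object -ExpandProperty DisplayName

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RdpEnabled        = $rdpEnabled
        NlaEnforcedByGpo  = ($nlaPolicy -eq 1)
        NlaRequired       = $nlaRequired
        ListeningOn3389   = $listening
        InboundAllowRules = ($fwAllow -join '; ')
        Finding           = if ($rdpEnabled -and -not $nlaRequired) { 'RDP enabled without NLA: enforce NLA via GPO' }
                            elseif ($rdpEnabled) { 'RDP enabled with NLA: confirm this host needs remote access' }
                            else { 'RDP disabled' }
    }
}

Test-RdpHardening | Format-List
```

Run it through Invoke-Command against a list of servers and desktops to find machines where RDP is enabled but not required, or enabled without NLA.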
Consider different types of RDP security issues
First, an attacker might try to establish an RDP session directly across the internet. At first, it may be tempting to dismiss this possibility. After all, most organizations do not enable RDP on machines that are directly exposed to the internet. However, virtual machine instances hosted on public cloud providers such as AWS or Azure are commonly accessible through an internet-based RDP session.
Second, since Windows servers in an organization's data center are often RDP-enabled, there is always a possibility that an attacker could launch an RDP-based attack from inside the organization.
Third, an attacker could code an RDP exploit into malware. This means that even if an organization's servers are not directly accessible from the outside world, an attacker may be able to gain access simply by infecting a user's desktop.
Protect against BlueKeep
In May 2019, Microsoft released a patch for a vulnerability named CVE-2019-0708. This vulnerability, which later became known as BlueKeep, is a serious RDP vulnerability that can allow an attacker to remotely access Windows systems without having to provide a username or a password.
The CVE-2019-0708 vulnerability does not exist in newer versions of Windows, such as Windows 8 and Windows 10. Instead, the vulnerability exists in several older Windows versions, including Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, Windows Vista and Windows XP. The fact that Microsoft has released patches, even for versions of Windows that are no longer supported, underscores the seriousness of this vulnerability.
The first step in protecting an organization against the BlueKeep vulnerability is to patch any affected systems. Patches for Windows 7, Windows Server 2008 and Windows Server 2008 R2 are available through Microsoft's Security Update Guide. Patches for Windows Server 2003, Windows XP and Windows Vista can be found on the Windows Security Support site.