With so many employees sheltering in place due to Coronavirus, enterprises running Windows are depending on VPNs and Microsoft’s Remote Desktop Protocol (RDP). However, while this allows employees to access company apps and files, exposing VPN and RDP attack surfaces creates other, longer-lasting problems.
By Gil Azrielant, CTO and Co-founder, Axis Security
VPNs are notoriously problematic to begin with, especially when paired with RDP’s security flaws. RDP has numerous known vulnerabilities (CVEs) registered against it. And even with patches, new vulnerabilities continue to emerge.
For an organization to thrive in this environment, it will need to adopt security measures when deploying Microsoft RDP-enabled access widely, ideally without having to constantly upgrade its servers. This is difficult when it has to provide remote access quickly, without the luxury of upgrading software first.
How vulnerable is your RDP environment?
For remote workers to do their jobs, they often need to connect to remote workstations, servers or applications within the company. That’s why so many organizations with Windows computers rely on both VPNs to get on the network and Microsoft’s Remote Desktop Protocol (RDP) via the Remote Desktop Connection application to get to a particular machine.
VPN enablement can be painful for both IT and end users. In fact, VPNs can aggravate RDP’s security flaws. While patches are available for many of these flaws, some servers cannot be upgraded, leaving untold numbers of vulnerable legacy servers in place. And even with those patches, new RDP vulnerabilities continue to emerge.
Common Vulnerabilities and Exposures (CVEs) affecting RDP include BlueKeep, which allows cybercriminals to remotely take over a connected PC. We have listed relevant CVEs at the end of this post. Further, attackers continually run brute-force attacks to obtain the credentials of users who have remote desktop access.
We recommend that, when using Microsoft’s RDP, organizations adopt additional security measures. Some are simply procedural. But whatever form they take, they are necessary to keep enterprise data safe.
How to alleviate RDP’s vulnerabilities?
Providing large scale urgent access while keeping users safe is not easy. But new access and security technologies make it possible without fiddling with VPNs or directly upgrading servers. A modern solution that is equipped to handle RDP’s vulnerabilities will provide a layer of security over all managed RDP servers. These solutions will analyze all user requests before they are securely forwarded to the RDP server. This protects the RDP host and its data by acting something like an RDP request broker.
This process of preventing remote users from touching the applications directly effectively mitigates all of the RDP-related CVEs listed below, reducing the application attack surface and minimizing risk.
The most important thing to remember regarding RDP is to never put your RDP servers on the public Internet. Within minutes of a public-facing RDP server going online it will be scanned, and from then on numerous connection requests and exploitation attempts will arrive every hour. It is unrealistic to expect such a legacy protocol to be secure on the Internet.
Other important steps that can be taken to protect against RDP vulnerabilities include:
- Enable network level authentication (NLA)
- Eliminate network access to the machine
- Enforce MFA for every login
- Focus on system patching, with virtual patching being the ideal technique for this
- Choose and enforce a strict policy
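The following audit script is an added example, not code from the article or from Axis Security. It checks the first two items in the list above on a local Windows host: whether Network Level Authentication and the TLS security layer are enforced for the RDP-Tcp listener, and whether any enabled inbound Remote Desktop firewall rule accepts connections from any remote address. It assumes an elevated PowerShell 5.1 or later session with the built-in NetSecurity module; the `-EnforceNla` switch and the `$findings` output are this example's own conventions.

```powershell
# Added example (not from the article or Axis Security): audit the RDP
# hardening settings recommended above on the local Windows host.
# Assumes an elevated PowerShell session with the NetSecurity module.
# Run with -EnforceNla to switch Network Level Authentication on.
param([switch]$EnforceNla)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
$rdpEnabled = (Get-ItemProperty $tsKey).fDenyTSConnections -eq 0
# UserAuthentication = 1 means clients must authenticate (NLA) before a session
# is created, so unauthenticated peers never reach the full RDP stack.
$nla        = (Get-ItemProperty $rdpKey).UserAuthentication -eq 1
# SecurityLayer: 0 = legacy RDP encryption, 1 = negotiate, 2 = TLS required.
$secLayer   = (Get-ItemProperty $rdpKey).SecurityLayer

$findings = @()
if ($rdpEnabled -and -not $nla) {
    $findings += 'NLA is disabled: unauthenticated clients reach the full RDP stack'
}
if ($rdpEnabled -and $secLayer -ne 2) {
    $findings += "SecurityLayer=$secLayer: TLS is not enforced for RDP"
}

# A Remote Desktop rule scoped to 'Any' remote address is the public exposure
# the article warns about whenever the host itself is reachable.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True `
            -Direction Inbound -ErrorAction SilentlyContinue
foreach ($rule in $rules) {
    $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($addr -contains 'Any') {
        $findings += "Firewall rule '$($rule.DisplayName)' allows RDP from any remote address"
    }
}

if ($EnforceNla -and $rdpEnabled -and -not $nla) {
    # Clients without CredSSP support will no longer be able to connect.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $rdpKey -Name SecurityLayer -Value 2 -Type DWord
    $findings += 'Remediated: NLA and TLS security layer enforced for new sessions'
}

[pscustomobject]@{
    RdpEnabled    = $rdpEnabled
    NlaRequired   = $nla
    SecurityLayer = $secLayer
    Findings      = $findings
}
```

The firewall check only reports the scope of the host rules; whether the host is actually reachable from the Internet still has to be confirmed at the network edge.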
No VPN required: giving your access and security a boost
The risks of enabling remote access are legitimate concerns for any enterprise. Traditional mitigation techniques, such as upgrading the server operating system, can take time and have cascading consequences. But new technologies are stepping up to improve access security and minimize complexity when it comes to VPNs and server software upgrades.
Here’s a partial list of CVEs related to RDP, which can be mitigated with the right steps taken and the support of the right technologies:
CVE-2019-0708 (BlueKeep) – Exploitation requires the client to bind to a specific channel. Axis Security maintains a whitelist of allowed channels, and the MS_T120 channel is blacklisted.
CVE-2020-0660 – Caused by insufficient validation of requests, which allows a crafted, malformed request to be sent and crash the system. Malformed packets will never be sent from the Application Access Cloud to your servers, as it validates and disarms every request and response before forwarding it.
RDP as implemented in several Windows versions, including Server 2008/2012 R2, 7, 8.1 and 10, is known to be vulnerable to the exploits described below:
CVE-2020-0609 – This vulnerability lies in Windows RD Gateway. We isolate your RD gateway from the internet, so no one can send malicious requests to it. Malformed packets will never be sent from the Application Access Cloud to your servers, as it validates and disarms every request and response before sending it over.
CVE-2020-0610 – This is very similar to the last one. This vulnerability lies in Windows RD Gateway. We isolate your RD gateway from the internet, so no one can send malicious requests to it. Malformed packets will never be sent from the Application Access Cloud to your servers, as it validates and disarms every request and response before sending it over.
CVE-2019-1181 – This vulnerability affects unpatched versions of Windows Server 2008-2019 and Windows 7-10. Our RDP service is not affected by this vulnerability.
CVE-2019-1182 – This vulnerability affects unpatched versions of Windows Server 2008-2019 and Windows 7-10. Our RDP service is not affected by this vulnerability.
CVE-2019-1222 – This vulnerability affects unpatched versions of Windows Server 2016-2019 and Windows 10. Our RDP service is not affected by this vulnerability.
CVE-2019-1226 – This vulnerability affects unpatched versions of Windows Server 2016-2019 and Windows 10. Our RDP service is not affected by this vulnerability.
About the Author
Gil Azrielant is the Co-founder and CTO of Axis Security. He is responsible for technology strategy and the development of the company’s cloud-based zero-trust application access platform. Gil’s cybersecurity career began in the elite Unit 8200 of the Israeli Army Intelligence Corps, where he worked on advanced cybersecurity and code decryption. He served five years inside this elite unit, working as a researcher and team leader.
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.