As COVID-19 drove many employees into remote work, IT departments rushed to get everyone online with access to the data and applications they needed to be productive. Chief information security officers (CISOs), however, were nervous. They understood many home computers lacked up-to-date protection, that the machines might also be shared by less security-minded household members, and that cybercriminals would be looking to exploit the situation by attacking remote desktop services as they become publicly available.
By Mike Jumper, CEO and Co-founder of Glyptodon
They were right. Microsoft’s Remote Desktop Protocol (RDP), already a common target, has become even more heavily targeted. According to research from cybersecurity firm ESET, Windows RDP attacks rose an astounding 768% in 2020. In fact, malware like Trickbot now includes RDP scanners to search for open ports, and distributed denial-of-service (DDoS) attacks have been using RDP as a way to amplify their impact.
To be fair, the issue here is not RDP itself. RDP is a very useful and functionally rich protocol, and the open-source project I work on, Apache Guacamole, uses it internally with great success. The issue is the attack surface created by the position of the remote desktop service within the operating system. This can be eliminated with proper system design.
Protecting Privileged Services
To enable a user to operate a machine remotely, RDP requires administrator-level privileges. Should an attacker exploit a vulnerability and execute arbitrary code, that code will inherit those privileges. A successful attack against a privileged service can be catastrophic mainly due to the privileges the attacker gains once they control that service.
Two of the vulnerabilities found in 2019, popularly known as BlueKeep and DejaBlue, can be exploited to do just that on unpatched Windows servers with public RDP services. This can result in the introduction of malware, the initiation of a ransomware attack, and allow hackers to move laterally across the network and infiltrate other computers.
As a privileged service, RDP should always be carefully guarded and never exposed publicly. Instead, all access should take place through an entirely independent service, one with tight controls and limited privileges so that a successful attack cannot result in gaining administrator status.
Protecting Against the Unknown
A system should never remain unpatched. The reasons why are basic and abundantly clear: older, unpatched software possesses known vulnerabilities. That said, the foremost concern amongst CISOs regarding remote access should be unknown vulnerabilities. When a new vulnerability emerges, it is not always possible to patch the system before the vulnerability begins to be exploited, and it’s on the system’s design to protect against this.
When hackers exploit a vulnerability, they perform an action that a software’s security model should otherwise deny. CISOs must be sure IT sets boundaries that can be enforced independently through layers of protective services while limiting privileges to only what is essential for operation. Respectively, these are known as defense-in-depth and the principle of least privilege.
Authentication and authorization should not just be a part of connecting with RDP, they should be preconditions that are satisfied before RDP is even available. To this end, a remote desktop gateway should be the only way in and should be positioned in front of RDP. The gateway should provide access strictly to remote desktops assigned to specific users, and should operate with limited privileges to ensure an attacker cannot directly gain admin control if the gateway is compromised.
Virtual private networks (VPNs) have been a popular approach for overcoming these hurdles. Unfortunately, they have a reputation for being sluggish and difficult to use, and deploying so generic a solution as a VPN can open up access to more of the private network than each user needs. With so many employees likely to remain remote post-pandemic, VPNs are not likely to provide a feasible solution for securing RDP at the enterprise level.
After deploying the gateway, IT should lock down the network firewall so that the gateway is the only means to access RDP from outside the network. Likewise, computers on the network should be locked down so that they allow access to RDP only via the gateway. By isolating remote desktops at the network level, a single hacked computer doesn’t put all computers in jeopardy.
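The host-level lockdown described above, as an added example that is not part of the article or of Apache Guacamole: a PowerShell snippet for a Windows RDP host that disables the stock "allow from anywhere" Remote Desktop rules and replaces them with a single rule scoped to the gateway's address. The gateway IP is an assumed placeholder; the perimeter firewall rule that pairs with it is vendor-specific and not shown.

```powershell
# Added example (not from the article). Run elevated on each Windows host
# that offers RDP. Goal: TCP/3389 reachable only from the remote desktop gateway.

# Assumed address of the gateway; replace with the real one for your network.
$GatewayAddress = "10.0.0.5"

# 1. The built-in "Remote Desktop" rule group allows RDP from any source.
#    Disable it rather than delete it so the change is easy to audit and revert.
Get-NetFirewallRule -DisplayGroup "Remote Desktop" -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 2. Make sure the default inbound action is Block on every profile. Windows
#    Firewall evaluates Block rules before Allow rules, so a broad "block 3389"
#    rule would also block the gateway; relying on the default deny avoids that.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 3. Explicit allow: inbound RDP only when the remote address is the gateway.
New-NetFirewallRule -DisplayName "RDP from gateway only" `
    -Description "Inbound TCP/3389 permitted solely from the remote desktop gateway" `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $GatewayAddress -Action Allow -Profile Any -Enabled True

# 4. Verify: the only enabled inbound rule on 3389 should be the scoped one,
#    and its address filter should list just the gateway.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 3389 } |
    ForEach-Object {
        "{0}: remote = {1}" -f $_.DisplayName, ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    }
```

From any machine other than the gateway, `Test-NetConnection -ComputerName <host> -Port 3389` should now report `TcpTestSucceeded : False`, while the gateway still connects normally.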
The Remote Future
For CISOs, securing RDP is simply a matter of ensuring that it’s deployed carefully so malicious actors have nothing to leverage. Place RDP services behind a secure gateway, apply patches in a timely manner, and follow best practices, and you’ll have a long-term solution for your remote future.
About the Author
Mike Jumper is the original developer of Apache Guacamole, an open-source remote desktop access gateway. He is CEO and co-founder of Glyptodon, which provides a commercial build of Apache Guacamole with enterprise support.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.