Since Easter 2020, we have seen a steady increase in Windows systems being compromised by threat actors and ransomware groups. In the vast majority of cases, the method of access has been by open Remote Desktop Protocol (RDP).
The threat actors typically get in by leveraging simple passwords. Once in the system, they will poke around, try to identify all your servers and where your backups live, obtain your passwords, and when they’ve poked around enough, run ransomware on the lot. In recent months, ransomware gangs have also been exfiltrating data (taking copies of your data) and threatening to release it to the public – which may trigger privacy obligations because you’ve lost control of sensitive customer and/or employee data.
I wanted to take a moment to talk about RDP, what it is and what your business should be doing to protect yourself against this risk. (I actually talked about this sort of behaviour back in 2016.)
What is Remote Desktop Protocol (RDP)?
RDP is the technology used to allow your desktop computer (or thin client) to connect to another computer or server, typically known as a Terminal Server or Remote Desktop Server. In this fashion, your local keyboard, mouse and monitor become the controls for the remote device.
Many businesses that have complex database systems that require a server to run will leverage Remote Desktop Servers to allow their staff to all work from one location. Money is invested into the server, as opposed to the desktops, and maintenance is minimised because whenever a new software update has to be rolled out for the database application it only has to be installed on the Remote Desktop Server(s), instead of every computer in the business.
Some businesses will also use RDP to allow their staff to remote into their own desktop from home or when on the road, as a cost effective way to provide remote access to their work computer.
RDP is built into the Windows operating system and, whilst there are many other remote access solutions like TeamViewer, LogMeIn, ScreenConnect, etc., it has become the de facto remote access technology used by most businesses wanting remote access to a server or computer.
Is RDP Insecure?
Tricky question. The problem isn’t so much that RDP itself is insecure, but that single factor authentication (i.e. just using a username and password) is inherently insecure. That’s not to say there have not been bugs in RDP that made it insecure, but most attacks are successful due to the use of simple passwords.
10 to 15 years ago it was feasible to simply change the port used by RDP from the default of 3389 to something else to obscure it. (Every application talks via different ports, some of which are reserved for certain applications.)
Unfortunately these days you can get free and open source software that will scan and identify common applications irrespective of the port they’re assigned to, meaning that the old “security through obscurity” trick is no longer a sustainable approach.
Then you go and throw something like shodan.io into the mix – a publicly accessible system that scans IP addresses across the internet and keeps a record of which applications (ports) are open on those IP addresses – and the barrier to entry for your average cyber criminal is very, very low.
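Because most of these compromises come down to password guessing against an exposed RDP listener, the one thing every business can do today, before the VPN and MFA work below is finished, is watch the Windows Security log for it. The following is an added example, not code from the original post: it runs over a constructed extract of failed-logon events (Event ID 4625) and flags a source IP that either hammers one account in a short window (brute force) or tries a few passwords against many accounts (password spraying). Windows records an RDP failure with Logon Type 10 (RemoteInteractive) or, when Network Level Authentication rejects the credentials before a session exists, Logon Type 3 (Network), so both are counted. The one-record-per-line format, the sample addresses and usernames, and the thresholds are all assumptions made for the example; a real deployment would read the events from the Security log or a SIEM and tune the thresholds to the environment.

```python
"""Detect RDP password guessing in a Windows Security log extract.

Added example (not from the original post). Event ID 4625 is "An account
failed to log on". Logon Type 10 is an RDP (RemoteInteractive) session and
Logon Type 3 is what an NLA pre-authentication failure is recorded as, so
both types are treated as RDP failures. Everything else (console logons,
successful 4624 events) is ignored.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {3, 10}
WINDOW = timedelta(minutes=5)   # sliding window for the burst count (assumed)
FAILURE_THRESHOLD = 6           # failures from one IP inside WINDOW (assumed)
SPRAY_USER_THRESHOLD = 3        # distinct accounts tried from one IP (assumed)

# Constructed sample export (not real log data). One record per line:
# "<timestamp> <EventID> <LogonType> <TargetUserName> <IpAddress>".
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2020-06-01T02:14:05 4625 10 administrator 203.0.113.7
2020-06-01T02:14:09 4625 10 administrator 203.0.113.7
2020-06-01T02:14:12 4625 3 administrator 203.0.113.7
2020-06-01T02:14:15 4625 3 administrator 203.0.113.7
2020-06-01T02:14:19 4625 10 administrator 203.0.113.7
2020-06-01T02:14:23 4625 10 administrator 203.0.113.7
2020-06-01T02:14:27 4625 10 administrator 203.0.113.7
2020-06-01T02:20:00 4625 3 jsmith 198.51.100.20
2020-06-01T02:20:04 4625 3 mjones 198.51.100.20
2020-06-01T02:20:09 4625 3 backup 198.51.100.20
2020-06-01T02:20:13 4625 3 sql_svc 198.51.100.20
2020-06-01T02:21:00 4625 2 jsmith 192.0.2.55
2020-06-01T09:05:00 4625 10 jsmith 192.0.2.55
2020-06-01T09:05:30 4624 10 jsmith 192.0.2.55
"""


def parse_line(line):
    """Parse one export line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, event_id, logon_type, user, ip = parts
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "user": user,
        "ip": ip,
    }


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def rdp_failures(lines):
    """Group RDP-related 4625 events by source IP address."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event_id"] != 4625:
            continue
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        by_ip[ev["ip"]].append(ev)
    return by_ip


def find_rdp_attacks(log_text):
    """Return {ip: alert} for sources that look like brute force or spraying."""
    alerts = {}
    for ip, events in rdp_failures(log_text.splitlines()).items():
        burst = max_in_window([e["time"] for e in events], WINDOW)
        users = sorted({e["user"] for e in events})
        if burst >= FAILURE_THRESHOLD:
            kind = "brute_force"          # many failures, short window
        elif len(users) >= SPRAY_USER_THRESHOLD:
            kind = "password_spray"       # few per account, many accounts
        else:
            continue
        alerts[ip] = {"kind": kind, "failures": len(events),
                      "burst": burst, "users": users}
    return alerts


if __name__ == "__main__":
    for ip, alert in find_rdp_attacks(SAMPLE_LOG).items():
        print(f"{ip}: {alert['kind']} ({alert['failures']} failures, "
              f"accounts: {', '.join(alert['users'])})")
```

Note the two different signatures: the first address makes seven attempts against one account in under half a minute and trips the burst threshold, while the second tries four different accounts once each and would slip under a failures-per-window rule alone, which is why the distinct-account count is checked separately. A single console failure (Logon Type 2) and the later successful logon are ignored rather than counted against the third address.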
How do you protect RDP?
The best way to protect your business against being compromised via RDP is to require all remote users to use a VPN (typically SSL VPN). VPNs create a secure “bubble” which allows the remote device to access protected resources only after securely authenticating.
We would also recommend the use of Multi Factor Authentication (MFA) on either the VPN service or the RDP sign in process. This ensures that even if someone does manage to “crack” the VPN credentials (or find an exploit in your VPN firewall), there is an extra challenge stopping them from immediately gaining access to your business.
In a perfect world we’d say put MFA on everything – but all this will do is piss off your users because they’ll get sick of having to type in the codes over and over again. It’s really important to get a good balance of security and practicality if you want your team to not resent your security program.