How do RDP vulnerabilities expose organizations to security risks?
Businesses across industries and millions of work-from-home employees take advantage of Microsoft RDP (Remote Desktop Protocol) to connect their remote devices to the organization network, access data, and collaborate directly on remote desktops.
Though remote connections make it convenient to work together and access crucial data on organization's PCs from any location, remote desk vulnerabilities have made them prime targets of cyber attackers. These malicious actors often position themselves as the man in the middle of the network and steal sensitive data, user's credentials, or as a vector for ransomware distribution.
RDP is used for business continuity
RDP allows Microsoft Remote desktop Connection and Apple's macOS and Linux systems to operate. They also allow a business operate on Android and iOS mobile operating systems. But allowing on both desktop and mobile systems, RDP provides business continuity.
Main security vulnerabilities of RDP
Vulnerability is a weak spot or gap in software that allows attackers to access the network system in an authorized manner. It is like an improper door latch of the foot door of a hose that allows burglars to break in.
Types of vulnerabilities in RDP:
Weak sign-in credential of users
Users use passwords to access their desktop computers at the workplace. They decide on making any password they want, and they are the sole owner of it. The problem is that when in remote locations, the user uses the same password to RDP remote login as well. Organizations do not have a role in making the passwords for the employees, and neither do they check their strengths or manage them. When used from remote locations, weak passwords make remote connections vulnerable to attacks like credential stuffing or brute force.
Unrestricted port access
In networking, ports are designated for certain types of connections, and they are software- based. By assigning different processes to different ports, computers easily keep track and identify the activities. For example, HTTP traffic goes to port 80, whereas secured HTTPS traffic is directed to port 443.
For RDP connections, the port mainly used is 3389, and these attackers know and assume that the port used will be the same and hence target it to carry out on-path attacks. So, in short, the two principal vulnerabilities of RDP are weak password and port targeting.
Ways to counter the RDP vulnerabilities
Single Sign-on (SSO)
The SSO is known to reduce the prevalence of weak credential sign-in. The organization uses SSO services to manage the user login for different applications. SSO allows organizations to enforce stronger password rules such as allowing only a minimum of 8-character complex passwords and implementing more secure measures like Two-factor authentication or 2FA. To strengthen the user login vulnerability, one can place the RDP behind the SSO. Certain cyber solutions service provider allows companies to do this.
Many companies do not use RDP behind the SSO as it may not be an option. At best, they advise the employees to reset their desktop computers to mote stronger passwords.
To protect against attacks on ports, port 3389 is protected by a secure tunnelling software that prevents attackers from sending a request that can reach port 3389. Software service providers provide a secure tunnel to avert any requests that do not pass through the secure tunnel get blocked.
It is impossible to configure a corporate firewall manually so that no traffic to port 3389 is allowed from any other IP addresses other than those permitted and listed, for example, only from devices that belong to employees. This process is slow and takes plenty of manual effort. They are also vulnerable if the hackers hijack an IP address that is allowed listed or compromise the employee's device. There is the problem of identifying and allowing the listing of all employees in advance. It results in continuous requests from employees to IT administrators to unblock their device IP.
Other types of RDP vulnerabilities
RDP has vulnerabilities patched by security teams, but they can be severe damage if left unchecked. One such vulnerability in RDP is known as “Blue Keep”. It is officiated designated as CVE-2019-0708 and is a vulnerability that enables an attacker to execute any malicious code on a computer by sending a request crafted for the right port, primarily port 3389. The nature of "Blue Keep" is that it is workable, which means it can spread to all computers in a network with no actions from the users. The best way to defend against this vulnerability is to disable RDP when it's not required and reactivate again when needed by the system.
The other way is to block Port 3389 by using Firewall. In 2019, Microsoft used a patch that corrected this vulnerability, and it is, therefore, significant that IT administrators install this patch.
RDP is like any other protocol or program that has vulnerabilities. They can be eliminated mainly by using the latest version of the protocol. Apart from installing new software, vendors also patch vulnerabilities in each new software version they release periodically.
Cybersecurity service providers help organizations secure remote access, offering many solutions depending on the company’s IT infrastructure and security needs. For removing the two main types of vulnerabilities discussed above, they use specific solutions. Unlike Corporate Firewalls, solutions for RDP are more software-based and do not require manual configuration.
It is estimated that millions of computers are still running an older version of Microsoft Windows and are vulnerable to RDP attacks despite the patches released. These computers are potential victims of targeted or automated cyberattacks. Organizations should be on high alert to different types of exploits emerging daily.