Is RDP secure?
Questions surrounding RDP security have always existed, and for good reason. While Microsoft has gone to great lengths to secure RDP connections, weaknesses still abound. The most recent discussions have focused on the Credential Security Support Provider Protocol (CredSSP), an authentication provider that processes authentication requests. According to Microsoft, a vulnerability was discovered in unpatched versions of CredSSP that allowed attackers to relay user credentials to execute code on a target system. This put any application that relied on CredSSP for authentication at risk.
Microsoft has since offered a security update to remedy this issue, but other security concerns persist. Pre-existing encryption vulnerabilities, the use of lower-level encryption settings, and the general nature of remote desktops, with their open ports and power to grant administrator access remotely, all put data at risk. One of the most common attacks to befall RDS sessions is the man-in-the-middle attack, in which an attacker secretly observes and possibly alters communication between two parties. Brute force attacks, in which an attacker tries to gain system access through thousands of authentication attempts per minute, are also prevalent within the RDP space.
If you’re wondering how to secure remote desktop access, there are many best practices out there to address RDP security risks. A few of the most important ones to follow are:
- Powerful passwords: Weak passwords with little to no variation in letters, numbers, and special characters provide attackers with ample opportunity to access an account. Ensure your customers—and your team—are using long passwords with a minimum of 12 characters. Passphrases, which string two or more unrelated words together, are especially powerful. Accounts should also be configured to lock a user out after three invalid attempts.
- User restrictions: Not all administrator-level accounts on a computer need access to the Remote Desktop. Teach your customers and technicians the value of limiting remote access, thereby limiting the number of opportunities out there for hackers. These settings can easily be updated through the local and group policy management settings.
- Regular updates: Updates are critical for any type of software because they ensure the latest patches are in place. Microsoft’s patch cycle automatically updates client and server Remote Desktops with the latest security solutions—just make sure you’ve enabled automatic Microsoft Updates in your settings.
- Firewall safeguards: Placing the RDS behind a hardware or software firewall can help restrict access to the default Remote Desktop Listening port, TCP 3389. These firewalls are designed to ensure only legitimate requests reach your server.
- IP address restrictions: Restricting access to the Remote Desktop port to an individual or group of trusted IP addresses is called “scoping” the port. This can be achieved through the Windows firewall. Scoping the RDP port means the server will not accept connection attempts from any IP address outside of the scope you have set. This takes pressure off the server by relieving it of the duty to process malicious connection attempts.
- Multi-layer authentication: Implementing at least two unique forms of authentication can further safeguard sensitive data shared over RDP. Software that combines usernames and passwords with time-based one-time passcodes (TOTP) is considered especially secure.
- Secure ports: A majority of brute force attacks on RDP are conducted using the default 3389 port. If you notice a suspicious number of failed login attempts on the Remote Desktop, you may have an attacker on your hands. Switching to a new port can help you shake the cybercriminal and keep your customer’s information out of harm’s way.
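The "suspicious number of failed login attempts" mentioned above can be measured directly from the Security event log. The following PowerShell script is an added example, not code from the original article or from SolarWinds; it counts failed logons (event 4625) per source address over the last hour and flags sources above an assumed threshold of 20, which you should tune for your environment. It assumes an elevated prompt on the RDP host.

```powershell
# Added example: count failed RDP logons per source address (Security event 4625).
# Threshold and time window are assumed starting points, not values from the article.
$Threshold = 20
$Since     = (Get-Date).AddHours(-1)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

$rdpFailures = foreach ($e in $events) {
    # Pull the named EventData fields (LogonType, IpAddress, TargetUserName) out of the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Logon type 10 = RemoteInteractive (classic RDP). With Network Level Authentication
    # the failure happens before the session exists and is logged as type 3 (Network),
    # which also covers SMB and other network logons, so treat type 3 as a broader signal.
    if ($d.LogonType -in @('3', '10') -and $d.IpAddress -and $d.IpAddress -ne '-') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Source    = $d.IpAddress
            User      = $d.TargetUserName
            LogonType = $d.LogonType
        }
    }
}

# Group by source address and report anything at or above the threshold
$rdpFailures |
    Group-Object Source |
    Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    ForEach-Object {
        $users = @($_.Group.User | Select-Object -Unique)
        '{0,-16} {1,5} failures against {2} distinct account(s): {3}' -f `
            $_.Name, $_.Count, $users.Count, ($users -join ', ')
    }
```

A single source trying many distinct account names is the typical brute force (or password spraying) signature, whereas one account failing repeatedly from one address is more often a stale saved credential.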
How do I restrict access to Remote Desktop?
There are several ways to restrict access and secure Remote Desktop. You can help your customer limit the number of administrators with access to the Remote Desktop, and you can scope the port (limit access to specified IP addresses), as mentioned above. Restricting access to the Remote Desktop through either, or both, of these methods is a great way to protect systems from hackers searching for easy ways to enter and snatch highly sensitive data.
To remove local administrators from RDP access and restrict access to a specified group follow these steps:
- Click Start on the desktop, then Programs/Administrative Tools/Local Security Policy.
- Under Local Policies, select User Rights Assignment.
- Navigate to Allow Logon Through Terminal Services (depending on your software, it may read, “Allow Logon through Remote Desktop Services”).
- Remove the Administrators group and leave the Remote Desktop Users group.
- Use the System control panel to add specific users to the Remote Desktop Users group.
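The same five steps can be scripted so they are applied consistently across a customer's machines. This PowerShell script is an added example, not code from the original article or from SolarWinds; it uses the built-in secedit.exe to set the "Allow log on through Remote Desktop Services" right to the Remote Desktop Users group only, then adds named users to that group. The account names are placeholders, and it assumes an elevated prompt on a machine whose user rights are not being overridden by a domain Group Policy (a domain GPO would reapply its own setting).

```powershell
# Added example: restrict the RDP logon right to Remote Desktop Users and populate that group.
$cfg = Join-Path $env:TEMP 'rdp-rights.inf'
$db  = Join-Path $env:TEMP 'rdp-rights.sdb'

# Steps 1-4: the security template below lists ONLY the well-known SID of
# BUILTIN\Remote Desktop Users (S-1-5-32-555). BUILTIN\Administrators (S-1-5-32-544)
# is deliberately omitted, which removes the Administrators group from the right.
# Single-quoted here-string so PowerShell does not try to expand $CHICAGO$.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-555
'@ | Set-Content -Path $cfg -Encoding Unicode

secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS /quiet

# Step 5: add only the technicians who actually need RDP (placeholder names).
$allowed = @('CONTOSO\helpdesk-jdoe', 'CONTOSO\helpdesk-asmith')
foreach ($u in $allowed) {
    $already = Get-LocalGroupMember -Group 'Remote Desktop Users' -Member $u -ErrorAction SilentlyContinue
    if (-not $already) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $u
    }
}

# Verify: export the effective user rights and show who holds the RDP logon right.
$verify = Join-Path $env:TEMP 'rdp-rights-verify.inf'
secedit.exe /export /cfg $verify /areas USER_RIGHTS /quiet
Select-String -Path $verify -Pattern 'SeRemoteInteractiveLogonRight'
Get-LocalGroupMember -Group 'Remote Desktop Users'
```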
These simple, straightforward steps can go a long way in your efforts to ward off attackers. To secure Remote Desktop by limiting which IP addresses can access it, follow these steps:
- Connect to the server via RDP.
- Open Windows Firewall with Advanced Security.
- Click on Inbound Rules in the left pane.
- Locate the RDP Rule.
- Right click the rule, go to Properties, and switch to the Scope tab.
- Once in the Scope tab, select the Remote IP Address section.
- Click the button next to These IP Addresses.
- Then select Add.
- If using a single IP Address, type it in the top text field and click OK.
- Repeat steps 3 and 4 for every IP address you’d like to add.
- You can also add an IP range by clicking on the button next to This IP Range.
- Type the start of the range in the From field and the end of the range in the To field.
- Repeat steps 6 and 7 for every additional range.
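The firewall scoping procedure above can also be done in one PowerShell session, which avoids clicking through the Scope tab on every server. This script is an added example, not code from the original article or from SolarWinds; it sets the "These IP addresses" scope on the built-in inbound Remote Desktop rules and, because the procedure starts by connecting over RDP, refuses to apply a scope that would drop your own session. The trusted addresses are documentation-range placeholders, and it assumes an elevated prompt on the server.

```powershell
# Added example: scope the inbound Remote Desktop firewall rules to trusted addresses.
# Placeholder addresses (RFC 5737 documentation ranges); replace with real technician IPs or VPN ranges.
$trusted = @('203.0.113.25', '198.51.100.0/24')

# Step 4: locate the RDP rules. The built-in 'Remote Desktop' group contains the
# TCP and UDP listeners on port 3389 (exact display names vary by Windows version).
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
if (-not $rdpRules) { throw 'No inbound Remote Desktop rules found; check the rule group name.' }

# Lock-out guard: the address of the current RDP session must be inside the new scope.
# The check below only matches single addresses exactly; a session coming from inside a
# CIDR range in $trusted must be allowed by hand (set $skipGuard = $true after checking).
$skipGuard = $false
$sessionSrc = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue).RemoteAddress
if (-not $skipGuard -and $sessionSrc -and ($sessionSrc | Where-Object { $_ -notin $trusted })) {
    throw "Current RDP session from $($sessionSrc -join ', ') is not in the trusted list; refusing to apply scope."
}

# Steps 5-13: replace the rule's Remote IP Address scope with the trusted list in one call.
$rdpRules | Set-NetFirewallRule -RemoteAddress $trusted

# Verify: each RDP rule should now list only the trusted addresses.
$rdpRules | Get-NetFirewallAddressFilter |
    Select-Object -Property InstanceID, RemoteAddress
```

Remember that this scopes only the built-in rule group; any additional custom rule that opens 3389 (or a changed listening port) needs the same treatment.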
How to Ensure Your Customers Are Protected
Your customers trust you with remote access to some of their most valuable assets. Avoid putting highly sensitive information at risk with remote access software that will help ensure you are following best practices and securely gaining an inside look into your customers’ systems. SolarWinds® Take Control and Take Control Plus come with a number of built-in, business-grade security features that can help ensure your remote troubleshooting is secure. A good remote support software will help increase your customers’ trust and give you greater peace of mind through:
- Improved encryption: Implementing Advanced Encryption Standard (AES) 256-bit data encryption allows remote software to keep data secure both in transit and at rest. Some software also leverages the Elliptic-curve Diffie–Hellman (ECDH) key agreement scheme to establish a secure shared secret between two endpoints.
- Safeguarded session creation: This helps you establish boundaries and ensure sessions are initiated only by those with appropriate permissions.
- Security compliance: Historical visibility with full session search, recording, and reporting, paired with the default data privacy features in some software, can help ensure GDPR readiness and HIPAA compliance. FIPS-compliant OpenSSL cryptographic modules are also available to aid compliance with rigorous cryptography standards.
- Advanced authentication: Help safeguard accounts with multi-layer authentication [https://www.solarwindsmsp.com/blog/securing-your-remote-access-are-you-managing-logins-effectively] methods via technician access permission settings, or through two-factor authentication (2FA) that requires both a username/password combination and a tokenized protocol implementation.
- Secrets Vaults: Safeguard passwords and credentials using the Take Control Secrets Vaults feature. Secrets Vaults seal your clients’ machine credentials in impenetrable vaults and inject the information to unlock access when needed, all without the technician, or end user, being able to see the content at any point.
- IP designation: Designating which IP addresses can access the remote desktop helps ensure only authenticated users have access to your customer’s resources.
- Timeout control: Idle session timeout controls are a good way to prevent hackers from stealing a session that has sat unattended for too long.
- Clipboard deletions: Automatic clipboard deletion after sessions can help ensure sensitive data, like user credentials, doesn’t remain stored after use.
A remote connection is a gateway to your customers’ most valuable assets—their machines, their IP, and, ultimately, their data. It’s important you take the right steps to ensure your remote access gains and maintains their integrity and trust.
Need a tool that allows you to securely access remote computers? Try Take Control free for 14 days.