What is Remote Desktop Protocol (RDP)?
RDP is a proprietary Microsoft protocol that allows a user to access their desktop and computing resources remotely from another computer. It is also sometimes referred to as Terminal Services.
Why is RDP vulnerable?
RDP that is reachable from the internet is easily found by anyone scanning the whole internet address space. Cyber criminals routinely attack computers and servers where RDP is accessible in order to install malware such as ransomware, or to use the computer as a staging post for other attacks.
They attack RDP in various ways, such as brute-forcing their way into the network by trying millions of passwords exposed in previous breaches, or by using passwords harvested through phishing attacks against the company. RDP is also subject to several software vulnerabilities that, if left unpatched, can allow an attacker access to your computer network.
Suggested steps to protect your network
- We recommend that you turn off Remote Desktop access if it is not necessary. If it is necessary, secure it behind a VPN and/or multi-factor authentication; this is often best achieved by using an RDP Gateway server in conjunction with a firewall.
- Use strong, unique passwords throughout your network. The UK’s National Cyber Security Centre has excellent guidance on modern password policies available at https://www.ncsc.gov.uk/collection/passwords/updating-your-approach.
- Keep your operating system updated. Several well-documented and routinely abused vulnerabilities exist in RDP, and new software vulnerabilities are found all the time, so patching them in a timely manner is vital. Where the server is running an outdated version of Windows (such as Server 2008 or Windows XP), look to upgrade to a more modern version that is still receiving security patches.
- Limit the number of failed logon attempts allowed before the account is locked out to a number suitable for your organisation. This makes systems significantly more resilient against brute-force attempts to guess user passwords. You can also disable the built-in Administrator account on Windows servers and/or rename it, as that is the most commonly guessed username.
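The following audit script is an added example, not part of the original advisory: run in an elevated PowerShell session on a Windows host, it checks the machine against the four steps above (RDP enabled, Network Level Authentication required, account lockout threshold, built-in Administrator state, and the age of the last installed update). The registry paths and cmdlets are the standard Windows ones; the 60-day patch-age threshold and the English-language `net accounts` output are assumptions.

```powershell
# Added example (not from the original page): audit a host against the RDP hardening steps.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$findings = @()

# Step 1: is Remote Desktop enabled? fDenyTSConnections = 1 means it is switched off.
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -ne 1)

# Step 1 (cont.): if RDP is on, Network Level Authentication should be required (UserAuthentication = 1).
$nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

if ($rdpEnabled) {
    $findings += 'RDP is enabled: confirm it is needed and only reachable via VPN / RDP Gateway.'
    if ($nla -ne 1) { $findings += 'Network Level Authentication is not required on RDP-Tcp.' }
}

# Step 4: account lockout threshold, parsed from 'net accounts' (assumes English output).
# 'Lockout threshold: Never' means brute-force attempts are never locked out.
$lockoutLine = (net accounts) | Select-String 'Lockout threshold'
if ($lockoutLine) {
    $lockout = ($lockoutLine.Line -split ':')[-1].Trim()
    if ($lockout -eq 'Never') { $findings += 'No account lockout threshold is configured.' }
}

# Step 4 (cont.): the built-in Administrator always has RID 500, whatever it has been renamed to.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin) {
    if ($builtin.Enabled) { $findings += "Built-in Administrator ('$($builtin.Name)') is enabled." }
    if ($builtin.Name -eq 'Administrator') { $findings += 'Built-in Administrator still uses the default name.' }
}

# Step 3: how old is the most recent installed update? (60 days is an assumed threshold.)
$lastUpdate = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastUpdate -and ((Get-Date) - $lastUpdate.InstalledOn).Days -gt 60) {
    $findings += "Last update ($($lastUpdate.HotFixID)) was installed on $($lastUpdate.InstalledOn.ToShortDateString())."
}

if ($findings.Count -eq 0) { Write-Output '[ok] No findings against the RDP hardening checklist.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

Step 2 (strong, unique passwords) cannot be audited from a single host and is left to your password policy and breach-monitoring tooling.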
Have a question? Reach out to our Cyber Incident Response Team today.