Mitigating RDP Exploits

By Greg Dietrich, VP – Customer Success – HiveIO Inc.

With over 4.5M unsecured RDP endpoints accessible on the internet at the height of the COVID-19 pandemic (based on these McAfee findings), RDP has been painted with a massive target, and it is no wonder the eyes of threat actors have wandered there.

Exploiting the Remote Desktop Protocol (RDP) has long been a popular method of spreading malicious content, with no respite expected any time soon. Commonly used methods for exploiting this attack surface include Denial of Service (DoS), personal data exploitation, and most recently Venus Ransomware. RDP is a cornerstone of remote system access solutions, and you should not simply avoid it as some industry technologists suggest. You must be smart about how you use it and ensure that the technologies you employ do not further exacerbate the problem.

Of course, the first and most obvious way to protect against unwanted guest access over RDP is to avoid exposing it to the internet. Note that simply changing the default RDP port is not an effective mitigation: attackers use scanning tools that identify open ports and the protocols behind them, so merely moving the port will not suffice.

VPN software can be a viable alternative for securing remote access and, depending on the implementation, can be effective. However, a VPN is far from infallible, and it can leave your organization exposed to a multitude of additional threats beyond those associated with RDP. A rule of thumb in security holds that a system is only as secure as its weakest link, and that link is unfortunately, in most cases, your end user and their computer.

Experts encourage the use of native Microsoft features to enhance the security of your RDP solution, including the Active Directory (AD) Group Policy Object (GPO) settings available to protect against the exploitation of RDP. Commonly used settings restrict automatic reconnection, limit the number of connections, and set the keep-alive interval for connections. Others specify the security layer required for the remote connection and who may modify the permissions related to remote access. Best practice is to thoroughly evaluate any change under consideration for mitigating RDP exploitation before putting it into production.
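The following is an added example, not HiveIO's code or part of Hive Fabric, that audits a Windows host against the two points made above: the GPO-backed hardening settings (automatic reconnection, connection limit, keep-alive interval, required security layer, permission customization) and whether the RDP port is reachable from any remote address through the host firewall. The registry value names are the ones the corresponding policies write; the numeric baseline for the connection limit and keep-alive interval is an assumption to be replaced with your own policy. It is read-only and changes nothing.

```powershell
# Added example (not HiveIO's code): audit an RDP host against the hardening
# points discussed above. Read-only: reports deviations, changes nothing.
# Run from an elevated PowerShell session on the RDP host.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Desired GPO-backed values under $PolicyKey. Numeric baselines for the
# connection limit and keep-alive interval are assumptions; adjust to your policy.
$Baseline = @(
    @{ Name = 'fDisableAutoReconnect'; Expected = 1; Setting = 'Automatic reconnection disabled' },
    @{ Name = 'MaxInstanceCount';      Expected = 2; Setting = 'Limit number of connections (assumed baseline: 2)' },
    @{ Name = 'KeepAliveEnable';       Expected = 1; Setting = 'Keep-alive enabled' },
    @{ Name = 'KeepAliveInterval';     Expected = 1; Setting = 'Keep-alive interval, minutes (assumed baseline: 1)' },
    @{ Name = 'SecurityLayer';         Expected = 2; Setting = 'Require SSL/TLS security layer' },
    @{ Name = 'UserAuthentication';    Expected = 1; Setting = 'Require Network Level Authentication' },
    @{ Name = 'MinEncryptionLevel';    Expected = 3; Setting = 'Client connection encryption level: High' },
    @{ Name = 'fWritableTSCCPermTab';  Expected = 0; Setting = 'Local admins may not customize RDP permissions' }
)

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent means the policy is not configured
}

function Test-RdpPolicyBaseline {
    # One row per setting: expected vs. actual, flagged REVIEW when they differ
    # or the policy is not configured at all.
    foreach ($item in $Baseline) {
        $actual = Get-RegDword -Path $PolicyKey -Name $item.Name
        [pscustomobject]@{
            Setting  = $item.Setting
            Value    = $item.Name
            Expected = $item.Expected
            Actual   = if ($null -eq $actual) { 'not configured' } else { $actual }
            Status   = if ($actual -eq $item.Expected) { 'OK' } else { 'REVIEW' }
        }
    }
}

function Test-RdpExposure {
    # Effective listening port. A non-default port is reported for information
    # only; as noted above, it is not a mitigation.
    $port = Get-RegDword -Path $RdpTcpKey -Name 'PortNumber'
    if ($null -eq $port) { $port = 3389 }

    # Enabled inbound allow rules that admit the RDP port from any remote address.
    $open = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $af = $_ | Get-NetFirewallAddressFilter
            ($pf.Protocol -eq 'TCP') -and
            ($pf.LocalPort -contains "$port" -or $pf.LocalPort -contains 'Any') -and
            ($af.RemoteAddress -contains 'Any')
        }

    [pscustomobject]@{
        RdpPort            = $port
        DefaultPort        = ($port -eq 3389)
        RulesOpenToAnyHost = @($open | Select-Object -ExpandProperty DisplayName)
    }
}

Test-RdpPolicyBaseline | Format-Table -AutoSize
Test-RdpExposure       | Format-List
```

Any row marked REVIEW, and any rule listed under RulesOpenToAnyHost, is a candidate for the evaluation step the paragraph above recommends: scope the firewall rule to the gateway or management subnet, and set the policy through GPO rather than editing the registry by hand so the value survives the next policy refresh.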

HiveIO has always been clear on this point: DO NOT expose direct RDP to the internet. For our remote connectivity, Hive Fabric secures access using a combined firewall and gateway configuration. HiveIO protects access to our desktops with AD authentication, 2FA/MFA, user-based rights for remote access to the desktop, randomized transient port access, and optional source IP lockdown (authentication and RDP must come from the same IP address). This multilayered approach has proven highly successful in mitigating attacks on our virtualized desktops, while remaining lightweight, highly scalable, and redundant.