Remote Desktop is about being able to connect to and use a desktop computer that is far away from you. It lets you access your desktop, open and edit files, and use the applications installed on it, as if you were sitting at that computer, without actually being there.
 
Using remote desktop is quite common nowadays. People frequently use it to access their office computers while working from home or travelling.
 
Note, however, that accessing a remote desktop is not the same thing as cloud computing, and cloud computing is generally the better option vis-à-vis remote desktops. Still, many companies and their employees continue to rely on remote desktop access for a large part of their daily work.
 
Remote desktop software can use several different protocols, including RDP, Independent Computing Architecture (ICA), and Virtual Network Computing (VNC), but RDP is by far the most widely used. RDP was initially released by Microsoft and is available for most Windows operating systems, but it can be used with Mac operating systems too.
 
-
 

What is Remote Desktop Protocol?

RDP was initially developed and released by Microsoft, and most Windows operating systems include it by default.
 
RDP is a protocol, or technical standard, for using a desktop computer remotely, typically over TCP port 3389. It provides network access for a remote user over an 'encrypted channel.'
 
Network administrators use RDP to diagnose issues, log in to servers, and perform other remote actions. Remote users use RDP to log into the organization's network to access email and files.
 
RDP is an alternative to the open-source Virtual Network Computing (VNC) protocol commonly used on Linux and other platforms. RDP provides a graphical interface for remotely connecting one computer to another. Currently, some version of RDP is available for all common operating systems, including Windows, Linux, Unix, Mac, iOS, Android, and others.
 
RDP was designed to support many different network topologies, such as ISDN and POTS, and many LAN protocols, such as IPX, NetBIOS and TCP/IP. The current version of RDP, however, only runs over TCP/IP.
 

Some key features of RDP include:

  • 128-bit encryption
  • 32-bit color support
  • Audio, file system, printer, and port redirection to allow users to connect to local resources from within a terminal session
  • Support for a number of different network topologies
-

How Does RDP Work?

 
For RDP connections to work, you need two components—an RDP server and an RDP client. A typical RDP server is the Windows PC or server you’re connecting to and will control. The client is a PC or mobile device with an RDP client app installed, from which you control the server. Microsoft offers its own client for Windows, macOS, Android, and iOS, with various third-party options available for Linux and other platforms.
 
The basic function of RDP is to transmit the display output (the monitor) from the remote server to the client, and the keyboard and mouse input from the client to the remote server. Communication during an RDP connection is therefore highly asymmetric, since most of the data flows from the server to the client. By default, RDP communication is encrypted with RSA's RC4 cipher.
 
Communication in RDP is based on multiple channels, and the protocol theoretically supports up to 64,000 unique channels.
 
The RDP protocol creates a dedicated network channel for sending data back and forth between the connected machines (the remote desktop and the computer currently in use). It always uses network port 3389 for this purpose. Mouse movements, keystrokes, the desktop display, and all other necessary data are sent over this channel via TCP/IP, the transport protocol used for most types of Internet traffic. RDP also encrypts all data so that connections over the public Internet are more secure.
 
When you use RDP, your keystrokes and mouse activity are first encrypted and then transmitted over the internet to the remote desktop. This takes a few milliseconds. Then the remote desktop's display is transmitted back to you, which consumes a few more milliseconds. Most of you will have noticed this slight lag in actions and in the display while using Remote Desktop. Essentially, RDP allows you to control your remote Windows machine almost as if you were working on it locally.
 
Not only do most versions of Microsoft Windows, desktop and server alike, come equipped with RDP; Microsoft's Azure and Hyper-V platforms also use it as the default remote connection protocol.
 
Sending and receiving data through the RDP stack works much like the 7-layer OSI model of communication. The data to be transmitted is sectioned, directed to a channel, encrypted, wrapped, framed and packaged before going over the wire to the other party, where it goes through the same process in reverse.
 

When an RDP connection is established, it goes through the following stages:

 
  • Connection Initiation
  • Basic Settings Exchange
  • Channel Connection
  • Security Commencement
  • Secure Settings Exchange
  • Licensing
  • Capabilities Exchange
  • Connection Finalization
  • Data Exchange
 
A lot happens during each of these stages, but the technical details are beyond the scope of this post.
 
-
 

How Secure Is RDP?

 
RDP is not 100% secure.
 
There have been many instances of attackers using misconfigured RDP ports that were open to the internet to gain access to networks. From there, they were potentially in a position to move laterally through the network, escalate privileges, access and exfiltrate sensitive information, harvest credentials, or deploy a wide variety of malware.
 
This is a very popular attack vector. Threat actors using RDP are able to keep a low profile, because they are using a legitimate network service that gives them the same functionality as any other remote user. They have used tools such as Shodan to scan the Internet for open RDP ports and then brute-forced passwords to get into vulnerable networks. Compromised RDP credentials are also widely available for sale on 'dark web' marketplaces.
 
Ransomware variants that deliberately target networks through unsecured RDP ports, or by brute-forcing the password, have also been found.
 
  • BlueKeep (CVE-2019-0708) is a very well-known RCE vulnerability in Microsoft's RDP server, affecting Windows machines from Windows 2000 to Windows 7 and Windows Server 2008 R2. It was found and patched in May 2019.
  • DejaBlue (CVE-2019-1181 & CVE-2019-1182) is another RCE vulnerability in Microsoft's RDP server (hence the name), discovered in 2019. This time the vulnerability affected all versions of Windows (7-10) until the patch released in 2019.
 
Remember that not all RDP servers are Windows servers. Similar vulnerabilities have been shared between different implementations of RDP servers, so Windows is not the only potential target; FreeRDP (a popular open-source RDP server) has had its own share of vulnerabilities.
 
RDP is a complex protocol with many extensions, and because of that complexity the likelihood of new critical bugs being found remains high.
 
-
 

What Can You Do?

 
  • As the bare minimum, prevent your RDP servers from being exposed to the internet by keeping them behind your firewall.
  • Next, enable Network Level Authentication (NLA). It is enabled by default in Windows 10, Windows Server 2012 and newer, but on older versions of Windows you have to enable it yourself. NLA ensures that a session can only be established once the connection has been properly authenticated with a valid username and password.
  • Allow only non-administrator user accounts to connect remotely to Windows PCs. Standard user accounts can't change settings or install software and have limited access to files, which limits the damage a rogue connection could do. Don't allow RDP for administrator accounts. Whitelist specific trusted hosts. Adhere to the principle of least privilege, ensuring that users have the minimum level of access required to accomplish their duties.
  • Limit the number of incorrect password attempts allowed on an account before it is locked out, which should limit any damage from a denial of service attack.
  • Using strong passwords is good advice in any situation, but especially for Windows Remote Desktop connections. Don't reuse the same password across accounts, and use a combination of letters, numbers, and symbols. Multi-factor authentication is far more advisable still.
  • Always enable automatic updates for the client and server software you use, so that you can be sure you have the latest version, in which known security vulnerabilities are fixed. Also enable automatic Microsoft Updates to ensure that the latest versions of both the client and server software are running.
  • By default, RDP connections always try to use the highest possible level of encryption. To guarantee that the highest level is always used, set the encryption level explicitly in the Group Policy Editor (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > Set client connection encryption level > Enabled > High Level).
  • If RDP is not required, perform regular checks to ensure RDP ports are secured.
  • It is very important to log and review RDP login attempts for anomalous activity and to retain these logs for a minimum of 90 days. Ensure that only authorized users are accessing this service.
  • Also verify that cloud environments adhere to the best practices defined by the cloud service provider. After cloud environment setup is complete, ensure that RDP ports are not enabled unless required for a business purpose.
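The "log and review RDP login attempts" item above is the one most often left as a good intention, so here is an added example (not code from the original post) of what such a review can look like in practice. It reads Windows Security events 4624 (successful logon) and 4625 (failed logon), keeps only LogonType 10 (RemoteInteractive, the type recorded for RDP sessions), and flags two patterns: a burst of failures from one source address within a short window (password guessing) and a success from an address that has just produced such failures. The event IDs and logon type are real Windows values; the JSON-lines field names (`time`, `event_id`, `logon_type`, `user`, `src_ip`) are my own mapping that you would fill from your SIEM or log export, and the records embedded below are constructed for the example.

```python
"""Review RDP logon events (Windows Security 4624/4625, LogonType 10)
for password-guessing bursts and successes that follow them.

Added example. Field names are an assumed JSON-lines mapping of the
Security log; the SAMPLE_EVENTS records are constructed, not real.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_LOGON_OK = 4624
EVENT_LOGON_FAILED = 4625
RDP_LOGON_TYPE = 10  # RemoteInteractive


def parse_events(lines, logon_types=(RDP_LOGON_TYPE,)):
    """Parse JSON-lines records, keep the wanted logon types, sort by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("logon_type") not in logon_types:
            continue
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return sorted(events, key=lambda r: r["time"])


def summarize(events):
    """Per source address: how many RDP logons failed and succeeded."""
    summary = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for ev in events:
        key = "failed" if ev["event_id"] == EVENT_LOGON_FAILED else "succeeded"
        summary[ev["src_ip"]][key] += 1
    return dict(summary)


def find_anomalies(events, burst_threshold=5, min_failures_before_success=3,
                   window=timedelta(minutes=10)):
    """Sliding per-address window of failure timestamps.

    Returns a list of (kind, src_ip, time, detail) tuples, in time order.
    """
    findings = []
    recent_failures = defaultdict(deque)  # src_ip -> timestamps in window
    already_flagged = set()
    for ev in events:
        ip, t = ev["src_ip"], ev["time"]
        q = recent_failures[ip]
        while q and t - q[0] > window:  # drop failures older than the window
            q.popleft()
        if ev["event_id"] == EVENT_LOGON_FAILED:
            q.append(t)
            if len(q) >= burst_threshold and ip not in already_flagged:
                already_flagged.add(ip)
                findings.append(("failure_burst", ip, t,
                                 f"{len(q)} failed RDP logons within {window}"))
        elif ev["event_id"] == EVENT_LOGON_OK:
            if len(q) >= min_failures_before_success:
                findings.append(("success_after_failures", ip, t,
                                 f"user '{ev['user']}' succeeded after "
                                 f"{len(q)} recent failures"))
    return findings


# Constructed sample log (documentation IP ranges, fictitious users).
SAMPLE_EVENTS = """
{"time": "2024-03-01T02:14:05", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"}
{"time": "2024-03-01T02:14:09", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"}
{"time": "2024-03-01T02:14:12", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.45"}
{"time": "2024-03-01T02:14:16", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.45"}
{"time": "2024-03-01T02:14:20", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.45"}
{"time": "2024-03-01T02:14:24", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.45"}
{"time": "2024-03-01T02:15:01", "event_id": 4624, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.45"}
{"time": "2024-03-01T09:02:44", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "192.0.2.10"}
{"time": "2024-03-01T09:03:10", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "192.0.2.10"}
{"time": "2024-03-01T09:30:00", "event_id": 4624, "logon_type": 3, "user": "svc-backup", "src_ip": "198.51.100.7"}
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS.splitlines())
    print(summarize(evs))
    for kind, ip, t, detail in find_anomalies(evs):
        print(f"{t.isoformat()} {kind:24s} {ip:15s} {detail}")
```

On the sample, the single mistyped password from 192.0.2.10 is ignored while 203.0.113.45 produces both a burst finding and a success-after-failures finding, which is the kind of event worth checking against your trusted-host list. One caveat when you point this at real data: on hosts where NLA is enabled, failed RDP attempts that never get past CredSSP can be recorded with LogonType 3 (network) instead of 10, so pass `logon_types=(10, 3)` to `parse_events` if your failure counts look suspiciously low.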
 
-
 
Kindly write 💚 your comments 💚 on the posts or topics, because when you do that you help me greatly in ✍️ designing new quality article/post on cybersecurity.
 
You can also share with all of us if the information shared here helps you in some manner.
 
Life is small and make the most of it!
Also take care of yourself and your beloved ones…
 
With thanks,
Meena R.
_________

This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
