Remote Desktop Protocol, known as RDP, is a service built into Microsoft Windows operating systems that allows a user to connect to a remote computer over the network. This capability makes remote access and management of computer resources easier, which leads to efficiencies for IT staff. Unfortunately, RDP is also commonly leveraged by criminals to break into and move laterally within corporate network environments.
While RDP is a useful and reasonable solution for remote management within a private network, it should not be deployed as an internet-facing service. When connecting to an RDP server, the remote user is presented with an interface that is roughly equivalent to physically sitting in front of a computer. Therefore, access to this protocol should be tightly controlled.
Criminals often leverage exposed RDP servers as an entry point into a targeted network. While exposing RDP does not necessarily provide instant access, many exposed servers have no rate limiting or failed-login lockout. This allows criminals to try logging in millions of times in a row using common account names and passwords. If just one of these attempts is successful, the attackers are in and can move on with their objectives, whether that is ransomware, data theft, or other goals.
Soteria’s incident response team is responding to an increasing number of intrusions that begin in this exact manner. Cyber insurance underwriters have also taken note, with some providers offering discounts to their clients if they have disabled RDP and utilize multi-factor authentication (MFA).
To prevent your organization from becoming the next victim, consider the following strategies to limit your risk for this attack vector:
- Do not expose RDP directly to the internet. RDP should be accessible only from within trusted networks.
- If it is necessary to have RDP access from outside the network, consider implementing a Virtual Private Network (VPN) or, even better, a zero-trust access solution that grants conditional access only to authorized users and devices and continuously verifies their identity as well as the health of their device and network.
- Don’t stop there! Perform regular reviews of your internet-facing footprint. Are there any services that do not need to be exposed, or that could be implemented more securely? Attackers are constantly changing their techniques, so limiting your exposure is a great way to stay ahead of threats.
- If RDP is not used on your Windows systems, disable the service altogether.
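As an added illustration of the last two points (this is not code from the Soteria post), the following PowerShell script audits a single Windows host's RDP posture, including the missing lockout limit described above, and with the `-Disable` switch turns the service off; the registry paths and cmdlets are standard Windows ones, while the `-Disable` switch and the output field names are this example's own.

```powershell
# Added example: audit a Windows host's RDP exposure and, when RDP is unused, disable it.
# Run from an elevated PowerShell session on the host being reviewed.
param([switch]$Disable)

$tsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpPath = "$tsPath\WinStations\RDP-Tcp"

# 1. Is RDP enabled? fDenyTSConnections = 1 means incoming connections are denied.
$deny = (Get-ItemProperty -Path $tsPath -Name fDenyTSConnections).fDenyTSConnections
# 2. Is Network Level Authentication required? UserAuthentication = 1 means yes.
$nla  = (Get-ItemProperty -Path $rdpPath -Name UserAuthentication).UserAuthentication
# 3. Listening port (default 3389). A non-default port is a note, not a control.
$port = (Get-ItemProperty -Path $rdpPath -Name PortNumber).PortNumber
# 4. Service state and enabled inbound firewall rules in the built-in "Remote Desktop" group.
$svc   = Get-Service -Name TermService
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
         Where-Object Enabled -eq 'True'
# 5. Local account lockout threshold. "Never" means unlimited password guesses against this host.
$lockout = (net accounts | Select-String 'Lockout threshold').ToString()

[pscustomobject]@{
    RdpEnabled       = ($deny -eq 0)
    NlaRequired      = ($nla -eq 1)
    ListenPort       = $port
    ServiceStatus    = $svc.Status
    OpenInboundRules = @($rules).Count
    LockoutThreshold = $lockout.Trim()
} | Format-List

if ($Disable) {
    # Deny new connections, disable the firewall rules, then stop and disable the service.
    Set-ItemProperty -Path $tsPath -Name fDenyTSConnections -Value 1
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    Stop-Service -Name TermService -Force
    Set-Service -Name TermService -StartupType Disabled
    Write-Host 'RDP disabled on this host.'
}
```

To cover a fleet rather than one host, the audit portion can be run across machines with `Invoke-Command`, and any host reporting `RdpEnabled = True` with `LockoutThreshold: Never` deserves attention first.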
These basic steps, while not comprehensive, can go a long way in keeping your organization from being targeted by this particular attack. If you are concerned about your RDP exposure or any other cyber security issues, Soteria recommends having an external party conduct a security assessment to assist you in finding and mitigating your risks.
To learn more about Soteria’s security assessment services, go to https://soteria.io/cyber-security-consulting/ or contact us directly at (843)501-0313.